Fix security issues (#114)

* Fix security issues

* Fix some issue in dependencies

* Remove unecessary prints

* Re-compiled requirements

* Fix CI

* Fix review findings

Author: kse3hi

.github/actions/pre-commit-action/action.yml

@@ -35,7 +35,7 @@ jobs:
     strategy:
       max-parallel: 3
       matrix:
-        python-version: [3.8, 3.9, "3.10"]
+        python-version: ["3.9", "3.10"]
 
     steps:
       - name: Checkout repository
@@ -57,7 +57,7 @@ jobs:
           python3 -m pip install tox-gh-actions
 
       - name: Run Linters
-        uses: ./.github/actions/pre-commit-action
+        uses: pre-commit/action@v3.0.0
 
       - name: Run the daparized databroker binary
         run: |

.github/workflows/ci.yaml

@@ -16,3 +16,4 @@ grpcio==1.59.0
 protobuf==4.24.4
 dapr==1.11.0
 cloudevents==1.10.0
+aiohttp==3.9.2

.project-creation/.skeleton/requirements.in

@@ -4,16 +4,16 @@
 #
 #    pip-compile requirements.in
 #
-aiohttp==3.8.6
-    # via dapr
+aiohttp==3.9.0
+    # via
+    #   -r requirements.in
+    #   dapr
 aiosignal==1.3.1
     # via aiohttp
 async-timeout==4.0.3
     # via aiohttp
 attrs==23.1.0
     # via aiohttp
-charset-normalizer==3.3.0
-    # via aiohttp
 cloudevents==1.10.0
     # via -r requirements.in
 dapr==1.11.0

.project-creation/.skeleton/requirements.txt

@@ -81,7 +81,7 @@ def compile_requirements(destination_repo: str) -> None:
 
     subprocess.check_call(  # nosec B603, B607
         ["python", "-m", "piptools", "compile"],
-        cwd=destination_repo,
+        cwd=os.path.join(destination_repo),
         stdout=subprocess.DEVNULL,
         stderr=subprocess.DEVNULL,
     )
@@ -113,6 +113,7 @@ def main():
         if args.example
         else os.path.join(get_repo_root(), ".project-creation", ".skeleton")
     )
+
     copy_project(example_app, args.destination)
 
     compile_requirements(args.destination)

.project-creation/run.py

@@ -21,11 +21,8 @@
 # Development Tools Packages
 ##########################################
 grpcio-tools==1.59.0
-grpc-stubs==1.53.0.2
+grpc-stubs==1.53.0.5
 mypy-protobuf==3.5.0
-pre-commit==3.3.3
-black==23.7.0
-mypy==1.5.1
-bandit==1.7.5
-flake8==6.1.0
+pre-commit==3.6.0
+mypy==1.8.0
 pip-tools==7.3.0

.project-creation/templates/requirements.in

@@ -3,35 +3,34 @@
 ## Python
 | Dependency | Version | License |
 |:-----------|:-------:|--------:|
-|aiohttp|3.8.5|Apache 2.0|
+|aiohttp|3.9.2|Apache 2.0|
 |aiosignal|1.3.1|Apache 2.0|
 |APScheduler|3.10.4|MIT|
 |async-timeout|4.0.3|Apache 2.0|
 |attrs|23.1.0|MIT|
 |build|1.0.3|MIT|
-|cachetools|5.3.1|MIT|
+|cachetools|5.3.2|MIT|
 |cfgv|3.4.0|MIT|
 |chardet|5.2.0|LGPL|
-|charset-normalizer|3.2.0|MIT|
 |click|8.1.7|New BSD|
 |cloudevents|1.9.0|Apache 2.0|
 |colorama|0.4.6|BSD|
-|coverage|7.3.2|Apache 2.0|
+|coverage|7.4.1|Apache 2.0|
 |dapr|1.10.0|Apache 2.0|
 |Deprecated|1.2.14|MIT|
 |deprecation|2.1.0|Apache 2.0|
-|distlib|0.3.7|Python Software Foundation License|
-|exceptiongroup|1.1.3|MIT|
-|filelock|3.12.4|The Unlicense (Unlicense)|
+|distlib|0.3.8|Python Software Foundation License|
+|exceptiongroup|1.2.0|MIT|
+|filelock|3.13.1|The Unlicense (Unlicense)|
 |frozenlist|1.4.0|Apache 2.0|
-|grpc-stubs|1.53.0.3|MIT|
+|grpc-stubs|1.53.0.5|MIT|
 |grpcio|1.59.0|Apache 2.0|
 |grpcio-tools|1.59.0|Apache 2.0|
-|identify|2.5.30|MIT|
+|identify|2.5.33|MIT|
 |idna|3.4|BSD|
 |iniconfig|2.0.0|MIT|
 |multidict|6.0.4|Apache 2.0|
-|mypy|1.6.0|MIT|
+|mypy|1.8.0|MIT|
 |mypy-extensions|1.0.0|MIT|
 |mypy-protobuf|3.4.0|Apache 2.0|
 |nodeenv|1.8.0|BSD|
@@ -45,29 +44,29 @@
 |paho-mqtt|1.6.1|OSI Approved|
 |pip|23.3.2|MIT|
 |pip-tools|7.3.0|BSD|
-|platformdirs|3.11.0|MIT|
-|pluggy|1.3.0|MIT|
-|pre-commit|3.4.0|MIT|
+|platformdirs|4.1.0|MIT|
+|pluggy|1.4.0|MIT|
+|pre-commit|3.6.0|MIT|
 |protobuf|4.21.12|Google License|
 |pyproject-api|1.6.1|MIT|
 |pyproject-hooks|1.0.0|MIT|
-|pytest|7.4.2|MIT|
-|pytest-asyncio|0.21.1|Apache 2.0|
+|pytest|7.4.4|MIT|
+|pytest-asyncio|0.23.4|Apache 2.0|
 |pytest-cov|4.1.0|MIT|
 |python-dateutil|2.8.2|Apache 2.0<br/>BSD|
-|pytz|2023.3.post1|MIT|
+|pytz|2023.4|MIT|
 |PyYAML|6.0.1|MIT|
 |setuptools|58.1.0|MIT|
 |six|1.16.0|MIT|
 |tomli|2.0.1|MIT|
-|tox|4.11.3|MIT|
-|types-Deprecated|1.2.9.3|Apache 2.0|
-|types-mock|5.1.0.2|Apache 2.0|
-|types-protobuf|4.24.0.2|Apache 2.0|
+|tox|4.11.4|MIT|
+|types-Deprecated|1.2.9.20240106|Apache 2.0|
+|types-mock|5.1.0.20240106|Apache 2.0|
+|types-protobuf|4.24.0.20240106|Apache 2.0|
 |typing-extensions|4.7.1|Python Software Foundation License|
-|tzlocal|5.1|MIT|
-|virtualenv|20.24.5|MIT|
-|wheel|0.41.2|MIT|
+|tzlocal|5.2|MIT|
+|virtualenv|20.25.0|MIT|
+|wheel|0.42.0|MIT|
 |wrapt|1.15.0|BSD|
 |yarl|1.9.2|Apache 2.0|
 ## Workflows
@@ -82,4 +81,5 @@
 |devcontainers/ci|v0.3|MIT License|
 |github/codeql-action|v2|MIT License|
 |mikepenz/action-junit-report|v4|Apache License 2.0|
+|pre-commit/action|v3.0.0|MIT License|
 |softprops/action-gh-release|v1|MIT License|

NOTICE-3RD-PARTY-CONTENT.md

@@ -16,3 +16,5 @@ grpcio==1.59.0
 protobuf==4.24.4
 dapr==1.11.0
 cloudevents==1.10.0
+aiohttp==3.9.2
+packaging==23.0

examples/seat-adjuster/requirements.in

@@ -4,23 +4,23 @@
 #
 #    pip-compile
 #
-aiohttp==3.8.3
-    # via dapr
+aiohttp==3.9.2
+    # via
+    #   -r requirements.in
+    #   dapr
 aiosignal==1.3.1
     # via aiohttp
-async-timeout==4.0.2
+async-timeout==4.0.3
     # via aiohttp
-attrs==22.2.0
-    # via aiohttp
-charset-normalizer==2.1.1
+attrs==23.1.0
     # via aiohttp
 cloudevents==1.10.0
     # via -r requirements.in
 dapr==1.11.0
     # via -r requirements.in
 deprecation==2.1.0
     # via cloudevents
-frozenlist==1.3.3
+frozenlist==1.4.0
     # via
     #   aiohttp
     #   aiosignal
@@ -35,7 +35,9 @@ multidict==6.0.4
     #   aiohttp
     #   yarl
 packaging==23.0
-    # via deprecation
+    # via
+    #   -r requirements.in
+    #   deprecation
 protobuf==4.24.4
     # via
     #   -r requirements.in
@@ -46,5 +48,5 @@ six==1.16.0
     # via python-dateutil
 typing-extensions==4.8.0
     # via dapr
-yarl==1.8.2
+yarl==1.9.2
     # via aiohttp

examples/seat-adjuster/requirements.txt

@@ -17,3 +17,4 @@ pytest-ordering
 pytest-asyncio
 pytest-cov
 types-mock
+packaging==23.0