🔒️⬆️ Maintenance/upgrade vulnerable nbconvert (ITISFoundation#3451)

pcrespov · web-flow · commit f6a91eb902d9 · 2022-10-17T23:44:13.000+02:00
- nbconvert
diff --git a/requirements/constraints.txt b/requirements/constraints.txt
@@ -22,6 +22,13 @@ sqlalchemy>=1.3.3                             # https://nvd.nist.gov/vuln/detail
 ujson>=5.4.0                                  # https://github.com/advisories/GHSA-fh56-85cw-5pq6, https://github.com/advisories/GHSA-wpqr-jcpx-745r
 urllib3>=1.26.5                               # https://github.com/advisories/GHSA-q2q7-5pp4-w6pg
 
+
+# Blocked https://github.com/Pennsieve/pennsieve-python/issues/17
+# protobuf                                    # https://github.com/advisories/GHSA-8gq9-2x98-w8hf
+
+
+
+
 #
 # Breaking changes
 #
diff --git a/services/dask-sidecar/requirements/_base.txt b/services/dask-sidecar/requirements/_base.txt
@@ -92,8 +92,6 @@ dnspython==2.0.0
     # via email-validator
 email-validator==1.2.1
     # via pydantic
-entrypoints==0.3
-    # via nbconvert
 fastjsonschema==2.15.3
     # via nbformat
 frozenlist==1.3.0
@@ -113,6 +111,8 @@ idna==2.10
     #   email-validator
     #   requests
     #   yarl
+importlib-metadata==5.0.0
+    # via nbconvert
 jinja2==3.1.2
     # via
     #   -c requirements/../../../packages/dask-task-models-library/requirements/../../../packages/models-library/requirements/../../../requirements/constraints.txt
@@ -160,7 +160,7 @@ markupsafe==2.1.1
     # via
     #   jinja2
     #   nbconvert
-mistune==0.8.4
+mistune==2.0.4
     # via nbconvert
 msgpack==1.0.3
     # via distributed
@@ -170,7 +170,7 @@ multidict==6.0.2
     #   yarl
 nbclient==0.5.3
     # via nbconvert
-nbconvert==6.4.5
+nbconvert==7.2.1
     # via jupyter-server
 nbformat==5.3.0
     # via
@@ -192,6 +192,7 @@ packaging==21.3
     #   dask
     #   distributed
     #   jupyter-server
+    #   nbconvert
 pandas==1.2.4
     # via
     #   -r requirements/_base.in
@@ -288,7 +289,7 @@ tenacity==8.1.0
     # via -r requirements/../../../packages/service-library/requirements/_base.in
 terminado==0.10.1
     # via jupyter-server
-testpath==0.5.0
+tinycss2==1.1.1
     # via nbconvert
 toolz==0.11.1
     # via
@@ -335,7 +336,9 @@ urllib3==1.26.9
     #   distributed
     #   requests
 webencodings==0.5.1
-    # via bleach
+    # via
+    #   bleach
+    #   tinycss2
 websocket-client==0.59.0
     # via jupyter-server
 wrapt==1.14.1
@@ -344,6 +347,8 @@ yarl==1.7.2
     # via aiohttp
 zict==2.2.0
     # via distributed
+zipp==3.9.0
+    # via importlib-metadata
 
 # The following packages are considered to be unsafe in a requirements file:
 # setuptools

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,13 @@ sqlalchemy>=1.3.3 # https://nvd.nist.gov/vuln/detail`
`22`	`22`	`ujson>=5.4.0 # https://github.com/advisories/GHSA-fh56-85cw-5pq6, https://github.com/advisories/GHSA-wpqr-jcpx-745r`
`23`	`23`	`urllib3>=1.26.5 # https://github.com/advisories/GHSA-q2q7-5pp4-w6pg`
`24`	`24`
	`25`	`+`
	`26`	`+# Blocked https://github.com/Pennsieve/pennsieve-python/issues/17`
	`27`	`+# protobuf # https://github.com/advisories/GHSA-8gq9-2x98-w8hf`
	`28`	`+`
	`29`	`+`
	`30`	`+`
	`31`	`+`
`25`	`32`	`#`
`26`	`33`	`# Breaking changes`
`27`	`34`	`#`