Fixing aiohttp vulnerability

eclipse-velocitas · Sep 5, 2024 · bb166e5 · bb166e5
1 parent 1bd171e
commit bb166e5
Show file tree

Hide file tree

Showing 7 changed files with 35 additions and 30 deletions.
diff --git a/.project-creation/.skeleton/requirements.in b/.project-creation/.skeleton/requirements.in
@@ -15,4 +15,4 @@
 grpcio==1.64.1
 protobuf==5.27.2
 cloudevents==1.11.0
-aiohttp==3.9.5
+aiohttp==3.10.5
diff --git a/.project-creation/.skeleton/requirements.txt b/.project-creation/.skeleton/requirements.txt
@@ -4,13 +4,15 @@
 #
 #    pip-compile
 #
-aiohttp==3.9.5
+aiohappyeyeballs==2.4.0
+    # via aiohttp
+aiohttp==3.10.5
     # via -r requirements.in
 aiosignal==1.3.1
     # via aiohttp
 async-timeout==4.0.3
     # via aiohttp
-attrs==23.2.0
+attrs==24.2.0
     # via aiohttp
 cloudevents==1.11.0
     # via -r requirements.in
@@ -22,7 +24,7 @@ frozenlist==1.4.1
     #   aiosignal
 grpcio==1.64.1
     # via -r requirements.in
-idna==3.7
+idna==3.8
     # via yarl
 multidict==6.0.5
     # via
@@ -32,5 +34,5 @@ packaging==24.1
     # via deprecation
 protobuf==5.27.2
     # via -r requirements.in
-yarl==1.9.4
+yarl==1.9.7
     # via aiohttp
diff --git a/NOTICE-3RD-PARTY-CONTENT.md b/NOTICE-3RD-PARTY-CONTENT.md
@@ -3,13 +3,14 @@
 ## Python
 | Dependency | Version | License |
 |:-----------|:-------:|--------:|
-|aiohttp|3.9.5|Apache 2.0|
+|aiohappyeyeballs|2.4.0|Other/Proprietary License<br/>Python Software Foundation License|
+|aiohttp|3.10.5|Apache 2.0|
 |aiosignal|1.3.1|Apache 2.0|
 |APScheduler|3.10.4|MIT|
 |async-timeout|4.0.3|Apache 2.0|
 |attrs|24.2.0|MIT|
 |build|1.2.1|MIT|
-|cachetools|5.4.0|MIT|
+|cachetools|5.5.0|MIT|
 |cfgv|3.4.0|MIT|
 |chardet|5.2.0|LGPL|
 |click|8.1.7|New BSD|
@@ -26,11 +27,11 @@
 |grpcio|1.64.1|Apache 2.0|
 |grpcio-tools|1.64.1|Apache 2.0|
 |identify|2.6.0|MIT|
-|idna|3.7|BSD|
+|idna|3.8|BSD|
 |importlib-metadata|7.1.0|Apache 2.0|
 |iniconfig|2.0.0|MIT|
 |multidict|6.0.5|Apache 2.0|
-|mypy|1.11.1|MIT|
+|mypy|1.11.2|MIT|
 |mypy-extensions|1.0.0|MIT|
 |mypy-protobuf|3.6.0|Apache 2.0|
 |nodeenv|1.9.1|BSD|
@@ -51,14 +52,14 @@
 |pyproject-api|1.7.1|MIT|
 |pyproject-hooks|1.1.0|MIT|
 |pytest|8.3.2|MIT|
-|pytest-asyncio|0.23.8|Apache 2.0|
+|pytest-asyncio|0.24.0|Apache 2.0|
 |pytest-cov|5.0.0|MIT|
 |pytz|2024.1|MIT|
 |PyYAML|6.0.2|MIT|
 |setuptools|65.5.1|MIT|
 |six|1.16.0|MIT|
 |tomli|2.0.1|MIT|
-|tox|4.17.1|MIT|
+|tox|4.18.0|MIT|
 |types-Deprecated|1.2.9.20240311|Apache 2.0|
 |types-mock|5.1.0.20240425|Apache 2.0|
 |types-protobuf|5.27.0.20240626|Apache 2.0|
@@ -67,8 +68,8 @@
 |virtualenv|20.26.3|MIT|
 |wheel|0.44.0|MIT|
 |wrapt|1.16.0|BSD|
-|yarl|1.9.4|Apache 2.0|
-|zipp|3.19.2|MIT|
+|yarl|1.9.7|Apache 2.0|
+|zipp|3.20.1|MIT|
 ## Workflows
 | Dependency | Version | License |
 |:-----------|:-------:|--------:|

diff --git a/examples/seat-adjuster/requirements.in b/examples/seat-adjuster/requirements.in
@@ -15,5 +15,5 @@
 grpcio==1.64.1
 protobuf==5.27.2
 cloudevents==1.11.0
-aiohttp==3.9.5
+aiohttp==3.10.5
 packaging==24.1
diff --git a/examples/seat-adjuster/requirements.txt b/examples/seat-adjuster/requirements.txt
@@ -4,13 +4,15 @@
 #
 #    pip-compile
 #
-aiohttp==3.9.5
+aiohappyeyeballs==2.4.0
+    # via aiohttp
+aiohttp==3.10.5
     # via -r requirements.in
 aiosignal==1.3.1
     # via aiohttp
 async-timeout==4.0.3
     # via aiohttp
-attrs==23.2.0
+attrs==24.2.0
     # via aiohttp
 cloudevents==1.11.0
     # via -r requirements.in
@@ -22,7 +24,7 @@ frozenlist==1.4.1
     #   aiosignal
 grpcio==1.64.1
     # via -r requirements.in
-idna==3.7
+idna==3.8
     # via yarl
 multidict==6.0.5
     # via
@@ -34,5 +36,5 @@ packaging==24.1
     #   deprecation
 protobuf==5.27.2
     # via -r requirements.in
-yarl==1.9.4
+yarl==1.9.7
     # via aiohttp
diff --git a/requirements.txt b/requirements.txt
@@ -4,7 +4,9 @@
 #
 #    pip-compile --extra=dev
 #
-aiohttp==3.9.5
+aiohappyeyeballs==2.4.0
+    # via aiohttp
+aiohttp==3.10.5
     # via velocitas_sdk (setup.py)
 aiosignal==1.3.1
     # via aiohttp
@@ -16,7 +18,7 @@ attrs==24.2.0
     # via aiohttp
 build==1.2.1
     # via pip-tools
-cachetools==5.4.0
+cachetools==5.5.0
     # via tox
 cfgv==3.4.0
     # via pre-commit
@@ -29,9 +31,7 @@ cloudevents==1.11.0
 colorama==0.4.6
     # via tox
 coverage[toml]==7.6.1
-    # via
-    #   coverage
-    #   pytest-cov
+    # via pytest-cov
 deprecated==1.2.14
     # via
     #   opentelemetry-api
@@ -61,7 +61,7 @@ grpcio-tools==1.64.1
     # via velocitas_sdk (setup.py)
 identify==2.6.0
     # via pre-commit
-idna==3.7
+idna==3.8
     # via yarl
 importlib-metadata==7.1.0
     # via opentelemetry-api
@@ -71,7 +71,7 @@ multidict==6.0.5
     # via
     #   aiohttp
     #   yarl
-mypy==1.11.1
+mypy==1.11.2
     # via velocitas_sdk (setup.py)
 mypy-extensions==1.0.0
     # via mypy
@@ -138,7 +138,7 @@ pytest==8.3.2
     #   pytest-asyncio
     #   pytest-cov
     #   velocitas_sdk (setup.py)
-pytest-asyncio==0.23.8
+pytest-asyncio==0.24.0
     # via velocitas_sdk (setup.py)
 pytest-cov==5.0.0
     # via velocitas_sdk (setup.py)
@@ -157,7 +157,7 @@ tomli==2.0.1
     #   pyproject-api
     #   pytest
     #   tox
-tox==4.17.1
+tox==4.18.0
     # via velocitas_sdk (setup.py)
 types-deprecated==1.2.9.20240311
     # via velocitas_sdk (setup.py)
@@ -181,9 +181,9 @@ wrapt==1.16.0
     # via
     #   deprecated
     #   opentelemetry-instrumentation
-yarl==1.9.4
+yarl==1.9.7
     # via aiohttp
-zipp==3.19.2
+zipp==3.20.1
     # via importlib-metadata
 
 # The following packages are considered to be unsafe in a requirements file:

diff --git a/setup.py b/setup.py
@@ -18,7 +18,7 @@
     "grpcio==1.64.1",
     "protobuf==5.27.2",
     "cloudevents==1.11.0",
-    "aiohttp==3.9.5",
+    "aiohttp==3.10.5",
     "paho-mqtt==2.1.0",
     "opentelemetry-distro==0.46b0",
     "opentelemetry-instrumentation-logging==0.46b0",