Fix aiohttp vulnerability (#152)

* Fix aiohttp vulnerability

* Test undefined version

* Prepare for release

* Apply suggestions from code review

Co-authored-by: BjoernAtBosch <[email protected]>

* update requirements

* fix licenses

* fix review findings

* update test requirements

* fix requirements

* fix readme and comment

* fix typo

---------

Co-authored-by: BjoernAtBosch <[email protected]>
Co-authored-by: Markus Petke <[email protected]>

Author: 3 people

.github/workflows/project-creation.yaml

@@ -50,7 +50,7 @@ jobs:
         with:
           repository: eclipse-velocitas/cli
           path: cli
-          ref: v0.11.0
+          ref: v0.13.1
 
       - name: Checkout SDK repo
         uses: actions/checkout@v4
@@ -92,7 +92,11 @@ jobs:
             CREATE_ARGS="-e ${{ matrix.example }}"
           fi
           velocitas create -c vapp-core-python $CREATE_ARGS
-          # Velocitas CLI fetches an older merged/released version of the example
+
+          # Velocitas CLI does not fetch the latest released version of the example.
+          # This is caused by vehicle-app-template that downloads latest tagged version of pkg-velocitas-main,
+          # which then uses the latest tagged SDK or the version mentioned in
+          # components/cores/vapp-python/.project-creation/config.json if no tags are found.
           # But we want to check the one in this repository so lets copy it
           if [ "${{ matrix.example }}" != "no-example" ]; then
             cp -r ../sdk/examples/${{ matrix.example }}/* ../app/app

.pre-commit-config.yaml

@@ -17,7 +17,7 @@
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v5.0.0
     hooks:
       - id: trailing-whitespace
         exclude: >
@@ -45,15 +45,15 @@ repos:
       - id: check-merge-conflict
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.1.13
+    rev: v0.9.10
     hooks:
       - id: ruff
         args: [--fix, --exclude, "*_pb2.py,*_pb2.pyi,*_pb2_grpc.py,*.log"]
       - id: ruff-format
         args: [--exclude, "*_pb2.py,*_pb2.pyi,*_pb2_grpc.py,*.log"]
 
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.8.0
+    rev: v1.15.0
     hooks:
       - id: mypy
         exclude: >
@@ -67,7 +67,7 @@ repos:
         pass_filenames: false
 
   - repo: https://github.com/Lucas-C/pre-commit-hooks
-    rev: v1.5.4
+    rev: v1.5.5
     hooks:
       - id: insert-license
         files: '.*\.(py|pyi|yaml|yml|sh|in)$'

.project-creation/.skeleton/requirements-velocitas.txt

@@ -1 +1 @@
-velocitas-sdk==0.15.4
+velocitas-sdk==0.15.5

.project-creation/.skeleton/requirements.in

@@ -15,4 +15,4 @@
 grpcio==1.64.1
 protobuf==5.27.2
 cloudevents==1.11.0
-aiohttp==3.10.5
+aiohttp==3.10.11

.project-creation/.skeleton/requirements.txt

@@ -4,35 +4,39 @@
 #
 #    pip-compile
 #
-aiohappyeyeballs==2.4.0
+aiohappyeyeballs==2.5.0
     # via aiohttp
-aiohttp==3.10.5
+aiohttp==3.10.11
     # via -r requirements.in
-aiosignal==1.3.1
+aiosignal==1.3.2
     # via aiohttp
-async-timeout==4.0.3
+async-timeout==5.0.1
     # via aiohttp
-attrs==24.2.0
+attrs==25.1.0
     # via aiohttp
 cloudevents==1.11.0
     # via -r requirements.in
 deprecation==2.1.0
     # via cloudevents
-frozenlist==1.4.1
+frozenlist==1.5.0
     # via
     #   aiohttp
     #   aiosignal
 grpcio==1.64.1
     # via -r requirements.in
-idna==3.8
+idna==3.10
     # via yarl
-multidict==6.0.5
+multidict==6.1.0
     # via
     #   aiohttp
     #   yarl
-packaging==24.1
+packaging==24.2
     # via deprecation
+propcache==0.3.0
+    # via yarl
 protobuf==5.27.2
     # via -r requirements.in
-yarl==1.9.7
+typing-extensions==4.12.2
+    # via multidict
+yarl==1.18.3
     # via aiohttp

.project-creation/.skeleton/tests/requirements.txt

@@ -4,31 +4,31 @@
 #
 #    pip-compile
 #
-coverage[toml]==7.3.2
+coverage[toml]==7.6.12
     # via pytest-cov
-exceptiongroup==1.1.3
+exceptiongroup==1.2.2
     # via pytest
 iniconfig==2.0.0
     # via pytest
-packaging==23.2
+packaging==24.2
     # via pytest
-pluggy==1.3.0
+pluggy==1.5.0
     # via pytest
-pytest==7.4.2
+pytest==8.3.5
     # via
     #   -r requirements.in
     #   pytest-asyncio
     #   pytest-cov
     #   pytest-ordering
-pytest-asyncio==0.21.1
+pytest-asyncio==0.25.3
     # via -r requirements.in
-pytest-cov==4.1.0
+pytest-cov==6.0.0
     # via -r requirements.in
 pytest-ordering==0.6
     # via -r requirements.in
-tomli==2.0.1
+tomli==2.2.1
     # via
     #   coverage
     #   pytest
-types-mock==5.1.0.2
+types-mock==5.2.0.20250306
     # via -r requirements.in

.project-creation/templates/requirements.in

@@ -20,9 +20,7 @@
 ##########################################
 # Development Tools Packages
 ##########################################
-grpcio-tools==1.59.0
-grpc-stubs==1.53.0.5
-mypy-protobuf==3.5.0
-pre-commit==3.6.0
-mypy==1.8.0
-pip-tools==7.3.0
+mypy-protobuf
+pre-commit
+mypy
+pip-tools

NOTICE-3RD-PARTY-CONTENT.md

@@ -3,35 +3,35 @@
 ## Python
 | Dependency | Version | License |
 |:-----------|:-------:|--------:|
-|aiohappyeyeballs|2.4.0|Other/Proprietary License<br/>Python Software Foundation License|
-|aiohttp|3.10.5|Apache 2.0|
-|aiosignal|1.3.1|Apache 2.0|
-|APScheduler|3.10.4|MIT|
-|async-timeout|4.0.3|Apache 2.0|
-|attrs|24.2.0|MIT|
-|build|1.2.1|MIT|
-|cachetools|5.5.0|MIT|
+|aiohappyeyeballs|2.5.0|Python Software Foundation License|
+|aiohttp|3.10.11|Apache 2.0|
+|aiosignal|1.3.2|Apache 2.0|
+|APScheduler|3.11.0|MIT|
+|async-timeout|5.0.1|Apache 2.0|
+|attrs|25.1.0|unknown|
+|build|1.2.2.post1|MIT|
+|cachetools|5.5.2|MIT|
 |cfgv|3.4.0|MIT|
 |chardet|5.2.0|LGPL|
-|click|8.1.7|New BSD|
+|click|8.1.8|BSD|
 |cloudevents|1.11.0|Apache 2.0|
 |colorama|0.4.6|BSD|
-|coverage|7.6.1|Apache 2.0|
-|Deprecated|1.2.14|MIT|
+|coverage|7.6.12|Apache 2.0|
+|Deprecated|1.2.18|MIT|
 |deprecation|2.1.0|Apache 2.0|
-|distlib|0.3.8|Python Software Foundation License|
+|distlib|0.3.9|Python Software Foundation License|
 |exceptiongroup|1.2.2|MIT|
-|filelock|3.15.4|The Unlicense (Unlicense)|
-|frozenlist|1.4.1|Apache 2.0|
+|filelock|3.17.0|The Unlicense (Unlicense)|
+|frozenlist|1.5.0|Apache 2.0|
 |grpc-stubs|1.53.0.5|MIT|
 |grpcio|1.64.1|Apache 2.0|
 |grpcio-tools|1.64.1|Apache 2.0|
-|identify|2.6.0|MIT|
-|idna|3.8|BSD|
+|identify|2.6.9|MIT|
+|idna|3.10|BSD|
 |importlib-metadata|7.1.0|Apache 2.0|
 |iniconfig|2.0.0|MIT|
-|multidict|6.0.5|Apache 2.0|
-|mypy|1.11.2|MIT|
+|multidict|6.1.0|Apache 2.0|
+|mypy|1.15.0|MIT|
 |mypy-extensions|1.0.0|MIT|
 |mypy-protobuf|3.6.0|Apache 2.0|
 |nodeenv|1.9.1|BSD|
@@ -41,35 +41,34 @@
 |opentelemetry-instrumentation-logging|0.46b0|Apache 2.0|
 |opentelemetry-sdk|1.25.0|Apache 2.0|
 |opentelemetry-semantic-conventions|0.46b0|Apache 2.0|
-|packaging|24.1|Apache 2.0<br/>BSD|
+|packaging|24.2|Apache 2.0<br/>BSD|
 |paho-mqtt|2.1.0|OSI Approved|
 |pip|23.0.1|MIT|
 |pip-tools|7.4.1|BSD|
-|platformdirs|4.2.2|MIT|
+|platformdirs|4.3.6|MIT|
 |pluggy|1.5.0|MIT|
-|pre-commit|3.8.0|MIT|
+|pre-commit|4.1.0|MIT|
+|propcache|0.3.0|Apache 2.0|
 |protobuf|5.27.2|Google License|
-|pyproject-api|1.7.1|MIT|
-|pyproject-hooks|1.1.0|MIT|
-|pytest|8.3.2|MIT|
-|pytest-asyncio|0.24.0|Apache 2.0|
-|pytest-cov|5.0.0|MIT|
-|pytz|2024.1|MIT|
+|pyproject-api|1.9.0|MIT|
+|pyproject-hooks|1.2.0|MIT|
+|pytest|8.3.5|MIT|
+|pytest-asyncio|0.25.3|Apache 2.0|
+|pytest-cov|6.0.0|MIT|
 |PyYAML|6.0.2|MIT|
 |setuptools|65.5.1|MIT|
-|six|1.16.0|MIT|
-|tomli|2.0.1|MIT|
-|tox|4.18.0|MIT|
-|types-Deprecated|1.2.9.20240311|Apache 2.0|
-|types-mock|5.1.0.20240425|Apache 2.0|
-|types-protobuf|5.27.0.20240626|Apache 2.0|
+|tomli|2.2.1|MIT|
+|tox|4.24.2|MIT|
+|types-deprecated|1.2.15.20250304|Apache 2.0|
+|types-mock|5.2.0.20250306|Apache 2.0|
+|types-protobuf|5.29.1.20250208|Apache 2.0|
 |typing-extensions|4.12.2|Python Software Foundation License|
-|tzlocal|5.2|MIT|
-|virtualenv|20.26.6|MIT|
-|wheel|0.44.0|MIT|
-|wrapt|1.16.0|BSD|
-|yarl|1.9.7|Apache 2.0|
-|zipp|3.20.1|MIT|
+|tzlocal|5.3.1|MIT|
+|virtualenv|20.29.3|MIT|
+|wheel|0.45.1|MIT|
+|wrapt|1.17.2|BSD|
+|yarl|1.18.3|Apache 2.0|
+|zipp|3.21.0|MIT|
 ## Workflows
 | Dependency | Version | License |
 |:-----------|:-------:|--------:|

README.md

@@ -63,3 +63,68 @@ By default the examples are started using the native middleware. Dapr middleware
 - [GitHub Issues](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/issues)
 - [Mailing List](https://accounts.eclipse.org/mailing-list/velocitas-dev)
 - [Contribution](./CONTRIBUTING.md/)
+
+### Creating a new release
+
+1. Update examples
+
+This repository contain some example requirement files that reference the `velocitas-sdk` package created when we release the repository.
+Update `velocitas-sdk` version number in the following files:
+
+* `.project-creation/.skeleton/requirements-velocitas.txt`
+* `examples/seat-adjuster/requirements-velocitas.txt`
+
+Use the version number intended to be used for the release.
+
+2. Create a PR with the required changes
+
+> Note: The [project creation workflow](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/actions/workflows/project-creation.yaml) will fail, since the new tag is required by the workflow but not yet available. Since these checks are not mandatory to be able to merge the PR, you can still release your changes.
+
+3. Once the PR is merged: Tag the commit and upload to GitHub
+
+Create a release in the GitHub UI and use the new tag of the form `vX.Y.X`.
+That will trigger the [release](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/actions/workflows/release.yaml) workflow.
+If the action is successfully executed a new version of `velocitas-sdk` is published in [PyPI](https://pypi.org/project/velocitas-sdk/).
+
+4. Re-run project creation tests
+
+Now, when the updated [PyPI](https://pypi.org/project/velocitas-sdk/) package exists, the [project creation workflow](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/actions/workflows/project-creation.yaml) is expected to succeed if run manually for `main`.
+If not you need to troubleshoot why it doesn't.
+
+### Updating Dependencies
+
+This repository specifies exact Python versions  in `setup.py` and other files.
+If a version needs to be updated, for example if a vulnerability is detected, the following approach needs to be followed
+
+1. Update version in `setup.py` if needed
+2. Update generated requirement files.
+
+```bash
+pip-compile -U --extra=dev
+```
+
+3. Update version in `examples/seat-adjuster/requirements.in` if needed
+4. Update generated file for Seat Adjuster
+
+```bash
+cd examples/seat-adjuster
+pip-compile -U
+```
+
+5. Update version in `.project-creation/.skeleton/requirements.in` if needed
+6. Update generated file for Skeleton
+
+```bash
+cd .project-creation/.skeleton/
+pip-compile -U
+```
+
+7. Update `NOTICE-3RD-PARTY-CONTENT.md`
+
+The easiest way to do it is to create a Pull Request.
+Then the [check license workflow](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/actions/workflows/check-licenses.yml) will fail as versions used no longer match versions stated in the file.
+Copy output from the workflow to the `NOTICE-3RD-PARTY-CONTENT.md` file and update the Pull Request.
+
+8. Update examples and create a new release
+
+As we explicitly use our "own" PyPI package we need to udpate references and create a new release, see release section above.

examples/seat-adjuster/requirements-velocitas.txt

@@ -1 +1 @@
-velocitas-sdk==0.15.4
+velocitas-sdk==0.15.5

examples/seat-adjuster/requirements.in

@@ -15,5 +15,4 @@
 grpcio==1.64.1
 protobuf==5.27.2
 cloudevents==1.11.0
-aiohttp==3.10.5
-packaging==24.1
+aiohttp==3.10.11