chore: update requests to 2.32.2 #10992
.github/requirements.txt
--hash=sha256:34b97092d7e0a3a8cf7cd10e386f401b3737364026c45e622aa02903dffe0f07 \ | ||
--hash=sha256:f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e328580a0 | ||
# via requests | ||
requests==2.32.2 |
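Review bot: the visible part of this hunk ends at the `requests==2.32.2` pin without showing `--hash=sha256:` lines for that pin. The workflow installs this file with `pip install --require-hashes -r .github/requirements.txt`, and in that mode every pinned requirement must carry at least one hash, so please confirm the file was regenerated from `.github/requirements.in` (for example with `pip-compile --generate-hashes`) rather than edited by hand, and that the hashes of transitive entries marked `# via requests` were refreshed in the same run.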
Are there any scripts that still use it? I think it was used by `new-client.py`, but now that we moved to hermetic build, we may not need it anymore?
Answered in #10992 (comment)
.github/requirements.in
If we do still need `requests`, we should keep this `requirements.in` file. It was introduced to mitigate a security issue. @mpeddada1 probably has more info regarding why we need it as she implemented it originally.
Sure, I'll let @mpeddada1 review this PR.
Thanks all, it was used to replace `python2 -m pip install requests` in
`- run: python3 -m pip install --require-hashes -r .github/requirements.txt`
Original PR: a2bb85d. I believe it is still used for the `generate-readme` GA job so we may still need it (unless it's been replaced).
Do we need two files (`requirements.in` and `requirements.txt`) to lock the dependency version?
requests==2.32.2 |
This version requires python 3.8 or above, so bumping python version in workflow.
Resolve https://github.com/googleapis/google-cloud-java/security/dependabot/78