追加: 依存パッケージ脆弱性診断を導入し現パッケージに適用 (#1151)

* add: `safety` audit ツールを導入 * fix: `jinja2` 脆弱性を bump して回避 * fix: `jinja2` アップデートの反映忘れを修正 * fix: `urllib3` 脆弱性を bump して回避 * fix: `gitpython` 脆弱性を bump して回避 * fix: `cryptography` 脆弱性を bump して回避 * fix: `urllib3` 依存範囲の拡大を取り下げて修正 * add: 脆弱性診断コマンドを追加 * fix: lock ファイルの更新による pyproject.toml 単純化
VOICEVOX · Apr 9, 2024 · 9a04a6d · 9a04a6d
1 parent 44571a3
commit 9a04a6d
Show file tree

Hide file tree

Showing 7 changed files with 352 additions and 51 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -205,6 +205,14 @@ poetry export --without-hashes --with license -o requirements-license.txt
 - LGPL: OK （コアと動的分離されているため）
 - GPL: NG （全関連コードの公開が必要なため）
 
+#### 脆弱性診断
+`safety` を用いた脆弱性診断により依存パッケージの安全性を確保しています。  
+以下のコマンドにより脆弱性を診断できます：  
+
+```bash
+safety check -r requirements.txt -r requirements-dev.txt -r requirements-test.txt -r requirements-license.txt
+```
+
 ### API ドキュメントの確認
 
 [API ドキュメント](https://voicevox.github.io/voicevox_engine/api/)（実体は`docs/api/index.html`）は自動で更新されます。  

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -51,7 +51,7 @@ uvicorn = "^0.15.0"
 soundfile = "^0.12.1"
 pyyaml = "^6.0"
 pyworld = "^0.3.0"
-jinja2 = "^3.1.2" # NOTE: required by fastapi
+jinja2 = "^3.1.3" # NOTE: required by fastapi
 pyopenjtalk = { git = "https://github.com/VOICEVOX/pyopenjtalk", rev = "b35fc89fe42948a28e33aed886ea145a51113f88" }
 semver = "^3.0.0"
 platformdirs = "^4.2.0"
@@ -64,6 +64,7 @@ pyinstaller = "^5.13"
 pre-commit = "^2.16.0"
 poetry = "1.8.1"
 poetry-plugin-export = "^1.6.0"
+safety = "^3.1.0"
 
 [tool.poetry.group.test.dependencies]
 pysen = "~0.10.5"
@@ -76,7 +77,7 @@ pytest = "^8.0.0"
 coveralls = "^3.2.0"
 poetry = "1.8.1"
 poetry-plugin-export = "^1.6.0"
-httpx = "^0.25.0"          # NOTE: required by fastapi.testclient.TestClient
+httpx = "^0.25.0" # NOTE: required by fastapi.testclient.TestClient
 syrupy = "^4.6.1"
 types-pyyaml = "^6.0"
 

diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -1,6 +1,7 @@
 altgraph==0.17.3 ; python_version >= "3.11" and python_version < "3.12"
 anyio==3.7.1 ; python_version >= "3.11" and python_version < "3.12"
 asgiref==3.7.2 ; python_version >= "3.11" and python_version < "3.12"
+authlib==1.3.0 ; python_version >= "3.11" and python_version < "3.12"
 build==1.0.3 ; python_version >= "3.11" and python_version < "3.12"
 cachecontrol[filecache]==0.14.0 ; python_version >= "3.11" and python_version < "3.12"
 certifi==2023.7.22 ; python_version >= "3.11" and python_version < "3.12"
@@ -11,9 +12,10 @@ cleo==2.1.0 ; python_version >= "3.11" and python_version < "3.12"
 click==8.1.7 ; python_version >= "3.11" and python_version < "3.12"
 colorama==0.4.6 ; python_version >= "3.11" and python_version < "3.12" and (platform_system == "Windows" or os_name == "nt")
 crashtest==0.4.1 ; python_version >= "3.11" and python_version < "3.12"
-cryptography==41.0.3 ; python_version >= "3.11" and python_version < "3.12" and sys_platform == "linux"
+cryptography==42.0.5 ; python_version >= "3.11" and python_version < "3.12"
 cython==3.0.7 ; python_version >= "3.11" and python_version < "3.12"
 distlib==0.3.7 ; python_version >= "3.11" and python_version < "3.12"
+dparse==0.6.4b0 ; python_version >= "3.11" and python_version < "3.12"
 dulwich==0.21.5 ; python_version >= "3.11" and python_version < "3.12"
 fastapi==0.110.0 ; python_version >= "3.11" and python_version < "3.12"
 fastjsonschema==2.19.1 ; python_version >= "3.11" and python_version < "3.12"
@@ -25,10 +27,13 @@ importlib-metadata==6.8.0 ; python_version >= "3.11" and python_version < "3.12"
 installer==0.7.0 ; python_version >= "3.11" and python_version < "3.12"
 jaraco-classes==3.3.0 ; python_version >= "3.11" and python_version < "3.12"
 jeepney==0.8.0 ; python_version >= "3.11" and python_version < "3.12" and sys_platform == "linux"
-jinja2==3.1.2 ; python_version >= "3.11" and python_version < "3.12"
+jinja2==3.1.3 ; python_version >= "3.11" and python_version < "3.12"
 keyring==24.2.0 ; python_version >= "3.11" and python_version < "3.12"
 macholib==1.16.2 ; python_version >= "3.11" and python_version < "3.12" and sys_platform == "darwin"
+markdown-it-py==3.0.0 ; python_version >= "3.11" and python_version < "3.12"
 markupsafe==2.1.3 ; python_version >= "3.11" and python_version < "3.12"
+marshmallow==3.21.1 ; python_version >= "3.11" and python_version < "3.12"
+mdurl==0.1.2 ; python_version >= "3.11" and python_version < "3.12"
 more-itertools==10.1.0 ; python_version >= "3.11" and python_version < "3.12"
 msgpack==1.0.5 ; python_version >= "3.11" and python_version < "3.12"
 nodeenv==1.8.0 ; python_version >= "3.11" and python_version < "3.12"
@@ -45,6 +50,7 @@ pre-commit==2.21.0 ; python_version >= "3.11" and python_version < "3.12"
 ptyprocess==0.7.0 ; python_version >= "3.11" and python_version < "3.12"
 pycparser==2.21 ; python_version >= "3.11" and python_version < "3.12"
 pydantic==1.10.14 ; python_version >= "3.11" and python_version < "3.12"
+pygments==2.17.2 ; python_version >= "3.11" and python_version < "3.12"
 pyinstaller-hooks-contrib==2023.7 ; python_version >= "3.11" and python_version < "3.12"
 pyinstaller==5.13.2 ; python_version >= "3.11" and python_version < "3.12"
 pyopenjtalk @ git+https://github.com/VOICEVOX/pyopenjtalk@b35fc89fe42948a28e33aed886ea145a51113f88 ; python_version >= "3.11" and python_version < "3.12"
@@ -56,6 +62,11 @@ pyyaml==6.0.1 ; python_version >= "3.11" and python_version < "3.12"
 rapidfuzz==3.6.1 ; python_version >= "3.11" and python_version < "3.12"
 requests-toolbelt==1.0.0 ; python_version >= "3.11" and python_version < "3.12"
 requests==2.31.0 ; python_version >= "3.11" and python_version < "3.12"
+rich==13.7.1 ; python_version >= "3.11" and python_version < "3.12"
+ruamel-yaml-clib==0.2.8 ; platform_python_implementation == "CPython" and python_version < "3.12" and python_version >= "3.11"
+ruamel-yaml==0.18.6 ; python_version >= "3.11" and python_version < "3.12"
+safety-schemas==0.0.2 ; python_version >= "3.11" and python_version < "3.12"
+safety==3.1.0 ; python_version >= "3.11" and python_version < "3.12"
 secretstorage==3.3.3 ; python_version >= "3.11" and python_version < "3.12" and sys_platform == "linux"
 semver==3.0.2 ; python_version >= "3.11" and python_version < "3.12"
 setuptools==68.1.2 ; python_version >= "3.11" and python_version < "3.12"
@@ -68,8 +79,9 @@ starlette==0.36.3 ; python_version >= "3.11" and python_version < "3.12"
 tomlkit==0.12.1 ; python_version >= "3.11" and python_version < "3.12"
 tqdm==4.66.1 ; python_version >= "3.11" and python_version < "3.12"
 trove-classifiers==2023.8.7 ; python_version >= "3.11" and python_version < "3.12"
+typer==0.11.0 ; python_version >= "3.11" and python_version < "3.12"
 typing-extensions==4.10.0 ; python_version >= "3.11" and python_version < "3.12"
-urllib3==2.0.4 ; python_version >= "3.11" and python_version < "3.12"
+urllib3==2.2.1 ; python_version >= "3.11" and python_version < "3.12"
 uvicorn==0.15.0 ; python_version >= "3.11" and python_version < "3.12"
 virtualenv==20.25.1 ; python_version >= "3.11" and python_version < "3.12"
 xattr==1.1.0 ; python_version >= "3.11" and python_version < "3.12" and sys_platform == "darwin"

diff --git a/requirements-license.txt b/requirements-license.txt
@@ -7,7 +7,7 @@ cython==3.0.7 ; python_version >= "3.11" and python_version < "3.12"
 fastapi==0.110.0 ; python_version >= "3.11" and python_version < "3.12"
 h11==0.14.0 ; python_version >= "3.11" and python_version < "3.12"
 idna==3.4 ; python_version >= "3.11" and python_version < "3.12"
-jinja2==3.1.2 ; python_version >= "3.11" and python_version < "3.12"
+jinja2==3.1.3 ; python_version >= "3.11" and python_version < "3.12"
 markupsafe==2.1.3 ; python_version >= "3.11" and python_version < "3.12"
 numpy==1.26.2 ; python_version >= "3.11" and python_version < "3.12"
 pip-licenses==4.3.4 ; python_version >= "3.11" and python_version < "3.12"

diff --git a/requirements-test.txt b/requirements-test.txt
@@ -14,7 +14,7 @@ colorlog==4.8.0 ; python_version >= "3.11" and python_version < "3.12"
 coverage==6.5.0 ; python_version >= "3.11" and python_version < "3.12"
 coveralls==3.3.1 ; python_version >= "3.11" and python_version < "3.12"
 crashtest==0.4.1 ; python_version >= "3.11" and python_version < "3.12"
-cryptography==41.0.3 ; python_version >= "3.11" and python_version < "3.12" and sys_platform == "linux"
+cryptography==42.0.5 ; python_version >= "3.11" and python_version < "3.12" and sys_platform == "linux"
 cython==3.0.7 ; python_version >= "3.11" and python_version < "3.12"
 dacite==1.8.1 ; python_version >= "3.11" and python_version < "3.12"
 distlib==0.3.7 ; python_version >= "3.11" and python_version < "3.12"
@@ -26,7 +26,7 @@ filelock==3.12.2 ; python_version >= "3.11" and python_version < "3.12"
 flake8-bugbear==24.2.6 ; python_version >= "3.11" and python_version < "3.12"
 flake8==7.0.0 ; python_version >= "3.11" and python_version < "3.12"
 gitdb==4.0.10 ; python_version >= "3.11" and python_version < "3.12"
-gitpython==3.1.32 ; python_version >= "3.11" and python_version < "3.12"
+gitpython==3.1.43 ; python_version >= "3.11" and python_version < "3.12"
 h11==0.14.0 ; python_version >= "3.11" and python_version < "3.12"
 httpcore==0.18.0 ; python_version >= "3.11" and python_version < "3.12"
 httpx==0.25.0 ; python_version >= "3.11" and python_version < "3.12"
@@ -37,7 +37,7 @@ installer==0.7.0 ; python_version >= "3.11" and python_version < "3.12"
 isort==5.13.2 ; python_version >= "3.11" and python_version < "3.12"
 jaraco-classes==3.3.0 ; python_version >= "3.11" and python_version < "3.12"
 jeepney==0.8.0 ; python_version >= "3.11" and python_version < "3.12" and sys_platform == "linux"
-jinja2==3.1.2 ; python_version >= "3.11" and python_version < "3.12"
+jinja2==3.1.3 ; python_version >= "3.11" and python_version < "3.12"
 keyring==24.2.0 ; python_version >= "3.11" and python_version < "3.12"
 markupsafe==2.1.3 ; python_version >= "3.11" and python_version < "3.12"
 mccabe==0.7.0 ; python_version >= "3.11" and python_version < "3.12"
@@ -87,7 +87,7 @@ trove-classifiers==2023.8.7 ; python_version >= "3.11" and python_version < "3.1
 types-pyyaml==6.0.12.12 ; python_version >= "3.11" and python_version < "3.12"
 typing-extensions==4.10.0 ; python_version >= "3.11" and python_version < "3.12"
 unidiff==0.7.5 ; python_version >= "3.11" and python_version < "3.12"
-urllib3==2.0.4 ; python_version >= "3.11" and python_version < "3.12"
+urllib3==2.2.1 ; python_version >= "3.11" and python_version < "3.12"
 uvicorn==0.15.0 ; python_version >= "3.11" and python_version < "3.12"
 virtualenv==20.25.1 ; python_version >= "3.11" and python_version < "3.12"
 xattr==1.1.0 ; python_version >= "3.11" and python_version < "3.12" and sys_platform == "darwin"

diff --git a/requirements.txt b/requirements.txt
@@ -7,7 +7,7 @@ cython==3.0.7 ; python_version >= "3.11" and python_version < "3.12"
 fastapi==0.110.0 ; python_version >= "3.11" and python_version < "3.12"
 h11==0.14.0 ; python_version >= "3.11" and python_version < "3.12"
 idna==3.4 ; python_version >= "3.11" and python_version < "3.12"
-jinja2==3.1.2 ; python_version >= "3.11" and python_version < "3.12"
+jinja2==3.1.3 ; python_version >= "3.11" and python_version < "3.12"
 markupsafe==2.1.3 ; python_version >= "3.11" and python_version < "3.12"
 numpy==1.26.2 ; python_version >= "3.11" and python_version < "3.12"
 platformdirs==4.2.0 ; python_version >= "3.11" and python_version < "3.12"