dependencies: fix security issues

* Bumps dependencies. Co-Authored-by: Peter Weber <[email protected]>
rero · Nov 22, 2023 · d1c355a · d1c355a
1 parent ba7d577
commit d1c355a
Show file tree

Hide file tree

Showing 7 changed files with 1,044 additions and 1,020 deletions.
diff --git a/.github/workflows/continuous-integration-test.yml b/.github/workflows/continuous-integration-test.yml
@@ -18,7 +18,7 @@ jobs:
     - name: Setup node
       uses: actions/setup-node@v3
       with:
-        node-version: '12'
+        node-version: '14'
 
     - name: Docker compose up
       run: docker-compose up -d
@@ -51,7 +51,7 @@ jobs:
         poetry run ./scripts/bootstrap --ci --deploy E2E=yes
 
     - name: Run Test
-      run: poetry run ./run-tests.sh
+      run: poetry run ./scripts/test
 
     # - name: Upload Coverage ${{ matrix.tests }}
     #   if: ${{ matrix.dependencies == 'locked' }}

diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
@@ -101,7 +101,7 @@ Ready to contribute? Here's how to set up `rero-ebooks` for local development.
 
    .. code-block:: console
 
-      $ ./run-tests.sh
+      $ ./scripts/test
 
    The tests will provide you with test coverage and also check PEP8
    (code style), PEP257 (documentation), flake8 as well as build the Sphinx

diff --git a/INSTALL.rst b/INSTALL.rst
@@ -97,14 +97,14 @@ Run the test suite via the provided script:
 
 .. code-block:: console
 
-    $ ./run-tests.sh
+    $ ./scripts/test
 
 By default, end-to-end tests are skipped. You can include the E2E tests like
 this:
 
 .. code-block:: console
 
-    $ env E2E=yes ./run-tests.sh
+    $ env E2E=yes ./scripts/test
 
 For more information about end-to-end testing see `pytest-invenio
 <https://pytest-invenio.readthedocs.io/en/latest/usage.html#running-e2e-tests>`_

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -29,7 +29,6 @@ uwsgitop = ">=0.11"
 
 ## Third party invenio modules used by RERO EBOOKS
 # TODO: needed for `parameter from` fix.
-invenio-oaiserver = { git = "https://github.com/rerowep/invenio-oaiserver.git", branch = "wep-fix-from" }
 invenio-oaiharvester = { git = "https://github.com/inveniosoftware/invenio-oaiharvester.git", tag = "v1.0.0a4" }
 invenio-search = {version = ">=2.1.0,<3.0.0", extras = ["elasticsearch7"]}
 
@@ -43,22 +42,23 @@ invenio-i18n = ">=2.0.0,<3.0.0"
 invenio-db = {version = ">=1.0.14,<1.1.0", extras = ["postgresql"]}
 # Invenio base bundle
 invenio-admin = ">=1.4.0,<1.5.0"
-invenio-assets = ">=2.0.0,<3.0.0"
-invenio-formatter = ">=1.2.0,<1.3.0"
-invenio-logging = {version = ">=1.3.2,<1.4.0", extras = ["sentry-sdk"]}
-invenio-mail = ">=1.0.2,<1.1.0"
-invenio-rest = ">=1.2.8,<1.3.0"
+# invenio-assets = ">=3.0.0,<4.0.0" # error patch-package 6.5.1 semantic-ui-less
+invenio-assets = ">=1.0.0,<3.0.0"
+invenio-formatter = ">=2.0.0,<3.0.0"
+invenio-logging = {version = ">=2.0.0,<3.0.0"}
+invenio-mail = ">=2.0.0,<3.0.0"
+invenio-rest = ">=1.3.0,<1.4.0"
 invenio-theme = ">=2.0.0,<3.0.0"
 # Invenio auth bundle
-invenio-access = ">=1.4.4,<1.5.0"
-invenio-accounts = ">=2.1.0,<2.2.0"
-invenio-oauth2server = ">=2.0.0,<2.1.0"
-invenio-oauthclient = ">=2.2.0,<3.0.0"
-invenio-userprofiles = ">=2.2.0,<2.3.0"
+invenio-access = ">=2.0.0,<3.0.0"
+invenio-accounts = ">=3.0.0,<4.0.0"
+invenio-oauth2server = ">=2.0.0,<3.0.0"
+invenio-oauthclient = ">=3.0.0,<4.0.0"
+invenio-userprofiles = ">=2.2.0,<3.0.0"
 # Invenio metadata bundle
-invenio-indexer = ">=2.1.0,<2.2.0"
+invenio-indexer = ">=2.2.0,<3.0.0"
 invenio-jsonschemas = ">=1.1.4,<1.2.0"
-# invenio-oaiserver = ">=2.2.0,<2.3.0"
+invenio-oaiserver = ">=2.2.0,<2.3.0"
 invenio-pidstore = ">=1.3.0,<1.4.0"
 invenio-records-rest = ">=2.2.0,<2.3.0"
 invenio-records-ui = ">=1.2.0,<1.3.0"
@@ -68,7 +68,8 @@ invenio-records = "2.1.0,<2.2.0"
 Flask = ">=2.2.0,<2.3.0"
 dojson = ">=1.4.0"
 # TODO: dojson problem = AttributeError: 'Group' object has no attribute 'resultcallback'
-click = "<8.1.0"
+# click = "<8.1.0"
+sentry-sdk = ">=1.0.0" # normaly in invenio-logging = {version = ">=2.0.0,<3.0.0", extras = ["sentry_sdk"]}
 
 ## RERO ILS specific python modules
 PyYAML = ">=5.3.1"
@@ -165,7 +166,7 @@ apiharvester = "rero_ebooks.apiharvester.tasks"
 [tool.poe.tasks]
 bootstrap = {cmd = "./scripts/bootstrap", help = "Runs bootstrap"}
 console = {cmd = "./scripts/console", help = "Opens invenio shell"}
-run_tests = {cmd = "./run-tests.sh", help = "Runs all tests"}
+run_tests = {cmd = "./scripts/tests", help = "Runs all tests"}
 tests = {cmd = "pytest", help = "pytest"}
 tests_debug = {cmd = "./scripts/pytest -s --v --no-cov", help = "pytest -s --v --no-cov"}
 server = {cmd = "./scripts/server", help = "Starts the server "}

diff --git a/rero_ebooks/config.py b/rero_ebooks/config.py
@@ -33,6 +33,8 @@ def _(x):
     return x
 
 
+APP_THEME = ['bootstrap3']
+
 # Rate limiting
 # =============
 RATELIMIT_STORAGE_URL = 'redis://localhost:6379/3'

diff --git a/run-tests.sh → scripts/test b/run-tests.sh → scripts/test
@@ -59,20 +59,23 @@ msg "PROGRAM: ${PROGRAM}"
 
 # Poetry is a mandatory condition to launch this program!
 if [[ -z "${VIRTUAL_ENV}" ]]; then
-  error_msg+exit "Error - Launch this script via poetry command:\n\tpoetry run run-tests"
+  error_msg+exit "Error - Launch this script via poetry command:\n\tpoetry run ./scripts/test"
 fi
 
 set -e
 # TODO: find out why we have following error:
-# -> Vulnerability found in sqlalchemy version 1.4.48
+# -> Vulnerability found in flask-caching version 2.0.1
+#    Vulnerability ID: 40459
+# -> Vulnerability found in sqlalchemy version 1.4.50
 #    Vulnerability ID: 51668
 # -> Vulnerability found in sqlalchemy-utils version 0.38.3
 #    Vulnerability ID: 42194
 # -> Vulnerability found in wtforms version 2.3.3
 #    Vulnerability ID: 42852
 # -> Vulnerability found in py version 1.11.0
 #    Vulnerability ID: 51457
-safety check -o bare -i 51668 -i 42194 -i 42852 -i 51457
+info_msg "Test safety:"
+safety check -o bare -i 40459 -i 51668 -i 42194 -i 42852 -i 51457
 info_msg "Test pydocstyle:"
 pydocstyle rero_ebooks tests docs
 info_msg "Test isort:"