[all-commits] [llvm/llvm-project] 703639: Update Python requirements to fix more CVEs (#105853)
Stephan T. Lavavej via All-commits
all-commits at lists.llvm.org
Sat Aug 24 09:51:30 PDT 2024
Branch: refs/heads/main
Home: https://github.com/llvm/llvm-project
Commit: 7036394048a963dd23f1a2da269089224e30d0b2
https://github.com/llvm/llvm-project/commit/7036394048a963dd23f1a2da269089224e30d0b2
Author: Stephan T. Lavavej <stl at nuwen.net>
Date: 2024-08-24 (Sat, 24 Aug 2024)
Changed paths:
M llvm/utils/git/requirements.txt
M llvm/utils/git/requirements_formatting.txt
Log Message:
-----------
Update Python requirements to fix more CVEs (#105853)

Followup to #90109.

In Microsoft, our automated scans are warning that LLVM has vulnerable
dependencies. Specifically:

* [CVE-2024-35195](https://nvd.nist.gov/vuln/detail/CVE-2024-35195) was
fixed in `requests` 2.32.0.
* [CVE-2024-37891](https://nvd.nist.gov/vuln/detail/CVE-2024-37891) was
fixed in `urllib3` 2.2.2.

I've updated LLVM's dependencies by running the following commands in
`llvm/utils/git`:

```
pip-compile --upgrade --generate-hashes --output-file=requirements.txt requirements.txt.in
pip-compile --upgrade --generate-hashes --output-file=requirements_formatting.txt requirements_formatting.txt.in
```

Note that for `requirements_formatting.txt` this adds
`--generate-hashes` (according to my vague understanding, it's highly
desirable and was already used for `requirements.txt`) and was locally
run within `llvm/utils/git` (changing the recorded command, which
apparently was originally run from the repo root - again,
`requirements.txt` was already being regenerated with a locally run
command, so this increases consistency).

I observe that this has updated the relevant components to pick up the
CVE fixes. Note that I am largely clueless in this area, so I hope that
(like #90109) no other changes will be necessary.
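
A check a reviewer could run on a regenerated lock file to confirm what the commit message reports: every pin carries a hash and `requests` and `urllib3` are at or above the fixed releases. This is an added example, not part of the commit or of LLVM's tooling; the function names, the sample file and its placeholder digests are constructed, and the version floors are the two named in the message.

```python
import re

# Fixed releases named in the commit message above.
MIN_FIXED = {"requests": (2, 32, 0), "urllib3": (2, 2, 2)}

H = "sha256:" + "0" * 64  # constructed placeholder digest, not a real hash
# Constructed sample in pip-compile --generate-hashes layout (not LLVM's file).
SAMPLE = f"""\
requests==2.31.0 \\
    --hash={H} \\
    --hash={H}
    # via some-package
urllib3==2.2.2 \\
    --hash={H}
certifi==2024.7.4
"""

def parse_pins(text):
    """Return {name: (version, [hashes])} for every 'name==version' entry."""
    pins = {}
    # Join backslash-continued lines so each requirement is one logical line.
    for line in text.replace("\\\n", " ").splitlines():
        m = re.match(r"([A-Za-z0-9._-]+)==(\S+)", line.strip())
        if not m:
            continue  # comments, blank lines, pip options
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 normalisation
        hashes = re.findall(r"--hash=(sha256:[0-9a-f]{64})", line)
        pins[name] = (m.group(2), hashes)
    return pins

def release(version):
    """First three numeric components, zero-padded (plain releases only)."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    return tuple((nums + [0, 0, 0])[:3])

def audit(text, min_fixed=MIN_FIXED):
    """List pins that lack a hash or sit below a fixed release."""
    findings = []
    for name, (version, hashes) in sorted(parse_pins(text).items()):
        if not hashes:
            findings.append(f"{name}=={version}: no --hash entry")
        floor = min_fixed.get(name)
        if floor and release(version) < floor:
            fixed = ".".join(map(str, floor))
            findings.append(f"{name}=={version}: below fixed release {fixed}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all pins hashed and at fixed releases")
```

To audit a real file, pass its contents to `audit()`; an empty list means every pin is hashed and neither package is below its fixed release.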