Bump some docs dependencies to resolve a Dependabot security alert#107341
Uh oh!
There was an error while loading. Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Member
hugovk commented Jul 27, 2023
Did you use If I skip that, I don't get setuptools (by the way, Python 3.12 has removed the setuptools upgrade from the command). /private/tmp ❯ python -m venv bump-docsFound existing alias for "python". You should use: "p"/private/tmp ❯ cd bump-docs/private/tmp/bump-docs ❯ bin/pip freeze/private/tmp/bump-docs ❯ bin/pip install "Sphinx~=3.2.0""docutils<0.17""Jinja2<3""MarkupSafe<2"Collecting Sphinx~=3.2.0 Using cached Sphinx-3.2.1-py3-none-any.whl (2.9 MB)Collecting docutils<0.17 Using cached docutils-0.16-py2.py3-none-any.whl (548 kB)Collecting Jinja2<3 Using cached Jinja2-2.11.3-py2.py3-none-any.whl (125 kB)Collecting MarkupSafe<2 Using cached MarkupSafe-1.1.1-cp311-cp311-macosx_10_9_universal2.whlCollecting sphinxcontrib-applehelp (from Sphinx~=3.2.0) Using cached sphinxcontrib_applehelp-1.0.4-py3-none-any.whl (120 kB)Collecting sphinxcontrib-devhelp (from Sphinx~=3.2.0) Using cached sphinxcontrib_devhelp-1.0.2-py2.py3-none-any.whl (84 kB)Collecting sphinxcontrib-jsmath (from Sphinx~=3.2.0) Using cached sphinxcontrib_jsmath-1.0.1-py2.py3-none-any.whl (5.1 kB)Collecting sphinxcontrib-htmlhelp (from Sphinx~=3.2.0) Using cached sphinxcontrib_htmlhelp-2.0.1-py3-none-any.whl (99 kB)Collecting sphinxcontrib-serializinghtml (from Sphinx~=3.2.0) Using cached sphinxcontrib_serializinghtml-1.1.5-py2.py3-none-any.whl (94 kB)Collecting sphinxcontrib-qthelp (from Sphinx~=3.2.0) Using cached sphinxcontrib_qthelp-1.0.3-py2.py3-none-any.whl (90 kB)Collecting Pygments>=2.0 (from Sphinx~=3.2.0) Using cached Pygments-2.15.1-py3-none-any.whl (1.1 MB)Collecting snowballstemmer>=1.1 (from Sphinx~=3.2.0) Using cached snowballstemmer-2.2.0-py2.py3-none-any.whl (93 kB)Collecting babel>=1.3 (from Sphinx~=3.2.0) Using cached Babel-2.12.1-py3-none-any.whl (10.1 MB)Collecting alabaster<0.8,>=0.7 (from Sphinx~=3.2.0) Using cached alabaster-0.7.13-py3-none-any.whl (13 kB)Collecting imagesize (from Sphinx~=3.2.0) Using cached imagesize-1.4.1-py2.py3-none-any.whl (8.8 kB)Collecting requests>=2.5.0 (from Sphinx~=3.2.0) Using cached requests-2.31.0-py3-none-any.whl (62 kB)Requirement already satisfied: setuptools in ./lib/python3.11/site-packages (from Sphinx~=3.2.0) (65.5.0)Collecting packaging (from Sphinx~=3.2.0) Using cached packaging-23.1-py3-none-any.whl (48 kB)Collecting charset-normalizer<4,>=2 (from requests>=2.5.0->Sphinx~=3.2.0) Using cached charset_normalizer-3.2.0-cp311-cp311-macosx_11_0_arm64.whl (122 kB)Collecting idna<4,>=2.5 (from requests>=2.5.0->Sphinx~=3.2.0) Using cached idna-3.4-py3-none-any.whl (61 kB)Collecting urllib3<3,>=1.21.1 (from requests>=2.5.0->Sphinx~=3.2.0) Using cached urllib3-2.0.4-py3-none-any.whl (123 kB)Collecting certifi>=2017.4.17 (from requests>=2.5.0->Sphinx~=3.2.0) Using cached certifi-2023.7.22-py3-none-any.whl (158 kB)Installing collected packages: snowballstemmer, urllib3, sphinxcontrib-serializinghtml, sphinxcontrib-qthelp, sphinxcontrib-jsmath, sphinxcontrib-htmlhelp, sphinxcontrib-devhelp, sphinxcontrib-applehelp, Pygments, packaging, MarkupSafe, imagesize, idna, docutils, charset-normalizer, certifi, babel, alabaster, requests, Jinja2, SphinxSuccessfully installed Jinja2-2.11.3 MarkupSafe-1.1.1 Pygments-2.15.1 Sphinx-3.2.1 alabaster-0.7.13 babel-2.12.1 certifi-2023.7.22 charset-normalizer-3.2.0 docutils-0.16 idna-3.4 imagesize-1.4.1 packaging-23.1 requests-2.31.0 snowballstemmer-2.2.0 sphinxcontrib-applehelp-1.0.4 sphinxcontrib-devhelp-1.0.2 sphinxcontrib-htmlhelp-2.0.1 sphinxcontrib-jsmath-1.0.1 sphinxcontrib-qthelp-1.0.3 sphinxcontrib-serializinghtml-1.1.5 urllib3-2.0.4[notice] A new release of pip is available: 23.1.2 -> 23.2.1[notice] To update, run: python3.11 -m pip install --upgrade pip/private/tmp/bump-docs took 2s ❯ bin/pip freezealabaster==0.7.13Babel==2.12.1certifi==2023.7.22charset-normalizer==3.2.0docutils==0.16idna==3.4imagesize==1.4.1Jinja2==2.11.3MarkupSafe==1.1.1packaging==23.1Pygments==2.15.1requests==2.31.0snowballstemmer==2.2.0Sphinx==3.2.1sphinxcontrib-applehelp==1.0.4sphinxcontrib-devhelp==1.0.2sphinxcontrib-htmlhelp==2.0.1sphinxcontrib-jsmath==1.0.1sphinxcontrib-qthelp==1.0.3sphinxcontrib-serializinghtml==1.1.5urllib3==2.0.4/private/tmp/bump-docs ❯ |
MemberAuthor
no. But I did use Python 3.13a0. Might be relevant? |
MemberAuthor
Yes, that seems to be relevant! I did the same commands with the same version of pip (23.2.1), but in a venv using Python 3.11 instead of 3.13a0, and setuptools didn't show up when I ran Shall I use that |
Member
hugovk commented Jul 27, 2023
Yeah, if we don't need setuptools, let's make sure things work okay without it. |
hugovk approved these changes Jul 27, 2023
Member
hugovk left a comment
hugovk left a comment There was a problem hiding this comment.
Thanks!
And backport to 3.11?
https://github.com/python/cpython/blob/3.11/Doc/requirements-oldest-sphinx.txt
MemberAuthor
AlexWaygood commented Jul 27, 2023
SGTM, gotta keep our docs build secure 🔒 |
AlexWaygood added needs backport to 3.11 
Contributor
miss-islington commented Jul 27, 2023
Thanks @AlexWaygood for the PR 🌮🎉.. I'm working now to backport this PR to: 3.11, 3.12. |
bedevere-bot commented Jul 27, 2023
GH-107342 is a backport of this pull request to the 3.12 branch. |
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jul 27, 2023
…ythonGH-107341) (cherry picked from commit f84d77b) Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com>
bedevere-bot commented Jul 27, 2023
GH-107343 is a backport of this pull request to the 3.11 branch. |
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jul 27, 2023
…ythonGH-107341) (cherry picked from commit f84d77b) Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com>
AlexWaygood added a commit that referenced this pull request Jul 27, 2023
AlexWaygood added a commit that referenced this pull request Jul 27, 2023
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I ran the instructions at the top of
Doc/requirements-oldest-sphinx.txtto regenerate the dependency pins. This resolves an open Dependabot security alert on the CPython repo: https://github.com/python/cpython/security/dependabot/2Because I'm using a new version of pip, it looks like
setuptoolsis now listed in thepip freezeoutput if you have a virtual environment activated (previously, it was filtered out by pip from the output ofpip freeze). We probably don't need it pinned for the docs build, so I could remove it and update the instructions inDoc/requirements-oldest-sphinx.txt? But it also probably doesn't hurt to include it, and it keeps the instructions for regenerating the file simple to just add it to the dependency pins.📚 Documentation preview 📚: https://cpython-previews--107341.org.readthedocs.build/