Skip to content

fix: remove lower-constraints.txt to resolve 41 Dependabot alerts#142

Merged
notque merged 1 commit into
masterfrom
fix/update-lower-constraints-security
Jun 8, 2026
Merged

fix: remove lower-constraints.txt to resolve 41 Dependabot alerts#142
notque merged 1 commit into
masterfrom
fix/update-lower-constraints-security

Conversation

@notque

@notque notque commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Delete lower-constraints.txt and the [testenv:lower-constraints] section from tox.ini
  • Resolves 41 of 54 open Dependabot security alerts, including all 6 critical CVEs
  • Fix tox envlist from py39 to py3 to match CI configuration

Why remove instead of update?

  1. Nobody runs it — CI (python-package.yml) runs tox (default env) and tox -e lint, never tox -e lower-constraints
  2. No Zuul — no upstream OpenStack CI tests our lower bounds
  3. The tox env was already brokenhacking>=8.0.0 doesn't exist on public PyPI
  4. Pure Dependabot noise — generates alerts against versions nothing ever installs
  5. The shared sapcc/requirements repo has the same problem — 270 alerts, all from test fixture files with 2017-era pins

Remaining alerts (13)

These require bumps in the shared sapcc/requirements constraints file:

Package Current ceiling Needs
urllib3 1.26.20 2.5.0+ (breaking API change)
cryptography 43.0.3 46.0.5+
GitPython 3.1.45 3.1.47+
requests 2.32.4 2.33.0
idna 3.10 3.15
webob 1.8.9 1.8.10
dulwich 0.24.1 1.2.5 (Windows-only NTFS vuln)

Test plan

  • Unit tests pass (76/76 via stestr)
  • CI passes on GitHub Actions (Ubuntu + Python 3.10)
  • Dependabot re-scans and confirms alert reduction

Delete lower-constraints.txt and its tox env. This file pinned ancient
package versions for lower-bound CI testing that was never run (no Zuul,
GHA only runs default tox env). Dependabot flagged 41 CVEs against these
floor versions that were never installed in production.

The remaining 13 alerts require version bumps in the shared
sapcc/requirements constraints file (urllib3 2.x, cryptography 46.x,
GitPython 3.1.47+, requests 2.33.0, idna 3.15, webob 1.8.10).

Also fix tox envlist to use py3 instead of py39 to match CI.
@notque notque force-pushed the fix/update-lower-constraints-security branch from d4983b6 to cad8f59 Compare June 4, 2026 19:15
@notque notque changed the title fix: update lower-constraints.txt to resolve 41 Dependabot alerts fix: remove lower-constraints.txt to resolve 41 Dependabot alerts Jun 4, 2026
@notque notque merged commit 9b629fb into master Jun 8, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants