Merge pull request #45 from sw360/fix-CVEs

tngraf · web-flow · commit 56afb269ff41 · 2025-06-29T15:03:17.000+02:00
drop Python 3.8 support and vcrpy and update deps to fix CVEs
diff --git a/.github/workflows/deploy-documentation.yml b/.github/workflows/deploy-documentation.yml
@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.9]
 
     steps:
       - name: Checkout 🛎️
diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.8", "3.9", "3.10", "3.11"]
+        python-version: ["3.9", "3.10", "3.11"]
 
     steps:
     - uses: actions/checkout@v4
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -5,6 +5,11 @@
 
 # SW360 Base Library for Python
 
+## NEXT
+
+* Drop support for Python 3.8 (to update urllib3 to 2.5 fixing CVE-2025-50181 and -50182)
+* Update Poetry dependencies including requests 2.32.4 to fix CVE-2024-47081
+
 ## V1.9.1
 
 * We have now a more comprehensive query param encoding.
diff --git a/Readme.md b/Readme.md
@@ -6,7 +6,7 @@
 # SW360 Base Library for Python
 
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/sw360/sw360python/blob/master/License.md)
-[![Python Version](https://img.shields.io/badge/python-3.8%2C3.9%2C3.10%2C3.11-yellow?logo=python)](https://www.python.org/doc/versions/)
+[![Python Version](https://img.shields.io/badge/python-3.9%2C3.10%2C3.11-yellow?logo=python)](https://www.python.org/doc/versions/)
 [![PyPI](https://shields.io/pypi/v/sw360)](https://pypi.org/project/sw360/)
 [![Static checks](https://github.com/sw360/sw360python/actions/workflows/static-checks.yml/badge.svg)](https://github.com/sw360/sw360python/actions/workflows/static-checks.yml)
 [![Unit tests](https://github.com/sw360/sw360python/actions/workflows/unit-test.yml/badge.svg)](https://github.com/sw360/sw360python/actions/workflows/unit-test.yml)
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -22,13 +22,12 @@ classifiers = [
 ]
 
 [tool.poetry.dependencies]
-python = "^3.8" # because 3.8 is the minimum requirement for isort, mypy
-requests = "^2.32.2" # fix CVE-2024-35195 
+python = "^3.9" # 3.9 is needed for urllib 2.5 to fix CVE-2025-50181
+requests = "^2.32.4" # fix CVE-2024-47081
 
 [tool.poetry.group.dev.dependencies]
 colorama = "^0.4.6"
 sphinx = "^7.1.2"
-vcrpy = "4.0.2"
 yarl = "1.9.7" # force this version because 1.8.2 will not install
 flake8 = ">=3.7.8"
 responses = "^0.17"
diff --git a/sw360/base.py b/sw360/base.py
@@ -193,7 +193,6 @@ def api_delete(self, url: str = "") -> Optional[requests.Response]:
 
         raise SW360Error(response, url)
 
-    # type checking: not for Python 3.8: tuple[Optional[Any], Dict[str, Dict[str, str]], bool]
     def _update_external_ids(self, current_data: Dict[str, Any], ext_id_name: str, ext_id_value: str,
                              update_mode: str) -> Tuple[Optional[Any], Dict[str, Dict[str, str]], bool]:
         """Internal helper function to prepare an update/addition of external
