
SECURITY - Outdated requirements.txt for branch 3.3.x

Open · mirandadam opened this issue 3 years ago · 1 comment

Expected Behavior

Geonode would use updated versions of the packages in requirements.txt which fix relevant bugs or vulnerabilities.

Actual Behavior

Geonode uses some outdated packages with known problems.

Steps to Reproduce the Problem

  1. Install geonode from branch 3.3.x with "requirements.txt" unchanged.
  2. Install "safety" (pip install safety)
  3. Run "safety" in the same environment as Geonode.

Specifications

  • GeoNode version: 3.3.x
  • Installation method (manual, GeoNode Docker, SPCGeoNode Docker): custom podman install
  • Platform: Ubuntu 22.04.01
  • Additional details: I have not found a proper channel to communicate specific problems which should probably not be disclosed in an open issue report. If such a channel is available, please provide directions.

mirandadam, Sep 06 '22 15:09

Thanks for the super quick turnaround, @afabiani! I have just run "safety check" with the latest version and it still asks for:

  • djangorestframework >=3.12.0
  • django >= 2.2.28
  • flower > 1.0.0

mirandadam, Sep 08 '22 20:09
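A minimal, offline stand-in for the reproduction steps in the report (install from the unchanged requirements.txt, then audit it) combined with the three version floors `safety check` reported in the follow-up comment. This is an added example, not part of the issue thread and not GeoNode's own code: the floors table is taken from the comment above, the sample requirements lines are constructed for illustration and are not the real pins of the 3.3.x branch, and the version ordering is a simplified release-only comparison rather than full PEP 440. It shows what the audit step is actually checking, including the boundary case where a pin equals a strict floor; for a real audit the `safety` tool and its advisory database should still be used.

```python
"""
Added example (not GeoNode code): parse requirements.txt lines and compare
each pinned version against a table of minimum fixed versions, the way a
dependency audit such as `safety check` does.  Floors come from the thread;
the sample requirements are constructed and not GeoNode's real pins.
"""
import re
from typing import Dict, List, Tuple

# Minimum acceptable versions as reported by `safety check` in the thread.
# Each entry is (comparison operator, version).
MIN_VERSIONS: Dict[str, Tuple[str, str]] = {
    "djangorestframework": (">=", "3.12.0"),
    "django": (">=", "2.2.28"),
    "flower": (">", "1.0.0"),
}

# Matches "name[extras]<op>version"; markers and comments are stripped first.
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)"   # distribution name
    r"(?:\[[^\]]*\])?"                     # optional extras, e.g. [xml]
    r"\s*(==|>=|<=|~=|!=|>|<)\s*"          # specifier operator
    r"([0-9][A-Za-z0-9.]*)"                # version string
)


def normalize_name(name: str) -> str:
    """PEP 503 style normalisation: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.2.28' -> (2, 2, 28).  Non-numeric suffixes such as 'rc1' are dropped,
    so this orders release versions only; it is not a full PEP 440 parser."""
    parts: List[int] = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_satisfies(pinned: str, op: str, floor: str) -> bool:
    """True if `pinned` meets the floor under op ('>=' or '>').
    Both tuples are zero-padded so that '3.12' compares equal to '3.12.0'."""
    a, b = parse_version(pinned), parse_version(floor)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b if op == ">=" else a > b


def parse_requirements(text: str) -> List[Tuple[str, str, str]]:
    """Return (normalised name, operator, version) per requirement line.
    Comments, environment markers, blank lines and pip options (-r, -e,
    --index-url, ...) are skipped or stripped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_RE.match(line)
        if m:
            out.append((normalize_name(m.group(1)), m.group(2), m.group(3)))
    return out


def check_requirements(text: str,
                       floors: Dict[str, Tuple[str, str]] = MIN_VERSIONS) -> Dict[str, str]:
    """Return {name: reason} for each tracked package pinned below its floor,
    or not pinned at all (an unpinned range cannot be audited)."""
    findings: Dict[str, str] = {}
    for name, op, version in parse_requirements(text):
        if name not in floors:
            continue
        floor_op, floor = floors[name]
        if op != "==":
            findings[name] = f"not pinned ({op}{version}); cannot verify {floor_op}{floor}"
        elif not version_satisfies(version, floor_op, floor):
            findings[name] = f"pinned {version}, requires {floor_op}{floor}"
    return findings


# Constructed sample for illustration; not the real requirements.txt of 3.3.x.
SAMPLE_REQUIREMENTS = """\
# web framework
Django==2.2.24
djangorestframework[xml]==3.11.1 ; python_version >= "3.6"
flower==1.0.0
celery>=5.0
-e git+https://example.invalid/some/repo.git#egg=somepkg
"""

if __name__ == "__main__":
    for name, reason in sorted(check_requirements(SAMPLE_REQUIREMENTS).items()):
        print(f"{name}: {reason}")
```

Note that `flower==1.0.0` is reported even though it matches the floor's digits, because the floor in the thread is a strict `> 1.0.0`; a check that only compared for equality or used `>=` everywhere would silently pass it.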

Please see pull request #10065. I did my best to not break anything and my geonode-project application based on these changes is functioning perfectly, but I haven't put these changes through the CI tests (I assume travis-ci will do that against the pull request).

mirandadam, Sep 27 '22 20:09