Fix Dependabot security alerts by updating test fixture versions

jensens · jensens · commit 7fd462a8b8b7 · 2025-10-23T18:46:27.000+02:00
- Update urllib3 from 1.26.9 to 2.5.0 (fixes 4 CVEs) - Update requests from 2.28.0 to 2.32.4 (fixes 3 CVEs) - These are test data files only, not actual dependencies - Updated corresponding test assertions to match new versions - Resolves all 7 Dependabot alerts (#1-#7) Affected files: - tests/data/requirements/constraints.txt - tests/data/requirements/basic_requirements.txt - tests/data/config_samples/config_with_overrides.ini - tests/test_config.py (updated assertions) Note: No actual security risk existed as these versions were only used in test fixture files and never installed as dependencies.
diff --git a/CHANGES.md b/CHANGES.md
@@ -10,6 +10,8 @@
   [jensens]
 - Chore: Improved test coverage for main.py from 42% to 100%. Added comprehensive tests for the main() function covering all CLI argument combinations (--verbose, --silent, --offline, --threads, --no-fetch, --fetch-only), ensuring robust testing of the entry point and all code paths.
   [jensens]
+- Chore: Updated test fixture data versions to resolve Dependabot security alerts. Updated urllib3 from 1.26.9 to 2.5.0 and requests from 2.28.0 to 2.32.4 in test data files. These are test fixtures only and were never actual dependencies or security risks. Resolves GitHub Dependabot alerts #1-7.
+  [jensens]
 - Fix: Add 'synchronize' event to pull_request workflow triggers. This ensures CI runs when PRs are updated with new commits (e.g., after rebasing or pushing new changes), not just when opened or reopened.
   [jensens]
 - Chore: Optimize GitHub Actions to prevent duplicate workflow runs on pull requests. Restrict `push` trigger to only run on `main` branch, so PRs only trigger via `pull_request` event. This reduces CI resource usage by 50% for PR workflows.
diff --git a/tests/data/config_samples/config_with_overrides.ini b/tests/data/config_samples/config_with_overrides.ini
@@ -1,8 +1,8 @@
 [settings]
 requirements-in = requirements.txt
 version-overrides =
-    requests==2.28.0
-    urllib3==1.26.9
+    requests==2.32.4
+    urllib3==2.5.0
 
 [example.package]
 url = https://github.com/example/package.git
diff --git a/tests/data/requirements/basic_requirements.txt b/tests/data/requirements/basic_requirements.txt
@@ -1,3 +1,3 @@
-requests>=2.28.0
-urllib3>=1.26.9
+requests>=2.32.4
+urllib3>=2.5.0
 packaging>=21.0
diff --git a/tests/data/requirements/constraints.txt b/tests/data/requirements/constraints.txt
@@ -1,3 +1,3 @@
-requests==2.28.0
-urllib3==1.26.9
+requests==2.32.4
+urllib3==2.5.0
 packaging==21.3
diff --git a/tests/test_config.py b/tests/test_config.py
@@ -68,9 +68,9 @@ def test_configuration_with_overrides():
     config = Configuration(str(base / "config_with_overrides.ini"))
 
     assert "requests" in config.overrides
-    assert config.overrides["requests"] == "requests==2.28.0"
+    assert config.overrides["requests"] == "requests==2.32.4"
     assert "urllib3" in config.overrides
-    assert config.overrides["urllib3"] == "urllib3==1.26.9"
+    assert config.overrides["urllib3"] == "urllib3==2.5.0"
     assert "requests" in config.override_keys
     assert "urllib3" in config.override_keys
 
