Security/198 update dependencies

.github/workflows/build-and-publish.yml

@@ -18,7 +18,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.4.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.6.0
 
       - name: Build Artifacts
         run: poetry build

.github/workflows/check-release-tag.yml

@@ -15,7 +15,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.4.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.6.0
 
       - name: Check Tag Version
         # make sure the pushed/created tag matched the project version

.github/workflows/checks.yml

@@ -16,7 +16,7 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.4.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.6.0
 
       - name: Check Version(s)
         run: poetry run -- nox -s version:check
@@ -32,12 +32,16 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.4.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.6.0
 
       - name: Build Documentation
         run: |
           poetry run -- nox -s docs:build
 
+      - name: Link Check
+        run: |
+          poetry run -- nox -s links:check
+
   build-matrix:
     name: Generate Build Matrix
     uses: ./.github/workflows/matrix-python.yml
@@ -55,7 +59,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.4.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.6.0
 
       - name: Run changelog update check
         run: poetry run -- nox -s changelog:updated
@@ -74,7 +78,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.4.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.6.0
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -105,7 +109,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.4.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.6.0
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -127,7 +131,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.4.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.6.0
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -151,7 +155,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.4.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.6.0
 
       - name: Run format check
         run: poetry run -- nox -s project:format
@@ -190,7 +194,7 @@ jobs:
           sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.4.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.6.0
         with:
           python-version: ${{ matrix.python-version }}
 

.github/workflows/ci.yml

@@ -1,14 +1,10 @@
 name: CI
 
 on:
-  push:
-    branches-ignore:
-      - "github-pages/*"
-      - "gh-pages/*"
-      - "main"
-      - "master"
+  pull_request:
+      types: [opened, synchronize, reopened]
   schedule:
-    # "At 00:00 on every 7th day-of-month from 1 through 31." (https://crontab.guru)
+    # At 00:00 on every 7th day-of-month from 1 through 31. (https://crontab.guru)
     - cron: "0 0 1/7 * *"
 
 jobs:
@@ -22,5 +18,6 @@ jobs:
   Metrics:
     needs: [ CI ]
     uses: ./.github/workflows/report.yml
+    secrets: inherit
     permissions:
       contents: read

.github/workflows/gh-pages.yml

@@ -17,7 +17,7 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.4.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.6.0
 
       - name: Build Documentation
         run: |

.github/workflows/matrix-python.yml

@@ -17,7 +17,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.4.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.6.0
 
       - name: Generate matrix
         run: poetry run -- nox -s matrix:python

.github/workflows/merge-gate.yml

@@ -39,7 +39,9 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/[email protected]
+        uses: exasol/python-toolbox/.github/actions/[email protected]
+        with:
+          python-version: '3.10'
 
       - name: Allow unprivileged user namespaces
         run: |
@@ -50,7 +52,15 @@ jobs:
           SAAS_HOST: ${{ secrets.INTEGRATION_TEAM_SAAS_STAGING_HOST }}
           SAAS_ACCOUNT_ID: ${{ secrets.INTEGRATION_TEAM_SAAS_STAGING_ACCOUNT_ID }}
           SAAS_PAT: ${{ secrets.INTEGRATION_TEAM_SAAS_STAGING_PAT }}
-        run: poetry run -- pytest -rA --setup-show --backend=saas test/integration/test_cloud_storage.py
+        run: |
+            poetry run -- coverage run -a --rcfile=pyproject.toml -m pytest -rA --setup-show --backend=saas test/integration/test_cloud_storage.py
+
+      - name: Upload Artifacts
+        uses: actions/[email protected]
+        with:
+          name: coverage-python3.10-slow-saas
+          path: .coverage
+          include-hidden-files: true
 
   large-runner-tests:
     name: Text AI Tests
@@ -83,9 +93,9 @@ jobs:
           sudo rm -rf /opt/ghc
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.4.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.6.0
         with:
-          poetry-version: 2.1.2
+          python-version: '3.10'
 
       - name: Allow unprivileged user namespaces
         run: |
@@ -95,7 +105,14 @@ jobs:
         env:
           TXAIE_PRE_RELEASE_URL: ${{ vars.ZIP_URL }}
           TXAIE_PRE_RELEASE_PASSWORD: ${{ secrets.ZIP_PASSWORD }}
-        run: poetry run -- pytest -rA --setup-show test/integration/test_text_ai_extension_wrapper.py
+        run: poetry run -- coverage run -a --rcfile=pyproject.toml -m pytest -rA --setup-show test/integration/test_text_ai_extension_wrapper.py
+
+      - name: Upload Artifacts
+        uses: actions/[email protected]
+        with:
+          name: coverage-python3.10-slow-text-ai
+          path: .coverage
+          include-hidden-files: true
 
   # This job ensures inputs have been executed successfully.
   approve-merge:

.github/workflows/pr-merge.yml

@@ -28,5 +28,6 @@ jobs:
   metrics:
     needs: [ ci-job ]
     uses: ./.github/workflows/report.yml
+    secrets: inherit
     permissions:
       contents: read

.github/workflows/report.yml

@@ -19,7 +19,7 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.4.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.6.0
 
       - name: Download Artifacts
         uses: actions/[email protected]
@@ -32,6 +32,11 @@ jobs:
       - name: Validate Artifacts
         run: poetry run -- nox -s artifacts:validate
 
+      - name: Upload to sonar
+        env:
+          SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}"
+        run: poetry run -- nox -s sonar:check
+
       - name: Generate Report
         run: poetry run -- nox -s project:report -- --format json | tee metrics.json
 

.gitignore

@@ -7,4 +7,6 @@ __pycache__/
 /.lint.json
 /.lint.txt
 /.html-documentation/
+/.security.json
+/.sonar
 .build_output

doc/changes/unreleased.md

@@ -4,5 +4,10 @@
 * #182: Updated LATEST_KNOWN_VERSION to be dynamically fetched with importlib.metadata for
 transformers_extension_wrapper & sagemaker_extension_wrapper
 
+## Security
+* #198: Updated requests from >=2.32.0 to >=2.32.4 due to CVE-2024-47081 and
+transformers from ^4.50.0 to ^4.52.1 due to CVE-2025-3933 and CVE-2025-3777
+
 ## Internal
-* Relocked poetry dependencies to resolve CVE-2025-47287 and CVE-2025-47273
+* Relocked poetry dependencies to resolve CVE-2025-47287 and CVE-2025-47273
+* #198: Relocked poetry dependencies to resolve CVE-2025-50181 and CVE-2025-50182 for transitive dependency urllib3

noxconfig.py

@@ -10,8 +10,9 @@ class Config:
     root: Path = ROOT_DIR
     doc: Path = ROOT_DIR / "doc"
     version_file: Path = ROOT_DIR / "version.py"
+    source: Path = Path("exasol/nb_connector")
     path_filters: Iterable[str] = ("dist", ".eggs", "venv")
-    python_versions = ["3.10", "3.11", "3.12"]
+    python_versions: Iterable[str] = ("3.10", "3.11", "3.12")
 
 
 PROJECT_CONFIG = Config()