Fix aiohttp vulnerability

.github/workflows/project-creation.yaml

@@ -92,7 +92,10 @@ jobs:
             CREATE_ARGS="-e ${{ matrix.example }}"
           fi
           velocitas create -c vapp-core-python $CREATE_ARGS
-          # Velocitas CLI fetches an older merged/released version of the example
+          # Velocitas CLI fetches an older released version of the example
+          # This is caused by vehicle-app-template that downloads latest tagged version of pkg-velocitas-main
+          # and then the SDK version mentioned in components/cores/vapp-python/.project-creation/config.json
+          # will be used.
           # But we want to check the one in this repository so lets copy it
           if [ "${{ matrix.example }}" != "no-example" ]; then
             cp -r ../sdk/examples/${{ matrix.example }}/* ../app/app

.project-creation/.skeleton/requirements-velocitas.txt

@@ -1 +1 @@
-velocitas-sdk==0.15.4
+velocitas-sdk==0.15.5

.project-creation/.skeleton/requirements.in

@@ -15,4 +15,4 @@
 grpcio==1.64.1
 protobuf==5.27.2
 cloudevents==1.11.0
-aiohttp==3.10.5
+aiohttp==3.10.11

.project-creation/.skeleton/requirements.txt

@@ -4,35 +4,39 @@
 #
 #    pip-compile
 #
-aiohappyeyeballs==2.4.0
+aiohappyeyeballs==2.4.3
     # via aiohttp
-aiohttp==3.10.5
+aiohttp==3.10.11
     # via -r requirements.in
 aiosignal==1.3.1
     # via aiohttp
-async-timeout==4.0.3
+async-timeout==5.0.1
     # via aiohttp
 attrs==24.2.0
     # via aiohttp
 cloudevents==1.11.0
     # via -r requirements.in
 deprecation==2.1.0
     # via cloudevents
-frozenlist==1.4.1
+frozenlist==1.5.0
     # via
     #   aiohttp
     #   aiosignal
 grpcio==1.64.1
     # via -r requirements.in
-idna==3.8
+idna==3.10
     # via yarl
-multidict==6.0.5
+multidict==6.1.0
     # via
     #   aiohttp
     #   yarl
-packaging==24.1
+packaging==24.2
     # via deprecation
+propcache==0.2.0
+    # via yarl
 protobuf==5.27.2
     # via -r requirements.in
-yarl==1.9.7
+typing-extensions==4.12.2
+    # via multidict
+yarl==1.17.2
     # via aiohttp

NOTICE-3RD-PARTY-CONTENT.md

@@ -3,35 +3,35 @@
 ## Python
 | Dependency | Version | License |
 |:-----------|:-------:|--------:|
-|aiohappyeyeballs|2.4.0|Other/Proprietary License<br/>Python Software Foundation License|
-|aiohttp|3.10.5|Apache 2.0|
+|aiohappyeyeballs|2.4.3|Python Software Foundation License|
+|aiohttp|3.10.11|Apache 2.0|
 |aiosignal|1.3.1|Apache 2.0|
 |APScheduler|3.10.4|MIT|
-|async-timeout|4.0.3|Apache 2.0|
+|async-timeout|5.0.1|Apache 2.0|
 |attrs|24.2.0|MIT|
-|build|1.2.1|MIT|
+|build|1.2.2.post1|MIT|
 |cachetools|5.5.0|MIT|
 |cfgv|3.4.0|MIT|
 |chardet|5.2.0|LGPL|
 |click|8.1.7|New BSD|
 |cloudevents|1.11.0|Apache 2.0|
 |colorama|0.4.6|BSD|
-|coverage|7.6.1|Apache 2.0|
-|Deprecated|1.2.14|MIT|
+|coverage|7.6.7|Apache 2.0|
+|Deprecated|1.2.15|MIT|
 |deprecation|2.1.0|Apache 2.0|
-|distlib|0.3.8|Python Software Foundation License|
+|distlib|0.3.9|Python Software Foundation License|
 |exceptiongroup|1.2.2|MIT|
-|filelock|3.15.4|The Unlicense (Unlicense)|
-|frozenlist|1.4.1|Apache 2.0|
+|filelock|3.16.1|The Unlicense (Unlicense)|
+|frozenlist|1.5.0|Apache 2.0|
 |grpc-stubs|1.53.0.5|MIT|
 |grpcio|1.64.1|Apache 2.0|
 |grpcio-tools|1.64.1|Apache 2.0|
-|identify|2.6.0|MIT|
-|idna|3.8|BSD|
+|identify|2.6.2|MIT|
+|idna|3.10|BSD|
 |importlib-metadata|7.1.0|Apache 2.0|
 |iniconfig|2.0.0|MIT|
-|multidict|6.0.5|Apache 2.0|
-|mypy|1.11.2|MIT|
+|multidict|6.1.0|Apache 2.0|
+|mypy|1.13.0|MIT|
 |mypy-extensions|1.0.0|MIT|
 |mypy-protobuf|3.6.0|Apache 2.0|
 |nodeenv|1.9.1|BSD|
@@ -41,35 +41,36 @@
 |opentelemetry-instrumentation-logging|0.46b0|Apache 2.0|
 |opentelemetry-sdk|1.25.0|Apache 2.0|
 |opentelemetry-semantic-conventions|0.46b0|Apache 2.0|
-|packaging|24.1|Apache 2.0<br/>BSD|
+|packaging|24.2|Apache 2.0<br/>BSD|
 |paho-mqtt|2.1.0|OSI Approved|
 |pip|23.0.1|MIT|
 |pip-tools|7.4.1|BSD|
-|platformdirs|4.2.2|MIT|
+|platformdirs|4.3.6|MIT|
 |pluggy|1.5.0|MIT|
-|pre-commit|3.8.0|MIT|
+|pre-commit|4.0.1|MIT|
+|propcache|0.2.0|Apache 2.0|
 |protobuf|5.27.2|Google License|
-|pyproject-api|1.7.1|MIT|
-|pyproject-hooks|1.1.0|MIT|
-|pytest|8.3.2|MIT|
+|pyproject-api|1.8.0|MIT|
+|pyproject-hooks|1.2.0|MIT|
+|pytest|8.3.3|MIT|
 |pytest-asyncio|0.24.0|Apache 2.0|
-|pytest-cov|5.0.0|MIT|
-|pytz|2024.1|MIT|
+|pytest-cov|6.0.0|MIT|
+|pytz|2024.2|MIT|
 |PyYAML|6.0.2|MIT|
 |setuptools|65.5.1|MIT|
 |six|1.16.0|MIT|
-|tomli|2.0.1|MIT|
-|tox|4.18.0|MIT|
-|types-Deprecated|1.2.9.20240311|Apache 2.0|
+|tomli|2.1.0|MIT|
+|tox|4.23.2|MIT|
+|types-Deprecated|1.2.15.20241117|Apache 2.0|
 |types-mock|5.1.0.20240425|Apache 2.0|
-|types-protobuf|5.27.0.20240626|Apache 2.0|
+|types-protobuf|5.28.3.20241030|Apache 2.0|
 |typing-extensions|4.12.2|Python Software Foundation License|
 |tzlocal|5.2|MIT|
-|virtualenv|20.26.3|MIT|
-|wheel|0.44.0|MIT|
+|virtualenv|20.27.1|MIT|
+|wheel|0.45.0|MIT|
 |wrapt|1.16.0|BSD|
-|yarl|1.9.7|Apache 2.0|
-|zipp|3.20.1|MIT|
+|yarl|1.17.2|Apache 2.0|
+|zipp|3.21.0|MIT|
 ## Workflows
 | Dependency | Version | License |
 |:-----------|:-------:|--------:|

README.md

@@ -63,3 +63,77 @@ By default the examples are started using the native middleware. Dapr middleware
 - [GitHub Issues](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/issues)
 - [Mailing List](https://accounts.eclipse.org/mailing-list/velocitas-dev)
 - [Contribution](./CONTRIBUTING.md/)
+
+### Creating a new release
+
+1. Update examples
+
+This repository contain some example requirement files that reference the `velocitas-sdk` package created when we release the repository.
+Update `velocitas-sdk` version number in the following files:
+
+* `.project-creation/.skeleton/requirements-velocitas.txt`
+* `examples/seat-adjuster/requirements-velocitas.txt`
+
+Use the version number intended to be used for the release.
+As the version has not yet been released an error in Continuous Integration for the
+[Project creation](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/actions/workflows/project-creation.yaml)
+workflow is expected.
+
+```
+Running post init hook for 'sdk-installer'
+Running 'run'...
+ExecExitError: Program returned exit code: 1
+```
+
+It is recommended to test locally that the not yet released SDK is compatible with the Seat Adjuster example and then merge the changes
+even if Continuos Integration fails.
+
+2. Tag the commit and upload to GitHub
+
+Create a tag of the form `vX.Y.X` and upload to the repository.
+That will trigger the [release](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/actions/workflows/release.yaml) workflow.
+If the action is successfully executed a new [GitHub release](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/releases) shall have been created as well as as
+a new version of `velocitas-lib` published in [PyPI](https://pypi.org/project/velocitas-sdk/).
+
+3. Re-run project creation tests
+
+Now when the updated [PyPI](https://pypi.org/project/velocitas-sdk/) package exists the [Project creation](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/actions/workflows/project-creation.yaml) workflow is expected to succeed if run manually for `main`.
+If not you need to troubleshoot why it doesn't.
+
+### Updating Dependencies
+
+This repository specify exact Python versions  in `setup.py` and other files.
+If a version needs to be updated, for example if a vulnerability is detected, the following approach needs to be followed
+
+1. Update version in `setup.py` if needed
+2. Update generated requirement files.
+
+```bash
+pip-compile -U --extra=dev
+```
+
+3. Update version in `examples/seat-adjuster/requirements.in` if needed
+4. Update generated file for Seat Adjuster
+
+```bash
+cd examples/seat-adjuster
+pip-compile -U
+```
+
+5. Update version in `.project-creation/.skeleton/requirements.in` if needed
+6. Update generated file for Skeleton
+
+```bash
+cd .project-creation/.skeleton/
+pip-compile -U
+```
+
+7. Update `NOTICE-3RD-PARTY-CONTENT.md`
+
+The easiest way to do it is to create a Pull Request.
+Then the [check license workflow](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/actions/workflows/check-licenses.yml) will fail as versions used no longer match versions stated in the file.
+Copy output from the workflow to the `NOTICE-3RD-PARTY-CONTENT.md` file and update the Pull Request.
+
+8. Update examples and create a new release
+
+As we explicitly use our "own" PyPI package we need to udpate references and create a new release, see release section above.

examples/seat-adjuster/requirements-velocitas.txt

@@ -1 +1 @@
-velocitas-sdk==0.15.4
+velocitas-sdk==0.15.5

examples/seat-adjuster/requirements.in

@@ -15,5 +15,5 @@
 grpcio==1.64.1
 protobuf==5.27.2
 cloudevents==1.11.0
-aiohttp==3.10.5
+aiohttp==3.10.11
 packaging==24.1

examples/seat-adjuster/requirements.txt

@@ -4,37 +4,41 @@
 #
 #    pip-compile
 #
-aiohappyeyeballs==2.4.0
+aiohappyeyeballs==2.4.3
     # via aiohttp
-aiohttp==3.10.5
+aiohttp==3.10.11
     # via -r requirements.in
 aiosignal==1.3.1
     # via aiohttp
-async-timeout==4.0.3
+async-timeout==5.0.1
     # via aiohttp
 attrs==24.2.0
     # via aiohttp
 cloudevents==1.11.0
     # via -r requirements.in
 deprecation==2.1.0
     # via cloudevents
-frozenlist==1.4.1
+frozenlist==1.5.0
     # via
     #   aiohttp
     #   aiosignal
 grpcio==1.64.1
     # via -r requirements.in
-idna==3.8
+idna==3.10
     # via yarl
-multidict==6.0.5
+multidict==6.1.0
     # via
     #   aiohttp
     #   yarl
 packaging==24.1
     # via
     #   -r requirements.in
     #   deprecation
+propcache==0.2.0
+    # via yarl
 protobuf==5.27.2
     # via -r requirements.in
-yarl==1.9.7
+typing-extensions==4.12.2
+    # via multidict
+yarl==1.17.2
     # via aiohttp

requirements-links.txt

@@ -1 +1,2 @@
+# Needed by some old examples that rely on a pre-generated signal model
 git+https://github.com/eclipse-velocitas/[email protected]