[Card Client] Update dependencies and weaken conservative constraints
Description
Before updating dependencies, look for any pinned dependencies or dependencies that are over-constrained (i.e. not using ^ or an equivalent).
These dependencies should ideally have their constraints weakened to ^ and/or have a comment added explaining the reason for the tighter constraint (e.g. a constraint added to avoid a version with a bug).
The weakest safe constraint should be set.
requirements.txt comments: use normal hash (#) comments, either on their own line or trailing the requirement.
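To make the "look for pinned or over-constrained dependencies without a justifying comment" step repeatable, here is an added checker for requirements.txt files (example code written for this ticket, not part of the project). It assumes that the requirements.txt equivalent of ^ is a range such as >=X.Y.Z,<X+1 or ~=X.Y, and treats exact pins, ~= on a patch version, and tighter upper bounds as conservative; the sample file and its package names are constructed.

```python
import re
from collections import namedtuple

# Constructed sample requirements.txt (illustrative names; not the project's file).
SAMPLE_REQUIREMENTS = """\
# core dependencies
django>=4.2,<5          # caret-equivalent: any 4.x release is allowed
requests==2.31.0        # pinned: newer releases break our proxy config (ticket PLACEHOLDER)
pyyaml==6.0.1
celery~=5.3.4
urllib3>=1.26
-r common.txt
"""

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
SPEC_RE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([0-9][0-9A-Za-z.*+!-]*)")
# A finding is one requirement line whose constraint is tighter than caret-style.
Finding = namedtuple("Finding", "name reason commented")

def conservative_reason(spec):
    """Why a specifier is tighter than a caret-style '>=X.Y.Z,<X+1' range (heuristic), else None."""
    for op, ver in SPEC_RE.findall(spec):
        parts = ver.split(".")
        if op in ("==", "==="):
            return f"exact pin {op}{ver}"
        if op == "~=" and len(parts) >= 3:  # ~=1.2.3 means >=1.2.3,<1.3 (one minor series)
            return f"~={ver} only allows the {'.'.join(parts[:2])}.x series"
        if op in ("<", "<=") and any(p not in ("0", "*") for p in parts[1:]):
            return f"upper bound {op}{ver} is tighter than the next major version"
    return None

def audit_requirements(text):
    """Return a Finding for every conservative constraint in a requirements.txt body."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "-")):
            continue  # blank, full-line comment, or pip option such as -r / -e
        body, _, comment = line.partition("#")  # trailing '#' text is the justification
        m = NAME_RE.match(body.strip())
        if m and (reason := conservative_reason(m.group(3))):
            findings.append(Finding(m.group(1), reason, bool(comment.strip())))
    return findings

def needs_comment(text):
    """Names failing the acceptance criterion: tighter-than-caret constraint with no comment."""
    return [f.name for f in audit_requirements(text) if not f.commented]
```

Running needs_comment over a project's requirements.txt before the update gives the list of lines that must either be weakened or gain an explanatory comment.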
The developer should use their discretion as to whether to perform this as a separate infrastructure release rather than alongside the dependency updates. Consult senior team members if necessary.
Follow the dependencies updating documentation here:
https://gitlab.developers.cam.ac.uk/uis/devops/iam/documentation/-/wikis/dependencies
For vanilla requirements.txt python projects only, just rebuilding should be enough (check for requirements.in/pip-tools, etc.).
safety pre-commit
Longer term we want to use the gitlab vulnerability scanner that is being worked on inside DevOps. In the meantime we'll add a basic python pre-commit based vulnerability scanner called safety.
This should be a dedicated MR and, if no issues are detected, a known vulnerability should be added to the repo to check that the scan fails (obviously do not merge or deploy). This can then be removed.
If the dedicated MR detects vulnerabilities, then the MR should remain in draft and a new ticket created to address the vulnerability, with the draft MR linked to that new ticket. The ticket should be tagged for backlog refinement and its priority set based on the severity of the vulnerability, with a baseline of medium priority.
Acceptance criteria
- non-^ dependencies have a comment
- remove any explicit child dependencies or other unnecessary dependencies
- new docker image built and deployed
- if python project and not using poetry, ensure a boilerplate back-porting ticket exists
- add safety pre-commit check in separate MR (see above)