From 5319686d0e7b592799292940465943307bef0901 Mon Sep 17 00:00:00 2001 From: Tor Erik Rabben Date: Mon, 15 May 2023 13:31:07 +0200 Subject: [PATCH] [AB#110999] Feat: Update Gordo dependencies (#1316) * Updated mlflow * Updated flask * Updated sqlparse * Updated nbconvert and mistune * Install curl from (bookworm) backports to close vulnerability * Added comment about curl and backports --- Dockerfile | 6 ++++- requirements/full_requirements.txt | 41 +++++++---------------------- requirements/mlflow_requirements.in | 2 +- requirements/requirements.in | 2 +- requirements/test_requirements.in | 2 +- requirements/test_requirements.txt | 8 ++---- 6 files changed, 19 insertions(+), 42 deletions(-) diff --git a/Dockerfile b/Dockerfile index 60880183a..38434008f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,9 +26,13 @@ RUN groupadd -g 999 gordo && \ ENV HOME "/home/gordo" ENV PATH "${HOME}/.local/bin:${PATH}" +# Using backports, remove this when moving to bookworm or if future bullseye security updates include the libcurl fix +RUN echo "deb http://deb.debian.org/debian bullseye-backports main contrib non-free" >> /etc/apt/sources.list \ + && echo "deb-src http://deb.debian.org/debian bullseye-backports main contrib non-free" >> /etc/apt/sources.list + RUN apt-get update && apt-get install -y \ - curl \ jq \ + && apt-get install -y curl -t bullseye-backports \ && rm -rf /var/lib/apt/lists/* # Install requirements separately for improved docker caching diff --git a/requirements/full_requirements.txt b/requirements/full_requirements.txt index 448370157..36074d8fa 100644 --- a/requirements/full_requirements.txt +++ b/requirements/full_requirements.txt @@ -61,6 +61,8 @@ backports-weakref==1.0.post1 # via backports-tempfile bcrypt==4.0.1 # via paramiko +blinker==1.6.2 + # via flask cachetools==5.3.0 # via # google-auth 
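Review bot: The added backports entry enables `contrib non-free` and a `deb-src` line, none of which are needed to install curl, and it is appended to `/etc/apt/sources.list`, so it stays active in the final image for every later apt operation. curl is in `main`, so I would narrow the entry and put it in a drop-in file that is easy to delete when the workaround is retired: `RUN echo "deb http://deb.debian.org/debian bullseye-backports main" > /etc/apt/sources.list.d/backports.list`. In the install step, `-t bullseye-backports` also lets curl's dependencies resolve from backports, which looks intended; adding `--no-install-recommends` there (`apt-get install -y --no-install-recommends -t bullseye-backports curl`) keeps the set of packages taken from backports minimal. The new comment should also name the advisory being closed (e.g. `# closes <CVE id> in libcurl`) so the removal condition it describes can actually be checked.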
@@ -84,9 +86,7 @@ click==8.1.3 # gordo-client # mlflow cloudpickle==2.2.1 - # via - # mlflow - # shap + # via mlflow contextlib2==21.6.0 # via azureml-core contourpy==1.0.7 @@ -114,7 +114,7 @@ docker==6.0.1 # mlflow entrypoints==0.4 # via mlflow -flask==2.2.3 +flask==2.3.2 # via # -r requirements.in # mlflow @@ -163,12 +163,7 @@ humanfriendly==10.0 idna==3.4 # via requests importlib-metadata==6.3.0 - # via - # flask - # markdown - # mlflow -importlib-resources==5.12.0 - # via matplotlib + # via mlflow influxdb==5.3.1 # via gordo-core isodate==0.6.1 @@ -202,8 +197,6 @@ knack==0.10.1 # via azureml-core libclang==16.0.0 # via tensorflow -llvmlite==0.39.1 - # via numba mako==1.2.4 # via alembic markdown==3.4.3 @@ -227,7 +220,7 @@ matplotlib==3.7.1 # mlflow ml-dtypes==0.1.0 # via jax -mlflow==2.2.2 +mlflow==2.3.2 # via -r mlflow_requirements.in msal==1.21.0 # via @@ -254,8 +247,6 @@ mypy-extensions==1.0.0 # via typing-inspect ndg-httpsclient==0.5.1 # via azureml-core -numba==0.56.4 - # via shap numexpr==2.8.4 # via gordo-core numpy==1.23.5 @@ -268,14 +259,12 @@ numpy==1.23.5 # matplotlib # ml-dtypes # mlflow - # numba # numexpr # opt-einsum # pandas # pyarrow # scikit-learn # scipy - # shap # tensorboard # tensorflow # xarray @@ -296,7 +285,6 @@ packaging==21.3 # matplotlib # mlflow # plotly - # shap # tensorflow # xarray pandas==1.5.3 @@ -304,7 +292,6 @@ pandas==1.5.3 # catboost # gordo-core # mlflow - # shap # xarray paramiko==3.1.0 # via azureml-core @@ -409,18 +396,14 @@ scikit-learn==1.2.2 # via # gordo-core # mlflow - # shap scipy==1.10.1 # via # catboost # jax # mlflow # scikit-learn - # shap secretstorage==3.3.3 # via azureml-core -shap==0.41.0 - # via mlflow simplejson==3.19.1 # via # -r requirements.in @@ -439,15 +422,13 @@ six==1.16.0 # python-dateutil # querystring-parser # tensorflow -slicer==0.0.7 - # via shap smmap==5.0.0 # via gitdb sqlalchemy==2.0.9 # via # alembic # mlflow -sqlparse==0.4.3 +sqlparse==0.4.4 # via mlflow tabulate==0.9.0 # via 
@@ -471,8 +452,6 @@ termcolor==2.2.0 # via tensorflow threadpoolctl==3.1.0 # via scikit-learn -tqdm==4.65.0 - # via shap typing-extensions==4.5.0 # via # alembic @@ -490,7 +469,7 @@ urllib3==1.26.15 # requests websocket-client==1.5.1 # via docker -werkzeug==2.2.3 +werkzeug==2.3.4 # via # flask # tensorboard @@ -505,9 +484,7 @@ wrapt==1.14.1 xarray==2023.3.0 # via gordo-core zipp==3.15.0 - # via - # importlib-metadata - # importlib-resources + # via importlib-metadata # The following packages are considered to be unsafe in a requirements file: # setuptools diff --git a/requirements/mlflow_requirements.in b/requirements/mlflow_requirements.in index e33f62d68..099a1ea68 100644 --- a/requirements/mlflow_requirements.in +++ b/requirements/mlflow_requirements.in @@ -1,2 +1,2 @@ -mlflow~=2.2 +mlflow~=2.3 azureml-core~=1.49 diff --git a/requirements/requirements.in b/requirements/requirements.in index bdbebc043..4d022392d 100644 --- a/requirements/requirements.in +++ b/requirements/requirements.in @@ -5,7 +5,7 @@ h5py~=3.1 jinja2~=3.1 python-dateutil~=2.8 tensorflow>=2.11,<2.13 -Flask>=2.2.3,<3.0.0 +Flask>=2.2.5,<3.0.0 simplejson~=3.17 catboost~=1.1.1 prometheus_client~=0.7 diff --git a/requirements/test_requirements.in b/requirements/test_requirements.in index 5cf7692a9..077c481e2 100644 --- a/requirements/test_requirements.in +++ b/requirements/test_requirements.in @@ -13,7 +13,7 @@ responses~=0.23 # Due to packaging>22.0 in black 23.0, azureml-core~=1.49 requires packaging<22.0 black>=22.0,<23.0 notebook~=6.4 -nbconvert~=6.5 +nbconvert~=7.4 types-simplejson types-python-dateutil types-PyYAML diff --git a/requirements/test_requirements.txt b/requirements/test_requirements.txt index 210658aca..a1b818320 100644 --- a/requirements/test_requirements.txt +++ b/requirements/test_requirements.txt @@ -60,7 +60,6 @@ entrypoints==0.4 # via # -c full_requirements.txt # jupyter-client - # nbconvert exceptiongroup==1.1.1 # via pytest execnet==1.9.0 
@@ -120,8 +119,6 @@ jupyter-server==1.21.0 # notebook-shim jupyterlab-pygments==0.2.2 # via nbconvert -lxml==4.9.2 - # via nbconvert markupsafe==2.1.2 # via # -c full_requirements.txt @@ -131,7 +128,7 @@ matplotlib-inline==0.1.6 # via # ipykernel # ipython -mistune==0.8.4 +mistune==2.0.5 # via nbconvert mock==5.0.1 # via -r test_requirements.in @@ -146,7 +143,7 @@ nbclassic==0.4.8 # via notebook nbclient==0.5.13 # via nbconvert -nbconvert==6.5.4 +nbconvert==7.4.0 # via # -r test_requirements.in # jupyter-server @@ -350,7 +347,6 @@ types-urllib3==1.26.25.1 typing-extensions==4.5.0 # via # -c full_requirements.txt - # black # mypy urllib3==1.26.15 # via