Address Github Dependabot warnings about dnspython<2.6.1 vulnerability. We cannot use 2.x on py2 so comments can only emphasize that one should really use one of the patched 1.x versions in that case. Let's see if that makes Dependabot happy. Added some more version rules and notes about version compatibility. Synchronized the latest changes to recommended.txt for consistency.

git-svn-id: svn+ssh://svn.code.sf.net/p/migrid/code/trunk@6110 b75ad72c-e7d7-11dd-a971-7dbc132099af

Author: jonasbardino

recommended.txt

@@ -1,10 +1,24 @@
 # migrid core dependencies on a format suitable for pip install as described on
 # https://pip.pypa.io/en/stable/reference/requirement-specifiers/
 future
+# NOTE: python-3.6 and earlier versions require older pyotp, whereas 3.7+
+#       should work with any modern version. We tested 2.9.0 to work.
 pyotp;python_version >= "3"
+pyotp<2.8;python_version > "3" and python_version < "3.7"
 pyotp<2.4;python_version < "3"
 pyyaml
-email-validator
+# NOTE: python-2.7 requires older dnspython, whereas 3.x should work with any
+#       modern version. We tested 2.6.1 to work.
+# IMPORTANT: there's a known security issue (CVE-2023-29483) in dnspython<2.6.1
+#            as explained on https://www.dnspython.org/news/2.6.1/
+dnspython>=2.6.1;python_version >= "3"
+# NOTE: one should use a patched 1.x version e.g. from RHEL/Rocky 8 if on python2
+dnspython<2;python_version < "3"
+# NOTE: python-3.6 and earlier versions require older email-validator, whereas
+#       3.7+ should work with any modern version. We tested 2.2.0 to work.
+email-validator;python_version >= "3.7"
+email-validator<2.0;python_version >= "3" and python_version < "3.7"
+email-validator<1.3;python_version < "3"
 
 # migrid recommended libs on a format suitable for pip install as described on
 # https://pip.pypa.io/en/stable/reference/requirement-specifiers/
@@ -29,7 +43,6 @@ nbconvert
 papermill
 notebook_parameterizer
 psutil
-dnspython
 # sslkeylog requires libssl-dev or similar system package to build
 #sslkeylog
 pyenchant

requirements.txt

@@ -1,12 +1,22 @@
 # migrid core dependencies on a format suitable for pip install as described on
 # https://pip.pypa.io/en/stable/reference/requirement-specifiers/
 future
+# NOTE: python-3.6 and earlier versions require older pyotp, whereas 3.7+
+#       should work with any modern version. We tested 2.9.0 to work.
 pyotp;python_version >= "3"
+pyotp<2.8;python_version > "3" and python_version < "3.7"
 pyotp<2.4;python_version < "3"
 pyyaml
-dnspython;python_version >= "3"
+# NOTE: python-2.7 requires older dnspython, whereas 3.x should work with any
+#       modern version. We tested 2.6.1 to work.
+# IMPORTANT: there's a known security issue (CVE-2023-29483) in dnspython<2.6.1
+#            as explained on https://www.dnspython.org/news/2.6.1/
+dnspython>=2.6.1;python_version >= "3"
+# NOTE: one should use a patched 1.x version e.g. from RHEL/Rocky 8 if on python2
 dnspython<2;python_version < "3"
-email-validator<2.1;python_version >= "3.7"
+# NOTE: python-3.6 and earlier versions require older email-validator, whereas
+#       3.7+ should work with any modern version. We tested 2.2.0 to work.
+email-validator;python_version >= "3.7"
 email-validator<2.0;python_version >= "3" and python_version < "3.7"
 email-validator<1.3;python_version < "3"