Version 0.44.0 of Spellcheck (GitHub) Action have just seen the light of day.
This is yet another maintenance release, since the base Docker image for Python had been updated from version 3.12.7 to 3.13.0 and the plan is to keep up.
The PR with the updated failed it's test and when inspecting the logs of the run, I observed that the lxml
dependency had issues.
I have had problems in the exact area before and I learned about Python's concept of wheels. The wheel I was using with Python 3.12.7 and earlier was not available for 3.13.0. And to my surprise I found out the world had turned - several times actually.
I had lifted the dependencies from the core component PySpelling into a requirements.txt
so I could keep track of possible security advisories.
The was the version prior to version 0.44.0:
backrefs==5.6
beautifulsoup4==4.12.2
bracex==2.1.1
html5lib==1.1
lxml==4.9.3
Markdown==3.4.4
pymdown-extensions==10.4
pyspelling==2.10
PyYAML==6.0.1
six==1.16.0
soupsieve==2.5
wcmatch>=8.5
webencodings==0.5.1
zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
As you can see a dependency (zipp
) has been included, only to be pinned, due to a security advisory.
I had a look at lxml
and discovered that the 4.9.3
release was from 5th. of July 2023, so I had fallen behind. The latest was 5.3.0
and a wheel was available.
I did a build of PySpelling, based on it's repository and inspected, what it was using. I could see that it was using version: 5.3.0
of lxxml
so I bumped lxml
from 4.9.3
to 5.3.0
and all my tests passed.
It then struck me that I can actually not updated the requirements since release: 0.35.0
released on 16th. of November 2023. I decided to inspect the other dependencies to bump to newer versions.
The recent version of my requirements.txt
ended looking as follows:
backrefs==5.6
beautifulsoup4==4.12.3
bracex==2.5.post1
html5lib==1.1
lxml==5.3.0
Markdown==3.7
pymdown-extensions==10.11.2
pyspelling==2.10
PyYAML==6.0.2
six==1.16.0
soupsieve==2.6
wcmatch>=10.0
webencodings==0.5.1
zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
With the following changes applied:
- lxml bumped from version 4.9.3 to 5.3.0
- beautifulsoup4 bumped from version 4.12.2 to 4.12.3
- Markdown bumped from version 3.4.4 to 3.7
- pymdown-extensions bumped from version 10.4 to 10.11.2
- PyYAML bumped from version 6.0.1 to 6.0.2
- soupsieve bumped from version 2.5 to 2.6
I know the software can run on older versions, but since I only need this for building the Docker image, I do not see a problem with setting the bar a little higher than minimum requirement.
I think I should keep a closer eye on the dependencies in the future, I know get notified if there are security issues, but it would be easier to do baby-step updates as I do for the base image and I would love to dig into all of the change logs (see release notes below).
I must admit that I was expected the number of releases to slow down, but for October it has been a little crazy:
- 8th. of October 0.43.0
- 17th. of October 0.43.1
- 25th. of October 0.44.0
I hope things will slow down now, also because it is Hacktoberfest time and I have other projects I would like to look work on.
Happy coding and have a nice weekend.
Change log for release 0.44.0
0.44.0, 2024-10-25, maintenance release, update not required
Docker image updated to Python 3.13.0 slim via PR #217 from Dependabot. Release notes for Python 3.13.0
Since lxml was not building I bumped to the latest release 5.3.0. In in relation to that, so I while I was at it I went through the dependencies and updated the ones possible using a PySpelling build as the baseline. The following dependencies were updated:
beautifulsoup4 bumped from version 4.12.2 to 4.12.3, see release notes
lxml bumped from version 4.9.3 to 5.3.0, see release notes
Markdown bumped from version 3.4.4 to 3.7, see release notes
pymdown-extensions bumped from version 10.4 to 10.11.2, see release notes
PyYAML bumped from version 6.0.1 to 6.0.2, see release notes
soupsieve bumped from version 2.5 to 2.6, see release notes