Are there incompatibilities between AWX and the latest version of setuptools/paramiko/pip?

actionmystique · December 29, 2023, 1:16pm

I have noticed some security vulnerabilities in the latest official awx-ee available here. Updating some python packages with their latest version would solve those flaws:

setuptools 53.0.0 → 69.0.3
paramiko 2.12.0 → 3.4.0
pip 21.2.3 → 23.3.2

It could be performed with the following lines added in execution-environment.yml:

additional_build_steps:
  append_final:
    - RUN pip3 --disable-pip-version-check list --outdated --format=json | python3 -c "import json, sys; print('\n'.join([x['name'] for x in json.load(sys.stdin)]))" | xargs -n1 pip3 install -U

The fact that it has not been done might suggest some sort of incompatibilities/conflicts with AWX.
Is it the case or is it safe to upgrade them?

ee awx ansible-builder

MallocArray · January 3, 2024, 6:23pm

What I’ve done in my EE is to manually install the latest with something like pip3 install paramiko --force and it completes but then tells me that it isn’t compatible with one of the Azure related modules, so that let me know why it wasn’t updated.

You could try that with the others and see if anything comes up.

actionmystique · January 12, 2024, 10:58am

I confirm that the azure collection drags every one down.
The only secure solution is to NOT use awx-ee and to build an ee from scratch without azure collection (and all the others) unless you really need it/them.