From 6845418bb207342f1d6fb68a1c8472aaf4f99896 Mon Sep 17 00:00:00 2001 From: Georgy Moiseev Date: Mon, 18 Jul 2022 18:09:46 +0300 Subject: [PATCH 1/4] ci: remove unused msgpack variable in EE test Tests with Tarantool EE runs only with latest msgpack, so "msgpack-deps" variable and Actions steps for it are not used. --- .github/workflows/testing.yml | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 5b347773..d0f8721d 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -123,9 +123,6 @@ jobs: - '2.8.3-21-g7d35cd2be-r470' - '2.10.0-1-gfa775b383-r486-linux-x86_64' python: ['3.5', '3.6', '3.7', '3.8', '3.9', '3.10'] - msgpack-deps: - # latest msgpack will be installed as a part of requirements.txt - - '' steps: - name: Clone the connector @@ -150,21 +147,6 @@ jobs: with: python-version: ${{ matrix.python }} - - name: Install specific version of msgpack package - if: startsWith(matrix.msgpack-deps, 'msgpack==') == true - run: | - pip install ${{ matrix.msgpack-deps }} - - - name: Install specific version of msgpack-python package - # msgpack package is a replacement for deprecated msgpack-python. - # To test compatibility with msgpack-python we must ignore - # requirements.txt install of msgpack package by overwriting it - # with sed. - if: startsWith(matrix.msgpack-deps, 'msgpack-python==') == true - run: | - pip install ${{ matrix.msgpack-deps }} - sed -i -e "s/^msgpack.*$/${{ matrix.msgpack-deps }}/" requirements.txt - - name: Install package requirements run: pip install -r requirements.txt From 39793c10cf262cf5e0d3ab7d3c61a9d60a16adbc Mon Sep 17 00:00:00 2001 
From: Georgy Moiseev Date: Tue, 19 Jul 2022 14:01:33 +0300 Subject: [PATCH 2/4] deps: bump msgpack requirement to 1.0.4 In this patch we bump msgpack requirement since version 1.0.4 has various vulnerability fixes (for example, [1]). Since the code is still compatible with msgpack-python and older msgpack, tests are not removed in this patch. 1. https://github.com/msgpack/msgpack-python/pull/153 --- .github/workflows/testing.yml | 18 +++++++----------- CHANGELOG.md | 3 +++ requirements.txt | 2 +- setup.py | 2 +- 4 files changed, 12 insertions(+), 13 deletions(-) diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index d0f8721d..ef8aeccc 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -53,7 +53,7 @@ jobs: msgpack-deps: 'msgpack==0.6.2' - tarantool: '2.8' python: '3.10' - msgpack-deps: 'msgpack==1.0.0' + msgpack-deps: 'msgpack==1.0.4' steps: - name: Clone the connector @@ -77,16 +77,12 @@ jobs: python-version: ${{ matrix.python }} - name: Install specific version of msgpack package - if: startsWith(matrix.msgpack-deps, 'msgpack==') == true - run: | - pip install ${{ matrix.msgpack-deps }} - - - name: Install specific version of msgpack-python package - # msgpack package is a replacement for deprecated msgpack-python. - # To test compatibility with msgpack-python we must ignore - # requirements.txt install of msgpack package by overwriting it - # with sed. - if: startsWith(matrix.msgpack-deps, 'msgpack-python==') == true + # We want to enforce using modern msgpack since it has + # various vulnerability fixes. But the code is compatible + # with older msgpack versions and msgpack-python package. + # To this test compatibility we must ignore requirements.txt + # install of the newer msgpack package by overwriting it with sed. + if: matrix.msgpack-deps != '' run: | pip install ${{ matrix.msgpack-deps }} sed -i -e "s/^msgpack.*$/${{ matrix.msgpack-deps }}/" requirements.txt 
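Review bot: The merged "Install specific version of msgpack package" step interpolates `${{ matrix.msgpack-deps }}` directly into both the `pip install` command and the `sed` expression; the values appear to come from matrix entries written in the workflow file itself, so this is not an injection risk as written, but the usual hardening for `run:` blocks is to pass the value through `env:` and reference it as `"$MSGPACK_DEPS"` so the shell rather than the expression engine handles quoting. The rewritten comment also reads `To this test compatibility`; it should be `# To test this compatibility we must ignore requirements.txt`. Worth stating in that comment as well: with `if: matrix.msgpack-deps != ''` the sed rewrite now runs for every non-empty entry, including the `msgpack==0.6.2` and `msgpack==1.0.4` rows, which is required once requirements.txt pins `msgpack>=1.0.4` but is a behaviour change from the old msgpack-python-only branch. The enclosing job and its `steps:` list start outside the hunk.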
diff --git a/CHANGELOG.md b/CHANGELOG.md index ad8892e5..c09eea66 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added ### Changed +- Bump msgpack requirement to 1.0.4 (PR #223). + The only reason of this bump is various vulnerability fixes, + msgpack>=0.4.0 and msgpack-python==0.4.0 are still supported. ### Fixed diff --git a/requirements.txt b/requirements.txt index 14261dfd..46dff380 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1 +1 @@ -msgpack>=0.4.0 +msgpack>=1.0.4 diff --git a/setup.py b/setup.py index c57573d5..7d84f4fd 100755 --- a/setup.py +++ b/setup.py @@ -83,7 +83,7 @@ def find_version(*file_paths): cmdclass=cmdclass, command_options=command_options, install_requires=[ - 'msgpack>=0.4.0', + 'msgpack>=1.0.4', ], python_requires='>=3', ) From aa6dd4efd4ca45f4cd84191edb67191550e97310 Mon Sep 17 00:00:00 2001 From: Georgy Moiseev Date: Mon, 18 Jul 2022 18:11:40 +0300 Subject: [PATCH 3/4] deps: bump test PyYAML requirement to 6.0 In this patch we bump PyYAML requirement since version 6.0 has various vulnerability fixes (see [1-3]). Since PyYAML is used only in tests, the only reason of this patch is to remove Dependabot alerts. After migrating to GitHub Actions issue [4] is no longer relevant, so we are not restricted to using 5.2b1 version. There is no PyYAML 6.0 for Python 3.5 since it reached the end of its life on September 13th, 2020. So this patch removed Python 3.5 pipeline as well. 1. https://github.com/tarantool/tarantool-python/security/dependabot/1 2. https://github.com/tarantool/tarantool-python/security/dependabot/2 3. https://github.com/tarantool/tarantool-python/security/dependabot/3 4. https://github.com/tarantool/tarantool-python/commit/4f79627ef23e6fc8c77562cc9072a5c385afc521 --- .github/workflows/testing.yml | 3 +-- requirements-test.txt | 4 +--- 2 files changed, 2 insertions(+), 5 deletions(-) 
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index ef8aeccc..e21dafa5 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -27,7 +27,6 @@ jobs: - '2.8' - '2.x-latest' python: - - '3.5' - '3.6' - '3.7' - '3.8' @@ -118,7 +117,7 @@ jobs: - '1.10.11-0-gf0b0e7ecf-r470' - '2.8.3-21-g7d35cd2be-r470' - '2.10.0-1-gfa775b383-r486-linux-x86_64' - python: ['3.5', '3.6', '3.7', '3.8', '3.9', '3.10'] + python: ['3.6', '3.7', '3.8', '3.9', '3.10'] steps: - name: Clone the connector diff --git a/requirements-test.txt b/requirements-test.txt index 5a825685..7cc39625 100644 --- a/requirements-test.txt +++ b/requirements-test.txt @@ -1,4 +1,2 @@ dbapi-compliance==1.15.0 -# Use this pyyaml version to be compatible with Python34-x64 on Windows. -# See for more details http://help.appveyor.com/discussions/problems/28023. -pyyaml==5.2b1 +pyyaml==6.0 From f2e2baa26dc740aaf97d180e723b961309b5f296 Mon Sep 17 00:00:00 2001 From: Georgy Moiseev Date: Mon, 18 Jul 2022 18:36:48 +0300 Subject: [PATCH 4/4] ci: install Tarantool 2.10 with GitHub Actions After update [1] and Tarantool 2.10 release it is possible to install it with setup-tarantool tools. This patch uses setup-tarantool to install release Tarantool 2.10 instead of pre-release one. 1. https://github.com/tarantool/setup-tarantool/commit/6c88e714dad96108ac3cb6f704249c7482435efa --- .github/workflows/testing.yml | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index e21dafa5..fdb427e3 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -25,7 +25,7 @@ jobs: tarantool: - '1.10' - '2.8' - - '2.x-latest' + - '2.10' python: - '3.6' - '3.7' 
@@ -59,17 +59,10 @@ jobs: uses: actions/checkout@v2 - name: Install tarantool ${{ matrix.tarantool }} - if: matrix.tarantool != '2.x-latest' uses: tarantool/setup-tarantool@v1 with: tarantool-version: ${{ matrix.tarantool }} - - name: Install latest tarantool 2.x - if: matrix.tarantool == '2.x-latest' - run: | - curl -L https://tarantool.io/pre-release/2/installer.sh | sudo bash - sudo apt install -y tarantool tarantool-dev - - name: Setup Python for tests uses: actions/setup-python@v2 with: @@ -173,6 +166,7 @@ jobs: tarantool: - '1.10' - '2.8' + - '2.10.0.g0a5ce0b9c-1' python: - '3.10' @@ -196,12 +190,20 @@ jobs: with: distribution: Ubuntu-20.04 - - name: Install tarantool ${{ matrix.tarantool }} for WSL + - name: Install tarantool ${{ matrix.tarantool }} for WSL (2.8 and older) + if: (matrix.tarantool == '1.10') || (matrix.tarantool == '2.8') shell: wsl-bash_Ubuntu-20.04 {0} run: | curl -L https://tarantool.io/installer.sh | VER=${{ matrix.tarantool }} bash -s -- --type "release" sudo apt install -y tarantool tarantool-dev + - name: Install tarantool ${{ matrix.tarantool }} for WSL (2.10 and newer) + if: (matrix.tarantool != '1.10') && (matrix.tarantool != '2.8') + shell: wsl-bash_Ubuntu-20.04 {0} + run: | + curl -L https://tarantool.io/release/2/installer.sh | bash -s + sudo apt install -y tarantool=${{ matrix.tarantool }} tarantool-dev=${{ matrix.tarantool }} + - name: Setup test tarantool instance shell: wsl-bash_Ubuntu-20.04 {0} run: |
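Review bot: The new "Install tarantool for WSL (2.10 and newer)" step pipes `curl -L https://tarantool.io/release/2/installer.sh` straight into `bash -s` without `-f`, so an HTTP error response or a truncated download is fed to bash or silently ignored instead of failing the step, and the installer script itself is neither version-pinned nor checksum-verified even though the resulting package is pinned with `tarantool=${{ matrix.tarantool }}`. Downloading first and running from disk makes failures visible: `curl -fsSL -o installer.sh https://tarantool.io/release/2/installer.sh`, `bash installer.sh`, then the existing `sudo apt install` line; if upstream publishes a digest for the installer, verifying it before `bash` would close the remaining gap. The pre-existing 2.8-and-older step has the same `curl | bash` shape and could be tightened the same way. The two `if:` conditions route anything other than '1.10' and '2.8' to the 2.10 installer, so a future matrix entry older than 2.10 would silently take the wrong path; a comment such as `# every matrix entry other than 1.10 and 2.8 is expected to be 2.10 or newer` above the step would record that assumption. The job's `steps:` list continues outside the hunk.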