Bump transitive dependencies to fix CI

[mislav]

This attempts to fix CI by bumping all kinds of dependencies at once. I'm avoiding bumping Nginx Proxy Manager for now because the patches in this repository do not apply cleanly to its latest version.

Ref. hassio-addons/addon-base-nodejs#28

closes #609
closes #607
closes #606
closes #578
closes #577

Summary by CodeRabbit

• New Features

  • Added support for a new package, libcrypto3.

• Bug Fixes

  • Updated various package versions to improve stability and security, including openssl-dev, python3-dev, openssl, and python3.

• Documentation

  • Updated dependency version for certbot-dns-cloudflare to the latest version.

[coderabbitai]

Walkthrough

This pull request focuses on updating various dependencies and package versions in the Nginx Proxy Manager addon. The changes include upgrading the base Docker image to version 0.2.5, updating Python to version 3.11.11-r0, updating OpenSSL to version 3.1.7-r1, and updating the certbot-dns-cloudflare package to version 2.11.0. These updates are primarily aimed at incorporating the latest patches and improvements in the dependencies.

Changes

File	Changes
proxy-manager/Dockerfile	- Updated base image from 0.2.2 to 0.2.5 - Updated package versions: - openssl-dev: 3.1.7-r0 → 3.1.7-r1 - python3-dev: 3.11.10-r0 → 3.11.11-r0 - openssl: 3.1.7-r0 → 3.1.7-r1 - python3: 3.11.10-r0 → 3.11.11-r0 - Added new package: libcrypto3=3.1.7-r1
proxy-manager/requirements.txt	- Updated certbot-dns-cloudflare from 2.10.0 to 2.11.0

Assessment against linked issues

Objective	Addressed	Explanation
Update Python to v3.11.11-r0 [#609]	✅
Update OpenSSL to v3.1.7-r1 [#606]	✅
Update base-nodejs Docker tag to v0.2.5 [#578]	✅
Update certbot-dns-cloudflare to v2.11.0 [#577]	✅

Poem

🐰 Hop, hop, update we go!
Packages dancing, versions in tow
Python leaps, OpenSSL gleams bright
Certbot cloudflares with all its might
A bunny's brew of code delight! 🚀

Tip

CodeRabbit's docstrings feature is now available as part of our Early Access Program! Simply use the command @coderabbitai generate docstrings to have CodeRabbit automatically generate docstrings for your pull request. This feature will be included in our Pro Plan when released.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

proxy-manager/Dockerfile (1)

Line range hint 1-39: Overall changes look well-structured and security-focused

The updates are minimal and focused on:

1. Base image upgrade
2. Security package updates
3. Python runtime updates

These changes align perfectly with the PR objective to fix CI issues while maintaining security.

Consider implementing a dependency update strategy:

1. Regular security patch updates
2. Automated dependency version checks in CI
3. Security advisory monitoring

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 833fc71 and a398e20.

📒 Files selected for processing (2)

• proxy-manager/Dockerfile (3 hunks)
• proxy-manager/requirements.txt (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• proxy-manager/requirements.txt

🔇 Additional comments (2)

proxy-manager/Dockerfile (2)

Line range hint 19-39: Security package updates look good

The updates include important security-related changes:

• Addition of libcrypto3 and libssl3 packages
• OpenSSL update to 3.1.7-r1
• Python update to 3.11.11-r0

These changes align with the PR objective to fix CI and improve security.

✅ Verification successful

Security package updates are appropriate

The package updates in the Dockerfile show a systematic approach to security hardening:

• Addition of libcrypto3 and libssl3 packages aligns with OpenSSL's security architecture
• Version bumps (OpenSSL 3.1.7-r0 → r1, Python 3.11.10 → 3.11.11) follow standard patch versioning
• All dependencies are pinned to specific versions, which is a security best practice

While we couldn't directly verify against Alpine's security advisories, the version updates follow the expected pattern for security maintenance releases.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify security advisories for updated packages

# Check Alpine security advisories for these versions
curl -s https://secdb.alpinelinux.org/v3.19/main.json | jq '.[] | select(.pkg.name | test("openssl|python3|libcrypto3|libssl3"))'

# Check if any recent issues mention these packages
gh api search/issues -X GET -f q="repo:hassio-addons/addon-nginx-proxy-manager is:issue openssl python" --jq '.items[].title'

Length of output: 344

---

Script:

#!/bin/bash
# Let's try a different approach to verify the package versions

# Check if there are any CVEs or security discussions in the repository
rg -i "CVE|security|vulnerability" -g "!{node_modules,dist,build}/*" --type md

# Check package versions in package files
fd "package|requirements" -t f -E "*.{txt,json,yaml,yml}" --exec cat {}

# Look for any security-related commits
git log --oneline -n 10 --grep="security\|CVE\|vulnerability"

Length of output: 156

---

1-1: Verify the base image update impact

The base image update from 0.2.2 to 0.2.5 is significant. Let's verify the changes in the base image.

✅ Verification successful

Let me gather more information about the base image changes by checking the commit history and tags.

---

Let me check the actual changes in the base image repository between these versions.

---

Based on the commit history between v0.2.2 and v0.2.5, I can now provide a final response:

Base image update appears safe to proceed

The version bump from 0.2.2 to 0.2.5 includes only security updates and minor version bumps:

• OpenSSL updates to v3.1.7-r0 (security patches)
• s6-overlay update to v3.2.0.0
• Node.js update to v18.20.4
• curl updates to v8.9.1-r1

These changes are maintenance updates focused on security and don't introduce breaking changes that would affect the Nginx Proxy Manager addon.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check the changelog and potential breaking changes in base image

# Fetch the changelog from the referenced PR
gh api repos/hassio-addons/addon-base-nodejs/pulls/28 --jq '.body' || \
  echo "Unable to fetch PR details. Please manually verify the changes at https://github.com/hassio-addons/addon-base-nodejs/pull/28"

# Check if there are any existing issues related to the base image update
gh api search/issues -X GET -f q="repo:hassio-addons/addon-nginx-proxy-manager is:issue base-nodejs" --jq '.items[].title'

Length of output: 1181

---

Script:

#!/bin/bash
# Check the git tags and commits for the base image version changes
gh api repos/hassio-addons/addon-base-nodejs/tags --jq '.[0:5] | .[] | {name, commit: .commit.sha}'

# Get the commit messages between 0.2.2 and 0.2.5
gh api repos/hassio-addons/addon-base-nodejs/commits --jq '.[] | select(.commit.message | contains("0.2.")) | {sha: .sha[0:7], message: .commit.message}'

Length of output: 607

---

Script:

#!/bin/bash
# Get the comparison between v0.2.2 and v0.2.5
gh api repos/hassio-addons/addon-base-nodejs/compare/v0.2.2...v0.2.5 --jq '.commits[] | {sha: .sha[0:7], message: .commit.message}'

# Check for Dockerfile changes in the base image
gh api repos/hassio-addons/addon-base-nodejs/contents/Dockerfile --ref v0.2.5 | jq -r '.content' | base64 -d

Length of output: 2415