Merge pull request #8122 from aws/dependabot/pip/develop/colorama-0.4.6

Bump colorama from 0.4.4 to 0.4.6
aws · Apr 26, 2024 · ca849a6 · ca849a6
2 parents d48c701 + b9ab36e
commit ca849a6
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 9 deletions.
diff --git a/.changes/next-release/enhancement-dependency-63735.json b/.changes/next-release/enhancement-dependency-63735.json
@@ -0,0 +1,5 @@
+{
+  "type": "enhancement",
+  "category": "dependency",
+  "description": "Bump upper bound of colorama to <0.4.7; fixes `#7086 <https://github.com/aws/aws-cli/issues/7086>`__"
+}
diff --git a/requirements-dev-lock.txt b/requirements-dev-lock.txt
@@ -7,9 +7,9 @@
 atomicwrites==1.4.1 \
     --hash=sha256:81b2c9071a49367a7f770170e5eec8cb66567cfbbc8c73d20ce5ca4a8d71cf11
     # via -r requirements-dev.txt
-colorama==0.4.4 \
-    --hash=sha256:5941b2b48a20143d2267e95b1c2a7603ce057ee39fd88e7329b0c292aa16869b \
-    --hash=sha256:9f47eda37229f68eee03b24b9748937c7dc3868f906e8ba69fbcbdd3bc5dc3e2
+colorama==0.4.6 \
+    --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \
+    --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6
     # via -r requirements-dev.txt
 coverage[toml]==7.2.7 \
     --hash=sha256:06a9a2be0b5b576c3f18f1a241f0473575c4a26021b52b2a85263a00f034d51f \

diff --git a/scripts/make-bundle b/scripts/make-bundle
@@ -26,6 +26,12 @@ EXTRA_RUNTIME_DEPS = [
     ('virtualenv', '16.7.8'),
     ('jmespath', '0.10.0'),
 ]
+PINNED_RUNTIME_DEPS = [
+    # The CLI has a relaxed pin for colorama, but versions >0.4.5
+    # require extra build time dependencies. We are pinning it to
+    # a version that does not need those.
+    ('colorama', '0.4.5'),
+]
 BUILDTIME_DEPS = [
     ('setuptools-scm', '3.3.3'),
     ('wheel', '0.33.6'),
@@ -78,12 +84,17 @@ def download_package_tarballs(dirname, packages):
             ))
 
 
-def download_cli_deps(scratch_dir):
+def download_cli_deps(scratch_dir, packages):
+    # pip download will always download a more recent version of a package
+    # even if one exists locally. The list of packages supplied in `packages`
+    # forces the use of a specific runtime dependency.
     awscli_dir = os.path.dirname(
         os.path.dirname(os.path.abspath(__file__)))
+    pinned_packages = " ".join(
+        f"{name}=={version}" for (name, version) in packages
+    )
     with cd(scratch_dir):
-        run('pip download %s %s' % (
-            PIP_DOWNLOAD_ARGS, awscli_dir))
+        run(f"pip download {PIP_DOWNLOAD_ARGS} {pinned_packages} {awscli_dir}")
 
 
 def _remove_cli_zip(scratch_dir):
@@ -169,7 +180,7 @@ def main():
         setup_dir,
         packages=BUILDTIME_DEPS,
     )
-    download_cli_deps(package_dir)
+    download_cli_deps(package_dir, packages=PINNED_RUNTIME_DEPS)
     add_cli_sdist(package_dir)
     create_bootstrap_script(scratch_dir)
     zip_filename = zip_dir(scratch_dir)

diff --git a/setup.cfg b/setup.cfg
@@ -7,7 +7,7 @@ requires_dist =
         docutils>=0.10,<0.17
         s3transfer>=0.10.0,<0.11.0
         PyYAML>=3.10,<6.1
-        colorama>=0.2.5,<0.4.5
+        colorama>=0.2.5,<0.4.7
         rsa>=3.1.2,<4.8
 
 [check-manifest]

diff --git a/setup.py b/setup.py
@@ -28,7 +28,7 @@ def find_version(*file_paths):
     'docutils>=0.10,<0.17',
     's3transfer>=0.10.0,<0.11.0',
     'PyYAML>=3.10,<6.1',
-    'colorama>=0.2.5,<0.4.5',
+    'colorama>=0.2.5,<0.4.7',
     'rsa>=3.1.2,<4.8',
 ]