Security/640 resolve vulnerability with pip

.github/workflows/build-and-publish.yml

@@ -15,7 +15,7 @@ jobs:
       contents: write
     steps:
       - name: SCM Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Python & Poetry Environment
         uses: exasol/python-toolbox/.github/actions/python-environment@v1

.github/workflows/check-release-tag.yml

@@ -12,7 +12,7 @@ jobs:
       contents: read
     steps:
       - name: SCM Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Python & Poetry Environment
         uses: exasol/python-toolbox/.github/actions/python-environment@v1

.github/workflows/checks.yml

@@ -11,7 +11,7 @@ jobs:
       contents: read
     steps:
       - name: SCM Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -29,7 +29,7 @@ jobs:
       contents: read
     steps:
       - name: SCM Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Python & Poetry Environment
         uses: exasol/python-toolbox/.github/actions/python-environment@v1
@@ -56,7 +56,7 @@ jobs:
     if: ${{ github.ref != 'refs/heads/main' && github.ref != 'refs/heads/master' }}
     steps:
       - name: SCM Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Python & Poetry Environment
         uses: exasol/python-toolbox/.github/actions/python-environment@v1
@@ -75,7 +75,7 @@ jobs:
       matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
     steps:
       - name: SCM Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Python & Poetry Environment
         uses: exasol/python-toolbox/.github/actions/python-environment@v1
@@ -86,7 +86,7 @@ jobs:
         run: poetry run -- nox -s lint:code
 
       - name: Upload Artifacts
-        uses: actions/upload-artifact@v4.6.2
+        uses: actions/upload-artifact@v5
         with:
           name: lint-python${{ matrix.python-version }}
           path: |
@@ -106,7 +106,7 @@ jobs:
 
     steps:
       - name: SCM Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Python & Poetry Environment
         uses: exasol/python-toolbox/.github/actions/python-environment@v1
@@ -128,7 +128,7 @@ jobs:
 
     steps:
       - name: SCM Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Python & Poetry Environment
         uses: exasol/python-toolbox/.github/actions/python-environment@v1
@@ -139,7 +139,7 @@ jobs:
         run: poetry run -- nox -s lint:security
 
       - name: Upload Artifacts
-        uses: actions/upload-artifact@v4.6.2
+        uses: actions/upload-artifact@v5
         with:
           name: security-python${{ matrix.python-version }}
           path: .security.json
@@ -152,17 +152,33 @@ jobs:
       contents: read
     steps:
       - name: SCM Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Python & Poetry Environment
         uses: exasol/python-toolbox/.github/actions/python-environment@v1
 
       - name: Run format check
         run: poetry run -- nox -s project:format
 
+  Build-Packages:
+    name: Build Package Check
+    needs: [ Documentation, Lint, Type-Check, Security, Format ]
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    steps:
+      - name: SCM Checkout
+        uses: actions/checkout@v5
+
+      - name: Setup Python & Poetry Environment
+        uses: exasol/python-toolbox/.github/actions/python-environment@v1
+
+      - name: Run Distribution Check
+        run: poetry run -- nox -s package:check
+
   Tests:
     name: Unit-Tests (Python-${{ matrix.python-version }})
-    needs: [ Documentation, Lint, Type-Check, Security, Format, build-matrix ]
+    needs: [ Build-Packages, build-matrix ]
     runs-on: ubuntu-24.04
     permissions:
       contents: read
@@ -172,7 +188,7 @@ jobs:
 
     steps:
       - name: SCM Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Python & Poetry Environment
         uses: exasol/python-toolbox/.github/actions/python-environment@v1
@@ -185,7 +201,7 @@ jobs:
           poetry run -- nox -s test:unit -- --coverage
 
       - name: Upload Artifacts
-        uses: actions/upload-artifact@v4.6.2
+        uses: actions/upload-artifact@v5
         with:
           name: coverage-python${{ matrix.python-version }}-fast
           path: .coverage

.github/workflows/gh-pages.yml

@@ -12,7 +12,7 @@ jobs:
       contents: read
     steps:
       - name: SCM Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/matrix-all.yml

@@ -14,7 +14,7 @@ jobs:
       contents: read
     steps:
       - name: SCM Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Python & Poetry Environment
         uses: exasol/python-toolbox/.github/actions/python-environment@v1

.github/workflows/matrix-exasol.yml

@@ -14,7 +14,7 @@ jobs:
       contents: read
     steps:
       - name: SCM Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Python & Poetry Environment
         uses: exasol/python-toolbox/.github/actions/python-environment@v1

.github/workflows/matrix-python.yml

@@ -14,7 +14,7 @@ jobs:
       contents: read
     steps:
       - name: SCM Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Python & Poetry Environment
         uses: exasol/python-toolbox/.github/actions/python-environment@v1

.github/workflows/report.yml

@@ -14,15 +14,15 @@ jobs:
 
     steps:
       - name: SCM Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
       - name: Setup Python & Poetry Environment
         uses: exasol/python-toolbox/.github/actions/python-environment@v1
 
       - name: Download Artifacts
-        uses: actions/download-artifact@v5.0.0
+        uses: actions/download-artifact@v6
         with:
           path: ./artifacts
 
@@ -41,7 +41,7 @@ jobs:
         run: poetry run -- nox -s project:report -- --format json | tee metrics.json
 
       - name: Upload Artifacts
-        uses: actions/upload-artifact@v4.6.2
+        uses: actions/upload-artifact@v5
         with:
           name: metrics.json
           path: metrics.json

.github/workflows/slow-checks.yml

@@ -10,7 +10,7 @@ jobs:
     permissions:
       contents: read
 
-  Tests:
+  tests:
     name: Integration-Tests (${{matrix.connector}}, Python-${{ matrix.python-version }}, Exasol-${{ matrix.exasol-version}})
     needs: [ build-matrix ]
     runs-on: ubuntu-24.04
@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: SCM Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Python & Poetry Environment
         uses: exasol/python-toolbox/.github/actions/python-environment@v1
@@ -40,7 +40,7 @@ jobs:
           poetry run -- nox -s test:integration -- --coverage --db-version ${{ matrix.exasol-version }}
 
       - name: Upload Artifacts
-        uses: actions/upload-artifact@v4.6.2
+        uses: actions/upload-artifact@v5
         with:
           name: coverage-python${{ matrix.python-version }}-${{matrix.connector}}-exasol${{ matrix.exasol-version }}slow
           path: .coverage

doc/changes/unreleased.md

@@ -24,3 +24,4 @@ This allows us to use the latest dependencies, which do not have open vulnerabil
 - Reformatted files to meet project specifications
 - #588: Updated to exasol-toolbox 1.6.0 and relocked dependencies to resolve CVE-2025-50182, CVE-2025-50181, & CVE-2024-47081
 - #605: Removed non-ASCII unicode from templates & relocked dependencies to resolve CVE-2025-8869 (pip -> transitive dependency)
+- #640: Re-locked dependencies to resolve CVE-2025-8869 for transitive dependency pip

noxconfig.py

@@ -1,9 +1,9 @@
 from __future__ import annotations
 
 from collections.abc import Iterable
-from dataclasses import dataclass
 from pathlib import Path
 
+from exasol.toolbox.config import BaseConfig
 from exasol.toolbox.nox.plugin import hookimpl
 
 
@@ -12,7 +12,7 @@ class StartDB:
     @hookimpl
     def pre_integration_tests_hook(self, session, config, context):
         port = context.get("port", 8563)
-        db_version = context.get("db_version", "7.1.17")
+        db_version = context.get("db_version", "2025.1.0")
         session.run(
             "itde",
             "spawn-test-environment",
@@ -38,8 +38,7 @@ def post_integration_tests_hook(self, session, config, context):
         session.run("docker", "kill", "db_container_test", external=True)
 
 
-@dataclass(frozen=True)
-class Config:
+class Config(BaseConfig):
     root: Path = Path(__file__).parent
     doc: Path = Path(__file__).parent / "doc"
     source: Path = Path("sqlalchemy_exasol")
@@ -49,14 +48,14 @@ class Config:
         ".eggs",
         "venv",
     )
-    environment_name = "test"
-    db_port = 8563
-    bucketfs_port = 2580
-    connectors = ["pyodbc", "turbodbc", "websocket"]
-    python_versions = ["3.10", "3.11", "3.12", "3.13"]
-    exasol_versions = ["7.1.30", "8.34.0", "2025.1.0"]
+    environment_name: str = "test"
+    db_port: int = 8563
+    bucketfs_port: int = 2580
+    connectors: list[str] = ["pyodbc", "turbodbc", "websocket"]
+    plugins: list = [StartDB, StopDB]
 
-    plugins = [StartDB, StopDB]
 
-
-PROJECT_CONFIG = Config()
+PROJECT_CONFIG = Config(
+    # PTB 1.12.0 still supports Python 3.9, so we override the python_versions
+    python_versions=("3.10", "3.11", "3.12", "3.13"),
+)