chore: Erlang 26.2.5

- Upgrades Sobelow and ignores a new false positive XSS warning - Fixes a test failure caused by changes in :gen_server.start_link - Fixes a test failure related to element ordering in ETS lookups
mbta · Jun 6, 2024 · f397995 · f397995
1 parent b3fc38f
commit f397995
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 8 deletions.
diff --git a/.tool-versions b/.tool-versions
@@ -1,4 +1,4 @@
-elixir 1.16.3-otp-25
-erlang 25.3.2.12
+elixir 1.16.3-otp-26
+erlang 26.2.5
 python 3.9.16
 poetry 1.7.0
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
-ARG ERLANG_VERSION=25.3.2.12
-ARG ALPINE_VERSION=3.17.7
 ARG ELIXIR_VERSION=1.16.3
+ARG ERLANG_VERSION=26.2.5
+ARG ALPINE_VERSION=3.20.0
 
 FROM hexpm/elixir:${ELIXIR_VERSION}-erlang-${ERLANG_VERSION}-alpine-${ALPINE_VERSION} as builder
 
@@ -28,7 +28,7 @@ RUN mix release
 # The one the elixir image was built with
 FROM alpine:${ALPINE_VERSION}
 
-RUN apk add --no-cache libssl1.1 dumb-init libstdc++ libgcc ncurses-libs && \
+RUN apk add --no-cache libcrypto3 dumb-init libstdc++ libgcc ncurses-libs && \
   mkdir /work /api && \
   adduser -D api && chown api /work
 

diff --git a/apps/api_web/.sobelow-skips b/apps/api_web/.sobelow-skips
@@ -0,0 +1,4 @@
+
+0430EA328823B25D53909F55172F2E3F
+7DB23C919D8A36AE6A649DA0A83FBAE2
+CB8E15060F63E711108608C13BA30278
diff --git a/apps/api_web/lib/api_web/templates/client_portal/user/_new.html.heex b/apps/api_web/lib/api_web/templates/client_portal/user/_new.html.heex
@@ -33,6 +33,7 @@
 
         <div class="form-group">
           <%= if Application.get_env(:recaptcha, :enabled) do %>
+            <!-- skip Sobelow XSS.Raw because there's no client input used in this response -->
             <%= raw(Recaptcha.Template.display(callback: "recaptchaCompleted")) %>
           <% end %>
         </div>

diff --git a/apps/api_web/test/api_web/canary_test.exs b/apps/api_web/test/api_web/canary_test.exs
@@ -43,6 +43,11 @@ defmodule ApiWeb.CanaryTest do
     assert {:error, "expect function/0 for notify_fn, got nil"} =
              Canary.start_link(notify_fn: nil)
 
-    assert_receive {:EXIT, _, "expect function/0 for notify_fn, got nil"}
+    # start_link consumes EXIT as of OTP 26, so we need to use spawn_link to trigger this. see:
+    # https://github.com/erlang/otp/issues/7524 and
+    # https://www.erlang.org/doc/apps/stdlib/gen_server.html#start_link/4
+    pid = spawn_link(Canary, :start_link, [[notify_fn: nil]])
+
+    assert_receive {:EXIT, ^pid, "expect function/0 for notify_fn, got nil"}
   end
 end
diff --git a/apps/state/test/state/server_test.exs b/apps/state/test/state/server_test.exs
@@ -251,7 +251,14 @@ defmodule State.ServerTest do
         %Example{id: 2, data: :other}
       ])
 
-      assert [%{data: 38}, %{data: 44}, %{data: :other}] = HooksServer.all()
+      # ETS tables appear to have different internal ordering on Mac and Linux as of OTP 26, so
+      # explicitly sorting here is necessary to fix this test.
+      assert [
+               %Example{id: 1, data: 38},
+               %Example{id: 1, data: 44},
+               %Example{id: 2, data: :other}
+             ] = Enum.sort(HooksServer.all())
+
       assert [%{data: 38}, %{data: 44}] = HooksServer.by_id(1)
       assert [%{data: 38}] = HooksServer.select([%{data: 37}])
     end

diff --git a/mix.lock b/mix.lock
@@ -84,7 +84,7 @@
   "result": {:hex, :result, "1.7.2", "a57c569f7cf5c158d2299d3b5624a48b69bd1520d0771dc711bcf9f3916e8ab6", [:mix], [], "hexpm", "89f98e98cfbf64237ecf4913aa36b76b80463e087775d19953dc4b435a35f087"},
   "rstar": {:git, "https://github.com/armon/erl-rstar.git", "a406b2cce609029bf65b9ccfbe93a0416c0ee0cd", []},
   "sentry": {:hex, :sentry, "8.1.0", "8d235b62fce5f8e067ea1644e30939405b71a5e1599d9529ff82899d11d03f2b", [:mix], [{:hackney, "~> 1.8", [hex: :hackney, repo: "hexpm", optional: true]}, {:jason, "~> 1.1", [hex: :jason, repo: "hexpm", optional: true]}, {:plug, "~> 1.6", [hex: :plug, repo: "hexpm", optional: true]}, {:plug_cowboy, "~> 2.3", [hex: :plug_cowboy, repo: "hexpm", optional: true]}], "hexpm", "f9fc7641ef61e885510f5e5963c2948b9de1de597c63f781e9d3d6c9c8681ab4"},
-  "sobelow": {:hex, :sobelow, "0.11.1", "23438964486f8112b41e743bbfd402da3e5b296fdc9eacab29914b79c48916dd", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "9897363a7eff96f4809304a90aad819e2ad5e5d24db547af502885146746a53c"},
+  "sobelow": {:hex, :sobelow, "0.13.0", "218afe9075904793f5c64b8837cc356e493d88fddde126a463839351870b8d1e", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "cd6e9026b85fc35d7529da14f95e85a078d9dd1907a9097b3ba6ac7ebbe34a0d"},
   "ssl_verify_fun": {:hex, :ssl_verify_fun, "1.1.7", "354c321cf377240c7b8716899e182ce4890c5938111a1296add3ec74cf1715df", [:make, :mix, :rebar3], [], "hexpm", "fe4c190e8f37401d30167c8c405eda19469f34577987c76dde613e838bbc67f8"},
   "stream_data": {:hex, :stream_data, "0.5.0", "b27641e58941685c75b353577dc602c9d2c12292dd84babf506c2033cd97893e", [:mix], [], "hexpm", "012bd2eec069ada4db3411f9115ccafa38540a3c78c4c0349f151fc761b9e271"},
   "sweet_xml": {:hex, :sweet_xml, "0.7.3", "debb256781c75ff6a8c5cbf7981146312b66f044a2898f453709a53e5031b45b", [:mix], [], "hexpm", "e110c867a1b3fe74bfc7dd9893aa851f0eed5518d0d7cad76d7baafd30e4f5ba"},