Merge branch 'main' into HEA-898/aide_alimentaire

Author: rhunwicks

docker-compose.override.yml

@@ -26,9 +26,6 @@ services:
       - /usr/src/app/jupyter
       - /usr/src/app/log
       - /usr/src/app/media
-      # Ignore the local .env file, to avoid it conflicting with variables set
-      # in the docker-compose.yml file, particularly by Dagster
-      - ./env.example:/usr/src/app/.env
     environment:
       DJANGO_SETTINGS_MODULE: hea.settings.local
       LAUNCHER: ${LAUNCHER}  # e.g. "debugpy" or "ddtrace"
@@ -54,9 +51,6 @@ services:
       - /usr/src/app/jupyter
       - /usr/src/app/log
       - /usr/src/app/media
-      # Ignore the local .env file, to avoid it conflicting with variables set
-      # in the docker-compose.yml file, particularly by Dagster
-      - ./env.example:/usr/src/app/.env
     environment:
       DJANGO_SETTINGS_MODULE: hea.settings.local
       LAUNCHER: ${LAUNCHER}  # e.g. "debugpy" or "ddtrace"
@@ -75,9 +69,6 @@ services:
       - /usr/src/app/jupyter
       - /usr/src/app/log
       - /usr/src/app/media
-      # Ignore the local .env file, to avoid it conflicting with variables set
-      # in the docker-compose.yml file, particularly by Dagster
-      - ./env.example:/usr/src/app/.env
     environment:
       DJANGO_SETTINGS_MODULE: hea.settings.local
       LAUNCHER: ${LAUNCHER}  # e.g. "debugpy" or "ddtrace"

docker-compose.yml

@@ -101,6 +101,9 @@ services:
       DAGSTER_ASSET_BASE_PATH: ${DAGSTER_ASSET_BASE_PATH}
       DAGSTER_WEBSERVER_URL: ${DAGSTER_WEBSERVER_URL}
       DAGSTER_WEBSERVER_PREFIX: pipelines
+      DAGSTER_S3_BUCKET: ${DAGSTER_S3_BUCKET}
+      DAGSTER_S3_PREFIX: ${DAGSTER_S3_PREFIX}
+      DAGSTER_S3_LOG_PATH: ${DAGSTER_S3_LOG_PATH}
       AWS_ACCESS_KEY_ID: ${MINIO_ROOT_USER}
       AWS_SECRET_ACCESS_KEY: ${MINIO_ROOT_PASSWORD}
       AWS_ENDPOINT_URL_S3: ${MINIO_ENDPOINT_URL}

docker/app/run_tests.sh

@@ -53,6 +53,10 @@ fi
 #     the vulnerable GMLAS driver, potentially rendering the application
 #     unresponsive. The issue is mitigated by introducing a limit on entity
 #     expansions and aborting parsing when the limit is exceeded.
+#  Vulnerability ID: 82915
+#    Affected spec: <3.12.1
+#    ADVISORY: Affected versions of the gdal package are vulnerable to
+#    path traversal due to insufficient path sanitization in multiple drivers.
 
 # Ignore vulnerability found in jinja2 version 3.1.4
 # We do not allow any untrusted templates, and so are not affected.
@@ -66,8 +70,24 @@ fi
 #   shouldn't use untrusted templates without sandboxing.
 #   CVE-2019-8341
 
+# Vulnerability found in nbconvert version 7.16.6
+#    Vulnerability ID: 83150
+#    Affected spec: <=7.16.6
+#    ADVISORY: Affected versions of the nbconvert package are
+#    vulnerable to Uncontrolled Search Path Element due to resolving the
+#    inkscape executable on Windows using a search order that includes the
+#    current working directory. In nbconvert/preprocessors/svg2pdf.py, the PDF
+#    conversion flow for notebooks with SVG outputs locates and executes
+#    inkscape without a fully qualified path, allowing a local inkscape.bat to
+#    be selected and run.
+# NOTE: jupyterlab==4.4.8 uses nbconvert==7.16.6 and there is currently no patched version 
+#  of nbconvert for CVE-2025-53000. 
+#  The vulnerability was only published on December 17-18, 2025, and version 7.16.6 remains 
+#  the latest release.
+#  Will ignore this and update once we got a fix
+
 echo Package Vulnerabilities:
-pip freeze | safety check --stdin --full-report -i 62283 -i 70612 -i 74054
+pip freeze | safety check --stdin --full-report -i 62283 -i 70612 -i 74054 -i 82915 -i 83150
 SAFETY_RESULT=$?
 
 # Suppress SAFETY_RESULT unless CHECK_SAFETY is set