# After editing this file, you MUST then run
# /tools/update-locked-requirements to update requirements/dev.txt
# and requirements/prod.txt.
# See requirements/README.md for more detail.
# Django itself
Django[argon2]==4.0.*
# needed for NotRequired, ParamSpec
typing-extensions
# Needed for rendering backend templates
Jinja2
# Needed for Markdown processing
Markdown
importlib-metadata ; python_version < "3.10" # for Markdown
Pygments
jsx-lexer
# Needed for manage.py
ipython
# Needed for image processing
Pillow
# Needed for building complex DB queries
SQLAlchemy==1.4.*
# Needed for S3 file uploads and other AWS tools
boto3
# The runtime-relevant part of boto3-stubs (see mypy.in)
mypy-boto3-s3
mypy-boto3-ses
mypy-boto3-sns
mypy-boto3-sqs
# Needed for integrations
defusedxml
# Needed for LDAP support
django-auth-ldap
# Django extension providing bitfield support
django-bitfield
# Django extension for sending data to statsd
django-statsd-mozilla
# Needed for Android push notifications
python-gcm
# Needed for the email mirror
html2text
# Forked to avoid pulling in scipy: https://github.com/mailgun/talon/pull/200
https://github.com/zulip/talon/archive/1711705c952806d4a704c7dbf58f21db8e11756a.zip#egg=talon-core==1.4.8.zulip1&subdirectory=talon-core
# Needed for inlining the CSS in emails
premailer
# Needed for JWT-based auth
PyJWT
# Needed to access RabbitMQ
pika
# Needed to access our database
psycopg2
# Needed for memcached usage
python-binary-memcached
# Needed for compression support in memcached via python-binary-memcached
django-bmemcached
# Needed for zerver/tests/test_timestamp.py
python-dateutil
# Needed for time zone work
backports.zoneinfo ; python_version < "3.9"
# Needed for Redis
redis
# Needed to parse source maps for error reporting
sourcemap
# Tornado used for server->client push system
tornado
# Fast JSON parser
orjson
# Needed for iOS push notifications
aioapns
python-twitter
# To parse po files
polib
# Needed for cloning virtual environments
virtualenv-clone
# Needed for link preview
beautifulsoup4
pyoembed
python-magic
# The Zulip API bindings, from its own repository. We integrate with
# these tightly, including fetching content not included in the official
# PyPI release tarballs, such as logos, assets and documentation files
# that we render on our /integrations page. Therefore, we need to pin
# the version from Git rather than a PyPI release. Keeping everything in
# one repository simplifies the process of implementing and documenting
# new bots for new contributors.
https://github.com/zulip/python-zulip-api/archive/0.8.2.zip#egg=zulip==0.8.2+git&subdirectory=zulip
https://github.com/zulip/python-zulip-api/archive/0.8.2.zip#egg=zulip_bots==0.8.2+git&subdirectory=zulip_bots
# Used for Hesiod lookups, etc.
py3dns
# Install Python Social Auth
social-auth-app-django
social-auth-core[azuread,openidconnect,saml]
python3-saml
# For encrypting a login token to the desktop app
cryptography
# Needed for parsing the rendered content of messages in push notifications.
lxml
# Needed for 2-factor authentication
django-two-factor-auth[call,phonenumberslite,sms]
# Needed for processing payments (in corporate)
stripe
# Needed for serving uploaded files from nginx while performing auth checks in Django.
django-sendfile2
# For checking whether the user's email address is from a disposable email provider.
disposable-email-domains
# Needed for parsing YAML with JSON references from the REST API spec files
jsonref
# Needed for string matching in AlertWordProcessor
pyahocorasick
# Needed for function decorators that don't break introspection.
# Used for rate limiting authentication.
decorator
auth: Use zxcvbn to ensure password strength on server side.
For a long time, we've been only doing the zxcvbn password strength
checks on the browser, which is helpful, but means users could through
hackery (or a bug in the frontend validation code) manage to set a
too-weak password. We fix this by running our password strength
validation on the backend as well, using python-zxcvbn.
In theory, a bug in python-zxcvbn could result in it producing a
different opinion than the frontend version; if so, it'd be a pretty
bad bug in the library, and hopefully we'd hear about it from users,
report upstream, and get it fixed that way. Alternatively, we can
switch to shelling out to node like we do for KaTeX.
Fixes #6880.
2019-11-18 08:11:03 +01:00
# For server-side enforcement of password strength
zxcvbn
# Needed for sending HTTP requests
requests[security]
requests-oauthlib
# For OpenAPI schema validation.
openapi-core
openapi-schema-validator<0.3.0 # 0.3.0 requires jsonschema 4, which conflicts with semgrep: https://github.com/returntocorp/semgrep/issues/4739
# For reporting errors to sentry.io
sentry-sdk
# For detecting URLs to link
tlds
# Unicode Collation Algorithm for sorting multilingual strings
pyuca
# Handle connection retries with exponential backoff
backoff
# Needed for reading bson files in rocketchat import tool
pymongo
# Non-backtracking regular expressions
google-re2
# For querying recursive group membership
django-cte
# SCIM integration
django-scim2
# CSS manipulation
soupsieve
rate_limit: Add a flag to lump all TOR exit node IPs together.
TOR users are legitimate users of the system; however, that system can
also be used for abuse -- specifically, by evading IP-based
rate-limiting.
For the purposes of IP-based rate-limiting, add a
RATE_LIMIT_TOR_TOGETHER flag, defaulting to false, which lumps all
requests from TOR exit nodes into the same bucket. This may allow a
TOR user to deny other TOR users access to the find-my-account and
new-realm endpoints, but this is a low cost for cutting off a
significant potential abuse vector.
If enabled, the list of TOR exit nodes is fetched from their public
endpoint once per hour, via a cron job, and cached on disk. Django
processes load this data from disk, and cache it in memcached.
Requests are spared from the burden of checking disk on failure via a
circuitbreaker, which trips if there are two failures in a row, and
only begins trying again after 10 minutes.
2021-11-03 21:43:02 +01:00
# Circuit-breaking for outgoing services
circuitbreaker