Ansible Cloud Automation / ACA-1651

Dependency conflict and security vulnerability caused by outdated azure collection dependencies


      In the Azure collection, requirements-azure.txt has azure-cli-core==2.34.0, which was released in February 2022 and requires older versions of paramiko that have vulnerabilities resolved in >=3.4.0. Other package maintainers already require minimum versions known not to have security vulnerabilities. For example, 2.34.0 has packaging<22, but that was addressed in https://github.com/Azure/azure-cli/releases/tag/azure-cli-2.61.0

      This is also causing issues other than security ones, like dependency conflicts on install. For example, Ansible cannot update black for ansible-lint because it requires a newer version of packaging. The Azure collection does not allow use of a newer one due to its own pin on an outdated version of azure-cli-core. So when we create an ee-supported build for AAP where both are present, the two come into conflict. This is now blocking a downstream release of Ansible development tools with a more modern and capable version of ansible-lint.

      Solution

      What needs to happen is an unpinning of the packaging version in newer versions, as azure-cli-core==2.34.0 has a ceiling that prevents use of modern versions. Versions after 2.61.0 have removed this bug. Besides addressing the security issues, it would resolve these dependency conflicts.

      Note

      Listing packaging as a direct dependency without any constraints does not help in any way, as the resolver will still attempt to downgrade packaging if an old version of azure-cli-core is requested.
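      To make the conflict in the description and the note above concrete, here is an added example (not code from the Azure collection, ansible-lint or this issue): a stdlib-only check, in the spirit of what pip's resolver does, that tells you whether a set of constraints on one shared package can be satisfied and which requirer rules out each candidate. The ">=22" demand attributed to black and the candidate version list are constructed assumptions; the "<22" cap of azure-cli-core==2.34.0 and its removal in 2.61.0 are from the issue.

```python
import re
from typing import Dict, List, Optional, Tuple

# Only the operators needed for pins like "==2.34.0", "<22" or ">=3.4.0".
_SPEC_RE = re.compile(r"^(==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'22.0' -> (22,): trailing zeros are dropped so that 22 == 22.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets a single specifier such as '<22' or '>=3.4.0'."""
    m = _SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported specifier: {spec!r}")
    op, bound = m.group(1), parse_version(m.group(2))
    v = parse_version(version)
    return {"==": v == bound, "!=": v != bound, "<": v < bound,
            "<=": v <= bound, ">": v > bound, ">=": v >= bound}[op]


def blockers(version: str, constraints: Dict[str, str]) -> List[str]:
    """Names of the requirers whose specifier rules out `version`.
    An empty specifier (an unconstrained direct dependency) never blocks."""
    return [who for who, spec in constraints.items()
            if spec and not satisfies(version, spec)]


def resolve(candidates: List[str], constraints: Dict[str, str]) -> Optional[str]:
    """Highest candidate that every requirer accepts, or None when they conflict."""
    ok = [c for c in candidates if not blockers(c, constraints)]
    return max(ok, key=parse_version) if ok else None


if __name__ == "__main__":
    # Constructed candidate list for `packaging`; the ">=22" demand is assumed.
    PACKAGING = ["21.3", "22.0", "23.2", "24.0"]
    pinned = {"azure-cli-core==2.34.0": "<22", "black (ansible-lint)": ">=22"}
    print("pinned azure-cli-core:", resolve(PACKAGING, pinned))  # None
    for c in PACKAGING:
        print(f"  {c:>5} blocked by {blockers(c, pinned)}")
    # Adding `packaging` as an unconstrained direct dependency changes nothing.
    print("with direct dep:", resolve(PACKAGING, {**pinned, "requirements.txt": ""}))
    # After the upstream fix (azure-cli-core >= 2.61.0 no longer caps packaging).
    unpinned = {"azure-cli-core>=2.61.0": "", "black (ansible-lint)": ">=22"}
    print("unpinned:", resolve(PACKAGING, unpinned))  # 24.0
```

      Run it as a script to see the per-candidate blockers; the empty result with the 2.34.0 pin is exactly the install-time conflict the description reports, and the unconstrained direct dependency leaves it empty.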

      This bug was fixed upstream, and we made a PR to update the dependency to one that does not have this issue: https://github.com/ansible-collections/azure/pull/1593

      ADDITIONAL INFORMATION

      See linked issues and repo code. 


            nargaman Nir Argaman
            ssbarnea Sorin Sbarnea
            Bradley Thornton, Satoe Imaishi