@@ -170,7 +170,7 @@ repos:
170170
171171 # Ansible hooks
172172 - repo : https://github.com/ansible/ansible-lint
173- rev : v24.9.2
173+ rev : v24.10.0
174174 hooks :
175175 - id : ansible-lint
176176 additional_dependencies :
@@ -181,17 +181,36 @@ repos:
181181 # necessary to add the ansible package itself as an
182182 # additional dependency, with the same pinning as is done in
183183 # requirements-test.txt of cisagov/skeleton-ansible-role.
184- # - ansible>=9,<10
184+ #
185+ # Version 10 is required because the pip-audit pre-commit
186+ # hook identifies a vulnerability in ansible-core 2.16.13,
187+ # but all versions of ansible 9 have a dependency on
188+ # ~=2.16.X.
189+ #
190+ # It is also a good idea to go ahead and upgrade to version
191+ # 10 since version 9 is going EOL at the end of November:
192+ # https://endoflife.date/ansible
193+ # - ansible>=10,<11
185194 # ansible-core 2.16.3 through 2.16.6 suffer from the bug
186195 # discussed in ansible/ansible#82702, which breaks any
187196 # symlinked files in vars, tasks, etc. for any Ansible role
188197 # installed via ansible-galaxy. Hence we never want to
189198 # install those versions.
190199 #
200+ # Note that the pip-audit pre-commit hook identifies a
201+ # vulnerability in ansible-core 2.16.13. The pin of
202+ # ansible-core to >=2.17 effectively also pins ansible to
203+ # >=10.
204+ #
205+ # It is also a good idea to go ahead and upgrade to
206+ # ansible-core 2.17 since security support for ansible-core
207+ # 2.16 ends this month:
208+ # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
209+ #
191210 # Note that any changes made to this dependency must also be
192211 # made in requirements.txt in cisagov/skeleton-packer and
193212 # requirements-test.txt in cisagov/skeleton-ansible-role.
194- - ansible-core>=2.16.7
213+ - ansible-core>=2.17
195214
196215 # Terraform hooks
197216 - repo : https://github.com/antonbabenko/pre-commit-terraform
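Review bot: The new floor `- ansible-core>=2.17` (new line 213) is justified by a pip-audit finding against ansible-core 2.16.13, but the comment at new lines 200-203 never names the advisory, so a reader cannot check which 2.17.x releases carry the fix. A bare `>=2.17` still admits 2.17.0, and whether that release is affected is not visible on this page. Consider recording the identifier pip-audit printed and raising the floor to the first patched release it lists, for example `# pip-audit: <ADVISORY-ID>, fixed in ansible-core <FIRST-PATCHED-VERSION>`. The same vulnerability note is repeated at new lines 185-188, so both copies would need the identifier. The phrases "ends this month" and "at the end of November" will go stale; an absolute date with the year would keep the rationale auditable.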