Update Snyk vulnerabilities in documentation

[owenlittlejohns]

Jira Issue ID

N/A

Description

I was in the Snyk UI and spotted harmony-py has a critical vulnerability in requirements/example.txt. This PR addresses the vulnerability by updating the dependencies for the notebooks in the examples directory. I also bumped the requirements in requirements/docs.txt, as there was a medium severity vulnerability there (tornado via nbconvert).

I checked things still worked by running the notebooks in the examples directory. Most ran, but there were a couple of exceptions:

• job_stac.ipynb couldn't find pystac.STAC_IO, so I changed that to pystac.stac_io, which seemed to work.
• The helper.show_results in basics.ipynb failed for a bunch of requests that were getting NetCDF-4 files out of HGA. I fixed this by forcing all the requests to give GeoTIFF outputs.
• There were some requests made to the Swath Projector that failed message validation. I thought Leo wrote a ticket for this, but can't find it in the DAS backlog. Anyway - that's not an issue with dependencies, but with the service itself.
• I was lazy and didn't try the in-region parts of the notebooks.

For the Sphinx documentation I had to tweak a method documentation string to make it all run again.

Local Test Steps

For requirements/examples.txt:

• Pull this branch.
• Create a new Python environment (via conda or pyenv) and pip install requirements/example.txt.
• Start a Jupyter notebook server (jupyter lab).
• Run through the notebooks in the examples directory. Checking basics.ipynb is probably a good one, as it uses a lot of the functionality. Similiarly, the job_stac.ipynb is a good test of pystac and intake-stac.

For requirements/docs.txt:

• Pull this branch.
• Create a new Python environment (via conda or pyenv) and pip install requirements/docs.txt.
• Navigate to the docs directory.
• Run make html - this should complete successfully.
• Open the docs/_build/html/index.html file in a browser. It should look like some shiny Sphinx-generated documentation.

PR Acceptance Checklist

• Acceptance criteria met N/A
• Tests added/updated (if needed) and passing N/A
• Documentation updated (if needed)

[owenlittlejohns]

Quick update - I was getting failing builds because I updated the progressbar2 dependency in requirements/docs.txt, but another version was present in requirements/core.txt. I've updated both places, and verified the tests still pass (locally at least)

[owenlittlejohns]

The update to a recent version of nbconvert requires Python >= 3.8. I also checked and 3.7 was EOL back in June (see: https://devguide.python.org/versions/). It would have been great to not drop 3.7 in the testing, but this seems to be the answer to the rabbit hole of dependencies. (The root of the issue comes from the tests.yml workflow installing the core, test and docs dependencies, and therefore needing all three to be consistent with one another)

[owenlittlejohns]

I wanted to leave these dependencies entirely alone, but progressbar2 needs to be consistent in core.txt and docs.txt to ensure the tests.yml workflow can run. The sphinx dependency in dev.txt was bumped for the same reason.

[owenlittlejohns]

I'm guessing future releases of ipyplot will bump their own required version of pillow, so this line can be removed at a later date. 🤞

[owenlittlejohns]

sphinx goes up to 7.2.6, but 7.2.0 onwards all require Python 3.9+. 7.1.2 was only released in August, and currently has no vulnerabilities.

[ygliuvt]

Verified the readthedocs looks good.