setup: Update charm-tools pin set

[coreycb]

pyyaml 5.4.0 and 5.4.1 are broken with cython 3
yaml/pyyaml#724

jsonschema 4.18.0 depends on Rust (via rpds-py)

[ajkavanagh]

This is similar to #656 - could we please consolidate them? So we also need to pin Cython<3.0.0 as that's also broken with PyYaml 6.0.1 (at the moment).

[ajkavanagh]

Do we also need to pin Cython?

[freyes]

LGTM, waiting for CI.

[freyes]

we need a 3.0.7 release in pypi with this fix

[markbeierl]

This change should be revisited now that 6.0.1 was released to fix the problem. I'm not sure, but it looks like the result of 'pyyaml>=5.0,!=5.4.0,!=5.4.1,<6.0' is 5.3.1, which has known CVEs.

pip install 'pyyaml>=5.0,!=5.4.0,!=5.4.1,<6.0'
Collecting pyyaml!=5.4.0,!=5.4.1,<6.0,>=5.0
  Using cached PyYAML-5.3.1-cp311-cp311-linux_x86_64.whl
Installing collected packages: pyyaml
Successfully installed pyyaml-5.3.1

[freyes]

On Wed, 2023-08-09 at 12:58 -0700, Mark Beierl wrote: This change should be revisited now that 6.0.1 was released to fix the problem. I'm not sure, but it looks like the result of 'pyyaml>=5.0,!=5.4.0,!=5.4.1,<6.0' is 5.3.1, which has known CVEs. pip install 'pyyaml>=5.0,!=5.4.0,!=5.4.1,<6.0' Collecting pyyaml!=5.4.0,!=5.4.1,<6.0,>=5.0   Using cached PyYAML-5.3.1-cp311-cp311-linux_x86_64.whl Installing collected packages: pyyaml Successfully installed pyyaml-5.3.1

I think we could do: pyyaml>=5.0,!=5.4.0,!=5.4.1,!=6.0,<7.0

[freyes]

#663