OpenStack Charm Dependency Dashboard

Charms

177

Critical

Warning

Info

Packages

127

Git Deps

441

Top Priority Issues

The most impactful dependency issues across all charms. Fixing these first yields the highest return — each affects dozens of charms simultaneously.

requests critical 97 charms

Pinned to >=2.18.4, >=1.1.0. 6 known vulnerabilities (CVE-2014-1830, CVE-2024-47081, CVE-2024-35195). Latest: 2.32.5.

CVE-2014-1830 CVE-2024-47081 CVE-2024-35195

Upper bound pin restricts to older versions with known CVEs.

psutil critical 82 charms

Pinned to >=1.1.1,<2.0.0, ~= 5.9.5. 1 known vulnerabilities (CVE-2019-18874). Latest: 7.2.2.

CVE-2019-18874

cinder-lvm

cryptography critical 81 charms

Pinned to <3.4. 6 known vulnerabilities (GHSA-39hc-v87j-747x, CVE-2023-50782, GHSA-5cpq-8wj7-hf2v). Latest: 46.0.5.

GHSA-39hc-v87j-747x CVE-2023-50782 GHSA-5cpq-8wj7-hf2v

charm-tools has an indirect dependency to cryptography. Newer versions require a Rust compiler to build, see

Charm Health

Each charm scored 0-100 based on dependency health. Red = critical CVE exposure or severe conflicts. Click any charm to see its specific issues and source repository.

barbican-softhsm

5 2

ceph-proxy

5 1

infoblox

3 6

panko

3 6

template-api

3 6

template-neutron-plugin

3 6

nova-compute

4 1

tempest

3 2

ceilometer

3 1

ceilometer-agent

3 1

ceph-osd

3 1

ceph-radosgw

3 1

cinder

3 1

cinder-backup

3 1

cinder-ceph

3 1

cinder-dell-emc-powerstore

3 1

cinder-ibm-storwize-svc

3 1

glance

3 1

glance-simplestreams-sync

3 1

heat

3 1

keystone

3 1

layer-openstack-principle

3 1

neutron-api

3 1

neutron-gateway

3 1

neutron-openvswitch

3 1

nova-cloud-controller

3 1

openstack-dashboard

3 1

percona-cluster

3 1

swift-proxy

3 1

swift-storage

3 1

trilio-data-mover

3 1

trilio-dm-api

3 1

trilio-horizon-plugin

3 1

trilio-wlm

3 1

ceph-fs

ceph-mon

ceph-rbd-mirror

ceph-iscsi

2 1 1

octavia

2 1 1

hacluster

2 1

keystone-ldap

2 1

keystone-saml-mellon

2 1

mysql-innodb-cluster

2 1

mysql-router

2 1

octavia-diskimage-retrofit

2 1

rabbitmq-server

2 1

watcher

2 1

woodpecker

2 1

aodh

1 1

arista-virt-test-fixture

1 1

barbican

1 1

barbican-vault

1 1

cinder-backup-swift-proxy

1 1

cinder-lvm

1 1

cinder-netapp

1 1

cinder-purestorage

1 1

designate

1 1

designate-bind

1 1

gnocchi

1 1

ironic-api

1 1

ironic-conductor

1 1

keystone-kerberos

1 1

magnum

1 1

magnum-dashboard

1 1

manila

1 1

manila-dashboard

1 1

manila-ganesha

1 1

manila-generic

1 1

manila-netapp

1 1

masakari

1 1

masakari-monitors

1 1

neutron-api-plugin-arista

1 1

neutron-api-plugin-ironic

1 1

neutron-api-plugin-ovn

1 1

neutron-dynamic-routing

1 1

nova-cell-controller

1 1

octavia-dashboard

1 1

ovn-central

1 1

pacemaker-remote

1 1

placement

1 1

vault

1 1

watcher-dashboard

1 1

ceph-dashboard

1 2

ceph-nfs

1 1

kingfisher

layer-openstack-api

magpie

zuul-jobs

neutron-arista

magnum-k8s

1 2

nova-compute-operator

1 2

layer-ceph-base

1 1

bcache-tuning

interface-keystone-admin

interface-panko

ironic

kerberos-keytab

keystone-ico

layer-ceph

layer-openstack

specs

trilio-data-mover-api

cinder-nfs

cinder-nimblestorage

cinder-three-par

guide

manila-flashblade

nova-compute-nvidia-vgpu

openstack-loadbalancer

100

aodh-k8s

100

barbican-k8s

100

bind-k8s

100

ceilometer-k8s

100

cinder-ns5

100

cinder-solidfire

100

cloudkitty

100

deployment-guide

100

designate-k8s

100

discoveryserver

100

interface-barbican-secrets

100

interface-bgp

100

interface-bind-rndc

100

interface-ceph-client

100

interface-ceph-rbd-mirror

100

interface-cinder-backend

100

interface-cinder-backup

100

interface-dashboard-plugin

100

interface-designate

100

interface-gnocchi

100

interface-hacluster

100

interface-keystone

100

interface-keystone-credentials

100

interface-keystone-domain-backend

100

interface-keystone-fid-service-provider

100

interface-keystone-notifications

100

interface-magpie

100

interface-manila-plugin

100

interface-mysql-innodb-cluster

100

interface-mysql-router

100

interface-mysql-shared

100

interface-neutron-api

100

interface-neutron-load-balancer

100

interface-neutron-plugin

100

interface-neutron-plugin-api-subordinate

100

interface-nova-cell

100

interface-nova-compute

100

interface-openstack-ha

100

interface-ovsdb

100

interface-pacemaker-remote

100

interface-placement

100

interface-prometheus-scrape

100

interface-rabbitmq

100

interface-service-control

100

interface-vault-kv

100

interface-websso-fid-service-provider

100

ironic-dashboard

100

kerberos-test-fixture

100

keystone-ldap-k8s

100

keystone-openidc

100

keystone-openidc-k8s

100

layer-ovn

100

ldap-test-fixture-k8s

100

openidc-test-fixture

100

openstack-exporter-k8s

100

openstack-hypervisor

100

ops-interface-ceph-client

100

ops-interface-ceph-iscsi-admin-access

100

ops-interface-openstack-loadbalancer

100

ops-interface-tls-certificates

100

ops-openstack

100

osci-frr

100

ovn-chassis

100

ovn-dedicated-chassis

100

quagga

100

sunbeam-machine

100

template-manila-plugin

100

zookeeper-k8s

Priority Board

Issues organized by severity. Each card shows the affected package, root cause, impact, and number of charms that benefit from fixing it.

Critical (17)

requests CVE

Pinned to >=2.18.4, >=1.1.0. 6 known vulnerabilities (CVE-2014-1830, CVE-2024-47081, CVE-2024-35195). Latest: 2.32.5.

Upper bound pin restricts to older versions with known CVEs.

Patch files: test-requirements.txt
test-requirements.txt

via 1 transitive sources

>=2.18.4 >=1.1.0 97 charms

psutil CVE

Pinned to >=1.1.1,<2.0.0, ~= 5.9.5. 1 known vulnerabilities (CVE-2019-18874). Latest: 7.2.2.

cinder-lvm

Patch files: test-requirements.txt
test-requirements.txt

via 2 transitive sources

>=1.1.1,<2.0.0 ~= 5.9.5 82 charms

cryptography CVE

Pinned to <3.4. 6 known vulnerabilities (GHSA-39hc-v87j-747x, CVE-2023-50782, GHSA-5cpq-8wj7-hf2v). Latest: 46.0.5.

charm-tools has an indirect dependency to cryptography. Newer versions require a Rust compiler to bu

Patch files: requirements.txt
test-requirements.txt

via 1 transitive sources

<3.4 81 charms

jinja2 CVE

Exposes systems to multiple critical CVEs including RCE and XSS vulnerabilities. Missing 4+ years of security patches an

Pinned to maintain compatibility with legacy Python 2.7 environments and avoid breaking changes from

Patch files: requirements.txt
requirements.txt

via 3 transitive sources

>=2.6 <=2.10.1 38 charms

ops CVE

Security vulnerability CVE-2024-41129 remains unpatched. Missing 2+ years of bug fixes and performance improvements from

Version pinned to maintain API compatibility across OpenStack charms ecosystem during major ops fram

Patch files: requirements.txt
test-requirements.txt

>= 1.2.0 >= 1.5.0 33 charms

charm_tools Conflict

Different charms pin charm_tools to incompatible ranges (>=2.4.4, ==2.8.3). Breaks unified environments.

Each charm pinned independently to different upper bounds.

Patch files: test-requirements.txt
requirements.txt

>=2.4.4 ==2.8.3 31 charms

setuptools CVE

Pinned to <50.0.0, <82. 4 known vulnerabilities (CVE-2013-1633, CVE-2025-47273, CVE-2024-6345). Latest: 82.0.1.

requirements.txt

Patch files: requirements.txt
test-requirements.txt

via 3 transitive sources

<50.0.0 <82 28 charms

netaddr Conflict

Different charms pin netaddr to incompatible ranges (>0.7.16,<0.8.0, >=0.7.12,!=0.7.16). Breaks unified environments.

Strange import error with newer netaddr:

Patch files: requirements.txt
requirements.txt

via 5 transitive sources

>0.7.16,<0.8.0 >=0.7.12,!=0.7.16 28 charms

jsonschema Conflict

Different charms pin jsonschema to incompatible ranges (<4.18.0, <=4.10). Breaks unified environments.

The dependency is present as we test various inputs to config options (including invalid ones) which

Patch files: requirements.txt
test-requirements.txt

<4.18.0 <=4.10 9 charms

pyopenssl CVE

Pinned to <=22.0.0. 5 known vulnerabilities (CVE-2018-1000808, CVE-2026-27459, CVE-2013-4314). Latest: 26.0.0.

icey: pyopenssl 22 introduces a requirement on newer OpenSSL which causes test failures. Pin pyopens

Patch files: src-test-requirements.txt
test-requirements.txt

via 1 transitive sources

<=22.0.0 9 charms

python_cinderclient Conflict

Different charms pin python_cinderclient to incompatible ranges (>=1.4.0,<2.0, >=1.4.0,<5.0.0). Breaks unified environme

Each charm pinned independently to different upper bounds.

Patch files: src-test-requirements.txt
src-test-requirements.txt

via 2 transitive sources

>=1.4.0,<2.0 >=1.4.0,<5.0.0 6 charms

python_openstackclient CVE

Exposes systems to CVE-2023-6110 security vulnerability and prevents access to 7+ years of bug fixes and new OpenStack s

Version pinned to avoid breaking API changes in major version 2.0+ of python-openstackclient that co

Patch files: src-test-requirements.txt
src-test-requirements.txt

via 2 transitive sources

>=1.7.0,<2.0 >=1.7.0 6 charms

pika Conflict

Different charms pin pika to incompatible ranges (>=0.10.0,<1.0). Breaks unified environments.

Each charm pinned independently to different upper bounds.

Patch files: src-test-requirements.txt
src-test-requirements.txt

via 1 transitive sources

>=0.10.0,<1.0 6 charms

pydantic CVE

Keeping v1 exposes systems to known security vulnerabilities CVE-2021-29510 and CVE-2024-3772, risking data validation b

Pydantic v2 introduced breaking API changes that require code refactoring across OpenStack charm cod

Patch files: src-test-requirements.txt
test-requirements.txt

< 2 6 charms

gnocchiclient Conflict

Different charms pin gnocchiclient to incompatible ranges (>=3.1.0,<3.2.0). Breaks unified environments.

Each charm pinned independently to different upper bounds.

Patch files: src-test-requirements.txt
src-test-requirements.txt

via 1 transitive sources

>=3.1.0,<3.2.0 2 charms

Warning (25)

zaza_openstack Git

Unpinned git dependency (master) across 98 charms. Breaking changes propagate instantly.

No branch pin — tracks latest master.

master (unpinned) branch-pinned 98 charms

zaza Git

Unpinned git dependency (master) across 97 charms. Breaking changes propagate instantly.

No branch pin — tracks latest master.

master (unpinned) branch-pinned 97 charms

flake8 Outdated

Pinned to >=2.2.4,<=2.4.1, >=2.2.4 but latest is 7.3.0. Multiple major versions behind.

Upper bound pin from older release, not updated since.

Patch files: test-requirements.txt
test-requirements.txt

via 2 transitive sources

>=2.2.4,<=2.4.1 >=2.2.4 92 charms

charms_openstack Git

Unpinned git dependency (master) across 83 charms. Breaking changes propagate instantly.

No branch pin — tracks latest master.

master (unpinned) branch-pinned 83 charms

pbr Outdated

Pinned to ==5.6.0, !=2.1.0,>=2.0.0 but latest is 7.0.3. Multiple major versions behind.

vault

Patch files: test-requirements.txt
test-requirements.txt

via 2 transitive sources

==5.6.0 !=2.1.0,>=2.0.0 76 charms

unknown Git

Unpinned git dependency (master) across 43 charms. Breaking changes propagate instantly.

No branch pin — tracks latest master.

master (unpinned) branch-pinned 43 charms

tempest Git

Unpinned git dependency (master) across 24 charms. Breaking changes propagate instantly.

No branch pin — tracks latest master.

master (unpinned) branch-pinned 24 charms

ops_openstack Git

Unpinned git dependency (master) across 22 charms. Breaking changes propagate instantly.

No branch pin — tracks latest master.

master (unpinned) branch-pinned 22 charms

charmhelpers Git

Unpinned git dependency (master) across 15 charms. Breaking changes propagate instantly.

No branch pin — tracks latest master.

master (unpinned) branch-pinned 15 charms

ops_sunbeam Git

Unpinned git dependency (master) across 9 charms. Breaking changes propagate instantly.

No branch pin — tracks latest master.

master (unpinned) branch-pinned 9 charms

python_keystoneclient Outdated

Exposes systems to multiple CVEs including authentication bypass and information disclosure. Missing 4+ years of securit

Version pinned to maintain API compatibility with OpenStack deployment model before major breaking c

Patch files: src-test-requirements.txt
src-test-requirements.txt

via 2 transitive sources

>=1.7.1,<2.0 >=1.7.1 8 charms

tempest;python_version>='3_8' Git

Unpinned git dependency (master) across 7 charms. Breaking changes propagate instantly.

No branch pin — tracks latest master.

master (unpinned) branch-pinned 7 charms

python_designateclient Outdated

Pinned to >=1.5,<2.0, >=1.5 but latest is 6.4.0. Multiple major versions behind.

Upper bound pin from older release, not updated since.

Patch files: src-test-requirements.txt
src-test-requirements.txt

via 2 transitive sources

>=1.5,<2.0 >=1.5 6 charms

python_heatclient Outdated

Pinned to >=0.8.0,<1.0, >=0.8.0 but latest is 5.1.0. Multiple major versions behind.

Upper bound pin from older release, not updated since.

Patch files: src-test-requirements.txt
src-test-requirements.txt

via 2 transitive sources

>=0.8.0,<1.0 >=0.8.0 6 charms

python_neutronclient Outdated

Pinned to >=3.1.0,<4.0, >=3.1.0 but latest is 11.8.0. Multiple major versions behind.

Upper bound pin from older release, not updated since.

Patch files: src-test-requirements.txt
src-test-requirements.txt

via 2 transitive sources

>=3.1.0,<4.0 >=3.1.0 6 charms

Info (6)

pyflakes Pinned

Exact pin ==2.1.1, ==2.4.0 prevents receiving updates. Latest: 3.4.0.

Pinned to exact version for reproducible builds.

Patch files: test-requirements.txt
test-requirements.txt

==2.1.1 ==2.4.0 3 charms

oslo_i18n Pinned

Exact pin <4.0.0, ==5.1.0 prevents receiving updates. Latest: 6.7.2.

oslo.i18n dropped py35 support

Patch files: test-requirements.txt
test-requirements.txt

<4.0.0 ==5.1.0 1 charms

charmcraft Pinned

Exact pin ==0.3.0 prevents receiving updates. Latest: 4.2.0.

Pinned to exact version for reproducible builds.

Patch files: build-requirements.txt

==0.3.0 1 charms

sphinxcontrib_spelling Pinned

Exact pin ==8.0.1 prevents receiving updates. Latest: 8.0.2.

Pinned to exact version for reproducible builds.

Patch files: requirements.txt

==8.0.1 1 charms

openstacksdk Pinned

Exact pin ==3.0.0 prevents receiving updates. Latest: 4.10.0.

Pinned to exact version for reproducible builds.

Patch files: requirements.txt
requirements.txt

==3.0.0 1 charms

ruamel_yaml Pinned

Exact pin ==0.10.12 prevents receiving updates. Latest: 0.19.1.

Pinned to exact version for reproducible builds.

Patch files: requirements.txt
requirements.txt

==0.10.12 1 charms