Bump the pip group across 3 directories with 3 updates

Open dependabot[bot] opened this issue 1 month ago • 2 comments

Bumps the pip group with 1 update in the /insecure-api directory: requests. Bumps the pip group with 3 updates in the /insecure-app directory: requests, cryptography and werkzeug. Bumps the pip group with 1 update in the /insecure-ai directory: werkzeug.

Updates requests from 2.32.3 to 2.32.4

Release notes

Sourced from requests's releases.

v2.32.4

2.32.4 (2025-06-10)

Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS. (#6926)

Dropped support for pypy 3.9 following its end of support. (#6926)

Changelog

Sourced from requests's changelog.

2.32.4 (2025-06-10)

Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS.

Dropped support for pypy 3.9 following its end of support.

Commits

021dc72 Polish up release tooling for last manual release
821770e Bump version and add release notes for v2.32.4
59f8aa2 Add netrc file search information to authentication documentation (#6876)
5b4b64c Add more tests to prevent regression of CVE 2024 47081
7bc4587 Add new test to check netrc auth leak (#6962)
96ba401 Only use hostname to do netrc lookup instead of netloc
7341690 Merge pull request #6951 from tswast/patch-1
6716d7c remove links
a7e1c74 Update docs/conf.py
c799b81 docs: fix dead links to kenreitz.org
Additional commits viewable in compare view

Updates requests from 2.19.1 to 2.32.4

Release notes

Sourced from requests's releases.

v2.32.4

2.32.4 (2025-06-10)

Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS. (#6926)

Dropped support for pypy 3.9 following its end of support. (#6926)

Changelog

Sourced from requests's changelog.

2.32.4 (2025-06-10)

Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS.

Dropped support for pypy 3.9 following its end of support.

Commits

021dc72 Polish up release tooling for last manual release
821770e Bump version and add release notes for v2.32.4
59f8aa2 Add netrc file search information to authentication documentation (#6876)
5b4b64c Add more tests to prevent regression of CVE 2024 47081
7bc4587 Add new test to check netrc auth leak (#6962)
96ba401 Only use hostname to do netrc lookup instead of netloc
7341690 Merge pull request #6951 from tswast/patch-1
6716d7c remove links
a7e1c74 Update docs/conf.py
c799b81 docs: fix dead links to kenreitz.org
Additional commits viewable in compare view

Updates cryptography from 3.3.2 to 44.0.1

Changelog

Sourced from cryptography's changelog.

44.0.1 - 2025-02-11
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.1.
* We now build ``armv7l`` ``manylinux`` wheels and publish them to PyPI.
* We now build ``manylinux_2_34`` wheels and publish them to PyPI.
.. _v44-0-0:
44.0.0 - 2024-11-27
BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.9.

Deprecated Python 3.7 support. Python 3.7 is no longer supported by the Python core team. Support for Python 3.7 will be removed in a future cryptography release.

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.0.

macOS wheels are now built against the macOS 10.13 SDK. Users on older versions of macOS should upgrade, or they will need to build cryptography themselves.

Enforce the :rfc:5280 requirement that extended key usage extensions must not be empty.

Added support for timestamp extraction to the :class:~cryptography.fernet.MultiFernet class.

Relax the Authority Key Identifier requirements on root CA certificates during X.509 verification to allow fields permitted by :rfc:5280 but forbidden by the CA/Browser BRs.

Added support for :class:~cryptography.hazmat.primitives.kdf.argon2.Argon2id when using OpenSSL 3.2.0+.

Added support for the :class:~cryptography.x509.Admissions certificate extension.

Added basic support for PKCS7 decryption (including S/MIME 3.2) via :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der, :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem, and :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime.

.. _v43-0-3:

43.0.3 - 2024-10-18
* Fixed release metadata for ``cryptography-vectors``
.. _v43-0-2:
43.0.2 - 2024-10-18
Fixed compilation when using LibreSSL 4.0.0.

.. _v43-0-1:

... (truncated)

Commits

adaaaed Bump for 44.0.1 release (#12441)
ccc61da [backport] test and build on armv7l (#12420) (#12431)
f299a48 remove deprecated call (#12052)
439eb05 Bump version for 44.0.0 (#12051)
2c5ad4d chore(deps): bump maturin from 1.7.4 to 1.7.5 in /.github/requirements (#12050)
d23968a chore(deps): bump libc from 0.2.165 to 0.2.166 (#12049)
133c0e0 Bump x509-limbo and/or wycheproof in CI (#12047)
f2259d7 Bump BoringSSL and/or OpenSSL in CI (#12046)
e201c87 fixed metadata in changelog (#12044)
c6104cc Prohibit Python 3.9.0, 3.9.1 -- they have a bug that causes errors (#12045)
Additional commits viewable in compare view

Updates werkzeug from 3.0.1 to 3.0.6

Release notes

Sourced from werkzeug's releases.

3.0.6

This is the Werkzeug 3.0.6 security fix release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.6/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-0-6

Fix how max_form_memory_size is applied when parsing large non-file fields. GHSA-q34m-jh98-gwm2

safe_join catches certain paths on Windows that were not caught by ntpath.isabs on Python < 3.11. GHSA-f9vj-2wh5-fj8j

3.0.5

This is the Werkzeug 3.0.5 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.5/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-0-5 Milestone: https://github.com/pallets/werkzeug/milestone/37?closed=1

The Watchdog reloader ignores file closed no write events. #2945

Logging works with client addresses containing an IPv6 scope. #2952

Ignore invalid authorization parameters. #2955

Improve type annotation fore SharedDataMiddleware. #2958

Compatibility with Python 3.13 when generating debugger pin and the current UID does not have an associated name. #2957

3.0.4

This is the Werkzeug 3.0.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.4/ Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-4 Milestone: https://github.com/pallets/werkzeug/milestone/36?closed=1

Restore behavior where parsing multipart/x-www-form-urlencoded data with invalid UTF-8 bytes in the body results in no form data parsed rather than a 413 error. #2930

Improve parse_options_header performance when parsing unterminated quoted string values. #2904

Debugger pin auth is synchronized across threads/processes when tracking failed entries. #2916

Dev server handles unexpected SSLEOFError due to issue in Python < 3.13. #2926

Debugger pin auth works when the URL already contains a query string. #2918

3.0.3

This is the Werkzeug 3.0.3 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.3/ Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-3 Milestone: https://github.com/pallets/werkzeug/milestone/35?closed=1

Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. GHSA-2g68-c3qc-8985

Make reloader more robust when "" is in sys.path. #2823

... (truncated)

Changelog

Sourced from werkzeug's changelog.

Version 3.0.6

Released 2024-10-25

Fix how max_form_memory_size is applied when parsing large non-file fields. :ghsa:q34m-jh98-gwm2

safe_join catches certain paths on Windows that were not caught by ntpath.isabs on Python < 3.11. :ghsa:f9vj-2wh5-fj8j

Version 3.0.5

Released 2024-10-24

The Watchdog reloader ignores file closed no write events. :issue:2945

Logging works with client addresses containing an IPv6 scope :issue:2952

Ignore invalid authorization parameters. :issue:2955

Improve type annotation fore SharedDataMiddleware. :issue:2958

Compatibility with Python 3.13 when generating debugger pin and the current UID does not have an associated name. :issue:2957

Version 3.0.4

Released 2024-08-21

Restore behavior where parsing multipart/x-www-form-urlencoded data with invalid UTF-8 bytes in the body results in no form data parsed rather than a 413 error. :issue:2930

Improve parse_options_header performance when parsing unterminated quoted string values. :issue:2904

Debugger pin auth is synchronized across threads/processes when tracking failed entries. :issue:2916

Dev server handles unexpected SSLEOFError due to issue in Python < 3.13. :issue:2926

Debugger pin auth works when the URL already contains a query string. :issue:2918

Version 3.0.3

Released 2024-05-05

Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger

... (truncated)

Commits

5eaefc3 release version 3.0.6
2767bcb Merge commit from fork
87cc78a catch special absolute path on Windows Python < 3.11
50cfeeb Merge commit from fork
8760275 apply max_form_memory_size another level up in the parser
8d6a12e start version 3.0.6
a7b121a release version 3.0.5 (#2961)
9caf72a release version 3.0.5
e28a245 catch OSError from getpass.getuser (#2960)
e6b4cce catch OSError from getpass.getuser
Additional commits viewable in compare view

Updates werkzeug from 3.0.1 to 3.0.6

Release notes

Sourced from werkzeug's releases.

3.0.6

This is the Werkzeug 3.0.6 security fix release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.6/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-0-6

Fix how max_form_memory_size is applied when parsing large non-file fields. GHSA-q34m-jh98-gwm2

safe_join catches certain paths on Windows that were not caught by ntpath.isabs on Python < 3.11. GHSA-f9vj-2wh5-fj8j

3.0.5

This is the Werkzeug 3.0.5 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.5/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-0-5 Milestone: https://github.com/pallets/werkzeug/milestone/37?closed=1

The Watchdog reloader ignores file closed no write events. #2945

Logging works with client addresses containing an IPv6 scope. #2952

Ignore invalid authorization parameters. #2955

Improve type annotation fore SharedDataMiddleware. #2958

Compatibility with Python 3.13 when generating debugger pin and the current UID does not have an associated name. #2957

3.0.4

This is the Werkzeug 3.0.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.4/ Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-4 Milestone: https://github.com/pallets/werkzeug/milestone/36?closed=1

Restore behavior where parsing multipart/x-www-form-urlencoded data with invalid UTF-8 bytes in the body results in no form data parsed rather than a 413 error. #2930

Improve parse_options_header performance when parsing unterminated quoted string values. #2904

Debugger pin auth is synchronized across threads/processes when tracking failed entries. #2916

Dev server handles unexpected SSLEOFError due to issue in Python < 3.13. #2926

Debugger pin auth works when the URL already contains a query string. #2918

3.0.3

This is the Werkzeug 3.0.3 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.3/ Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-3 Milestone: https://github.com/pallets/werkzeug/milestone/35?closed=1

Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. GHSA-2g68-c3qc-8985

Make reloader more robust when "" is in sys.path. #2823

... (truncated)

Changelog

Sourced from werkzeug's changelog.

Version 3.0.6

Released 2024-10-25

Fix how max_form_memory_size is applied when parsing large non-file fields. :ghsa:q34m-jh98-gwm2

safe_join catches certain paths on Windows that were not caught by ntpath.isabs on Python < 3.11. :ghsa:f9vj-2wh5-fj8j

Version 3.0.5

Released 2024-10-24

The Watchdog reloader ignores file closed no write events. :issue:2945

Logging works with client addresses containing an IPv6 scope :issue:2952

Ignore invalid authorization parameters. :issue:2955

Improve type annotation fore SharedDataMiddleware. :issue:2958

Compatibility with Python 3.13 when generating debugger pin and the current UID does not have an associated name. :issue:2957

Version 3.0.4

Released 2024-08-21

Restore behavior where parsing multipart/x-www-form-urlencoded data with invalid UTF-8 bytes in the body results in no form data parsed rather than a 413 error. :issue:2930

Improve parse_options_header performance when parsing unterminated quoted string values. :issue:2904

Debugger pin auth is synchronized across threads/processes when tracking failed entries. :issue:2916

Dev server handles unexpected SSLEOFError due to issue in Python < 3.13. :issue:2926

Debugger pin auth works when the URL already contains a query string. :issue:2918

Version 3.0.3

Released 2024-05-05

Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger

... (truncated)

Commits

5eaefc3 release version 3.0.6
2767bcb Merge commit from fork
87cc78a catch special absolute path on Windows Python < 3.11
50cfeeb Merge commit from fork
8760275 apply max_form_memory_size another level up in the parser
8d6a12e start version 3.0.6
a7b121a release version 3.0.5 (#2961)
9caf72a release version 3.0.5
e28a245 catch OSError from getpass.getuser (#2960)
e6b4cce catch OSError from getpass.getuser
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the Security Alerts page.