exporters icon indicating copy to clipboard operation
exporters copied to clipboard

Published 20 hours ago verified publisher icon scrapinghub

Bump the pip group across 1 directory with 6 updates

Open dependabot[bot] opened this issue 9 months ago • 0 comments

Bumps the pip group with 6 updates in the / directory:

Package From To
pyyaml 3.11 5.4
requests 2.5.3 2.31.0
ecdsa 0.13 0.19.0
paramiko 1.15.2 2.0.9
protobuf 3.0.0b2 3.18.3
jinja2 2.8 3.1.4

Updates pyyaml from 3.11 to 5.4

Changelog

Sourced from pyyaml's changelog.

5.4 (2021-01-19)

5.3.1 (2020-03-18)

  • yaml/pyyaml#386 -- Prevents arbitrary code execution during python/object/new constructor

5.3 (2020-01-06)

5.2 (2019-12-02)

  • Repair incompatibilities introduced with 5.1. The default Loader was changed, but several methods like add_constructor still used the old default yaml/pyyaml#279 -- A more flexible fix for custom tag constructors yaml/pyyaml#287 -- Change default loader for yaml.add_constructor yaml/pyyaml#305 -- Change default loader for add_implicit_resolver, add_path_resolver
  • Make FullLoader safer by removing python/object/apply from the default FullLoader yaml/pyyaml#347 -- Move constructor for object/apply to UnsafeConstructor
  • Fix bug introduced in 5.1 where quoting went wrong on systems with sys.maxunicode <= 0xffff yaml/pyyaml#276 -- Fix logic for quoting special characters
  • Other PRs: yaml/pyyaml#280 -- Update CHANGES for 5.1

5.1.2 (2019-07-30)

  • Re-release of 5.1 with regenerated Cython sources to build properly for Python 3.8b2+

... (truncated)

Commits
  • 58d0cb7 5.4 release
  • a60f7a1 Fix compatibility with Jython
  • ee98abd Run CI on PR base branch changes
  • ddf2033 constructor.timezone: _copy & deepcopy
  • fc914d5 Avoid repeatedly appending to yaml_implicit_resolvers
  • a001f27 Fix for CVE-2020-14343
  • fe15062 Add 3.9 to appveyor file for completeness sake
  • 1e1c7fb Add a newline character to end of pyproject.toml
  • 0b6b7d6 Start sentences and phrases for capital letters
  • c976915 Shell code improvements
  • Additional commits viewable in compare view

Updates requests from 2.5.3 to 2.31.0

Release notes

Sourced from requests's releases.

v2.31.0

2.31.0 (2023-05-22)

Security

  • Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.

    When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.

    In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.

    Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.

    Full details can be read in our Github Security Advisory and CVE-2023-32681.

v2.30.0

2.30.0 (2023-05-03)

Dependencies

v2.29.0

2.29.0 (2023-04-26)

Improvements

  • Requests now defers chunked requests to the urllib3 implementation to improve standardization. (#6226)
  • Requests relaxes header component requirements to support bytes/str subclasses. (#6356)

... (truncated)

Changelog

Sourced from requests's changelog.

2.31.0 (2023-05-22)

Security

  • Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.

    When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.

    In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.

    Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.

    Full details can be read in our Github Security Advisory and CVE-2023-32681.

2.30.0 (2023-05-03)

Dependencies

2.29.0 (2023-04-26)

Improvements

  • Requests now defers chunked requests to the urllib3 implementation to improve standardization. (#6226)
  • Requests relaxes header component requirements to support bytes/str subclasses. (#6356)

2.28.2 (2023-01-12)

... (truncated)

Commits

Updates ecdsa from 0.13 to 0.19.0

Release notes

Sourced from ecdsa's releases.

ecdsa 0.19.0

New API:

  • to_ssh in VerifyingKey and SigningKey, supports Ed25519 keys only (Pablo Mazzini)

New features:

  • Support for twisted Brainpool curves

Doc fix:

  • Fix curve equation in glossary
  • Documentation for signature encoding and signature decoding functions

Maintenance:

  • Dropped official support for 3.3 and 3.4 (because of problems running them in CI, not because it's actually incompatible; support for 2.6 and 2.7 is unaffected)
  • Fixes around hypothesis parameters
  • Officially support Python 3.11 and 3.12
  • Small updates to test suite to make it work with 3.11 and 3.12 and new releases of test dependencies
  • Dropped the internal _rwlock module as it's unused
  • Added mutation testing to CI, lots of speed-ups to the test suite to make it happen
  • Removal of unnecessary six.b literals (Alexandre Detiste)

Deprecations:

  • int_to_string, string_to_int, and digest_integer from ecdsa.ecdsa module are now considered deprecated, they will be removed in a future release

ecdsa 0.18.0

New features:

  • Support for EdDSA (Ed25519, Ed448) signature creation and verification.
  • Support for Ed25519 and Ed448 in PKCS#8 and public key files.
  • Support for point precomputation for EdDSA.

New API:

  • CurveEdTw class to represent the Twisted Edwards curve parameters.
  • PointEdwards class to represent points on Twisted Edwards curve and provide point arithmetic on it.
  • curve_by_name in curves module to get a Curve object by providing curve name.

Bug fix:

... (truncated)

Changelog

Sourced from ecdsa's changelog.

  • Release 0.19.0 (08 Apr 2024)

New API:

  • to_ssh in VerifyingKey and SigningKey, supports Ed25519 keys only (Pablo Mazzini)

New features:

  • Support for twisted Brainpool curves

Doc fix:

  • Fix curve equation in glossary
  • Documentation for signature encoding and signature decoding functions

Maintenance:

  • Dropped official support for 3.3 and 3.4 (because of problems running them in CI, not because it's actually incompatible; support for 2.6 and 2.7 is unaffected)
  • Fixes aroung hypothesis parameters
  • Officially support Python 3.11 and 3.12
  • Small updates to test suite to make it work with 3.11 and 3.12 and new releases of test dependencies
  • Dropped the internal _rwlock module as it's unused
  • Added mutation testing to CI, lots of speed-ups to the test suite to make it happen
  • Removal of unnecessary six.b literals (Alexandre Detiste)

Deprecations:

  • int_to_string, string_to_int, and digest_integer from ecdsa.ecdsa module are now considered deprecated, they will be removed in a future release

  • Release 0.18.0 (09 Jul 2022)

New API:

  • curve_by_name in curves module to get a Curve object by providing curve name.

Bug fix:

  • Make the VerifyingKey encoded with explicit parameters use the same kind of point encoding for public key and curve generator.
  • Better handling of malformed curve parameters (as in CVE-2022-0778); make python-ecdsa raise MalformedPointError instead of AssertionError.

Doc fix:

  • Publish the documentation on https://ecdsa.readthedocs.io/, include explanation of basics of handling of ECC data formats and how to use the library for elliptic curve arithmetic.
  • Make object names more consistent, make them into hyperlinks on the readthedocs documentation.
  • Make security note more explicit (Ian Rodney)

... (truncated)

Commits
  • be70016 Merge pull request #337 from tlsfuzzer/release-0.19
  • 217735b allow early exit from worker processes when running mutation testing
  • 6e7adff don't check rate if no tests executed
  • c56030e make coveralls submission work with py2.6 again
  • 66d0d74 add release notes for 0.19.0 release
  • 0d5a38c Merge pull request #156 from tomato42/cosmic-ray
  • 02c8350 be more permissive for the PR mutation test coverage
  • 4845e8f better is_prime()
  • 09f0d10 add hard timeout for test mutation test suite
  • e16173b two digit precision for the mutation score badge
  • Additional commits viewable in compare view

Updates paramiko from 1.15.2 to 2.0.9

Commits
  • f83156a Cut 2.0.9
  • 81ba2ac Almost left the 1.17+ marker in the changelog.
  • a5ce12d Fix a Python 2.6 oops
  • e6f9842 Formatting
  • 56c96a6 Fix and changelog re #1283
  • 852176d Fix a pseudo-bug re: responding to MSG_UNIMPLEMENTED w/ itself
  • 0b2e154 Merge branch 'crypto-1.5-agnostisicm' into 2.0
  • 238a862 Missing verbose/color for 2.6/3.3 backported pytest setup
  • 35b1f57 Backport support for newer cryptography sign/verify APIs.
  • 40fde0e Try testing against different cryptography.io versions
  • Additional commits viewable in compare view

Updates protobuf from 3.0.0b2 to 3.18.3

Release notes

Sourced from protobuf's releases.

Protocol Buffers v3.18.3

C++

Protocol Buffers v3.18.2

Java

  • Improve performance characteristics of UnknownFieldSet parsing (#9371)

Protocol Buffers v3.18.1

Python

  • Update setup.py to reflect that we now require at least Python 3.5 (#8989)
  • Performance fix for DynamicMessage: force GetRaw() to be inlined (#9023)

Ruby

  • Update ruby_generator.cc to allow proto2 imports in proto3 (#9003)

Protocol Buffers v3.18.0

C++

  • Fix warnings raised by clang 11 (#8664)
  • Make StringPiece constructible from std::string_view (#8707)
  • Add missing capability attributes for LLVM 12 (#8714)
  • Stop using std::iterator (deprecated in C++17). (#8741)
  • Move field_access_listener from libprotobuf-lite to libprotobuf (#8775)
  • Fix #7047 Safely handle setlocale (#8735)
  • Remove deprecated version of SetTotalBytesLimit() (#8794)
  • Support arena allocation of google::protobuf::AnyMetadata (#8758)
  • Fix undefined symbol error around SharedCtor() (#8827)
  • Fix default value of enum(int) in json_util with proto2 (#8835)
  • Better Smaller ByteSizeLong
  • Introduce event filters for inject_field_listener_events
  • Reduce memory usage of DescriptorPool
  • For lazy fields copy serialized form when allowed.
  • Re-introduce the InlinedStringField class
  • v2 access listener
  • Reduce padding in the proto's ExtensionRegistry map.
  • GetExtension performance optimizations
  • Make tracker a static variable rather than call static functions
  • Support extensions in field access listener
  • Annotate MergeFrom for field access listener
  • Fix incomplete types for field access listener
  • Add map_entry/new_map_entry to SpecificField in MessageDifferencer. They record the map items which are different in MessageDifferencer's reporter.
  • Reduce binary size due to fieldless proto messages
  • TextFormat: ParseInfoTree supports getting field end location in addition to start.
  • Fix repeated enum extension size in field listener
  • Enable Any Text Expansion for Descriptors::DebugString()
  • Switch from int{8,16,32,64} to int{8,16,32,64}_t

... (truncated)

Commits

Updates jinja2 from 2.8 to 3.1.4

Release notes

Sourced from jinja2's releases.

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

  • The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

3.1.3

This is a fix release for the 3.1.x feature branch.

3.1.2

This is a fix release for the 3.1.0 feature release.

3.1.1

3.1.0

This is a feature release, which includes new features and removes previously deprecated features. The 3.1.x branch is now the supported bugfix branch, the 3.0.x branch has become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. We also encourage upgrading to MarkupSafe 2.1.1, the latest version at this time.

3.0.3

3.0.2

3.0.1

3.0.0

New major versions of all the core Pallets libraries, including Jinja 3.0, have been released! :tada:

This represents a significant amount of work, and there are quite a few changes. Be sure to carefully read the changelog, and use tools such as pip-compile and Dependabot to pin your dependencies and control your updates.

... (truncated)

Changelog

Sourced from jinja2's changelog.

Version 3.1.4

Released 2024-05-05

  • The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. :ghsa:h75v-3vvj-5mfj

Version 3.1.3

Released 2024-01-10

  • Fix compiler error when checking if required blocks in parent templates are empty. :pr:1858
  • xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
  • Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. :pr:1918

Version 3.1.2

Released 2022-04-28

  • Add parameters to Environment.overlay to match __init__. :issue:1645
  • Handle race condition in FileSystemBytecodeCache. :issue:1654

Version 3.1.1

Released 2022-03-25

  • The template filename on Windows uses the primary path separator. :issue:1637

Version 3.1.0

Released 2022-03-24

  • Drop support for Python 3.6. :pr:1534
  • Remove previously deprecated code. :pr:1544

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the Security Alerts page.

dependabot[bot] avatar May 06 '24 17:05 dependabot[bot]