Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump the pip group across 1 directories with 7 updates #44

Closed

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github Feb 21, 2024

Bumps the pip group with 6 updates in the /. directory:

Package From To
jupyterlab 4.0.10 4.0.11
aiohttp 3.9.1 3.9.2
cryptography 41.0.7 42.0.4
fastapi 0.108.0 0.109.1
jinja2 3.1.2 3.1.3
jupyter-lsp 2.2.1 2.2.2

Updates jupyterlab from 4.0.10 to 4.0.11

Release notes

Sourced from jupyterlab's releases.

v4.0.11

4.0.11

(Full Changelog)

Security fixes

Bugs fixed

Documentation improvements

Contributors to this release

(GitHub contributors page for this release)

@​brichet | @​fcollonval | @​github-actions | @​jtpio | @​jupyterlab-probot | @​krassowski | @​meeseeksmachine | @​misterfads | @​welcome

Changelog

Sourced from jupyterlab's changelog.

4.0.11

Commits

Updates aiohttp from 3.9.1 to 3.9.2

Release notes

Sourced from aiohttp's releases.

3.9.2

Bug fixes

  • Fixed server-side websocket connection leak.

    Related issues and pull requests on GitHub: #7978.

  • Fixed web.FileResponse doing blocking I/O in the event loop.

    Related issues and pull requests on GitHub: #8012.

  • Fixed double compress when compression enabled and compressed file exists in server file responses.

    Related issues and pull requests on GitHub: #8014.

  • Added runtime type check for ClientSession timeout parameter.

    Related issues and pull requests on GitHub: #8021.

  • Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

    Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected. Invalid header field names containing question mark or slash are now rejected. Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

    Related issues and pull requests on GitHub: #8074.

  • Improved validation of paths for static resources requests to the server -- by :user:bdraco.

... (truncated)

Changelog

Sourced from aiohttp's changelog.

3.9.2 (2024-01-28)

Bug fixes

  • Fixed server-side websocket connection leak.

    Related issues and pull requests on GitHub: :issue:7978.

  • Fixed web.FileResponse doing blocking I/O in the event loop.

    Related issues and pull requests on GitHub: :issue:8012.

  • Fixed double compress when compression enabled and compressed file exists in server file responses.

    Related issues and pull requests on GitHub: :issue:8014.

  • Added runtime type check for ClientSession timeout parameter.

    Related issues and pull requests on GitHub: :issue:8021.

  • Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

    Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected. Invalid header field names containing question mark or slash are now rejected. Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

    Related issues and pull requests on GitHub: :issue:8074.

... (truncated)

Commits
  • 24a6d64 Release v3.9.2 (#8082)
  • 9118a58 [PR #8079/1c335944 backport][3.9] Validate static paths (#8080)
  • 435ad46 [PR #3955/8960063e backport][3.9] Replace all tmpdir fixtures with tmp_path (...
  • d33bc21 Improve validation in HTTP parser (#8074) (#8078)
  • 0d945d1 [PR #7916/822fbc74 backport][3.9] Add more information to contributing page (...
  • 3ec4fa1 [PR #8069/69bbe874 backport][3.9] 📝 Only show changelog draft for non-release...
  • 419d715 [PR #8066/cba34699 backport][3.9] 💅📝 Restructure the changelog for clarity (#...
  • a54dab3 [PR #8049/a379e634 backport][3.9] Set cause for ClientPayloadError (#8050)
  • 437ac47 [PR #7995/43a5bc50 backport][3.9] Fix examples of fallback_charset_resolver...
  • 034e5e3 [PR #8042/4b91b530 backport][3.9] Tightening the runtime type check for ssl (...
  • Additional commits viewable in compare view

Updates cryptography from 41.0.7 to 42.0.4

Changelog

Sourced from cryptography's changelog.

42.0.4 - 2024-02-20


* Fixed a null-pointer-dereference and segfault that could occur when creating
  a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
  issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
  and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
  definitions in :rfc:`2633` :rfc:`3370`.

.. _v42-0-3:

42.0.3 - 2024-02-15

  • Fixed an initialization issue that caused key loading failures for some users.

.. _v42-0-2:

42.0.2 - 2024-01-30


* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
  ``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
  ``X25519PrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
  ``X448PrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
  and ``DHPrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.

.. _v42-0-1:

42.0.1 - 2024-01-24

  • Fixed an issue with incorrect keyword-argument naming with EllipticCurvePrivateKey :meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign.
  • Resolved compatibility issue with loading certain RSA public keys in :func:~cryptography.hazmat.primitives.serialization.load_pem_public_key.

.. _v42-0-0:

42.0.0 - 2024-01-22


</tr></table> 

... (truncated)

Commits

Updates fastapi from 0.108.0 to 0.109.1

Release notes

Sourced from fastapi's releases.

0.109.1

Security fixes

  • ⬆️ Upgrade minimum version of python-multipart to >=0.0.7 to fix a vulnerability when using form data with a ReDos attack. You can also simply upgrade python-multipart.

Read more in the advisory: Content-Type Header ReDoS.

Features

Refactors

  • ✅ Refactor tests for duplicate operation ID generation for compatibility with other tools running the FastAPI test suite. PR #10876 by @​emmettbutler.
  • ♻️ Simplify string format with f-strings in fastapi/utils.py. PR #10576 by @​eukub.
  • 🔧 Fix Ruff configuration unintentionally enabling and re-disabling mccabe complexity check. PR #10893 by @​jiridanek.
  • ✅ Re-enable test in tests/test_tutorial/test_header_params/test_tutorial003.py after fix in Starlette. PR #10904 by @​ooknimm.

Docs

Translations

  • 🌐 Add Spanish translation for docs/es/docs/external-links.md. PR #10933 by @​pablocm83.
  • 🌐 Update Korean translation for docs/ko/docs/tutorial/first-steps.md, docs/ko/docs/tutorial/index.md, docs/ko/docs/tutorial/path-params.md, and docs/ko/docs/tutorial/query-params.md. PR #4218 by @​SnowSuno.

... (truncated)

Commits

Updates jinja2 from 3.1.2 to 3.1.3

Release notes

Sourced from jinja2's releases.

3.1.3

This is a fix release for the 3.1.x feature branch.

Changelog

Sourced from jinja2's changelog.

Version 3.1.3

Released 2024-01-10

  • Fix compiler error when checking if required blocks in parent templates are empty. :pr:1858
  • xmlattr filter does not allow keys with spaces. GHSA-h5c8-rqwp-cp95
  • Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. :pr:1918
Commits

Updates jupyter-lsp from 2.2.1 to 2.2.2

Changelog

Sourced from jupyter-lsp's changelog.

jupyter-lsp 2.2.2

  • bug fixes:
    • address warning about renamed extension_points (#1035)
    • fix compatibility with jupyter server 1.x
    • fix an authentication-related security vulnerability (see the advisory for details)
  • enhancements:
    • add authorization support (lsp resource, jupyter-server v2+ only) - this allows server operators for fine grained access control, e.g. in case if specific users (such as guest or read-only users) should not be allowed to access LSP; this is in addition to authentication fixes

@jupyter-lsp/jupyterlab-lsp 5.0.1

  • bug fixes:
    • fix false “undefined name” in %%time and %%capture magics #1007 (thanks @​i-aki-y!)
    • fix completion items for paths and other long items being cut off #1025
    • workaround issue with markdown lost on edit #1016
    • fix latex/Greek letters insertion and other completions which do not match prefix (do not pre-filter completions from kernel) #1022
    • fix completions in Console #1023
    • fix customising priority after pre-setting it with overrides.json #1027
    • fix jump to definitions in a file inside root in Pyright on Windows #1024
    • fix typos in setting title and help message #999 and #1010
  • maintenance:
    • fix bootstrap script #1021
    • bump axios from 1.2.1 to 1.6.2 #1019
    • bump @​babel/traverse from 7.22.5 to 7.23.4 #1020
Commits

Updates starlette from 0.32.0.post1 to 0.35.1

Release notes

Sourced from starlette's releases.

Version 0.35.1

Fixed

  • Stop using the deprecated "method" parameter in FileResponse inside of StaticFiles #2406.
  • Make typing-extensions optional again #2409.

Full Changelog: encode/starlette@0.35.0...0.35.1

Version 0.35.0

Added

  • Add *args to Middleware and improve its type hints #2381.

Fixed

  • Use Iterable instead Iterator on iterate_in_threadpool #2362.

Changes

  • Handle root_path to keep compatibility with mounted ASGI applications and WSGI #2400.
  • Turn scope["client"] to None on TestClient #2377.

Full Changelog: encode/starlette@0.34.0...0.35.0

Version 0.34.0

Added

  • Use ParamSpec for run_in_threadpool #2375.
  • Add UploadFile.__repr__ #2360.

Fixed

  • Merge URLs properly on TestClient #2376.
  • Take weak ETags in consideration on StaticFiles #2334.

Deprecated

  • Deprecate FileResponse(method=...) parameter #2366.

Full Changelog: encode/starlette@0.33.0...0.34.0

Version 0.33.0

Added

... (truncated)

Changelog

Sourced from starlette's changelog.

0.35.1

January 11, 2024

Fixed

  • Stop using the deprecated "method" parameter in FileResponse inside of StaticFiles #2406.
  • Make typing-extensions optional again #2409.

0.35.0

January 11, 2024

Added

  • Add *args to Middleware and improve its type hints #2381.

Fixed

  • Use Iterable instead Iterator on iterate_in_threadpool #2362.

Changes

  • Handle root_path to keep compatibility with mounted ASGI applications and WSGI #2400.
  • Turn scope["client"] to None on TestClient #2377.

0.34.0

December 16, 2023

Added

  • Use ParamSpec for run_in_threadpool #2375.
  • Add UploadFile.__repr__ #2360.

Fixed

  • Merge URLs properly on TestClient #2376.
  • Take weak ETags in consideration on StaticFiles #2334.

Deprecated

  • Deprecate FileResponse(method=...) parameter #2366.

0.33.0

December 1, 2023

Added

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the pip group with 6 updates in the /. directory:

| Package | From | To |
| --- | --- | --- |
| [jupyterlab](https://github.com/jupyterlab/jupyterlab) | `4.0.10` | `4.0.11` |
| [aiohttp](https://github.com/aio-libs/aiohttp) | `3.9.1` | `3.9.2` |
| [cryptography](https://github.com/pyca/cryptography) | `41.0.7` | `42.0.4` |
| [fastapi](https://github.com/tiangolo/fastapi) | `0.108.0` | `0.109.1` |
| [jinja2](https://github.com/pallets/jinja) | `3.1.2` | `3.1.3` |
| [jupyter-lsp](https://github.com/jupyter-lsp/jupyterlab-lsp) | `2.2.1` | `2.2.2` |


Updates `jupyterlab` from 4.0.10 to 4.0.11
- [Release notes](https://github.com/jupyterlab/jupyterlab/releases)
- [Changelog](https://github.com/jupyterlab/jupyterlab/blob/@jupyterlab/[email protected]/CHANGELOG.md)
- [Commits](https://github.com/jupyterlab/jupyterlab/compare/@jupyterlab/[email protected]...@jupyterlab/[email protected])

Updates `aiohttp` from 3.9.1 to 3.9.2
- [Release notes](https://github.com/aio-libs/aiohttp/releases)
- [Changelog](https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst)
- [Commits](aio-libs/aiohttp@v3.9.1...v3.9.2)

Updates `cryptography` from 41.0.7 to 42.0.4
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@41.0.7...42.0.4)

Updates `fastapi` from 0.108.0 to 0.109.1
- [Release notes](https://github.com/tiangolo/fastapi/releases)
- [Commits](fastapi/fastapi@0.108.0...0.109.1)

Updates `jinja2` from 3.1.2 to 3.1.3
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](pallets/jinja@3.1.2...3.1.3)

Updates `jupyter-lsp` from 2.2.1 to 2.2.2
- [Release notes](https://github.com/jupyter-lsp/jupyterlab-lsp/releases)
- [Changelog](https://github.com/jupyter-lsp/jupyterlab-lsp/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jupyter-lsp/jupyterlab-lsp/commits)

Updates `starlette` from 0.32.0.post1 to 0.35.1
- [Release notes](https://github.com/encode/starlette/releases)
- [Changelog](https://github.com/encode/starlette/blob/master/docs/release-notes.md)
- [Commits](encode/starlette@0.32.0.post1...0.35.1)

---
updated-dependencies:
- dependency-name: jupyterlab
  dependency-type: direct:development
  dependency-group: pip-security-group
- dependency-name: aiohttp
  dependency-type: indirect
  dependency-group: pip-security-group
- dependency-name: cryptography
  dependency-type: indirect
  dependency-group: pip-security-group
- dependency-name: fastapi
  dependency-type: indirect
  dependency-group: pip-security-group
- dependency-name: jinja2
  dependency-type: indirect
  dependency-group: pip-security-group
- dependency-name: jupyter-lsp
  dependency-type: indirect
  dependency-group: pip-security-group
- dependency-name: starlette
  dependency-type: indirect
  dependency-group: pip-security-group
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Feb 21, 2024
Copy link
Author

dependabot bot commented on behalf of github Feb 26, 2024

Superseded by #45.

@dependabot dependabot bot closed this Feb 26, 2024
@dependabot dependabot bot deleted the dependabot/pip/pip-security-group-5c06435876 branch February 26, 2024 22:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants