Bump the pip group across 1 directories with 8 updates

[dependabot]

Bumps the pip group with 7 updates in the / directory:

Package	From	To
jupyterlab	4.0.10	4.0.11
aiohttp	3.9.1	3.9.2
cryptography	41.0.7	42.0.4
fastapi	0.108.0	0.109.1
jinja2	3.1.2	3.1.3
jupyter-lsp	2.2.1	2.2.2
orjson	3.9.10	3.9.15

Updates jupyterlab from 4.0.10 to 4.0.11

Release notes

Sourced from jupyterlab's releases.

v4.0.11

4.0.11

(Full Changelog)

Security fixes

• Potential authentication and CSRF tokens leak in JupyterLab (GHSA-44cc-43rp-5947)
• SXSS in Markdown Preview (GHSA-4m77-cmpx-vjc4)

Bugs fixed

• Fixes focus indicator on input checkbox for Firefox #15612 (@​alden-ilao)

Documentation improvements

• Fix link to yarn docs in extension migration guide #15640 (@​krassowski)

Contributors to this release

(GitHub contributors page for this release)

@​brichet | @​fcollonval | @​github-actions | @​jtpio | @​jupyterlab-probot | @​krassowski | @​meeseeksmachine | @​misterfads | @​welcome

Changelog

Sourced from jupyterlab's changelog.

4.0.11

Commits

• 882dd81 [ci skip] Publish 4.0.11
• 1ef7a4f Merge pull request from GHSA-44cc-43rp-5947
• 0a75101 Fix CI: lint
• dda0033 Merge pull request from GHSA-4m77-cmpx-vjc4
• 0708330 Backport PR #15612: Fixes focus indicator on input checkbox for Firefox (#15653)
• edb23eb Backport PR #15640: Fix link to yarn docs in extension migration guide (#15644)
• See full diff in compare view

Updates aiohttp from 3.9.1 to 3.9.2

Release notes

Sourced from aiohttp's releases.

3.9.2

Bug fixes

• Fixed server-side websocket connection leak.

  Related issues and pull requests on GitHub: #7978.

• Fixed web.FileResponse doing blocking I/O in the event loop.

  Related issues and pull requests on GitHub: #8012.

• Fixed double compress when compression enabled and compressed file exists in server file responses.

  Related issues and pull requests on GitHub: #8014.

• Added runtime type check for ClientSession timeout parameter.

  Related issues and pull requests on GitHub: #8021.

• Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

  Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected. Invalid header field names containing question mark or slash are now rejected. Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

  Related issues and pull requests on GitHub: #8074.

• Improved validation of paths for static resources requests to the server -- by :user:bdraco.

... (truncated)

Changelog

Sourced from aiohttp's changelog.

3.9.2 (2024-01-28)

Bug fixes

• Fixed server-side websocket connection leak.

  Related issues and pull requests on GitHub: :issue:7978.

• Fixed web.FileResponse doing blocking I/O in the event loop.

  Related issues and pull requests on GitHub: :issue:8012.

• Fixed double compress when compression enabled and compressed file exists in server file responses.

  Related issues and pull requests on GitHub: :issue:8014.

• Added runtime type check for ClientSession timeout parameter.

  Related issues and pull requests on GitHub: :issue:8021.

• Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

  Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected. Invalid header field names containing question mark or slash are now rejected. Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

  Related issues and pull requests on GitHub: :issue:8074.

... (truncated)

Commits

• 24a6d64 Release v3.9.2 (#8082)
• 9118a58 [PR #8079/1c335944 backport][3.9] Validate static paths (#8080)
• 435ad46 [PR #3955/8960063e backport][3.9] Replace all tmpdir fixtures with tmp_path (...
• d33bc21 Improve validation in HTTP parser (#8074) (#8078)
• 0d945d1 [PR #7916/822fbc74 backport][3.9] Add more information to contributing page (...
• 3ec4fa1 [PR #8069/69bbe874 backport][3.9] 📝 Only show changelog draft for non-release...
• 419d715 [PR #8066/cba34699 backport][3.9] 💅📝 Restructure the changelog for clarity (#...
• a54dab3 [PR #8049/a379e634 backport][3.9] Set cause for ClientPayloadError (#8050)
• 437ac47 [PR #7995/43a5bc50 backport][3.9] Fix examples of fallback_charset_resolver...
• 034e5e3 [PR #8042/4b91b530 backport][3.9] Tightening the runtime type check for ssl (...
• Additional commits viewable in compare view

Updates cryptography from 41.0.7 to 42.0.4

Changelog

Sourced from cryptography's changelog.

42.0.4 - 2024-02-20

* Fixed a null-pointer-dereference and segfault that could occur when creating
  a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
  issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
  and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
  definitions in :rfc:`2633` :rfc:`3370`.
.. _v42-0-3:
42.0.3 - 2024-02-15

• Fixed an initialization issue that caused key loading failures for some users.

.. _v42-0-2:

42.0.2 - 2024-01-30

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
  ``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
  ``X25519PrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
  ``X448PrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
  and ``DHPrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.
.. _v42-0-1:
42.0.1 - 2024-01-24

• Fixed an issue with incorrect keyword-argument naming with EllipticCurvePrivateKey :meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign.
• Resolved compatibility issue with loading certain RSA public keys in :func:~cryptography.hazmat.primitives.serialization.load_pem_public_key.

.. _v42-0-0:

42.0.0 - 2024-01-22

</tr></table> 

... (truncated)

Commits

• fe18470 Bump for 42.0.4 release (#10445)
• aaa2dd0 Fix ASN.1 issues in PKCS#7 and S/MIME signing (#10373) (#10442)
• 7a4d012 Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#10423) ...
• df314bb backport actions m1 switch to 42.0.x (#10415)
• c49a7a5 changelog and version bump for 42.0.3 (#10396)
• 396bcf6 fix provider loading take two (#10390) (#10395)
• 0e0e46f backport: initialize openssl's legacy provider in rust (#10323) (#10333)
• 2202123 changelog and version bump 42.0.2 (#10268)
• f7032bd bump openssl in CI (#10298) (#10299)
• 002e886 Fixes #10294 -- correct accidental change to exchange kwarg (#10295) (#10296)
• Additional commits viewable in compare view

Updates fastapi from 0.108.0 to 0.109.1

Release notes

Sourced from fastapi's releases.

0.109.1

Security fixes

• ⬆️ Upgrade minimum version of python-multipart to >=0.0.7 to fix a vulnerability when using form data with a ReDos attack. You can also simply upgrade python-multipart.

Read more in the advisory: Content-Type Header ReDoS.

Features

• ✨ Include HTTP 205 in status codes with no body. PR #10969 by @​tiangolo.

Refactors

• ✅ Refactor tests for duplicate operation ID generation for compatibility with other tools running the FastAPI test suite. PR #10876 by @​emmettbutler.
• ♻️ Simplify string format with f-strings in fastapi/utils.py. PR #10576 by @​eukub.
• 🔧 Fix Ruff configuration unintentionally enabling and re-disabling mccabe complexity check. PR #10893 by @​jiridanek.
• ✅ Re-enable test in tests/test_tutorial/test_header_params/test_tutorial003.py after fix in Starlette. PR #10904 by @​ooknimm.

Docs

• 📝 Tweak wording in help-fastapi.md. PR #11040 by @​tiangolo.
• 📝 Tweak docs for Behind a Proxy. PR #11038 by @​tiangolo.
• 📝 Add External Link: 10 Tips for adding SQLAlchemy to FastAPI. PR #11036 by @​Donnype.
• 📝 Add External Link: Tips on migrating from Flask to FastAPI and vice-versa. PR #11029 by @​jtemporal.
• 📝 Deprecate old tutorials: Peewee, Couchbase, encode/databases. PR #10979 by @​tiangolo.
• ✏️ Fix typo in fastapi/security/oauth2.py. PR #10972 by @​RafalSkolasinski.
• 📝 Update HTTPException details in docs/en/docs/tutorial/handling-errors.md. PR #5418 by @​papb.
• ✏️ A few tweaks in docs/de/docs/tutorial/first-steps.md. PR #10959 by @​nilslindemann.
• ✏️ Fix link in docs/en/docs/advanced/async-tests.md. PR #10960 by @​nilslindemann.
• ✏️ Fix typos for Spanish documentation. PR #10957 by @​jlopezlira.
• 📝 Add warning about lifespan functions and backwards compatibility with events. PR #10734 by @​jacob-indigo.
• ✏️ Fix broken link in docs/tutorial/sql-databases.md in several languages. PR #10716 by @​theoohoho.
• ✏️ Remove broken links from external_links.yml. PR #10943 by @​Torabek.
• 📝 Update template docs with more info about url_for. PR #5937 by @​EzzEddin.
• 📝 Update usage of Token model in security docs. PR #9313 by @​piotrszacilowski.
• ✏️ Update highlighted line in docs/en/docs/tutorial/bigger-applications.md. PR #5490 by @​papb.
• 📝 Add External Link: Explore How to Effectively Use JWT With FastAPI. PR #10212 by @​aanchlia.
• 📝 Add hyperlink to docs/en/docs/tutorial/static-files.md. PR #10243 by @​hungtsetse.
• 📝 Add External Link: Instrument a FastAPI service adding tracing with OpenTelemetry and send/show traces in Grafana Tempo. PR #9440 by @​softwarebloat.
• 📝 Review and rewording of en/docs/contributing.md. PR #10480 by @​nilslindemann.
• 📝 Add External Link: ML serving and monitoring with FastAPI and Evidently. PR #9701 by @​mnrozhkov.
• 📝 Reword in docs, from "have in mind" to "keep in mind". PR #10376 by @​malicious.
• 📝 Add External Link: Talk by Jeny Sadadia. PR #10265 by @​JenySadadia.
• 📝 Add location info to tutorial/bigger-applications.md. PR #10552 by @​nilslindemann.
• ✏️ Fix Pydantic method name in docs/en/docs/advanced/path-operation-advanced-configuration.md. PR #10826 by @​ahmedabdou14.

Translations

• 🌐 Add Spanish translation for docs/es/docs/external-links.md. PR #10933 by @​pablocm83.
• 🌐 Update Korean translation for docs/ko/docs/tutorial/first-steps.md, docs/ko/docs/tutorial/index.md, docs/ko/docs/tutorial/path-params.md, and docs/ko/docs/tutorial/query-params.md. PR #4218 by @​SnowSuno.

... (truncated)

Commits

• 7633d15 🔖 Release version 0.109.1
• a4de147 📝 Update release notes
• 9d34ad0 Merge pull request from GHSA-qf9m-vfgh-m389
• ebf9723 📝 Update release notes
• 8590d0c 👥 Update FastAPI People (#11074)
• 063d7ff 📝 Update release notes
• 3c81e62 🌐 Add Spanish translation for docs/es/docs/external-links.md (#10933)
• 6c4a143 📝 Update release notes
• d254e2f 🌐 Update Korean translation for docs/ko/docs/tutorial/first-steps.md, `docs...
• 6f6e786 📝 Update release notes
• Additional commits viewable in compare view

Updates jinja2 from 3.1.2 to 3.1.3

Release notes

Sourced from jinja2's releases.

3.1.3

This is a fix release for the 3.1.x feature branch.

• Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.
• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-3
• Milestone: https://github.com/pallets/jinja/milestone/15?closed=1

Changelog

Sourced from jinja2's changelog.

Version 3.1.3

Released 2024-01-10

• Fix compiler error when checking if required blocks in parent templates are empty. :pr:1858
• xmlattr filter does not allow keys with spaces. GHSA-h5c8-rqwp-cp95
• Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. :pr:1918

Commits

• d9de4bb release version 3.1.3
• 50124e1 skip test pypi
• 9ea7222 use trusted publishing
• da703f7 use trusted publishing
• bce1746 use trusted publishing
• 7277d80 update pre-commit hooks
• 5c8a105 Make nested-trans-block exceptions nicer (#1918)
• 19a55db Make nested-trans-block exceptions nicer
• 7167953 Merge pull request from GHSA-h5c8-rqwp-cp95
• 7dd3680 xmlattr filter disallows keys with spaces
• Additional commits viewable in compare view

Updates jupyter-lsp from 2.2.1 to 2.2.2

Changelog

Sourced from jupyter-lsp's changelog.

jupyter-lsp 2.2.2

• bug fixes:
  • address warning about renamed extension_points (#1035)
  • fix compatibility with jupyter server 1.x
  • fix an authentication-related security vulnerability (see the advisory for details)
• enhancements:
  • add authorization support (lsp resource, jupyter-server v2+ only) - this allows server operators for fine grained access control, e.g. in case if specific users (such as guest or read-only users) should not be allowed to access LSP; this is in addition to authentication fixes

@jupyter-lsp/jupyterlab-lsp 5.0.1

• bug fixes:
  • fix false “undefined name” in %%time and %%capture magics #1007 (thanks @​i-aki-y!)
  • fix completion items for paths and other long items being cut off #1025
  • workaround issue with markdown lost on edit #1016
  • fix latex/Greek letters insertion and other completions which do not match prefix (do not pre-filter completions from kernel) #1022
  • fix completions in Console #1023
  • fix customising priority after pre-setting it with overrides.json #1027
  • fix jump to definitions in a file inside root in Pyright on Windows #1024
  • fix typos in setting title and help message #999 and #1010
• maintenance:
  • fix bootstrap script #1021
  • bump axios from 1.2.1 to 1.6.2 #1019
  • bump @​babel/traverse from 7.22.5 to 7.23.4 #1020

Commits

• See full diff in compare view

Updates orjson from 3.9.10 to 3.9.15

Release notes

Sourced from orjson's releases.

3.9.15

Fixed

• Implement recursion limit of 1024 on orjson.loads().
• Use byte-exact read on str formatting SIMD path to avoid crash.

3.9.14

Fixed

• Fix crash serializing str introduced in 3.9.11.

Changed

• Build now depends on Rust 1.72 or later.

3.9.13

Fixed

• Serialization str escape uses only 128-bit SIMD.
• Fix compatibility with CPython 3.13 alpha 3.

Changed

• Publish musllinux_1_2 instead of musllinux_1_1 wheels.
• Serialization uses small integer optimization in CPython 3.12 or later.

3.9.12

Fixed

• Minimal musllinux_1_1 build due to sporadic CI failure.

Changed

• Update benchmarks in README.

3.9.11

Changed

• Improve performance of serializing. str is significantly faster. Documents using dict, list, and tuple are somewhat faster.

Changelog

Sourced from orjson's changelog.

3.9.15 - 2024-02-23

Fixed

• Implement recursion limit of 1024 on orjson.loads().
• Use byte-exact read on str formatting SIMD path to avoid crash.

3.9.14 - 2024-02-14

Fixed

• Fix crash serializing str introduced in 3.9.11.

Changed

• Build now depends on Rust 1.72 or later.

3.9.13 - 2024-02-03

Fixed

• Serialization str escape uses only 128-bit SIMD.
• Fix compatibility with CPython 3.13 alpha 3.

Changed

• Publish musllinux_1_2 instead of musllinux_1_1 wheels.
• Serialization uses small integer optimization in CPython 3.12 or later.

3.9.12 - 2024-01-18

Changed

• Update benchmarks in README.

Fixed

• Minimal musllinux_1_1 build due to sporadic CI failure.

3.9.11 - 2024-01-18

Changed

• Improve performance of serializing. str is significantly faster. Documents using dict, list, and tuple are somewhat faster.

Commits

• a348f59 3.9.15
• b0e4d2c yyjson 0eca326, recursion limit
• 5067ead impl_escape_unchecked() byte exact read
• e04ea73 cargo update, build misc
• ba8c701 3.9.14
• a2f7b7b impl_format_simd!() lift create from loop, rotate left
• 528220f format_escaped_str() fast and slow paths depending on page boundary
• 29884e6 Fix buffer overread in format_escaped_str
• c825472 cargo update
• 4eb4f00 3.9.13
• Additional commits viewable in compare view

Updates starlette from 0.32.0.post1 to 0.35.1

Release notes

Sourced from starlette's releases.

Version 0.35.1

Fixed

• Stop using the deprecated "method" parameter in FileResponse inside of StaticFiles #2406.
• Make typing-extensions optional again #2409.

---

Full Changelog: encode/starlette@0.35.0...0.35.1

Version 0.35.0

Added

• Add *args to Middleware and improve its type hints #2381.

Fixed

• Use Iterable instead Iterator on iterate_in_threadpool #2362.

Changes

• Handle root_path to keep compatibility with mounted ASGI applications and WSGI #2400.
• Turn scope["client"] to None on TestClient #2377.

---

Full Changelog: encode/starlette@0.34.0...0.35.0

Version 0.34.0

Added

• Use ParamSpec for run_in_threadpool #2375.
• Add UploadFile.__repr__ #2360.

Fixed

• Merge URLs properly on TestClient #2376.
• Take weak ETags in consideration on StaticFiles #2334.

Deprecated

• Deprecate FileResponse(method=...) parameter #2366.

---

Full Changelog: encode/starlette@0.33.0...0.34.0

Version 0.33.0

Added

... (truncated)

Changelog

Sourced from starlette's changelog.

0.35.1

January 11, 2024

Fixed

• Stop using the deprecated "method" parameter in FileResponse inside of StaticFiles #2406.
• Make typing-extensions optional again #2409.

0.35.0

January 11, 2024

Added

• Add *args to Middleware and improve its type hints #2381.

Fixed

• Use Iterable instead Iterator on iterate_in_threadpool #2362.

Changes

• Handle root_path to keep compatibility with mounted ASGI applications and WSGI #2400.
• Turn scope["client"] to None on TestClient #2377.

0.34.0

December 16, 2023

Added

• Use ParamSpec for run_in_threadpool #2375.
• Add UploadFile.__repr__ #2360.

Fixed

• Merge URLs properly on TestClient #2376.
• Take weak ETags in consideration on StaticFiles #2334.

Deprecated

• Deprecate FileResponse(method=...) parameter #2366.

0.33.0

December 1, 2023

Added

... (truncated)

Commits

• c817605 Version 0.35.1 (#2410)
• 6c4ffee Make typing-extensions optional again (#2409)
• 3734e85 ♻️ Do not use the deprecated method parameter in FileResponse inside of `...
• 1081520 Version 0.35.0 (#2404)
• c3c6314 ♻️ Refactor logic to handle root_path to keep compatibility with ASGI and c...
• 8f2307d Bump trio from 0.22.2 to 0.23.2 (#2395)
• d28d491 Bump ruff from 0.1.6 to 0.1.9 (#2396)
• 5f9da0b Bump coverage from 7.3.2 to 7.4.0 (#2397)
• 04684c2 Bump typing-extensions from 4.8.0 to 4.9.0 (#2393)
• 8924759 Bump importlib-metadata from 6.9.0 to 7.0.1 (#2394)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #46.