Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump the pip group across 1 directory with 9 updates #46

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github Mar 20, 2024

Bumps the pip group with 8 updates in the / directory:

Package From To
jupyterlab 4.0.10 4.0.11
black 23.12.1 24.3.0
aiohttp 3.9.1 3.9.2
cryptography 41.0.7 42.0.4
fastapi 0.108.0 0.109.1
jinja2 3.1.2 3.1.3
jupyter-lsp 2.2.1 2.2.2
orjson 3.9.10 3.9.15

Updates jupyterlab from 4.0.10 to 4.0.11

Release notes

Sourced from jupyterlab's releases.

v4.0.11

4.0.11

(Full Changelog)

Security fixes

Bugs fixed

Documentation improvements

Contributors to this release

(GitHub contributors page for this release)

@​brichet | @​fcollonval | @​github-actions | @​jtpio | @​jupyterlab-probot | @​krassowski | @​meeseeksmachine | @​misterfads | @​welcome

Changelog

Sourced from jupyterlab's changelog.

4.0.11

Commits

Updates black from 23.12.1 to 24.3.0

Release notes

Sourced from black's releases.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

  • Don't move comments along with delimiters, which could cause crashes (#4248)
  • Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
  • Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

  • Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

  • Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

  • Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

  • Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
  • Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
  • Checking for newline before adding one on docstring that is almost at the line limit (#4185)
  • Remove redundant parentheses in case statement if guards (#4214).

Configuration

... (truncated)

Changelog

Sourced from black's changelog.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

  • Don't move comments along with delimiters, which could cause crashes (#4248)
  • Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
  • Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

  • Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

  • Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

  • Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

  • Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
  • Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
  • Checking for newline before adding one on docstring that is almost at the line limit (#4185)
  • Remove redundant parentheses in case statement if guards (#4214).

... (truncated)

Commits

Updates aiohttp from 3.9.1 to 3.9.2

Release notes

Sourced from aiohttp's releases.

3.9.2

Bug fixes

  • Fixed server-side websocket connection leak.

    Related issues and pull requests on GitHub: #7978.

  • Fixed web.FileResponse doing blocking I/O in the event loop.

    Related issues and pull requests on GitHub: #8012.

  • Fixed double compress when compression enabled and compressed file exists in server file responses.

    Related issues and pull requests on GitHub: #8014.

  • Added runtime type check for ClientSession timeout parameter.

    Related issues and pull requests on GitHub: #8021.

  • Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

    Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected. Invalid header field names containing question mark or slash are now rejected. Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

    Related issues and pull requests on GitHub: #8074.

  • Improved validation of paths for static resources requests to the server -- by :user:bdraco.

... (truncated)

Changelog

Sourced from aiohttp's changelog.

3.9.2 (2024-01-28)

Bug fixes

  • Fixed server-side websocket connection leak.

    Related issues and pull requests on GitHub: :issue:7978.

  • Fixed web.FileResponse doing blocking I/O in the event loop.

    Related issues and pull requests on GitHub: :issue:8012.

  • Fixed double compress when compression enabled and compressed file exists in server file responses.

    Related issues and pull requests on GitHub: :issue:8014.

  • Added runtime type check for ClientSession timeout parameter.

    Related issues and pull requests on GitHub: :issue:8021.

  • Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

    Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected. Invalid header field names containing question mark or slash are now rejected. Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

    Related issues and pull requests on GitHub: :issue:8074.

... (truncated)

Commits
  • 24a6d64 Release v3.9.2 (#8082)
  • 9118a58 [PR #8079/1c335944 backport][3.9] Validate static paths (#8080)
  • 435ad46 [PR #3955/8960063e backport][3.9] Replace all tmpdir fixtures with tmp_path (...
  • d33bc21 Improve validation in HTTP parser (#8074) (#8078)
  • 0d945d1 [PR #7916/822fbc74 backport][3.9] Add more information to contributing page (...
  • 3ec4fa1 [PR #8069/69bbe874 backport][3.9] 📝 Only show changelog draft for non-release...
  • 419d715 [PR #8066/cba34699 backport][3.9] 💅📝 Restructure the changelog for clarity (#...
  • a54dab3 [PR #8049/a379e634 backport][3.9] Set cause for ClientPayloadError (#8050)
  • 437ac47 [PR #7995/43a5bc50 backport][3.9] Fix examples of fallback_charset_resolver...
  • 034e5e3 [PR #8042/4b91b530 backport][3.9] Tightening the runtime type check for ssl (...
  • Additional commits viewable in compare view

Updates cryptography from 41.0.7 to 42.0.4

Changelog

Sourced from cryptography's changelog.

42.0.4 - 2024-02-20


* Fixed a null-pointer-dereference and segfault that could occur when creating
  a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
  issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
  and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
  definitions in :rfc:`2633` :rfc:`3370`.

.. _v42-0-3:

42.0.3 - 2024-02-15

  • Fixed an initialization issue that caused key loading failures for some users.

.. _v42-0-2:

42.0.2 - 2024-01-30


* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
  ``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
  ``X25519PrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
  ``X448PrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
  and ``DHPrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.

.. _v42-0-1:

42.0.1 - 2024-01-24

  • Fixed an issue with incorrect keyword-argument naming with EllipticCurvePrivateKey :meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign.
  • Resolved compatibility issue with loading certain RSA public keys in :func:~cryptography.hazmat.primitives.serialization.load_pem_public_key.

.. _v42-0-0:

42.0.0 - 2024-01-22


</tr></table> 

... (truncated)

Commits

Updates fastapi from 0.108.0 to 0.109.1

Release notes

Sourced from fastapi's releases.

0.109.1

Security fixes

  • ⬆️ Upgrade minimum version of python-multipart to >=0.0.7 to fix a vulnerability when using form data with a ReDos attack. You can also simply upgrade python-multipart.

Read more in the advisory: Content-Type Header ReDoS.

Features

Refactors

  • ✅ Refactor tests for duplicate operation ID generation for compatibility with other tools running the FastAPI test suite. PR #10876 by @​emmettbutler.
  • ♻️ Simplify string format with f-strings in fastapi/utils.py. PR #10576 by @​eukub.
  • 🔧 Fix Ruff configuration unintentionally enabling and re-disabling mccabe complexity check. PR #10893 by @​jiridanek.
  • ✅ Re-enable test in tests/test_tutorial/test_header_params/test_tutorial003.py after fix in Starlette. PR #10904 by @​ooknimm.

Docs

Translations

  • 🌐 Add Spanish translation for docs/es/docs/external-links.md. PR #10933 by @​pablocm83.
  • 🌐 Update Korean translation for docs/ko/docs/tutorial/first-steps.md, docs/ko/docs/tutorial/index.md, docs/ko/docs/tutorial/path-params.md, and docs/ko/docs/tutorial/query-params.md. PR #4218 by @​SnowSuno.

... (truncated)

Commits

Updates jinja2 from 3.1.2 to 3.1.3

Release notes

Sourced from jinja2's releases.

3.1.3

This is a fix release for the 3.1.x feature branch.

Changelog

Sourced from jinja2's changelog.

Version 3.1.3

Released 2024-01-10

  • Fix compiler error when checking if required blocks in parent templates are empty. :pr:1858
  • xmlattr filter does not allow keys with spaces. GHSA-h5c8-rqwp-cp95
  • Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. :pr:1918
Commits

Updates jupyter-lsp from 2.2.1 to 2.2.2

Changelog

Sourced from jupyter-lsp's changelog.

jupyter-lsp 2.2.2

  • bug fixes:
    • address warning about renamed extension_points (#1035)
    • fix compatibility with jupyter server 1.x
    • fix an authentication-related security vulnerability (see the advisory for details)
  • enhancements:
    • add authorization support (lsp resource, jupyter-server v2+ only) - this allows server operators for fine grained access control, e.g. in case if specific users (such as guest or read-only users) should not be allowed to access LSP; this is in addition to authentication fixes

@jupyter-lsp/jupyterlab-lsp 5.0.1

  • bug fixes:
    • fix false “undefined name” in %%time and %%capture magics #1007 (thanks @​i-aki-y!)
    • fix completion items for paths and other long items being cut off #1025
    • workaround issue with markdown lost on edit #1016
    • fix latex/Greek letters insertion and other completions which do not match prefix (do not pre-filter completions from kernel) #1022
    • fix completions in Console #1023
    • fix customising priority after pre-setting it with overrides.json #1027
    • fix jump to definitions in a file inside root in Pyright on Windows #1024
    • fix typos in setting title and help message #999 and #1010
  • maintenance:
    • fix bootstrap script #1021
    • bump axios from 1.2.1 to 1.6.2 #1019
    • bump @​babel/traverse from 7.22.5 to 7.23.4 #1020
Commits

Updates orjson from 3.9.10 to 3.9.15

Release notes

Sourced from orjson's releases.

3.9.15

Fixed

  • Implement recursion limit of 1024 on orjson.loads().
  • Use byte-exact read on str formatting SIMD path to avoid crash.

3.9.14

Fixed

  • Fix crash serializing str introduced in 3.9.11.

Changed

  • Build now depends on Rust 1.72 or later.

3.9.13

Fixed

  • Serialization str escape uses only 128-bit SIMD.
  • Fix compatibility with CPython 3.13 alpha 3.

Changed

  • Publish musllinux_1_2 instead of musllinux_1_1 wheels.
  • Serialization uses small integer optimization in CPython 3.12 or later.

3.9.12

Fixed

  • Minimal musllinux_1_1 build due to sporadic CI failure.

Changed

  • Update benchmarks in README.

3.9.11

Changed

  • Improve performance of serializing. str is significantly faster. Documents using dict, list, and tuple are somewhat faster.
Changelog

Sourced from orjson's changelog.

3.9.15 - 2024-02-23

Fixed

  • Implement recursion limit of 1024 on orjson.loads().
  • Use byte-exact read on str formatting SIMD path to avoid crash.

3.9.14 - 2024-02-14

Fixed

  • Fix crash serializing str introduced in 3.9.11.

Changed

  • Build now depends on Rust 1.72 or later.

3.9.13 - 2024-02-03

Fixed

  • Serialization str escape uses only 128-bit SIMD.
  • Fix compatibility with CPython 3.13 alpha 3.

Changed

  • Publish musllinux_1_2 instead of musllinux_1_1 wheels.
  • Serialization uses small integer optimization in CPython 3.12 or later.

3.9.12 - 2024-01-18

Changed

  • Update benchmarks in README.

Fixed

  • Minimal musllinux_1_1 build due to sporadic CI failure.

3.9.11 - 2024-01-18

Changed

  • Improve performance of serializing. str is significantly faster. Documents using dict, list, and tuple are somewhat faster.
Commits
  • a348f59 3.9.15
  • b0e4d2c yyjson 0eca326, recursion limit
  • 5067ead impl_escape_unchecked() byte exact read
  • e04ea73 cargo update, build misc
  • ba8c701 3.9.14
  • a2f7b7b impl_format_simd!() lift create from loop, rotate left
  • 528220f format_escaped_str() fast and slow paths depending on page boundary
  • 29884e6 Fix buffer overread in format_escaped_str
  • c825472 cargo update
  • 4eb4f00 3.9.13
  • Additional commits viewable in compare view

Updates starlette from 0.32.0.post1 to 0.35.1

Release notes

Sourced from starlette's releases.

Version 0.35.1

Fixed

  • Stop using the deprecated "method" parameter in FileResponse inside of StaticFiles #2406.
  • Make typing-extensions optional again #2409.

Full Changelog: encode/starlette@0.35.0...0.35.1

Version 0.35.0

Added

  • Add *args to Middleware and improve its type hints #2381.

Fixed

  • Use Iterable instead Iterator on iterate_in_threadpool #2362.

Changes

  • Handle root_path to keep compatibility with mounted ASGI applications and WSGI #2400.
  • Turn scope["client"] to None on TestClient #2377.

Full Changelog: encode/starlette@0.34.0...0.35.0

Version 0.34.0

Added

  • Use ParamSpec for run_in_threadpool #2375.
  • Add UploadFile.__repr__ #2360.

Fixed

  • Merge URLs properly on TestClient #2376.
  • Take weak ETags in consideration on StaticFiles #2334.

Deprecated

  • Deprecate FileResponse(method=...) parameter #2366.

Full Changelog: encode/starlette@0.33.0...0.34.0

Version 0.33.0

Added

... (truncated)

Changelog

Sourced from starlette's changelog.

0.35.1

January 11, 2024

Fixed

  • Stop using the deprecated "method" parameter in FileResponse inside of StaticFiles #2406.
  • Make typing-extensions optional again #2409.

0.35.0

January 11, 2024

Added

  • Add *args to Middleware and improve its type hints #2381.

Fixed

  • Use Iterable instead Iterator on iterate_in_threadpool #2362.

Changes

  • Handle root_path to keep compatibility with mounted ASGI applications and WSGI #2400.
  • Turn scope["client"] to None on TestClient #2377.

0.34.0

December 16, 2023

Added

  • Use ParamSpec for run_in_threadpool #2375.
  • Add UploadFile.__repr__ #2360.

Fixed

  • Merge URLs properly on TestClient #2376.
  • Take weak ETags in consideration on StaticFiles #2334.

Deprecated

  • Deprecate FileResponse(method=...) parameter #2366.

0.33.0

December 1, 2023

Added

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the pip group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [jupyterlab](https://github.com/jupyterlab/jupyterlab) | `4.0.10` | `4.0.11` |
| [black](https://github.com/psf/black) | `23.12.1` | `24.3.0` |
| [aiohttp](https://github.com/aio-libs/aiohttp) | `3.9.1` | `3.9.2` |
| [cryptography](https://github.com/pyca/cryptography) | `41.0.7` | `42.0.4` |
| [fastapi](https://github.com/tiangolo/fastapi) | `0.108.0` | `0.109.1` |
| [jinja2](https://github.com/pallets/jinja) | `3.1.2` | `3.1.3` |
| [jupyter-lsp](https://github.com/jupyter-lsp/jupyterlab-lsp) | `2.2.1` | `2.2.2` |
| [orjson](https://github.com/ijl/orjson) | `3.9.10` | `3.9.15` |


Updates `jupyterlab` from 4.0.10 to 4.0.11
- [Release notes](https://github.com/jupyterlab/jupyterlab/releases)
- [Changelog](https://github.com/jupyterlab/jupyterlab/blob/@jupyterlab/[email protected]/CHANGELOG.md)
- [Commits](https://github.com/jupyterlab/jupyterlab/compare/@jupyterlab/[email protected]...@jupyterlab/[email protected])

Updates `black` from 23.12.1 to 24.3.0
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](psf/black@23.12.1...24.3.0)

Updates `aiohttp` from 3.9.1 to 3.9.2
- [Release notes](https://github.com/aio-libs/aiohttp/releases)
- [Changelog](https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst)
- [Commits](aio-libs/aiohttp@v3.9.1...v3.9.2)

Updates `cryptography` from 41.0.7 to 42.0.4
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@41.0.7...42.0.4)

Updates `fastapi` from 0.108.0 to 0.109.1
- [Release notes](https://github.com/tiangolo/fastapi/releases)
- [Commits](fastapi/fastapi@0.108.0...0.109.1)

Updates `jinja2` from 3.1.2 to 3.1.3
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](pallets/jinja@3.1.2...3.1.3)

Updates `jupyter-lsp` from 2.2.1 to 2.2.2
- [Release notes](https://github.com/jupyter-lsp/jupyterlab-lsp/releases)
- [Changelog](https://github.com/jupyter-lsp/jupyterlab-lsp/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jupyter-lsp/jupyterlab-lsp/commits)

Updates `orjson` from 3.9.10 to 3.9.15
- [Release notes](https://github.com/ijl/orjson/releases)
- [Changelog](https://github.com/ijl/orjson/blob/master/CHANGELOG.md)
- [Commits](ijl/orjson@3.9.10...3.9.15)

Updates `starlette` from 0.32.0.post1 to 0.35.1
- [Release notes](https://github.com/encode/starlette/releases)
- [Changelog](https://github.com/encode/starlette/blob/master/docs/release-notes.md)
- [Commits](encode/starlette@0.32.0.post1...0.35.1)

---
updated-dependencies:
- dependency-name: jupyterlab
  dependency-type: direct:development
  dependency-group: pip-security-group
- dependency-name: black
  dependency-type: direct:development
  dependency-group: pip-security-group
- dependency-name: aiohttp
  dependency-type: indirect
  dependency-group: pip-security-group
- dependency-name: cryptography
  dependency-type: indirect
  dependency-group: pip-security-group
- dependency-name: fastapi
  dependency-type: indirect
  dependency-group: pip-security-group
- dependency-name: jinja2
  dependency-type: indirect
  dependency-group: pip-security-group
- dependency-name: jupyter-lsp
  dependency-type: indirect
  dependency-group: pip-security-group
- dependency-name: orjson
  dependency-type: indirect
  dependency-group: pip-security-group
- dependency-name: starlette
  dependency-type: indirect
  dependency-group: pip-security-group
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Mar 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants