Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump the pip group across 2 directories with 7 updates #1

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github Apr 30, 2024

Bumps the pip group with 4 updates in the / directory: requests, idna, gevent and setuptools.
Bumps the pip group with 3 updates in the /tools/internal_ci/helper_scripts directory: cryptography, pyjwt and scipy.

Updates requests from 2.25.1 to 2.31.0

Release notes

Sourced from requests's releases.

v2.31.0

2.31.0 (2023-05-22)

Security

  • Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.

    When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.

    In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.

    Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.

    Full details can be read in our Github Security Advisory and CVE-2023-32681.

v2.30.0

2.30.0 (2023-05-03)

Dependencies

v2.29.0

2.29.0 (2023-04-26)

Improvements

  • Requests now defers chunked requests to the urllib3 implementation to improve standardization. (#6226)
  • Requests relaxes header component requirements to support bytes/str subclasses. (#6356)

... (truncated)

Changelog

Sourced from requests's changelog.

2.31.0 (2023-05-22)

Security

  • Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.

    When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.

    In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.

    Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.

    Full details can be read in our Github Security Advisory and CVE-2023-32681.

2.30.0 (2023-05-03)

Dependencies

2.29.0 (2023-04-26)

Improvements

  • Requests now defers chunked requests to the urllib3 implementation to improve standardization. (#6226)
  • Requests relaxes header component requirements to support bytes/str subclasses. (#6356)

2.28.2 (2023-01-12)

... (truncated)

Commits

Updates idna from 2.7 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

  • Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

  • Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

3.6 (2023-11-25) ++++++++++++++++

  • Fix regression to include tests in source distribution.

3.5 (2023-11-24) ++++++++++++++++

  • Update to Unicode 15.1.0
  • String codec name is now "idna2008" as overriding the system codec "idna" was not working.
  • Fix typing error for codec encoding
  • "setup.cfg" has been added for this release due to some downstream lack of adherence to PEP 517. Should be removed in a future release so please prepare accordingly.
  • Removed reliance on a symlink for the "idna-data" tool to comport with PEP 517 and the Python Packaging User Guide for sdist archives.
  • Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions to this release.

3.4 (2022-09-14) ++++++++++++++++

  • Update to Unicode 15.0.0
  • Migrate to pyproject.toml for build information (PEP 621)
  • Correct another instance where generic exception was raised instead of IDNAError for malformed input
  • Source distribution uses zeroized file ownership for improved reproducibility

Thanks to Seth Michael Larson for contributions to this release.

3.3 (2021-10-13) ++++++++++++++++

  • Update to Unicode 14.0.0
  • Update to in-line type annotations
  • Throw IDNAError exception correctly for some malformed input
  • Advertise support for Python 3.10
  • Improve testing regime on Github

... (truncated)

Commits
  • 1d365e1 Release v3.7
  • c1b3154 Merge pull request #172 from kjd/optimize-contextj
  • 0394ec7 Merge branch 'master' into optimize-contextj
  • cd58a23 Merge pull request #152 from elliotwutingfeng/dev
  • 5beb28b More efficient resolution of joiner contexts
  • 1b12148 Update ossf/scorecard-action to v2.3.1
  • d516b87 Update Github actions/checkout to v4
  • c095c75 Merge branch 'master' into dev
  • 60a0a4c Fix typo in GitHub Actions workflow key
  • 5918a0e Merge branch 'master' into dev
  • Additional commits viewable in compare view

Updates gevent from 22.08.0 to 23.9.0

Commits
  • 693181e Preparing release 23.9.0
  • 6fc7898 Set the cython version; go back to default wheel tags.
  • 666e374 Had the constraint wrong.
  • 74ef876 Tweaking the build, and it seems like the greenlet stack issue should be fixed.
  • b652e2a Error handling adjustments from running under a debug build.
  • 70e7318 Tweaking tests and comments; temporary workarounds for 3.12 to enable builds.
  • 495e37a Workaround the 3.12 traceback issue again.
  • 2f53c85 gevent.pywsgi: Much improved handling of chunk trailers.
  • bb06d2d Test builds with greenlet assertions enabled.
  • 6b22af0 pyproject.toml: Bump to latest cython.
  • Additional commits viewable in compare view

Updates setuptools from 44.1.1 to 65.5.1

Release notes

Sourced from setuptools's releases.

v65.5.1

No release notes provided.

v65.5.0

No release notes provided.

v65.4.1

No release notes provided.

v65.4.0

No release notes provided.

v65.3.0

No release notes provided.

v65.2.0

No release notes provided.

v65.1.1

No release notes provided.

v65.1.0

No release notes provided.

v65.0.2

No release notes provided.

v65.0.1

No release notes provided.

v65.0.0

No release notes provided.

v64.0.3

No release notes provided.

v64.0.2

No release notes provided.

v64.0.1

No release notes provided.

v64.0.0

No release notes provided.

v63.4.3

No release notes provided.

v63.4.2

No release notes provided.

... (truncated)

Changelog

Sourced from setuptools's changelog.

v65.5.1

Misc

  • #3638: Drop a test dependency on the mock package, always use :external+python:py:mod:unittest.mock -- by :user:hroncok
  • #3659: Fixed REDoS vector in package_index -- by :user:SCH227

v65.5.0

Changes

  • #3624: Fixed editable install for multi-module/no-package src-layout projects.
  • #3626: Minor refactorings to support distutils using stdlib logging module.

Documentation changes

  • #3419: Updated the example version numbers to be compliant with PEP-440 on the "Specifying Your Project’s Version" page of the user guide.

Misc

  • #3569: Improved information about conflicting entries in the current working directory and editable install (in documentation and as an informational warning).
  • #3576: Updated version of validate_pyproject.

v65.4.1

Misc

v65.4.0

Changes

v65.3.0

... (truncated)

Commits

Updates cryptography from 3.4.6 to 42.0.4

Changelog

Sourced from cryptography's changelog.

42.0.4 - 2024-02-20


* Fixed a null-pointer-dereference and segfault that could occur when creating
  a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
  issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
  and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
  definitions in :rfc:`2633` :rfc:`3370`.

.. _v42-0-3:

42.0.3 - 2024-02-15

  • Fixed an initialization issue that caused key loading failures for some users.

.. _v42-0-2:

42.0.2 - 2024-01-30


* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
  ``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
  ``X25519PrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
  ``X448PrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
  and ``DHPrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.

.. _v42-0-1:

42.0.1 - 2024-01-24

  • Fixed an issue with incorrect keyword-argument naming with EllipticCurvePrivateKey :meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign.
  • Resolved compatibility issue with loading certain RSA public keys in :func:~cryptography.hazmat.primitives.serialization.load_pem_public_key.

.. _v42-0-0:

42.0.0 - 2024-01-22


</tr></table> 

... (truncated)

Commits

Updates pyjwt from 2.0.1 to 2.4.0

Release notes

Sourced from pyjwt's releases.

2.4.0

Security

What's Changed

New Contributors

Full Changelog: jpadilla/pyjwt@2.3.0...2.4.0

2.3.0

What's Changed

... (truncated)

Changelog

Sourced from pyjwt's changelog.

v2.4.0 <https://github.com/jpadilla/pyjwt/compare/2.3.0...2.4.0>__

Security


- [CVE-2022-29217] Prevent key confusion through non-blocklisted public key formats. https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24

Changed


- Explicit check the key for ECAlgorithm by @estin in https://github.com/jpadilla/pyjwt/pull/713
- Raise DeprecationWarning for jwt.decode(verify=...) by @akx in https://github.com/jpadilla/pyjwt/pull/742

Fixed


- Don't use implicit optionals by @rekyungmin in https://github.com/jpadilla/pyjwt/pull/705
- documentation fix: show correct scope for decode_complete() by @sseering in https://github.com/jpadilla/pyjwt/pull/661
- fix: Update copyright information by @kkirsche in https://github.com/jpadilla/pyjwt/pull/729
- Don't mutate options dictionary in .decode_complete() by @akx in https://github.com/jpadilla/pyjwt/pull/743

Added

v2.3.0 &amp;lt;https://github.com/jpadilla/pyjwt/compare/2.2.0...2.3.0&amp;gt;__

Fixed


- Revert &amp;quot;Remove arbitrary kwargs.&amp;quot; `[#701](https://github.com/jpadilla/pyjwt/issues/701) &amp;lt;https://github.com/jpadilla/pyjwt/pull/701&amp;gt;`__

Added
  • Add exception chaining [#702](https://github.com/jpadilla/pyjwt/issues/702) &amp;lt;https://github.com/jpadilla/pyjwt/pull/702&amp;gt;__

v2.2.0 &amp;lt;https://github.com/jpadilla/pyjwt/compare/2.1.0...2.2.0&amp;gt;__

&lt;/tr&gt;&lt;/table&gt;
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>

<ul>
<li><a href="https://github.com/jpadilla/pyjwt/commit/83ff831a4d11190e3a0bed781da43f8d84352653&quot;&gt;&lt;code&gt;83ff831&lt;/code&gt;&lt;/a> chore: update changelog</li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/4c1ce8fd9019dd312ff257b5141cdb6d897379d9&quot;&gt;&lt;code&gt;4c1ce8f&lt;/code&gt;&lt;/a> chore: update changelog</li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/96f3f0275745c5a455c019a0d3476a054980e8ea&quot;&gt;&lt;code&gt;96f3f02&lt;/code&gt;&lt;/a> fix: failing advisory test</li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc&quot;&gt;&lt;code&gt;9c52867&lt;/code&gt;&lt;/a> Merge pull request from GHSA-ffqj-6fqr-9h24</li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/24b29adfebcb4f057a3cef5aaf35653bc0c1c8cc&quot;&gt;&lt;code&gt;24b29ad&lt;/code&gt;&lt;/a> Update CHANGELOG.rst (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/751&quot;&gt;#751&lt;/a&gt;)&lt;/li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/31f5acb8fb3ec6cdfe2b1b0a4a8f329b5f3ca67f&quot;&gt;&lt;code&gt;31f5acb&lt;/code&gt;&lt;/a> Replace various string interpolations with f-strings (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/744&quot;&gt;#744&lt;/a&gt;)&lt;/li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/5581a31c21de70444c1162bcfa29f7e0fc86edda&quot;&gt;&lt;code&gt;5581a31&lt;/code&gt;&lt;/a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/748&quot;&gt;#748&lt;/a&gt;)&lt;/li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/3d4d82248f1120c87f1f4e0e8793eaa1d54843a6&quot;&gt;&lt;code&gt;3d4d822&lt;/code&gt;&lt;/a> Don't mutate options dictionary in .decode_complete() (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/743&quot;&gt;#743&lt;/a&gt;)&lt;/li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/1f1fe15bb41846c602b3e106176b2c692b93a613&quot;&gt;&lt;code&gt;1f1fe15&lt;/code&gt;&lt;/a> Add a deprecation warning when jwt.decode() is called with the legacy verify=...</li>
<li><a href="https://github.com/jpadilla/pyjwt/commit/35fa28e59d99b99c6a780d2a029a74d6bbba8b1e&quot;&gt;&lt;code&gt;35fa28e&lt;/code&gt;&lt;/a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/740&quot;&gt;#740&lt;/a&gt;)&lt;/li>
<li>Additional commits viewable in <a href="https://github.com/jpadilla/pyjwt/compare/2.0.1...2.4.0&quot;&gt;compare view</a></li>
</ul>
</details>

<br />

Updates scipy from 1.5.4 to 1.11.1

Release notes

Sourced from scipy's releases.

SciPy 1.11.1 Release Notes

SciPy 1.11.1 is a bug-fix release with no new features compared to 1.11.0. In particular, a licensing issue discovered after the release of 1.11.0 has been addressed.

Authors

  • Name (commits)
  • h-vetinari (1)
  • Robert Kern (1)
  • Ilhan Polat (4)
  • Tyler Reddy (8)

A total of 4 people contributed to this release. People with a "+" by their names contributed a patch for the first time. This list of names is automatically generated, and may not be fully complete.

SciPy 1.11.0 Release Notes

SciPy 1.11.0 is the culmination of 6 months of hard work. It contains many new features, numerous bug-fixes, improved test coverage and better documentation. There have been a number of deprecations and API changes in this release, which are documented below. All users are encouraged to upgrade to this release, as there are a large number of bug-fixes and optimizations. Before upgrading, we recommend that users check that their own code does not use deprecated SciPy functionality (to do so, run your code with python -Wd and check for DeprecationWarning s). Our development attention will now shift to bug-fix releases on the 1.11.x branch, and on adding new features on the main branch.

This release requires Python 3.9+ and NumPy 1.21.6 or greater.

For running on PyPy, PyPy3 6.0+ is required.

Highlights of this release

  • Several scipy.sparse array API improvements, including sparse.sparray, a new public base class distinct from the older sparse.spmatrix class, proper 64-bit index support, and numerous deprecations paving the way to a modern sparse array experience.
  • scipy.stats added tools for survival analysis, multiple hypothesis testing, sensitivity analysis, and working with censored data.

... (truncated)

Commits
  • cfe8011 REL: 1.11.1 rel commit [wheel build]
  • 450d8aa Merge pull request #18779 from tylerjereddy/treddy_1_11_1_prep
  • 6f942e8 DOC: update 1.11.1 relnotes
  • 145cec5 MAINT: fix unuran licensing
  • 0760bab MAINT:linalg.det:Return scalars for singleton inputs (#18763)
  • a1c6f99 MAINT:linalg:Use only NumPy types in lu
  • 5cdc2fe MAINT:linalg:Remove memcpy from lu
  • d9ac3f3 FIX:linalg:Guard against possible permute_l out of bound behavior
  • 7ec5010 BUG: fix handling for factorial(..., exact=False) for 0-dim array inputs (#...
  • 90415c6 BUG: Fix work array construction for various weight shapes. (#18741)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the pip group with 4 updates in the / directory: [requests](https://github.com/psf/requests), [idna](https://github.com/kjd/idna), [gevent](https://github.com/gevent/gevent) and [setuptools](https://github.com/pypa/setuptools).
Bumps the pip group with 3 updates in the /tools/internal_ci/helper_scripts directory: [cryptography](https://github.com/pyca/cryptography), [pyjwt](https://github.com/jpadilla/pyjwt) and [scipy](https://github.com/scipy/scipy).


Updates `requests` from 2.25.1 to 2.31.0
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.25.1...v2.31.0)

Updates `idna` from 2.7 to 3.7
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst)
- [Commits](kjd/idna@v2.7...v3.7)

Updates `gevent` from 22.08.0 to 23.9.0
- [Release notes](https://github.com/gevent/gevent/releases)
- [Changelog](https://github.com/gevent/gevent/blob/master/docs/changelog_pre.rst)
- [Commits](gevent/gevent@22.08.0...23.9.0)

Updates `setuptools` from 44.1.1 to 65.5.1
- [Release notes](https://github.com/pypa/setuptools/releases)
- [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst)
- [Commits](pypa/setuptools@v44.1.1...v65.5.1)

Updates `cryptography` from 3.4.6 to 42.0.4
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@3.4.6...42.0.4)

Updates `pyjwt` from 2.0.1 to 2.4.0
- [Release notes](https://github.com/jpadilla/pyjwt/releases)
- [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst)
- [Commits](jpadilla/pyjwt@2.0.1...2.4.0)

Updates `scipy` from 1.5.4 to 1.11.1
- [Release notes](https://github.com/scipy/scipy/releases)
- [Commits](scipy/scipy@v1.5.4...v1.11.1)

---
updated-dependencies:
- dependency-name: requests
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: idna
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: gevent
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: setuptools
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: cryptography
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pyjwt
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: scipy
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Apr 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants