Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] Bump parso from 0.3.1 to 0.5.0 #42

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dependabot-preview[bot]
Copy link

Bumps parso from 0.3.1 to 0.5.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects parso
A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution.

Affected versions: <= 0.4.0

Changelog

Sourced from parso's changelog.

0.5.0 (2019-06-20)

  • Breaking Change comp_for is now called sync_comp_for for all Python versions to be compatible with the Python 3.8 Grammar
  • Added .pyi stubs for a lot of the parso API
  • Small FileIO changes

0.4.0 (2019-04-05)

  • Python 3.8 support
  • FileIO support, it's now possible to use abstract file IO, support is alpha

0.3.4 (2018-02-13)

  • Fix an f-string tokenizer error

0.3.3 (2018-02-06)

  • Fix async errors in the diff parser
  • A fix in iter_errors
  • This is a very small bugfix release

0.3.2 (2018-01-24)

  • 20+ bugfixes in the diff parser and 3 in the tokenizer
  • A fuzzer for the diff parser, to give confidence that the diff parser is in a good shape.
  • Some bugfixes for f-string
Commits
  • 59df3fa Some small changes to the changelog
  • 803cb5f Make parso work at least somewhat with an older Jedi version
  • 3fa8630 Use an immutable map for used names, so that it can be use for hashing
  • 1ca5ae4 Bump the version number to the next release: 0.5.0
  • c3c1616 Ignore positional only arguments slash when listing params
  • ecbe2b9 Add positional only arguments to grammar
  • 1929c14 Increate the _PICKLE_VERSION to avoid issues with the latest breaking change
  • b5d5039 comp_for is now called sync_comp_for for all Python versions to be compatible...
  • a7aa23a Parse named expressions
  • 5430415 Change a test, because it doesn't really matter
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

Bumps [parso](https://github.com/davidhalter/parso) from 0.3.1 to 0.5.0. **This update includes security fixes.**
- [Release notes](https://github.com/davidhalter/parso/releases)
- [Changelog](https://github.com/davidhalter/parso/blob/master/CHANGELOG.rst)
- [Commits](davidhalter/parso@v0.3.1...v0.5.0)

Signed-off-by: dependabot-preview[bot] <[email protected]>
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Jun 21, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants