
Renovate update minor and patch updates (Python) #2230

Merged: 1 commit merged into main from renovate-all-minor-patch-updates-python on Jan 6, 2025

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Dec 24, 2024

This PR contains the following updates:

Package                          Change
charset-normalizer (changelog)   ==3.4.0  -> ==3.4.1
click (changelog)                ==8.1.7  -> ==8.1.8
jinja2 (changelog)               ==3.1.4  -> ==3.1.5
locust (source)                  ==2.32.4 -> ==2.32.5
psutil                           ==6.1.0  -> ==6.1.1
urllib3 (changelog)              ==2.2.3  -> ==2.3.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-56326

An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code.

To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.

Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's format method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.

CVE-2024-56201

A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of whether Jinja's sandbox is used.

To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.
Release Notes

jawah/charset_normalizer (charset-normalizer)

v3.4.1

Compare Source

Changed
  • Project metadata are now stored using pyproject.toml instead of setup.cfg using setuptools as the build backend.
  • Enforce delayed loading of annotations for simpler and consistent types in the project.
  • Optional mypyc compilation upgraded to version 1.14 for Python >= 3.8
Added
  • pre-commit configuration.
  • noxfile.
Removed
  • build-requirements.txt as per using pyproject.toml native build configuration.
  • bin/integration.py and bin/serve.py in favor of downstream integration test (see noxfile).
  • setup.cfg in favor of pyproject.toml metadata configuration.
  • Unused utils.range_scan function.
Fixed
  • Converting content to Unicode bytes may insert utf_8 instead of preferred utf-8. (#572)
  • Deprecation warning "'count' is passed as positional argument" when converting to Unicode bytes on Python 3.13+
pallets/click (click)

v8.1.8

Compare Source

Unreleased

  • Fix an issue with type hints for click.open_file(). (#2717)
  • Fix issue where error message for invalid click.Path displays on
    multiple lines. (#2697)
  • Fixed issue that prevented a default value of "" from being displayed in
    the help for an option. (#2500)
  • The test runner handles stripping color consistently on Windows.
    (#2705)
  • Show correct value for flag default when using default_map.
    (#2632)
  • Fix click.echo(color=...) passing color to colorama so it can be
    forced on Windows. (#2606)
pallets/jinja (jinja2)

v3.1.5

Compare Source

Unreleased

  • Calling sync render for an async template uses asyncio.run.
    (#1952)
  • Avoid unclosed auto_aiter warnings. (#1960)
  • Return an aclose-able AsyncGenerator from
    Template.generate_async. (#1960)
  • Avoid leaving root_render_func() unclosed in
    Template.generate_async. (#1960)
  • Avoid leaving async generators unclosed in blocks, includes and extends.
    (#1960)
locustio/locust (locust)

v2.32.5

Compare Source

Full Changelog

Merged pull requests:

  • Make cpu usage check sleep BEFORE the first check, and make it slightly less frequent #3014 (cyberw)
  • FastHttpUser: Fix ssl loading performance issue by avoiding to load certs when they wont be used anyway #3013 (cyberw)
  • Treat exceptions in init event handler as fatal #3009 (cyberw)
  • Add create store export #3004 (andrewbaldwin44)
giampaolo/psutil (psutil)

v6.1.1

Compare Source

2024-12-19

Enhancements

  • #2471: use Vulture CLI tool to detect dead code.

Bug fixes

  • #2418, [Linux]: fix race condition in case /proc/PID/stat does not exist, but
    /proc/PID does, resulting in FileNotFoundError.
  • #2470, [Linux]: users() may return "localhost" instead of the actual IP
    address of the user logged in.
urllib3/urllib3 (urllib3)

v2.3.0

Compare Source

Features

  • Added HTTPResponse.shutdown() to stop any ongoing or future reads for a specific response. It calls shutdown(SHUT_RD) on the underlying socket. This feature was sponsored by LaunchDarkly (https://opencollective.com/urllib3/contributions/815307). (#2868, https://github.com/urllib3/urllib3/issues/2868)
  • Added support for JavaScript Promise Integration on Emscripten. This enables more efficient WebAssembly
    requests and streaming, and makes it possible to use in Node.js if you launch it as node --experimental-wasm-stack-switching. (#3400, https://github.com/urllib3/urllib3/issues/3400)
  • Added the proxy_is_tunneling property to HTTPConnection and HTTPSConnection. (#3285, https://github.com/urllib3/urllib3/issues/3285)
  • Added pickling support to NewConnectionError and NameResolutionError. (#3480, https://github.com/urllib3/urllib3/issues/3480)

Bugfixes

  • Fixed an issue in debug logs where the HTTP version was rendering as "HTTP/11" instead of "HTTP/1.1". (#3489, https://github.com/urllib3/urllib3/issues/3489)

Deprecations and Removals

  • Removed support for Python 3.8. (#3492, https://github.com/urllib3/urllib3/issues/3492)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner December 24, 2024 01:11
@renovate renovate bot added dependencies Pull requests that update a dependency file Renovate SecurityAlert labels Dec 24, 2024
@renovate renovate bot had a problem deploying to dev_2230renovateallm December 24, 2024 01:28 Failure
@renovate renovate bot force-pushed the renovate-all-minor-patch-updates-python branch from 6dab224 to 1d1833e Compare December 25, 2024 14:32
@renovate renovate bot changed the title [SECURITY] Renovate update Security Alerts [SECURITY] Renovate update minor and patch updates (Python) Dec 25, 2024
@renovate renovate bot force-pushed the renovate-all-minor-patch-updates-python branch from 1d1833e to 306a003 Compare December 26, 2024 09:25
@nickdavis2001 nickdavis2001 merged commit 11eff45 into main Jan 6, 2025
47 checks passed
@nickdavis2001 nickdavis2001 deleted the renovate-all-minor-patch-updates-python branch January 6, 2025 07:08