Commit 6df0dee
Merge #160
160: Bump scrapy from 2.5.0 to 2.5.1 r=brunoocasali a=dependabot[bot]
Bumps [scrapy](https://github.com/scrapy/scrapy) from 2.5.0 to 2.5.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/scrapy/scrapy/releases">scrapy's releases</a>.</em></p>
<blockquote>
<h2>2.5.1</h2>
<p><strong>Security bug fix:</strong></p>
<p>If you use <a href="https://docs.scrapy.org/en/2.5/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth"><code>HttpAuthMiddleware</code></a> (i.e. the <code>http_user</code> and <code>http_pass</code> spider attributes) for HTTP authentication, any request exposes your credentials to the request target.</p>
<p>To prevent unintended exposure of authentication credentials to unintended domains, you must now additionally set a new, additional spider attribute, <code>http_auth_domain</code>, and point it to the specific domain to which the authentication credentials must be sent.</p>
<p>If the <code>http_auth_domain</code> spider attribute is not set, the domain of the first request will be considered the HTTP authentication target, and authentication credentials will only be sent in requests targeting that domain.</p>
<p>If you need to send the same HTTP authentication credentials to multiple domains, you can use <code>w3lib.http.basic_auth_header</code> instead to set the value of the <code>Authorization</code> header of your requests.</p>
<p>If you <em>really</em> want your spider to send the same HTTP authentication credentials to any domain, set the <code>http_auth_domain</code> spider attribute to <code>None</code>.</p>
<p>Finally, if you are a user of <a href="https://github.com/scrapy-plugins/scrapy-splash">scrapy-splash</a>, know that this version of Scrapy breaks compatibility with scrapy-splash 0.7.2 and earlier. You will need to upgrade scrapy-splash to a greater version for it to continue to work.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/scrapy/scrapy/blob/2.5.1/docs/news.rst">scrapy's changelog</a>.</em></p>
<blockquote>
<h2>Scrapy 2.5.1 (2021-10-05)</h2>
<ul>
<li>
<p><strong>Security bug fix:</strong></p>
<p>If you use <code>scrapy.downloadermiddlewares.httpauth.HttpAuthMiddleware</code>
(i.e. the <code>http_user</code> and <code>http_pass</code> spider attributes) for HTTP
authentication, any request exposes your credentials to the request target.</p>
<p>To prevent unintended exposure of authentication credentials to unintended
domains, you must now additionally set a new, additional spider attribute,
<code>http_auth_domain</code>, and point it to the specific domain to which the
authentication credentials must be sent.</p>
<p>If the <code>http_auth_domain</code> spider attribute is not set, the domain of the
first request will be considered the HTTP authentication target, and
authentication credentials will only be sent in requests targeting that
domain.</p>
<p>If you need to send the same HTTP authentication credentials to multiple
domains, you can use <code>w3lib.http.basic_auth_header</code> instead to
set the value of the <code>Authorization</code> header of your requests.</p>
<p>If you <em>really</em> want your spider to send the same HTTP authentication
credentials to any domain, set the <code>http_auth_domain</code> spider attribute
to <code>None</code>.</p>
<p>Finally, if you are a user of <a href="https://github.com/scrapy-plugins/scrapy-splash">scrapy-splash</a>, know that this version of
Scrapy breaks compatibility with scrapy-splash 0.7.2 and earlier. You will
need to upgrade scrapy-splash to a greater version for it to continue to
work.</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/scrapy/scrapy/commit/61130c8aad7adec056823edd6f85748ce17e54d6"><code>61130c8</code></a> Bump version: 2.5.0 → 2.5.1</li>
<li><a href="https://github.com/scrapy/scrapy/commit/98d21738a2241b4c94cbfe0b57ca4a58f23fac95"><code>98d2173</code></a> Pin the libxml2 version in CI as a newer one breaks lxml (<a href="https://github-redirect.dependabot.com/scrapy/scrapy/issues/5208">#5208</a>)</li>
<li><a href="https://github.com/scrapy/scrapy/commit/47fb908a0e750ab058bee07e856b80d2f15e9a6c"><code>47fb908</code></a> [CI] fail-fast: false (<a href="https://github-redirect.dependabot.com/scrapy/scrapy/issues/5200">#5200</a>)</li>
<li><a href="https://github.com/scrapy/scrapy/commit/6d7179b6b782bcc81e77e5cba4f7da8ba5cdac38"><code>6d7179b</code></a> tests: freeze pylint==2.7.4</li>
<li><a href="https://github.com/scrapy/scrapy/commit/d06dcb8246e4357096565f7409296af822b12c61"><code>d06dcb8</code></a> tests: force queuelib < 1.6.0</li>
<li><a href="https://github.com/scrapy/scrapy/commit/d99b1a189c1989ad7e620bf97033540cab6ac2f0"><code>d99b1a1</code></a> Cover 2.5.1 in the release notes</li>
<li><a href="https://github.com/scrapy/scrapy/commit/c9485a51518b999192df39ac30c0cdcfaac1ad6b"><code>c9485a5</code></a> Small documentation fixes.</li>
<li><a href="https://github.com/scrapy/scrapy/commit/a1728449712c8df68ad636a7abb9e715a13e1bd0"><code>a172844</code></a> Add http_auth_domain to HttpAuthMiddleware.</li>
<li><a href="https://github.com/scrapy/scrapy/commit/5fd75f865fb83438ab29966cce197e418f9a2e7d"><code>5fd75f8</code></a> docs: require sphinx-rtd-theme>=0.5.2 and the latest pip to prevent installin...</li>
<li>See full diff in <a href="https://github.com/scrapy/scrapy/compare/2.5.0...2.5.1">compare view</a></li>
</ul>
</details>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

2 files changed, +5 -5 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
7 | | - | |
| 7 | + | |
8 | 8 | | |
9 | 9 | | |
10 | 10 | | |
| |||
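The domain-scoping rules from the 2.5.1 release notes quoted in the commit message, modelled as an added example (not Scrapy's code and not part of this commit). `ScopedBasicAuth` and `basic_auth_value` are hypothetical names, the hostnames are constructed, and treating subdomains of the auth domain as in scope is an assumption of this sketch.

```python
import base64
from urllib.parse import urlsplit

_UNSET = object()  # distinguishes "attribute not set" from an explicit None


def basic_auth_value(user, password):
    """Basic credentials value (stdlib stand-in for w3lib.http.basic_auth_header)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


class ScopedBasicAuth:
    """Model of the three http_auth_domain cases in the release notes."""

    def __init__(self, user, password, auth_domain=_UNSET):
        self.value = basic_auth_value(user, password)
        self.auth_domain = auth_domain

    def _in_scope(self, host):
        if self.auth_domain is None:      # explicit opt-out: any domain
            return True
        if self.auth_domain is _UNSET:    # unset: pin to the first request's domain
            self.auth_domain = host
        domain = self.auth_domain.lower()
        # Assumption of this sketch: subdomains of the auth domain are in scope.
        return host == domain or host.endswith("." + domain)

    def headers_for(self, url):
        """Return the headers to attach to a request for `url`."""
        host = (urlsplit(url).hostname or "").lower()
        if host and self._in_scope(host):
            return {"Authorization": self.value}
        return {}  # out of scope: the credentials never leave for this host
```

The same check works as a per-request allowlist when credentials must go to several known domains: build one scoped object per domain instead of opting out with `None`.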