chore(deps): update dependency werkzeug to v3.0.6 [security] (#51)
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| Werkzeug ([changelog](https://werkzeug.palletsprojects.com/changes/)) | `==3.0.4` -> `==3.0.6` | [![age](https://developer.mend.io/api/mc/badges/age/pypi/Werkzeug/3.0.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/Werkzeug/3.0.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/Werkzeug/3.0.4/3.0.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/Werkzeug/3.0.4/3.0.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-49766](https://redirect.github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j)

On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths
like `//server/share`. Werkzeug's `safe_join()` relies on this check,
and so can produce a path that is not safe, potentially allowing
unintended access to data. Applications using Python >= 3.11, or not
using Windows, are not vulnerable.

#### [CVE-2024-49767](https://redirect.github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2)

Applications using Werkzeug to parse `multipart/form-data` requests are
vulnerable to resource exhaustion. A specially crafted form body can
bypass the `Request.max_form_memory_size` setting.

The `Request.max_content_length` setting, as well as resource limits
provided by deployment software and platforms, are also available to
limit the resources used during a request. This vulnerability does not
affect those settings. All three types of limits should be considered
and set appropriately when deploying an application.

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/Nextdoor/gogo).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4xMjAuMSIsInVwZGF0ZWRJblZlciI6IjM4LjEyMC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
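The first advisory in the PR text concerns the `safe_join()` guard and the pre-3.11 Windows `os.path.isabs()` behaviour. The following is an added example, not Werkzeug's code and not the upstream patch verbatim: it re-creates the shape of that check in pure standard-library Python, emulates the old Windows `isabs()` through `ntpath.splitdrive()` so the failure reproduces on any platform and any Python version, and pairs it with a hardened variant that rejects any normalised segment beginning with a slash. The `static` directory, the `//server/share` payload and the function names are constructed for the illustration.

```python
"""Added example (not Werkzeug's code): re-creation of the safe_join()
check from CVE-2024-49766, with the pre-3.11 Windows isabs() emulated."""
import ntpath
import posixpath
from typing import Optional


def legacy_nt_isabs(path: str) -> bool:
    """Emulate ntpath.isabs() as it behaved on Python < 3.11 (assumption:
    the old splitdrive()-based logic). A bare UNC share such as
    //server/share is consumed entirely by splitdrive(), leaving an
    empty tail, so the old check reported it as *not* absolute."""
    tail = ntpath.splitdrive(path)[1]
    return len(tail) > 0 and tail[0] in "\\/"


def safe_join_windows_py310(directory: str, *pathnames: str) -> Optional[str]:
    """Vulnerable shape, modelling Windows on Python < 3.11: rejects
    backslashes (os.sep on Windows), absolute paths and '..' escapes,
    then trusts isabs() for everything else."""
    parts = [directory or "."]
    for filename in pathnames:
        if filename != "":
            # posixpath.normpath keeps exactly two leading slashes
            filename = posixpath.normpath(filename)
        if (
            "\\" in filename                 # Windows alt separator
            or legacy_nt_isabs(filename)     # the check the CVE is about
            or filename == ".."
            or filename.startswith("../")
        ):
            return None
        parts.append(filename)
    # posixpath.join discards earlier parts when a later one starts with '/'
    return posixpath.join(*parts)


def safe_join_hardened(directory: str, *pathnames: str) -> Optional[str]:
    """Hardened shape (my own check, not the upstream fix verbatim): in
    addition to the checks above, refuse any normalised segment that
    begins with '/', which covers //server/share regardless of what the
    platform's isabs() says about it."""
    parts = [directory or "."]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        if (
            "\\" in filename
            or legacy_nt_isabs(filename)
            or filename == ".."
            or filename.startswith("../")
            or filename.startswith("/")      # added guard
        ):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


def demo() -> dict:
    """Run both variants over constructed inputs; returns a dict of results
    so the behaviour can be inspected or asserted on."""
    cases = {
        "normal": "css/app.css",
        "dotdot": "../etc/passwd",
        "drive": "C:/Windows/win.ini",
        "unc_file": "//server/share/secret.txt",   # caught: tail is '/secret.txt'
        "unc_share": "//server/share",             # bare share: old isabs() says False
    }
    return {
        name: (safe_join_windows_py310("static", p), safe_join_hardened("static", p))
        for name, p in cases.items()
    }


if __name__ == "__main__":
    for name, (old, new) in demo().items():
        print(f"{name:10s} vulnerable={old!r:32s} hardened={new!r}")
```

The point worth noticing is that only the bare share `//server/share` escapes: `//server/share/file` still has a tail beginning with `/` after `splitdrive()`, so even the old `isabs()` rejects it. The second advisory is a matter of request limits (`Request.max_content_length`, `max_form_memory_size`) rather than of path handling and is not illustrated here.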
renovate[bot] authored Oct 26, 2024
1 parent 4604911 commit d685e8f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion resources/requirements.txt
Expand Up @@ -26,4 +26,4 @@ six==1.16.0
SQLAlchemy==2.0.36
uritemplate==4.1.1
urllib3==2.2.3
Werkzeug==3.0.4
Werkzeug==3.0.6
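Review bot: the pin bump from 3.0.4 to 3.0.6 closes the library side of both advisories, but for CVE-2024-49767 the PR text itself says the fix does not touch `Request.max_content_length` or platform-level limits and that all three limits should be set; this change only edits resources/requirements.txt, so confirm the application (or the proxy in front of it) actually configures those limits rather than treating the version bump as the whole remediation. Also, the file pins by version only (`Werkzeug==3.0.6`); adding `--hash` entries would let pip verify the artefact it installs for these security-driven updates.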
