
Bump the pip group across 3 directories with 7 updates #3

Open
wants to merge 1 commit into master

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Apr 16, 2024

Updates the requirements on pyyaml, gunicorn, eventlet, gitpython, paramiko, pymongo and python-gnupg to permit the latest version.
Updates pyyaml to 6.0.1

Changelog

Sourced from pyyaml's changelog.

6.0.1 (2023-07-18)

6.0 (2021-10-13)

5.4.1 (2021-01-20)

  • yaml/pyyaml#480 -- Fix stub compat with older pyyaml versions that may unwittingly load it

5.4 (2021-01-19)

5.3.1 (2020-03-18)

  • yaml/pyyaml#386 -- Prevents arbitrary code execution during python/object/new constructor

5.3 (2020-01-06)

... (truncated)

Commits

Updates gunicorn from 19.7.1 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fixes numerous security vulnerabilities. You're invited to upgrade your own installation asap.

Changes:

22.0.0 - 2024-04-17
===================
  • use utime to notify workers liveness
  • migrate setup to pyproject.toml
  • fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
  • parsing additional requests is no longer attempted past unsupported request framing
  • on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
  • requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
  • Trailer fields are no longer inspected for headers indicating secure scheme
  • support Python 3.12

** Breaking changes **

  • minimum version is Python 3.7
  • the limitations on valid characters in the HTTP method have been bounded to Internet Standards
  • requests specifying unsupported transfer coding (order) are refused by default (rare)
  • HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
  • HTTP methods containing the number sign (#) are no longer accepted by default (rare)
  • HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
  • HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
  • HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
  • HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
  • requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
  • empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

  • fix CVE-2024-1135
  1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
  2. Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Gunicorn 21.2.0 has been released. This version fixes the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle.

... (truncated)

Commits
  • f63d59e bump to 22.0
  • 4ac81e0 Merge pull request #3175 from e-kwsm/typo
  • 401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
  • 0243ec3 fix(deps): exclude eventlet 0.36.0
  • 628a0bc chore: fix typos
  • 88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
  • deae2fc CI: back off the agressive timeout
  • f470382 docs: promise 3.12 compat
  • 5e30bfa add changelog to project.urls (updated for PEP621)
  • 481c3f9 remove setup.cfg - overridden by pyproject.toml
  • Additional commits viewable in compare view

Updates eventlet from 0.19.0 to 0.35.2

Changelog

Sourced from eventlet's changelog.

0.35.2

0.35.1

0.35.0

0.34.3

0.34.2

... (truncated)

Commits

Updates gitpython from 2.1.7 to 3.1.41

Release notes

Sourced from gitpython's releases.

3.1.41 - fix Windows security issue

The details about the Windows security issue can be found in this advisory.

Special thanks go to @​EliahKagan who reported the issue and fixed it in a single stroke, while being responsible for an incredible amount of improvements that he contributed over the last couple of months ❤️.

What's Changed

... (truncated)

Commits
  • f288738 bump patch level
  • ef3192c Merge pull request #1792 from EliahKagan/popen
  • 1f3caa3 Further clarify comment in test_hook_uses_shell_not_from_cwd
  • 3eb7c2a Move safer_popen from git.util to git.cmd
  • c551e91 Extract shared logic for using Popen safely on Windows
  • 15ebb25 Clarify comment in test_hook_uses_shell_not_from_cwd
  • f44524a Avoid spurious "location may have moved" on Windows
  • a42ea0a Cover absent/no-distro bash.exe in hooks "not from cwd" test
  • 7751436 Extract venv management from test_installation
  • 66ff4c1 Omit CWD in search for bash.exe to run hooks on Windows
  • Additional commits viewable in compare view

Updates paramiko from 2.2.1 to 2.2.4

Commits

Updates pymongo from 3.4.0 to 4.6.3

Release notes

Sourced from pymongo's releases.

PyMongo 4.6.2

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-2-released/267404

PyMongo 4.6.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-1-released/255752

PyMongo 4.6.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-0-released/251866

PyMongo 4.5.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-5-0-released/240662

PyMongo 4.4.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-1-released/235045

PyMongo 4.4.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-released/232211

PyMongo 4.4.0b0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-0b0-release/210471

PyMongo 4.3.3

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-3-3-release/200145

PyMongo 4.3.2

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-3-2-released/194266

PyMongo 4.2.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-2-0-released/176012

PyMongo 4.2.0b0

Release notes: https://www.mongodb.com/community/forums/t/python-driver-4-2-0-beta-available/168488

PyMongo 4.1.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-1-1-released/157895

PyMongo 4.1.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-1-0-released/156029

PyMongo 4.0.2

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-0-2-released/150457

PyMongo 4.0.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-0-1-released/135979

PyMongo 4.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-0-released/134677

PyMongo 3.13.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-3-13-0-released/197141

... (truncated)

Changelog

Sourced from pymongo's changelog.

Changelog

Changes in Version 4.7

PyMongo 4.7 brings a number of improvements including:

  • Added the :class:`pymongo.hello.Hello.connection_id`, :attr:`pymongo.monitoring.CommandStartedEvent.server_connection_id`, :attr:`pymongo.monitoring.CommandSucceededEvent.server_connection_id`, and :attr:`pymongo.monitoring.CommandFailedEvent.server_connection_id` properties.

  • Fixed a bug where inflating a :class:`~bson.raw_bson.RawBSONDocument` containing a :class:`~bson.code.Code` would cause an error.

  • Significantly improved the performance of encoding BSON documents to JSON.

  • Support for named KMS providers for client side field level encryption. Previously supported KMS providers were only: aws, azure, gcp, kmip, and local. The KMS provider is now expanded to support name suffixes (e.g. local:myname). Named KMS providers enable more than one of each KMS provider type to be configured. See the docstring for :class:`~pymongo.encryption_options.AutoEncryptionOpts`. Note that named KMS providers require pymongocrypt >=1.9 and libmongocrypt >=1.9.

  • :meth:`~pymongo.encryption.ClientEncryption.encrypt` and :meth:`~pymongo.encryption.ClientEncryption.encrypt_expression` now allow ``key_id`` to be passed in as a :class:`uuid.UUID`.

  • Fixed a bug where :class:`~bson.int64.Int64` instances could not always be encoded by orjson_. The following now works::

        from bson.int64 import Int64
        import orjson
        from bson import json_util

        orjson.dumps({'a': Int64(1)}, default=json_util.default, option=orjson.OPT_PASSTHROUGH_SUBCLASS)

.. _orjson: https://github.com/ijl/orjson

  • Fixed a bug appearing in Python 3.12 where "RuntimeError: can't create new thread at interpreter shutdown" could be written to stderr when a MongoClient's thread starts as the python interpreter is shutting down.
  • Added a warning when connecting to DocumentDB and CosmosDB clusters. For more information regarding feature compatibility and support please visit `mongodb.com/supportability/documentdb <https://mongodb.com/supportability/documentdb>`_ and `mongodb.com/supportability/cosmosdb <https://mongodb.com/supportability/cosmosdb>`_.
  • Added the :attr:`pymongo.monitoring.ConnectionCheckedOutEvent.duration`, :attr:`pymongo.monitoring.ConnectionCheckOutFailedEvent.duration`, and :attr:`pymongo.monitoring.ConnectionReadyEvent.duration` properties.
  • Added the ``type`` and ``kwargs`` arguments to :class:`~pymongo.operations.SearchIndexModel` to enable creating vector search indexes in MongoDB Atlas.
  • Fixed a bug where ``read_concern`` and ``write_concern`` were improperly added to :meth:`~pymongo.collection.Collection.list_search_indexes` queries.
  • Deprecated :attr:`pymongo.write_concern.WriteConcern.wtimeout` and :attr:`pymongo.mongo_client.MongoClient.wTimeoutMS`. Use :meth:`~pymongo.timeout` instead.

Unavoidable breaking changes

... (truncated)

Commits
  • 8da192f BUMP 4.6.3
  • 56b6b6d PYTHON-4305 Fix bson size check (#1564)
  • 449d0f3 BUMP to 4.6.3.dev0
  • e04576d DEVPROD-3871 Use teardown_task when there is one function/command (#1533)
  • cf1c6a1 PYTHON-4219 Prep for 4.6.2 Release (#1530)
  • d29b2b7 PYTHON-4147 [v4.6]: Silence noisy thread.start() RuntimeError at shutdown (#1...
  • 0477b9b PYTHON-4077 [v4.6]: Ensure there is a MacOS wheel for Python 3.7 (#1527)
  • ecad17d BUMP 4.6.2.dev0
  • 485e0a5 BUMP 4.6.1
  • 995365c PYTHON-4038 [v4.6]: Ensure retryable read OperationFailures re-raise except...
  • Additional commits viewable in compare view

Updates python-gnupg from 0.4.1 to 0.4.4

Commits
  • e2b2d82 Changes for 0.4.4.
  • 1a4db06 Updated tox configuration.
  • 5cc9020 Expand passphrase check to include NUL bytes.
  • 55390b1 Removed 3.3 from Travis configuration.
  • 456c871 Updated Python versions in Travis configuration.
  • 5f640bc Remove Xenial, add Python 3.7-dev.
  • 75a762c Updated Travis configuration with Python 3.7.
  • 1a51968 Added checks to disallow newline-type characters in passphrases.
  • 47213ed Fixed #21: Collected signature information for multiple signatures when verif...
  • c3d2840 Updated change log, tox configuration.
  • Additional commits viewable in compare view


Updates the requirements on [pyyaml](https://github.com/yaml/pyyaml), [gunicorn](https://github.com/benoitc/gunicorn), [eventlet](https://github.com/eventlet/eventlet), [gitpython](https://github.com/gitpython-developers/GitPython), [paramiko](https://github.com/paramiko/paramiko), [pymongo](https://github.com/mongodb/mongo-python-driver) and [python-gnupg](https://github.com/vsajip/python-gnupg) to permit the latest version.

Updates `pyyaml` to 6.0.1
- [Changelog](https://github.com/yaml/pyyaml/blob/main/CHANGES)
- [Commits](yaml/pyyaml@3.12...6.0.1)

Updates `gunicorn` from 19.7.1 to 22.0.0
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](benoitc/gunicorn@19.7.1...22.0.0)

Updates `eventlet` from 0.19.0 to 0.35.2
- [Changelog](https://github.com/eventlet/eventlet/blob/master/NEWS)
- [Commits](eventlet/eventlet@v0.19.0...v0.35.2)

Updates `gitpython` from 2.1.7 to 3.1.41
- [Release notes](https://github.com/gitpython-developers/GitPython/releases)
- [Changelog](https://github.com/gitpython-developers/GitPython/blob/main/CHANGES)
- [Commits](gitpython-developers/GitPython@2.1.7...3.1.41)

Updates `paramiko` from 2.2.1 to 2.2.4
- [Commits](paramiko/paramiko@2.2.1...2.2.4)

Updates `pymongo` from 3.4.0 to 4.6.3
- [Release notes](https://github.com/mongodb/mongo-python-driver/releases)
- [Changelog](https://github.com/mongodb/mongo-python-driver/blob/master/doc/changelog.rst)
- [Commits](mongodb/mongo-python-driver@3.4.0...4.6.3)

Updates `python-gnupg` from 0.4.1 to 0.4.4
- [Release notes](https://github.com/vsajip/python-gnupg/releases)
- [Changelog](https://github.com/vsajip/python-gnupg/blob/master/release)
- [Commits](vsajip/python-gnupg@0.4.1...0.4.4)

Updates `pyyaml` to 6.0.1
- [Changelog](https://github.com/yaml/pyyaml/blob/main/CHANGES)
- [Commits](yaml/pyyaml@3.12...6.0.1)

Updates `pyyaml` to 6.0.1
- [Changelog](https://github.com/yaml/pyyaml/blob/main/CHANGES)
- [Commits](yaml/pyyaml@3.12...6.0.1)

Updates `eventlet` from 0.19.0 to 0.35.2
- [Changelog](https://github.com/eventlet/eventlet/blob/master/NEWS)
- [Commits](eventlet/eventlet@v0.19.0...v0.35.2)

Updates `paramiko` from 2.2.1 to 2.2.4
- [Commits](paramiko/paramiko@2.2.1...2.2.4)

Updates `pymongo` from 3.4.0 to 4.6.3
- [Release notes](https://github.com/mongodb/mongo-python-driver/releases)
- [Changelog](https://github.com/mongodb/mongo-python-driver/blob/master/doc/changelog.rst)
- [Commits](mongodb/mongo-python-driver@3.4.0...4.6.3)

---
updated-dependencies:
- dependency-name: pyyaml
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: gunicorn
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: eventlet
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: gitpython
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: paramiko
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pymongo
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: python-gnupg
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pyyaml
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pyyaml
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: eventlet
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: paramiko
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pymongo
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
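The gunicorn 22.0.0 release notes quoted in this PR list the request framings the hardened HTTP parser now refuses (Transfer-Encoding together with Content-Length, empty header field names, chunked coding on HTTP versions below 1.1, malformed or out-of-range HTTP versions, a `#` in the method, empty or mis-ordered transfer codings). The checker below is an added example, not gunicorn's parser and not part of this dependency bump: it applies those rules as a stand-alone function over a few constructed request heads so a reviewer can see, before and after the upgrade, which inputs a compliant front end should be rejecting. The sample requests, the function name `check_request_framing`, and the reading of "unsupported transfer coding (order)" as "chunked must be the final coding" are assumptions made for the example.

```python
import re
from typing import List

# Constructed sample request heads (not taken from the PR or from gunicorn).
SAMPLE_OK = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

SAMPLE_TE_AND_CL = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
)

SAMPLE_CHUNKED_ON_10 = (
    b"POST /submit HTTP/1.0\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
)

SAMPLE_BAD_VERSION_AND_METHOD = (
    b"GET# /x HTTP/1.12\r\n"
    b": empty-name\r\n"
    b"\r\n"
)

# RFC 9110 "token" characters; an HTTP method must be a token.
_TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Exactly one digit on each side of the dot, as gunicorn 22.0 requires.
_VERSION_RE = re.compile(rb"^HTTP/(\d)\.(\d)$")


def check_request_framing(raw: bytes) -> List[str]:
    """Return the reasons a request head should be refused (empty list = accepted).

    The rules mirror the gunicorn 22.0.0 release notes; this function is a
    simplified stand-in written for illustration, not gunicorn's own parser.
    """
    reasons: List[str] = []
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ") if lines else []
    if len(parts) != 3:
        return ["malformed request line"]
    method, _target, version = parts

    # '#' is a legal token character but is refused by default since 22.0.
    if not _TOKEN_RE.match(method):
        reasons.append("method contains non-token characters")
    elif b"#" in method:
        reasons.append("method contains '#'")

    m = _VERSION_RE.match(version)
    major_minor = None
    if not m:
        reasons.append("HTTP version is not a single-digit major.minor")
    else:
        major_minor = (int(m.group(1)), int(m.group(2)))
        if major_minor < (1, 0) or major_minor >= (2, 0):
            reasons.append("HTTP version outside 1.0-1.x")

    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            reasons.append("header line without ':'")
            continue
        name = name.strip().lower()
        if not name:
            reasons.append("header with empty field name")
            continue
        headers.append((name, value.strip()))

    has_cl = any(n == b"content-length" for n, _ in headers)
    te_values = [v for n, v in headers if n == b"transfer-encoding"]
    if has_cl and te_values:
        reasons.append("both Transfer-Encoding and Content-Length present")

    for te in te_values:
        codings = [c.strip().lower() for c in te.split(b",")]
        if any(c == b"" for c in codings):
            reasons.append("empty transfer coding")
        if b"chunked" in codings and major_minor is not None and major_minor < (1, 1):
            reasons.append("chunked transfer coding on HTTP version < 1.1")
        if codings and codings[-1] != b"chunked":
            reasons.append("unsupported transfer coding or order (chunked must be last)")

    return reasons


if __name__ == "__main__":
    for label, sample in [("ok", SAMPLE_OK), ("te+cl", SAMPLE_TE_AND_CL),
                          ("chunked/1.0", SAMPLE_CHUNKED_ON_10),
                          ("bad version+method", SAMPLE_BAD_VERSION_AND_METHOD)]:
        print(label, "->", check_request_framing(sample) or "accepted")
```

Running the checker over the samples shows the first head accepted and the other three refused with the reason each release-note bullet describes; pointing it at a capture of a front end's traffic before upgrading gunicorn is a quick way to estimate how many clients or proxies would be affected by the new defaults.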
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Apr 16, 2024