Data4Democracy / nyc-accessibility

6 stars 11 forks source link

Bump twisted from 22.2.0 to 22.4.0 in /elevator-pipeline #84

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 2 years ago

Bumps twisted from 22.2.0 to 22.4.0.

Release notes

Sourced from twisted's releases.

Twisted 22.4.0 (2022-04-11)

Features

  • twisted.python.failure.Failure tracebacks now capture module information, improving compatibility with the Raven Sentry client. (#7796)
  • twisted.python.failure.Failure objects are now compatible with dis.distb, improving compatibility with post-mortem debuggers. (#9599)

Bugfixes

  • twisted.internet.interfaces.IReactorSSL.listenSSL now has correct type annotations. (#10274)
  • twisted.internet.test.test_glibbase.GlibReactorBaseTests now passes. (#10317)

Conch

Features


- twisted.conch.ssh now supports using RSA keys with SHA-2 signatures (RFC 8332) when acting as a server.  The rsa-sha2-512 and rsa-sha2-256 public key signature algorithms are automatically preferred over ssh-rsa if the client advertises support for them; the actual public keys do not need to change. ([#9765](https://github.com/twisted/twisted/issues/9765))
- twisted.conch.ssh now has an alternative Ed25519 implementation using PyNaCl, in order to support platforms that lack OpenSSL >= 1.1.1b.  The new "conch_nacl" extra has the necessary dependency. ([#10208](https://github.com/twisted/twisted/issues/10208))

Misc


-  ([#10313](https://github.com/twisted/twisted/issues/10313))

Web
---

Features
</code></pre>
<ul>
<li>Twisted is now compatible with h2 4.x.x. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/10182">#10182</a>)</li>
</ul>
<p>Bugfixes</p>
<pre><code>
- twisted.web.http had several several defects in HTTP request parsing that could permit HTTP request smuggling. It now disallows signed Content-Length headers, forbids illegal characters in chunked extensions, forbids a ``0x`` prefix to chunk lengths, and only strips spaces and horizontal tab characters from header values. These changes address CVE-2022-24801 and GHSA-c2jg-hw38-jrqq. ([#10323](https://github.com/twisted/twisted/issues/10323))

Mail
----
&lt;/tr&gt;&lt;/table&gt; 
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>

<p><em>Sourced from <a href="https://github.com/twisted/twisted/blob/trunk/NEWS.rst">twisted's changelog</a>.</em></p>
<blockquote>
<h1>Twisted 22.4.0 (2022-04-11)</h1>
<h2>Features</h2>
<ul>
<li>twisted.python.failure.Failure tracebacks now capture module information, improving compatibility with the Raven Sentry client. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/7796">#7796</a>)</li>
<li>twisted.python.failure.Failure objects are now compatible with dis.distb, improving compatibility with post-mortem debuggers. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/9599">#9599</a>)</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>twisted.internet.interfaces.IReactorSSL.listenSSL now has correct type annotations. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/10274">#10274</a>)</li>
<li>twisted.internet.test.test_glibbase.GlibReactorBaseTests now passes. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/10317">#10317</a>)</li>
</ul>
<h2>Conch</h2>
<p>Features</p>
<pre><code>
- twisted.conch.ssh now supports using RSA keys with SHA-2 signatures (RFC 8332) when acting as a server.  The rsa-sha2-512 and rsa-sha2-256 public key signature algorithms are automatically preferred over ssh-rsa if the client advertises support for them; the actual public keys do not need to change. ([#9765](https://github.com/twisted/twisted/issues/9765))
- twisted.conch.ssh now has an alternative Ed25519 implementation using PyNaCl, in order to support platforms that lack OpenSSL &gt;= 1.1.1b.  The new &quot;conch_nacl&quot; extra has the necessary dependency. ([#10208](https://github.com/twisted/twisted/issues/10208))

Misc

Web

Features

  • Twisted is now compatible with h2 4.x.x. (#10182)

Bugfixes


- twisted.web.http had several several defects in HTTP request parsing that could permit HTTP request smuggling. It now disallows signed Content-Length headers, forbids illegal characters in chunked extensions, forbids a ``0x`` prefix to chunk lengths, and only strips spaces and horizontal tab characters from header values. These changes address CVE-2022-24801 and GHSA-c2jg-hw38-jrqq. ([#10323](https://github.com/twisted/twisted/issues/10323))

Mail

</tr></table>

... (truncated)

Commits
  • ed86633 Mark as misc.
  • c894617 Update format for release notes item.
  • 5c5c046 Revert coverage reporting changes.
  • 682f2c3 Manual fix the news.
  • dd98e9c python -m incremental.update Twisted --newversion 22.4.0
  • 3eabae5 Fix coverage reporting as codecov v1 was removed.
  • a265267 Update after review.
  • efac92c tox -e towncrier
  • 5ece2d4 python -m incremental.update Twisted --rc
  • 592217e Merge pull request from GHSA-c2jg-hw38-jrqq
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Data4Democracy/nyc-accessibility/network/alerts).
dependabot[bot] commented 2 years ago

Superseded by #95.