Closed dependabot[bot] closed 1 year ago
@Dependabot merge
Sincerely, Flo
On May 23, 2023, ZyberSE @.***> wrote:
This automated pull request fixes a security vulnerability https://github.com/HelloThisIsFlo/Appdaemon-Test- Framework/security/dependabot/35 (moderate severity). Learn more about Dependabot security updates https://docs.github.com/github/managing-security- vulnerabilities/configuring-dependabot-security-updates.
Bumps requests https://github.com/psf/requests from 2.26.0 to 2.31.0.
Release notes Sourced from requests's releases https://github.com/psf/requests/releases.
v2.31.02.31.0 (2023-05-22)Security
Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.
When proxies are defined with user info @.***:8080>), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.
Full details can be read in our Github Security Advisory https://github.com/psf/requests/security/advisories/GHSA-j8r2- 6x86-q33q and CVE-2023-32681 https://nvd.nist.gov/vuln/detail/CVE-2023-32681.
v2.30.02.30.0 (2023-05-03)Dependencies
⚠️ Added support for urllib3 2.0. ⚠️
This may contain minor breaking changes so we advise careful testing and reviewing https://urllib3.readthedocs.io/en/latest/v2-migration- guide.html prior to upgrading.
Users who wish to stay on urllib3 1.x can pin to urllib3<2.
v2.29.02.29.0 (2023-04-26)Improvements
- Requests now defers chunked requests to the urllib3 implementation to improve standardization. (#6226 https://redirect.github.com/psf/requests/issues/6226)
- Requests relaxes header component requirements to support bytes/str subclasses. (#6356 https://redirect.github.com/psf/requests/issues/6356)
... (truncated)
Changelog Sourced from requests's changelog https://github.com/psf/requests/blob/main/HISTORY.md.
2.31.0 (2023-05-22)Security
Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.
When proxies are defined with user info @.***:8080>), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.
Full details can be read in our Github Security Advisory https://github.com/psf/requests/security/advisories/GHSA-j8r2- 6x86-q33q and CVE-2023-32681 https://nvd.nist.gov/vuln/detail/CVE-2023-32681.
2.30.0 (2023-05-03)Dependencies
⚠️ Added support for urllib3 2.0. ⚠️
This may contain minor breaking changes so we advise careful testing and reviewing https://urllib3.readthedocs.io/en/latest/v2-migration- guide.html prior to upgrading.
Users who wish to stay on urllib3 1.x can pin to urllib3<2.
2.29.0 (2023-04-26)Improvements
- Requests now defers chunked requests to the urllib3 implementation to improve standardization. (#6226 https://redirect.github.com/psf/requests/issues/6226)
- Requests relaxes header component requirements to support bytes/str subclasses. (#6356 https://redirect.github.com/psf/requests/issues/6356)
2.28.2 (2023-01-12)
... (truncated)
Commits
- 147c851 https://github.com/psf/requests/commit/147c8511ddbfa5e8f71bbf5c18ede0c4ceb3bba4 v2.31.0
- 74ea7cf https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 Merge pull request from GHSA-j8r2-6x86-q33q https://github.com/advisories/GHSA- j8r2-6x86-q33q
- 3022253 https://github.com/psf/requests/commit/302225334678490ec66b3614a9dddb8a02c5f4fe test on pypy 3.8 and pypy 3.9 on windows and macos (#6424 https://redirect.github.com/psf/requests/issues/6424)
- b639e66 https://github.com/psf/requests/commit/b639e66c816514e40604d46f0088fbceec1a5149 test on py3.12 (#6448 https://redirect.github.com/psf/requests/issues/6448)
- d3d5044 https://github.com/psf/requests/commit/d3d504436ef0c2ac7ec8af13738b04dcc8c694be Fixed a small typo (#6452 https://redirect.github.com/psf/requests/issues/6452)
- 2ad18e0 https://github.com/psf/requests/commit/2ad18e0e10e7d7ecd5384c378f25ec8821a10a29 v2.30.0
- f2629e9 https://github.com/psf/requests/commit/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773 Remove strict parameter (#6434 https://redirect.github.com/psf/requests/issues/6434)
- 87d63de https://github.com/psf/requests/commit/87d63de8739263bbe17034fba2285c79780da7e8 v2.29.0
- 51716c4 https://github.com/psf/requests/commit/51716c4ef390136b0d4b800ec7665dd5503e64fc enable the warnings plugin (#6416 https://redirect.github.com/psf/requests/issues/6416)
- a7da1ab https://github.com/psf/requests/commit/a7da1ab3498b10ec3a3582244c94b2845f8a8e71 try on ubuntu 22.04 (#6418 https://redirect.github.com/psf/requests/issues/6418)
- Additional commits viewable in compare view https://github.com/psf/requests/compare/v2.26.0...v2.31.0
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page https://github.com/HelloThisIsFlo/Appdaemon- Test-Framework/network/alerts.
You can view, comment on, or merge this pull request online at: https://github.com/HelloThisIsFlo/Appdaemon-Test-Framework/pull/77
Commit Summary
- 8705c73 https://github.com/HelloThisIsFlo/Appdaemon-Test- Framework/pull/77/commits/8705c73ab4ca7edf5fb3a9585c096717662c9593 Bump requests from 2.26.0 to 2.31.0
File Changes
(1 file https://github.com/HelloThisIsFlo/Appdaemon-Test- Framework/pull/77/files)
- M Pipfile.lock https://github.com/HelloThisIsFlo/Appdaemon-Test- Framework/pull/77/files#diff- a86c67a0a29ed0e95909b9b7c420140f302d17399ee6dcce4e1a51a14d27fd51 (966)
Patch Links:
- https://github.com/HelloThisIsFlo/Appdaemon-Test- Framework/pull/77.patch
- https://github.com/HelloThisIsFlo/Appdaemon-Test- Framework/pull/77.diff — Reply to this email directly, view it on GitHub https://github.com/HelloThisIsFlo/Appdaemon-Test- Framework/pull/77, or unsubscribe https://github.com/notifications/unsubscribe- auth/ACSUOIJM6Y7I6V3MU4GHDKTXHQS55ANCNFSM6AAAAAAYLHSWVA. You are receiving this because you are subscribed to this thread.Message ID: <HelloThisIsFlo/Appdaemon-Test- @.***>
Bumps requests from 2.26.0 to 2.31.0.
Release notes
Sourced from requests's releases.
... (truncated)
Changelog
Sourced from requests's changelog.
... (truncated)
Commits
147c851
v2.31.074ea7cf
Merge pull request from GHSA-j8r2-6x86-q33q3022253
test on pypy 3.8 and pypy 3.9 on windows and macos (#6424)b639e66
test on py3.12 (#6448)d3d5044
Fixed a small typo (#6452)2ad18e0
v2.30.0f2629e9
Remove strict parameter (#6434)87d63de
v2.29.051716c4
enable the warnings plugin (#6416)a7da1ab
try on ubuntu 22.04 (#6418)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/HelloThisIsFlo/Appdaemon-Test-Framework/network/alerts).