JanssenProject / jans

An open source enterprise digital identity platform for CIAM or workforce... Janssen is a distribution of standards-based, developer-friendly components that are engineered to work together in any cloud. #OAuth #OpenID #FIDO
https://docs.jans.io
Apache License 2.0

chore(deps): bump setuptools from 65.6.3 to 75.6.0 in /docs #10218

Open dependabot[bot] opened 1 week ago

dependabot[bot] commented 1 week ago

Bumps setuptools from 65.6.3 to 75.6.0.

Changelog

Sourced from setuptools's changelog.

v75.6.0

Features

  • Preserve original PKG-INFO into METADATA when creating wheel (instead of calling wheel.metadata.pkginfo_to_metadata). This helps to be more compliant with the flow specified in PEP 517. (#4701)
  • Changed the WindowsSdkVersion, FrameworkVersion32 and FrameworkVersion64 properties of setuptools.msvc.PlatformInfo to return an empty tuple instead of None as a fallthrough case -- by Avasam (#4754)

v75.5.0

Features

  • Removed support for SETUPTOOLS_DANGEROUSLY_SKIP_PYPROJECT_VALIDATION, as it is deemed prone to errors. (#4746)

v75.4.0

Features

  • Added support for the environment variable SETUPTOOLS_DANGEROUSLY_SKIP_PYPROJECT_VALIDATION=true, allowing users to bypass the validation of pyproject.toml. This option should be used only as a last resort when resolving dependency issues, as it may lead to improper functioning. Users who enable this setting are responsible for ensuring that pyproject.toml complies with setuptools requirements. (#4611)

    Attention: This environment variable was removed in a later version of setuptools.

  • Require Python 3.9 or later. (#4718)

  • Remove dependency on importlib_resources and the vendored copy of the library. Instead, setuptools consistently rely on stdlib's importlib.resources (available on Python 3.9+). (#4718)

  • Setuptools' bdist_wheel implementation no longer produces wheels with the m SOABI flag (pymalloc-related). This flag was removed on Python 3.8+ (see sys.abiflags). (#4718)

  • Updated vendored packaging version to 24.2. (#4740)

... (truncated)

Commits
  • bf2ced2 Bump version: 75.5.0 → 75.6.0
  • 8685c80 Empty tuple instead of None for PlatformInfo version properties fallthrough (...
  • 50d671b Rename news fragment
  • 2b471c2 Changed the WindowsSdkVersion, FrameworkVersion32 and ``FrameworkVers...
  • 2c77cd2 Runtime typing fixes for typeshed return type merge (#4753
  • 9a4c8d4 Runtime typing fixes for typeshed return type merge
  • e622859 Preserve original PKG-INFO contents when creating wheel (instead of calling...
  • 0b5b417 Mark tests that may depend on external network
  • a4fa01d Add news fragment
  • 089aca9 Ignore coverage in test code
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dryrunsecurity[bot] commented 1 week ago

DryRun Security Summary

The pull request updates the requirements.txt file in the docs directory to include a newer version of the setuptools dependency, which is a positive security update that helps ensure the integrity of the installed packages and protects against supply chain attacks.

**Summary:** The code change in this pull request is an update to the `requirements.txt` file in the `docs` directory of a GitHub repository. The key change is the update of the `setuptools` dependency from version `65.6.3` to `75.6.0`. This is a positive security update, as the newer version of `setuptools` likely includes bug fixes and security patches to address known vulnerabilities. The use of a `requirements.txt` file and the inclusion of hash values for each dependency is a good practice for secure dependency management. This helps ensure the integrity of the installed packages and protects against supply chain attacks. Additionally, the presence of the Snyk security tool in the dependency management process suggests that the project is actively monitoring and addressing known vulnerabilities in its dependencies, which is a recommended security practice for any application.

**Files Changed:**

  • `docs/requirements.txt`: The `requirements.txt` file has been updated to include a newer version of the `setuptools` dependency, which was pinned by the Snyk security tool to avoid a known vulnerability. This is a positive security change, as keeping dependencies up-to-date is a crucial security practice.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings

  • Sensitive Files Analyzer: 1 finding

Riskiness

Green: Risk threshold not exceeded.
