Bumps the pip group with 1 update in the /applications/accounts-api/backend directory: werkzeug.
Bumps the pip group with 9 updates in the /applications/portal/backend directory:
This is a feature release, which includes new features, removes previously deprecated code, and adds new deprecations. The 2.3.x branch is now the supported fix branch, the 2.2.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.
Fix slow multipart parsing for large parts potentially enabling DoS
attacks.
Version 2.3.7
Released 2023-08-14
Use flit_core instead of setuptools as build backend.
Fix parsing of multipart bodies. :issue:2734
Adjust index of last newline in data start. :issue:2761
Parsing ints from header values strips spacing first. :issue:2734
Fix empty file streaming when testing. :issue:2740
Clearer error message when URL rule does not start with slash. :pr:2750
Acceptq value can be a float without a decimal part. :issue:2751
Version 2.3.6
Released 2023-06-08
FileStorage.content_length does not fail if the form data did not provide a
value. :issue:2726
Version 2.3.5
Released 2023-06-07
Python 3.12 compatibility. :issue:2704
Fix handling of invalid base64 values in Authorization.from_header. :issue:2717
The debugger escapes the exception message in the page title. :pr:2719
When binding routing.Map, a long IDNA server_name with a port does not fail
encoding. :issue:2700
iri_to_uri shows a deprecation warning instead of an error when passing bytes.
:issue:2708
When parsing numbers in HTTP request headers such as Content-Length, only ASCII
digits are accepted rather than any format that Python's int and float
accept. :issue:2716
This is a feature release, which includes new features, removes previously deprecated code, and adds new deprecations. The 2.3.x branch is now the supported fix branch, the 2.2.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.
Fix slow multipart parsing for large parts potentially enabling DoS
attacks.
Version 2.3.7
Released 2023-08-14
Use flit_core instead of setuptools as build backend.
Fix parsing of multipart bodies. :issue:2734
Adjust index of last newline in data start. :issue:2761
Parsing ints from header values strips spacing first. :issue:2734
Fix empty file streaming when testing. :issue:2740
Clearer error message when URL rule does not start with slash. :pr:2750
Acceptq value can be a float without a decimal part. :issue:2751
Version 2.3.6
Released 2023-06-08
FileStorage.content_length does not fail if the form data did not provide a
value. :issue:2726
Version 2.3.5
Released 2023-06-07
Python 3.12 compatibility. :issue:2704
Fix handling of invalid base64 values in Authorization.from_header. :issue:2717
The debugger escapes the exception message in the page title. :pr:2719
When binding routing.Map, a long IDNA server_name with a port does not fail
encoding. :issue:2700
iri_to_uri shows a deprecation warning instead of an error when passing bytes.
:issue:2708
When parsing numbers in HTTP request headers such as Content-Length, only ASCII
digits are accepted rather than any format that Python's int and float
accept. :issue:2716
This release is a milestone: it fixes Black's first CVE security vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of leading tab
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
CVE-2024-21503.
This release also fixes a bug in Black's AST safety check that allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.
Stable style
Don't move comments along with delimiters, which could cause crashes (#4248)
Strengthen AST safety check to catch more unsafe changes to strings. Previous versions
of Black would incorrectly format the contents of certain unusual f-strings containing
nested strings with the same quote type. Now, Black will crash on such strings until
support for the new f-string syntax is implemented. (#4270)
Fix a bug where line-ranges exceeding the last code line would not work as expected
(#4273)
Performance
Fix catastrophic performance on docstrings that contain large numbers of leading tab
characters. This fixes
CVE-2024-21503.
(#4278)
Documentation
Note what happens when --check is used with --quiet (#4236)
24.2.0
Stable style
Fixed a bug where comments where mistakenly removed along with redundant parentheses
(#4218)
Preview style
Move the hug_parens_with_braces_and_square_brackets feature to the unstable style
due to an outstanding crash and proposed formatting tweaks (#4198)
Fixed a bug where base expressions caused inconsistent formatting of ** in tenary
expression (#4154)
Checking for newline before adding one on docstring that is almost at the line limit
(#4185)
Remove redundant parentheses in case statement if guards (#4214).
This release is a milestone: it fixes Black's first CVE security vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of leading tab
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
CVE-2024-21503.
This release also fixes a bug in Black's AST safety check that allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.
Stable style
Don't move comments along with delimiters, which could cause crashes (#4248)
Strengthen AST safety check to catch more unsafe changes to strings. Previous versions
of Black would incorrectly format the contents of certain unusual f-strings containing
nested strings with the same quote type. Now, Black will crash on such strings until
support for the new f-string syntax is implemented. (#4270)
Fix a bug where line-ranges exceeding the last code line would not work as expected
(#4273)
Performance
Fix catastrophic performance on docstrings that contain large numbers of leading tab
characters. This fixes
CVE-2024-21503.
(#4278)
Documentation
Note what happens when --check is used with --quiet (#4236)
24.2.0
Stable style
Fixed a bug where comments where mistakenly removed along with redundant parentheses
(#4218)
Preview style
Move the hug_parens_with_braces_and_square_brackets feature to the unstable style
due to an outstanding crash and proposed formatting tweaks (#4198)
Fixed a bug where base expressions caused inconsistent formatting of ** in tenary
expression (#4154)
Checking for newline before adding one on docstring that is almost at the line limit
(#4185)
Remove redundant parentheses in case statement if guards (#4214).
* Fixed a null-pointer-dereference and segfault that could occur when creating
a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
definitions in :rfc:`2633` :rfc:`3370`.
.. _v42-0-3:
42.0.3 - 2024-02-15
Fixed an initialization issue that caused key loading failures for some
users.
This is a bug fix release for 2.6.0 where the "TuDoor" fix erroneously
suppressed legitimate Truncated exceptions. This caused the stub
resolver to timeout instead of failing over to TCP when a legitimate
truncated response was received over UDP.
This release addresses the potential DoS issue discussed in the
"TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is
vulnerable to a potential DoS if a bad-in-some-way response from the
right address and port forged by an attacker arrives before a
legitimate one on the UDP port dnspython is using for that query. In
this situation, dnspython might switch to querying another resolver or
give up entirely, possibly denying service for that resolution. This
release addresses the issue by adopting the recommended mitigation,
which is ignoring the bad packets and continuing to listen for a
legitimate response until the timeout for the query has expired.
Thank you to all the contributors to this release, and, as usual,
thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian
Wellington.
This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.
Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.
The Tudoor fix ate legitimate Truncated exceptions, preventing the resolver from
failing over to TCP and causing the query to timeout #1053.
2.6.0
As mentioned in the "TuDoor" paper and the associated CVE-2023-29483, the dnspython
stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the
right address and port forged by an attacker arrives before a legitimate one on the
UDP port dnspython is using for that query.
This release addresses the issue by adopting the recommended mitigation, which is
ignoring the bad packets and continuing to listen for a legitimate response until
the timeout for the query has expired.
Added support for the NSID EDNS option.
Dnspython now looks for version metadata for optional packages and will not
use them if they are too old. This prevents possible exceptions when a
feature like DoH is not desired in dnspython, but an old httpx is installed
along with dnspython for some other purpose.
The DoHNameserver class now allows GET to be used instead of the default POST,
and also passes source and source_port correctly to the underlying query
methods.
to_ssh in VerifyingKey and SigningKey, supports Ed25519 keys only
(Pablo Mazzini)
New features:
Support for twisted Brainpool curves
Doc fix:
Fix curve equation in glossary
Documentation for signature encoding and signature decoding functions
Maintenance:
Dropped official support for 3.3 and 3.4 (because of problems running them
in CI, not because it's actually incompatible; support for 2.6 and 2.7 is
unaffected)
Fixes around hypothesis parameters
Officially support Python 3.11 and 3.12
Small updates to test suite to make it work with 3.11 and 3.12 and new
releases of test dependencies
Dropped the internal _rwlock module as it's unused
Added mutation testing to CI, lots of speed-ups to the test suite
to make it happen
Removal of unnecessary six.b literals (Alexandre Detiste)
Deprecations:
int_to_string, string_to_int, and digest_integer from ecdsa.ecdsa
module are now considered deprecated, they will be removed in a future
release
to_ssh in VerifyingKey and SigningKey, supports Ed25519 keys only
(Pablo Mazzini)
New features:
Support for twisted Brainpool curves
Doc fix:
Fix curve equation in glossary
Documentation for signature encoding and signature decoding functions
Maintenance:
Dropped official support for 3.3 and 3.4 (because of problems running them
in CI, not because it's actually incompatible; support for 2.6 and 2.7 is
unaffected)
Fixes aroung hypothesis parameters
Officially support Python 3.11 and 3.12
Small updates to test suite to make it work with 3.11 and 3.12 and new
releases of test dependencies
Dropped the internal _rwlock module as it's unused
Added mutation testing to CI, lots of speed-ups to the test suite
to make it happen
Removal of unnecessary six.b literals (Alexandre Detiste)
Deprecations:
int_to_string, string_to_int, and digest_integer from ecdsa.ecdsa
module are now considered deprecated, they will be removed in a future
release
Release 0.18.0 (09 Jul 2022)
New API:
curve_by_name in curves module to get a Curve object by providing curve
name.
Bug fix:
Make the VerifyingKey encoded with explicit parameters use the same
kind of point encoding for public key and curve generator.
Better handling of malformed curve parameters (as in CVE-2022-0778);
make python-ecdsa raise MalformedPointError instead of AssertionError.
Doc fix:
Publish the documentation on https://ecdsa.readthedocs.io/,
include explanation of basics of handling of ECC data formats and how to use
the library for elliptic curve arithmetic.
Make object names more consistent, make them into hyperlinks on the
readthedocs documentation.
Make security note more explicit (Ian Rodney)
... (truncated)
Commits
be70016 Merge pull request #337 from tlsfuzzer/release-0.19
217735b allow early exit from worker processes when running mutation testing
[varLib.iup] Added workaround for a Cython bug in iup_delta_optimize that was leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas (60126435d, cython/cython#5732).
[varLib] Added new command-line entry point fonttools varLib.avar to add an avar table to an existing VF from axes mappings in a .designspace file (0a3360e52).
[instancer] Fixed bug whereby no longer used variation regions were not correctly pruned after VarData optimization (#3268).
[t1Lib] Fixed several Type 1 issues (#3238, #3240).
[otBase/packer] Allow sharing tables reached by different offset sizes (#3241, #3236, 457f11c2).
[varLib/merger] Fix Cursive attachment merging error when all anchors are NULL (#3248, #3247).
[ttLib] Fixed warning when calling addMultilingualName and ttFont parameter was not passed on to findMultilingualName (#3253).
4.42.0
[varLib] Use sentinel value 0xFFFF to mark a glyph advance in hmtx/vmtx as non participating, allowing sparse masters to contain glyphs for variation purposes other than {H,V}VAR (#3235).
[varLib/cff] Treat empty glyphs in non-default masters as missing, thus not participating in CFF2 delta computation, similarly to how varLib already treats them for gvar (#3234).
Added varLib.avarPlanner script to deduce 'correct' avar v1 axis mappings based on glyph average weights (#3223).
4.41.1
[subset] Fixed perf regression in v4.41.0 by making NameRecordVisitor only visit tables that do contain nameID references (#3213, #3214).
[varLib.instancer] Support instancing fonts containing null ConditionSet offsets in FeatureVariationRecords (#3211, #3212).
[statisticsPen] Report font glyph-average weight/width and font-wide slant.
[fontBuilder] Fixed head.created date incorrectly set to 0 instead of the current timestamp, regression introduced in v4.40.0 (#3210).
[varLib.merger] Support sparse CursivePos masters (#3209).
4.41.0
[fontBuilder] Fixed bug in setupOS2 with default panose attribute incorrectly being set to a dict instead of a Panose object (#3201).
[name] Added method to removeUnusedNameRecords in the user range (#3185).
[varLib.instancer] Fixed issue with L4 instancing (moving default) (#3179).
[cffLib] Use latin1 so we can roundtrip non-ASCII in {Full,Font,Family}Name (#3202).
[designspaceLib] Mark as optional in docs (as it is in the code).
[fontBuilder] Propagate the 'hidden' flag to the fvar Axis instance (#3184).
[fontBuilder] Update setupAvar() to also support avar 2, fixing _add_avar() call site (#3183).
Added new voltLib.voltToFea submodule (originally Tiro Typeworks' "Volto") for converting VOLT OpenType Layout sources to FEA format (#3164).
4.40.0
Published native binary wheels to PyPI for all the python minor versions and platform and architectures currently supported that would benefit from this. They will include precompiled Cython-accelerated modules (e.g. cu2qu) without requiring to compile them from source. The pure-python wheel and source distribution will continue to be published as always (pip will automatically chose them when no binary wheel is available for the given platform, e.g. pypy). Use pip install --no-binary=fonttools fonttools to expliclity request pip to install from the pure-python source.
[designspaceLib|varLib] Add initial support for specifying axis mappings and build avar2 table from those (#3123).
[feaLib] Support variable ligature caret position (#3130).
[varLib|glyf] Added option to --drop-implied-oncurves; test for impliable oncurve points either before or after rounding (#3146, #3147, #3155, #3156).
[TTGlyphPointPen] Don't error with empty contours, simply ignore them (#3145).
[sfnt] Fixed str vs bytes remnant of py3 transition in code dealing with de/compiling WOFF metadata (#3129).
[instancer-solver] Fixed bug when moving default instance with sparse masters (#3139, #3140).
[feaLib] Simplify variable scalars that don’t vary (#3132).
[pens] Added filter pen that explicitly emits closing line when lastPt != movePt (#3100).
[varStore] Improve optimize algorithm and better document the algorithm (#3124, #3127).
Added quantization option (#3126).
Added CI workflow config file for building native binary wheels (#3121).
[fontBuilder] Added glyphDataFormat=0 option; raise error when glyphs contain cubic outlines but glyphDataFormat was not explicitly set to 1 (#3113, #3119).
[varLib.iup] Added workaround for a Cython bug in iup_delta_optimize that was
leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas
(60126435d, cython/cython#5732).
[varLib] Added new command-line entry point fonttools varLib.avar to add an
avar table to an existing VF from axes mappings in a .designspace file (0a3360e52).
[instancer] Fixed bug whereby no longer used variation regions were not correctly pruned
after VarData optimization (#3268).
[t1Lib] Fixed several Type 1 issues (#3238, #3240).
[otBase/packer] Allow sharing tables reached by different offset sizes (#3241, #3236).
[varLib/merger] Fix Cursive attachment merging error when all anchors are NULL (#3248, #3247).
[ttLib] Fixed warning when calling addMultilingualName and ttFont parameter was not
passed on to findMultilingualName (#3253).
4.42.0 (released 2023-08-02)
[varLib] Use sentinel value 0xFFFF to mark a glyph advance in hmtx/vmtx as non
participating, allowing sparse masters to contain glyphs for variation purposes other
than {H,V}VAR (#3235).
[varLib/cff] Treat empty glyphs in non-default masters as missing, thus not participating
in CFF2 delta computation, similarly to how varLib already treats them for gvar (#3234).
Added varLib.avarPlanner script to deduce 'correct' avar v1 axis mappings based on
glyph average weights (#3223).
4.41.1 (released 2023-07-21)
[subset] Fixed perf regression in v4.41.0 by making NameRecordVisitor only visit
tables that do contain nameID references (#3213, #3214).
[varLib.instancer] Support instancing fonts containing null ConditionSet offsets in
FeatureVariationRecords (#3211, #3212).
[statisticsPen] Report font glyph-average weight/width and font-wide slant.
[fontBuilder] Fixed head.created date incorrectly set to 0 instead of the current
timestamp, regression introduced in v4.40.0 (#3210).
[varLib.merger] Support sparse CursivePos masters (#3209).
Bumps the pip group with 1 update in the /applications/accounts-api/backend directory: werkzeug. Bumps the pip group with 9 updates in the /applications/portal/backend directory:
3.0.13.0.224.1.124.3.042.0.242.0.44.2.104.2.112.5.02.6.10.18.00.19.04.38.04.43.010.2.010.3.00.4.40.5.0Updates
werkzeugfrom 0.16.1 to 2.3.8Release notes
Sourced from werkzeug's releases.
... (truncated)
Changelog
Sourced from werkzeug's changelog.
... (truncated)
Commits
dc90943Release version 2.3.8f230020Fix: slow multipart parsing for huge files with few CR/LF characters26f3e95reformat lines828bab4Start version 2.3.83c2ba3dRelease version 2.3.7ac9974cFix qvalue parsing (#2753)88f4ed6qvalue parsing accepts float without decimaldd1f137Fix: Improve Error Message (#2750)fdc295aclearer url rule slash errora0f4bf4fix: improve error messageUpdates
werkzeugfrom 3.0.1 to 3.0.2Release notes
Sourced from werkzeug's releases.
... (truncated)
Changelog
Sourced from werkzeug's changelog.
... (truncated)
Commits
dc90943Release version 2.3.8f230020Fix: slow multipart parsing for huge files with few CR/LF characters26f3e95reformat lines828bab4Start version 2.3.83c2ba3dRelease version 2.3.7ac9974cFix qvalue parsing (#2753)88f4ed6qvalue parsing accepts float without decimaldd1f137Fix: Improve Error Message (#2750)fdc295aclearer url rule slash errora0f4bf4fix: improve error messageUpdates
blackfrom 24.1.1 to 24.3.0Release notes
Sourced from black's releases.
... (truncated)
Changelog
Sourced from black's changelog.
... (truncated)
Commits
552baf8Prepare release 24.3.0 (#4279)f000936Fix catastrophic performance in lines_with_leading_tabs_expanded() (#4278)7b5a657Fix --line-ranges behavior when ranges are at EOF (#4273)1abcffcUse regex where we ignore case on windows (#4252)719e674Fix 4227: Improve documentation for --quiet --check (#4236)e5510afupdate plugin url for Thonny (#4259)6af7d11Fix AST safety check false negative (#4270)f03ee11Ensureblib2to3.pygramis initialized before use (#4224)e4bfedbfix: Don't move comments while splitting delimiters (#4248)d0287e1Make trailing comma logic more concise (#4202)Updates
cryptographyfrom 42.0.2 to 42.0.4Changelog
Sourced from cryptography's changelog.
Commits
fe18470Bump for 42.0.4 release (#10445)aaa2dd0Fix ASN.1 issues in PKCS#7 and S/MIME signing (#10373) (#10442)7a4d012Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#10423) ...df314bbbackport actions m1 switch to 42.0.x (#10415)c49a7a5changelog and version bump for 42.0.3 (#10396)396bcf6fix provider loading take two (#10390) (#10395)0e0e46fbackport: initialize openssl's legacy provider in rust (#10323) (#10333)Updates
djangofrom 4.2.10 to 4.2.11Commits
61a986f[4.2.x] Bumped version for 4.2.11 release.3c9a277[4.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words().7973951[4.2.x] Added release date for 4.2.11 and 3.2.25.86d8034[4.2.x] Refs #34900, Refs #34118 -- Updated assertion in test_skip_class_unle...cb173bb[4.2.x] Fixed #35172 -- Fixed intcomma for string floats.227ef29[4.2.x] Added CVE-2024-24680 to security archive.e2f1907[4.2.x] Post release version bump.Updates
dnspythonfrom 2.5.0 to 2.6.1Release notes
Sourced from dnspython's releases.
Changelog
Sourced from dnspython's changelog.
Commits
0a742b9update CI0ea5ad0The Tudoor fix should not eat valid Truncated exceptions #1053 (#1054)f12d3982.6.1 version prepcecb853Further improve CVE fix coverage to 100% for sync and async.7952e31test IgnoreErrorse093299For the Tudoor fix, we also need the UDP nameserver to ignore_unexpected.3af9f782.6.0 versioningca63d95Require cryptography >=41 instead of 42.902cbf3Create CODE_OF_CONDUCT.mded9795fgithub contributing and pull request templateUpdates
ecdsafrom 0.18.0 to 0.19.0Release notes
Sourced from ecdsa's releases.
Changelog
Sourced from ecdsa's changelog.
... (truncated)
Commits
be70016Merge pull request #337 from tlsfuzzer/release-0.19217735ballow early exit from worker processes when running mutation testing6e7adffdon't check rate if no tests executedc56030emake coveralls submission work with py2.6 again66d0d74add release notes for 0.19.0 release0d5a38cMerge pull request #156 from tomato42/cosmic-ray02c8350be more permissive for the PR mutation test coverage4845e8fbetter is_prime()09f0d10add hard timeout for test mutation test suitee16173btwo digit precision for the mutation score badgeUpdates
fonttoolsfrom 4.38.0 to 4.43.0Release notes
Sourced from fonttools's releases.
... (truncated)
Changelog
Sourced from fonttools's changelog.
... (truncated)
Commits
145460eRelease 4.43.064f3fd8Update changelog [skip ci]7aea49eMerge pull request #3283 from hugovk/main4470c44Bump requirements.txt to support Python 3.120c87cbaBump scipy for Python 3.12 supporteda6fa5Add support for Python 3.120e033b0Bump reportlab from 3.6.12 to 3.6.13 in /Doc6012643[iup] Work around cython bugb14268a[iup] Remove copy/pasta0a3360e[varLib.avar] New module to compile avar from .designspace fileUpdates
pillowfrom 10.2.0 to 10.3.0Release notes
Sourced from pillow's releases.