This release is a milestone: it fixes Black's first CVE security vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of leading tab
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
CVE-2024-21503.
This release also fixes a bug in Black's AST safety check that allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.
Stable style
Don't move comments along with delimiters, which could cause crashes (#4248)
Strengthen AST safety check to catch more unsafe changes to strings. Previous versions
of Black would incorrectly format the contents of certain unusual f-strings containing
nested strings with the same quote type. Now, Black will crash on such strings until
support for the new f-string syntax is implemented. (#4270)
Fix a bug where line-ranges exceeding the last code line would not work as expected
(#4273)
Performance
Fix catastrophic performance on docstrings that contain large numbers of leading tab
characters. This fixes
CVE-2024-21503.
(#4278)
Documentation
Note what happens when --check is used with --quiet (#4236)
24.2.0
Stable style
Fixed a bug where comments where mistakenly removed along with redundant parentheses
(#4218)
Preview style
Move the hug_parens_with_braces_and_square_brackets feature to the unstable style
due to an outstanding crash and proposed formatting tweaks (#4198)
Fixed a bug where base expressions caused inconsistent formatting of ** in tenary
expression (#4154)
Checking for newline before adding one on docstring that is almost at the line limit
(#4185)
Remove redundant parentheses in case statement if guards (#4214).
This release is a milestone: it fixes Black's first CVE security vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of leading tab
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
CVE-2024-21503.
This release also fixes a bug in Black's AST safety check that allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.
Stable style
Don't move comments along with delimiters, which could cause crashes (#4248)
Strengthen AST safety check to catch more unsafe changes to strings. Previous versions
of Black would incorrectly format the contents of certain unusual f-strings containing
nested strings with the same quote type. Now, Black will crash on such strings until
support for the new f-string syntax is implemented. (#4270)
Fix a bug where line-ranges exceeding the last code line would not work as expected
(#4273)
Performance
Fix catastrophic performance on docstrings that contain large numbers of leading tab
characters. This fixes
CVE-2024-21503.
(#4278)
Documentation
Note what happens when --check is used with --quiet (#4236)
24.2.0
Stable style
Fixed a bug where comments where mistakenly removed along with redundant parentheses
(#4218)
Preview style
Move the hug_parens_with_braces_and_square_brackets feature to the unstable style
due to an outstanding crash and proposed formatting tweaks (#4198)
Fixed a bug where base expressions caused inconsistent formatting of ** in tenary
expression (#4154)
Checking for newline before adding one on docstring that is almost at the line limit
(#4185)
Remove redundant parentheses in case statement if guards (#4214).
Special thanks go to @EliahKagan who reported the issue and fixed it in a single stroke, while being responsible for an incredible amount of improvements that he contributed over the last couple of months ❤️.
Fix issue where specially crafted inputs to encode() could
take exceptionally long amount of time to process. [CVE-2024-3651]
Thanks to Guido Vranken for reporting the issue.
3.6 (2023-11-25)
++++++++++++++++
Fix regression to include tests in source distribution.
3.5 (2023-11-24)
++++++++++++++++
Update to Unicode 15.1.0
String codec name is now "idna2008" as overriding the system codec
"idna" was not working.
Fix typing error for codec encoding
"setup.cfg" has been added for this release due to some downstream
lack of adherence to PEP 517. Should be removed in a future release
so please prepare accordingly.
Removed reliance on a symlink for the "idna-data" tool to comport
with PEP 517 and the Python Packaging User Guide for sdist archives.
Added security reporting protocol for project
Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions
to this release.
This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.
The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj
3.1.3
This is a fix release for the 3.1.x feature branch.
Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.
The xmlattr filter does not allow keys with / solidus, >
greater-than sign, or = equals sign, in addition to disallowing spaces.
Regardless of any validation done by Jinja, user input should never be used
as keys to this filter, or must be separately validated first.
:ghsa:h75v-3vvj-5mfj
Version 3.1.3
Released 2024-01-10
Fix compiler error when checking if required blocks in parent templates are
empty. :pr:1858
xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
Make error messages stemming from invalid nesting of {% trans %} blocks
more helpful. :pr:1918
Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
forwarding of Proxy-Authorization headers to destination servers when
following HTTPS redirects.
When proxies are defined with user info (https://user:pass@proxy:8080), Requests
will construct a Proxy-Authorization header that is attached to the request to
authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached
the Proxy-Authorization header incorrectly, resulting in the value being
sent through the tunneled connection to the destination server. Users who rely on
defining their proxy credentials in the URL are strongly encouraged to upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through
the user information portion of their proxy URL are not subject to this
vulnerability.
Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
forwarding of Proxy-Authorization headers to destination servers when
following HTTPS redirects.
When proxies are defined with user info (https://user:pass@proxy:8080), Requests
will construct a Proxy-Authorization header that is attached to the request to
authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached
the Proxy-Authorization header incorrectly, resulting in the value being
sent through the tunneled connection to the destination server. Users who rely on
defining their proxy credentials in the URL are strongly encouraged to upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through
the user information portion of their proxy URL are not subject to this
vulnerability.
Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (GHSA-g4mx-q9vg-27p4)
1.26.17
Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (GHSA-v845-jxx5-vc9f)
1.26.16
Fixed thread-safety issue where accessing a PoolManager with many distinct origins would cause connection pools to be closed while requests are in progress (#2954)
Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.
1.26.17 (2023-10-02)
Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. ([#3139](https://github.com/urllib3/urllib3/issues/3139) <https://github.com/urllib3/urllib3/pull/3139>_)
1.26.16 (2023-05-23)
Fixed thread-safety issue where accessing a PoolManager with many distinct origins
would cause connection pools to be closed while requests are in progress ([#2954](https://github.com/urllib3/urllib3/issues/2954) <https://github.com/urllib3/urllib3/pull/2954>_)
1.26.15 (2023-03-10)
Fix socket timeout value when HTTPConnection is reused ([#2645](https://github.com/urllib3/urllib3/issues/2645) <https://github.com/urllib3/urllib3/issues/2645>__)
Remove "!" character from the unreserved characters in IPv6 Zone ID parsing
([#2899](https://github.com/urllib3/urllib3/issues/2899) <https://github.com/urllib3/urllib3/issues/2899>__)
Fix IDNA handling of '\x80' byte ([#2901](https://github.com/urllib3/urllib3/issues/2901) <https://github.com/urllib3/urllib3/issues/2901>__)
1.26.14 (2023-01-11)
Fixed parsing of port 0 (zero) returning None, instead of 0. ([#2850](https://github.com/urllib3/urllib3/issues/2850) <https://github.com/urllib3/urllib3/issues/2850>__)
Removed deprecated getheaders() calls in contrib module. Fixed the type hint of PoolKey.key_retries by adding bool to the union. ([#2865](https://github.com/urllib3/urllib3/issues/2865) <https://github.com/urllib3/urllib3/issues/2865>__)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/PythonBiellaGroup/Bear/network/alerts).
dependabot[bot]
commented
6 months ago
Bumps the pip group with 9 updates in the / directory:
22.12.024.3.02022.12.72023.7.223.1.303.1.413.43.73.1.23.1.42.0.62.11.22.28.12.31.06.26.3.31.26.131.26.18Updates
blackfrom 22.12.0 to 24.3.0Release notes
Sourced from black's releases.
... (truncated)
Changelog
Sourced from black's changelog.
... (truncated)
Commits
552baf8Prepare release 24.3.0 (#4279)f000936Fix catastrophic performance in lines_with_leading_tabs_expanded() (#4278)7b5a657Fix --line-ranges behavior when ranges are at EOF (#4273)1abcffcUse regex where we ignore case on windows (#4252)719e674Fix 4227: Improve documentation for --quiet --check (#4236)e5510afupdate plugin url for Thonny (#4259)6af7d11Fix AST safety check false negative (#4270)f03ee11Ensureblib2to3.pygramis initialized before use (#4224)e4bfedbfix: Don't move comments while splitting delimiters (#4248)d0287e1Make trailing comma logic more concise (#4202)Updates
certififrom 2022.12.7 to 2023.7.22Commits
8fb96ed2023.07.22afe7722Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)2038739Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)44df761Hash pin Actions and enable dependabot (#228)8b3d7ba2023.05.0753da240ci: Add Python 3.12-dev to the testing (#224)c2fc3b1Create a Security Policy (#222)c211ef4Set up permissions to github workflows (#218)2087de5Don't let deprecation warning fail CI (#219)e0b9fc5remove paragraphs about 1024-bit roots from READMEUpdates
gitpythonfrom 3.1.30 to 3.1.41Release notes
Sourced from gitpython's releases.
... (truncated)
Commits
f288738bump patch levelef3192cMerge pull request #1792 from EliahKagan/popen1f3caa3Further clarify comment in test_hook_uses_shell_not_from_cwd3eb7c2aMove safer_popen from git.util to git.cmdc551e91Extract shared logic for using Popen safely on Windows15ebb25Clarify comment in test_hook_uses_shell_not_from_cwdf44524aAvoid spurious "location may have moved" on Windowsa42ea0aCover absent/no-distro bash.exe in hooks "not from cwd" test7751436Extract venv management from test_installation66ff4c1Omit CWD in search for bash.exe to run hooks on WindowsUpdates
idnafrom 3.4 to 3.7Release notes
Sourced from idna's releases.
Changelog
Sourced from idna's changelog.
Commits
1d365e1Release v3.7c1b3154Merge pull request #172 from kjd/optimize-contextj0394ec7Merge branch 'master' into optimize-contextjcd58a23Merge pull request #152 from elliotwutingfeng/dev5beb28bMore efficient resolution of joiner contexts1b12148Update ossf/scorecard-action to v2.3.1d516b87Update Github actions/checkout to v4c095c75Merge branch 'master' into dev60a0a4cFix typo in GitHub Actions workflow key5918a0eMerge branch 'master' into devUpdates
jinja2from 3.1.2 to 3.1.4Release notes
Sourced from jinja2's releases.
Changelog
Sourced from jinja2's changelog.
Commits
dd4a8b5release version 3.1.40668239Merge pull request from GHSA-h75v-3vvj-5mfjd655030disallow invalid characters in keys to xmlattr filtera7863baadd ghsa linksb5c98e7start version 3.1.4da3a9f0update project files (#1968)0ee5eb4satisfy formatter, linter, and strict mypy20477c6update project files (#5457)e491223update pyyaml dev dependency36f9885fix pr linkUpdates
jupyter-serverfrom 2.0.6 to 2.11.2Release notes
Sourced from jupyter-server's releases.
... (truncated)
Changelog
Sourced from jupyter-server's changelog.
... (truncated)
Commits
9bd9657Publish 2.11.20056c3aMerge pull request from GHSA-h56g-gq9v-vc8r88eca99Bump to 2.12.0.dev03755794Publish 2.11.140a95e5avoid unhandled error on some invalid paths (#1369)ecd5b1fChange md5 to hash and hash_algorithm, fix incompatibility (#1367)8e5d766Bump to 2.12.0.dev0cc74bb6Publish 2.11.0e7c0f33Update api docs with md5 param (#1364)0983b71Update ruff and typings (#1365)Updates
requestsfrom 2.28.1 to 2.31.0Release notes
Sourced from requests's releases.
... (truncated)
Changelog
Sourced from requests's changelog.
... (truncated)
Commits
147c851v2.31.074ea7cfMerge pull request from GHSA-j8r2-6x86-q33q3022253test on pypy 3.8 and pypy 3.9 on windows and macos (#6424)b639e66test on py3.12 (#6448)d3d5044Fixed a small typo (#6452)2ad18e0v2.30.0f2629e9Remove strict parameter (#6434)87d63dev2.29.051716c4enable the warnings plugin (#6416)a7da1abtry on ubuntu 22.04 (#6418)Updates
tornadofrom 6.2 to 6.3.3Changelog
Sourced from tornado's changelog.
... (truncated)
Commits
e4d6984Merge pull request #3307 from bdarnell/branch6.36a9e6fbci: Don't test py312 in branch6.35c8a9a4Set version to 6.3.37dfe8b5httpserver_test: Add ExpectLog to fix CI217295bhttp1connection: Make content-length parsing more stricte3aa6c5Merge pull request #3267 from bdarnell/branch6.334f5c1cVersion 6.3.232ad07cweb: Fix an open redirect in StaticFileHandlere0fa53eMerge pull request #3257 from bdarnell/build-workflow-wstest-warningf5a1d5cci: Only run pypi actions from the main repoUpdates
urllib3from 1.26.13 to 1.26.18Release notes
Sourced from urllib3's releases.
Changelog
Sourced from urllib3's changelog.
Commits
9c2c230Release 1.26.18 (#3159)b594c5cMerge pull request from GHSA-g4mx-q9vg-27p4944f0eb[1.26] Use vendored six in urllib3.contrib.securetransportc9016bfRelease 1.26.170122035Backport GHSA-v845-jxx5-vc9f (#3139)e63989fFix installingbrotliextra on Python 2.72e7a24d[1.26] Configure OS for RTD to fix building docs57181d6[1.26] Improve error message when calling urllib3.request() (#3058)3c01480[1.26] Run coverage even with failed jobsd94029bRelease 1.26.16Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show