Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:`pajod`.
Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
Invalid header field names containing question mark or slash are now rejected.
Such requests are incompatible with :rfc:`9110#section-5.6.2` and are not known to be of any legitimate use.
Related issues and pull requests on GitHub:
:issue:`7978`.

Fixed ``web.FileResponse`` doing blocking I/O in the event loop.
Related issues and pull requests on GitHub:
:issue:`8012`.

Fixed double compress when compression enabled and compressed file exists in server file responses.
Related issues and pull requests on GitHub:
:issue:`8014`.

Added runtime type check for ``ClientSession`` ``timeout`` parameter.
Related issues and pull requests on GitHub:
:issue:`8021`.

Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:`pajod`.
Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
Invalid header field names containing question mark or slash are now rejected.
Such requests are incompatible with :rfc:`9110#section-5.6.2` and are not known to be of any legitimate use.
Related issues and pull requests on GitHub:
:issue:`8074`.
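
The checks this entry describes, as an added example that is not aiohttp's parser code: names are matched against the ``token`` grammar of RFC 9110 section 5.6.2 and the version against a literal-dot pattern, so malformed lines end in a clean rejection instead of an unhandled exception. The function names and the sample lines are assumptions constructed for illustration.

```python
import re

# tchar set from RFC 9110 section 5.6.2; a field name or method is 1*tchar.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# HTTP-version is "HTTP/" DIGIT "." DIGIT: only a literal dot may separate them.
VERSION = re.compile(r"HTTP/([0-9])\.([0-9])")


def parse_request_line(line: str):
    """Return (method, target, (major, minor)) or raise ValueError."""
    parts = line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {line!r}")
    method, target, version = parts
    if not TOKEN.fullmatch(method):
        raise ValueError(f"invalid method: {method!r}")
    match = VERSION.fullmatch(version)
    if match is None:
        raise ValueError(f"invalid HTTP version: {version!r}")
    return method, target, (int(match.group(1)), int(match.group(2)))


def parse_header_line(line: str):
    """Return (name, value) or raise ValueError; never raise anything else."""
    name, sep, value = line.partition(":")
    if not sep:
        raise ValueError(f"no colon in header line: {line!r}")
    # An empty name (line starts with ':') fails fullmatch, as do '?' and '/'.
    if not TOKEN.fullmatch(name):
        raise ValueError(f"invalid header field name: {name!r}")
    return name, value.strip(" \t")


def is_rejected(parser, line: str) -> bool:
    try:
        parser(line)
    except ValueError:
        return True
    return False

# Constructed sample lines, one per case named in the changelog entry.
SAMPLES = [
    (parse_request_line, "GET /index.html HTTP/1.1", False),
    (parse_request_line, "GET /index.html HTTP/1_1", True),
    (parse_header_line, "Host: example.test", False),
    (parse_header_line, ": leading-colon", True),
    (parse_header_line, "X-What?: 1", True),
    (parse_header_line, "X/Path: 1", True),
]
```
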
* Fixed a null-pointer-dereference and segfault that could occur when creating
a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
definitions in :rfc:`2633` :rfc:`3370`.
.. _v42-0-3:
42.0.3 - 2024-02-15
Fixed an initialization issue that caused key loading failures for some
users.
.. _v42-0-2:
42.0.2 - 2024-01-30
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
``X25519PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
``X448PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
and ``DHPrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.
.. _v42-0-1:
42.0.1 - 2024-01-24
Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign`.
Resolved compatibility issue with loading certain RSA public keys in
:func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`.
[varLib.iup] Added workaround for a Cython bug in iup_delta_optimize that was leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas (60126435d, cython/cython#5732).
[varLib] Added new command-line entry point fonttools varLib.avar to add an avar table to an existing VF from axes mappings in a .designspace file (0a3360e52).
[instancer] Fixed bug whereby no longer used variation regions were not correctly pruned after VarData optimization (#3268).
v4.36: Mixtral, Llava/BakLlava, SeamlessM4T v2, AMD ROCm, F.sdpa wide-spread support
New model additions
Mixtral
Mixtral is the new open-source model from Mistral AI announced in the blog post Mixtral of Experts. The model has been proven to have comparable capabilities to ChatGPT according to the benchmark results shared on the release blog post.
The architecture is a sparse Mixture of Experts with a Top-2 routing strategy, similar to the NllbMoe architecture in transformers. You can use it through the AutoModelForCausalLM interface:

>>> import torch
>>> from transformers import AutoModelForCausalLM, AutoTokenizer
>>> # Load the weights in half precision and let device_map place them
>>> model = AutoModelForCausalLM.from_pretrained("mistralai/Mixtral-8x7B", torch_dtype=torch.float16, device_map="auto")
>>> # The tokenizer comes from the same checkpoint as the model
>>> tokenizer = AutoTokenizer.from_pretrained("mistralai/Mixtral-8x7B")

The model is compatible with existing optimisation tools such as Flash Attention 2, bitsandbytes and the PEFT library. The checkpoints are released under the mistralai organisation on the Hugging Face Hub.
Llava / BakLlava
Llava is an open-source chatbot trained by fine-tuning LLaMA/Vicuna on GPT-generated multimodal instruction-following data. It is an auto-regressive language model, based on the transformer architecture. In other words, it is a multi-modal version of LLMs fine-tuned for chat / instructions.
Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (GHSA-g4mx-q9vg-27p4)
2.0.6
Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (GHSA-v845-jxx5-vc9f)
2.0.5
Allowed pyOpenSSL third-party module without any deprecation warning. #3126
Fixed default blocksize of HTTPConnection classes to match high-level classes. Previously was 8KiB, now 16KiB. #3066
Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.
2.0.6 (2023-10-02)
Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.
2.0.5 (2023-09-20)
Allowed pyOpenSSL third-party module without any deprecation warning. (`#3126 <https://github.com/urllib3/urllib3/issues/3126>`__)
Fixed default blocksize of HTTPConnection classes to match high-level classes. Previously was 8KiB, now 16KiB. (`#3066 <https://github.com/urllib3/urllib3/issues/3066>`__)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/String-sg/ai-starter-kit/network/alerts).
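Bumps the pip group with 10 updates in the /. directory:

| Package | From | To |
| --- | --- | --- |
| aiohttp | 3.8.5 | 3.9.2 |
| cryptography | 41.0.3 | 42.0.4 |
| fonttools | 4.42.1 | 4.43.0 |
| jinja2 | 3.1.2 | 3.1.3 |
| langchain | 0.0.314 | 0.0.329 |
| pyarrow | 13.0.0 | 14.0.1 |
| python-multipart | 0.0.6 | 0.0.7 |
| streamlit | 1.27.2 | 1.30.0 |
| transformers | 4.33.1 | 4.36.0 |
| urllib3 | 2.0.4 | 2.0.7 |
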
Updates
aiohttp from 3.8.5 to 3.9.2

Release notes
Sourced from aiohttp's releases.
... (truncated)

Changelog
Sourced from aiohttp's changelog.
... (truncated)

Commits

- 24a6d64 Release v3.9.2 (#8082)
- 9118a58 [PR #8079/1c335944 backport][3.9] Validate static paths (#8080)
- 435ad46 [PR #3955/8960063e backport][3.9] Replace all tmpdir fixtures with tmp_path (...
- d33bc21 Improve validation in HTTP parser (#8074) (#8078)
- 0d945d1 [PR #7916/822fbc74 backport][3.9] Add more information to contributing page (...
- 3ec4fa1 [PR #8069/69bbe874 backport][3.9] 📝 Only show changelog draft for non-release...
- 419d715 [PR #8066/cba34699 backport][3.9] 💅📝 Restructure the changelog for clarity (#...
- a54dab3 [PR #8049/a379e634 backport][3.9] Set cause for ClientPayloadError (#8050)
- 437ac47 [PR #7995/43a5bc50 backport][3.9] Fix examples of fallback_charset_resolver ...
- 034e5e3 [PR #8042/4b91b530 backport][3.9] Tightening the runtime type check for ssl (...

Updates
cryptography from 41.0.3 to 42.0.4

Changelog
Sourced from cryptography's changelog.
... (truncated)

Commits

- fe18470 Bump for 42.0.4 release (#10445)
- aaa2dd0 Fix ASN.1 issues in PKCS#7 and S/MIME signing (#10373) (#10442)
- 7a4d012 Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#10423) ...
- df314bb backport actions m1 switch to 42.0.x (#10415)
- c49a7a5 changelog and version bump for 42.0.3 (#10396)
- 396bcf6 fix provider loading take two (#10390) (#10395)
- 0e0e46f backport: initialize openssl's legacy provider in rust (#10323) (#10333)
- 2202123 changelog and version bump 42.0.2 (#10268)
- f7032bd bump openssl in CI (#10298) (#10299)
- 002e886 Fixes #10294 -- correct accidental change to exchange kwarg (#10295) (#10296)

Updates
fonttools from 4.42.1 to 4.43.0

Release notes
Sourced from fonttools's releases.

Changelog
Sourced from fonttools's changelog.

Commits

- 145460e Release 4.43.0
- 64f3fd8 Update changelog [skip ci]
- 7aea49e Merge pull request #3283 from hugovk/main
- 4470c44 Bump requirements.txt to support Python 3.12
- 0c87cba Bump scipy for Python 3.12 support
- eda6fa5 Add support for Python 3.12
- 0e033b0 Bump reportlab from 3.6.12 to 3.6.13 in /Doc
- 6012643 [iup] Work around cython bug
- b14268a [iup] Remove copy/pasta
- 0a3360e [varLib.avar] New module to compile avar from .designspace file

Updates
jinja2 from 3.1.2 to 3.1.3

Release notes
Sourced from jinja2's releases.

Changelog
Sourced from jinja2's changelog.

Commits

- d9de4bb release version 3.1.3
- 50124e1 skip test pypi
- 9ea7222 use trusted publishing
- da703f7 use trusted publishing
- bce1746 use trusted publishing
- 7277d80 update pre-commit hooks
- 5c8a105 Make nested-trans-block exceptions nicer (#1918)
- 19a55db Make nested-trans-block exceptions nicer
- 7167953 Merge pull request from GHSA-h5c8-rqwp-cp95
- 7dd3680 xmlattr filter disallows keys with spaces

Updates
langchain from 0.0.314 to 0.0.329

Release notes
Sourced from langchain's releases.
... (truncated)

Commits

- 979501c bump 329 (#12778)
- 9369d6a Fixes to the docs for timescale vector template (#12756)
- 3381012 Update chat prompt structure in LLaMA SQL cookbook (#12364)
- 58b90f3 Update llama.cpp integration (#11864)
- a228f34 Semantic search within postgreSQL using pgvector (#12365)
- da82132 Fixes 'Nonetype' not iterable for ObsidianLoader (#12751)
- 67b6f4d Update google_vertex_ai_palm.ipynb (#12715)
- b1caae6 APIChain add restrictions to domains (CVE-2023-32786) (#12747)
- 4421ba4 Demo Server, Fix Timescale (#12746)
- 0e1aedb Use jinja2 sandboxing by default (#12733)

Updates
pyarrow from 13.0.0 to 14.0.1

Commits

- ba53748 MINOR: [Release] Update versions for 14.0.1
- 529f376 MINOR: [Release] Update .deb/.rpm changelogs for 14.0.1
- b84bbca MINOR: [Release] Update CHANGELOG.md for 14.0.1
- f141709 GH-38607: [Python] Disable PyExtensionType autoload (#38608)
- 5a37e74 GH-38431: [Python][CI] Update fs.type_name checks for s3fs tests (#38455)
- 2dcee3f MINOR: [Release] Update versions for 14.0.0
- 297428c MINOR: [Release] Update .deb/.rpm changelogs for 14.0.0
- 3e9734f MINOR: [Release] Update CHANGELOG.md for 14.0.0
- 9f90995 GH-38332: [CI][Release] Resolve symlinks in RAT lint (#38337)
- bd61239 GH-35531: [Python] C Data Interface PyCapsule Protocol (#37797)

Updates
python-multipart from 0.0.6 to 0.0.7

Changelog
Sourced from python-multipart's changelog.

Commits

- c83e6da Version 0.0.7 (#77)
- fb7d3c9 Bump pygments from 2.7.4 to 2.15.0 (#66)
- 20f0ef6 ♻️ Refactor header option parser to use the standard library instead of a cus...
- d3d16da Use latest invoke version (2.2.0) (#73)
- 8e59feb Use single quotes to avoid special zsh chars '[' and ']' (#71)
- 86d422c Update changelog URL (#68)
- 3929f8e Move tests folder to root folder (#61)

Updates
streamlit from 1.27.2 to 1.30.0

Release notes
Sourced from streamlit's releases.
... (truncated)

Commits

- 2c39710 Support latest importlib-metadata v7 (#7925)
- 005d62a Up version to 1.30.0
- 33e347a Fix embed params being dropped in page swaps (#7918)
- 899cbbd Docstrings for release 1.30.0 (#7916)
- 02022e7 Reduce e2e test flakiness by using waiting methods (#7907)
- 7ee8f2b Update the frontend audit exceptions (#7909)
- adb236b Don't disable tab on stale flag (#7905)
- bd0a899 Use commonpath rather than common prefix for more secure access (#7901)
- ee41c84 Add check that individual elements are "python comparable" (#7840)
- d428d91 Fix shrunk icon size in st.expander (#7596)

Updates
transformers from 4.33.1 to 4.36.0

Release notes
Sourced from transformers's releases.
... (truncated)

Commits

- 1466677 Release: v4.36.0
- accccdd [Add Mixtral] Adds support for the Mixtral MoE (#27942)
- 0676d99 [from_pretrained] Make from_pretrained fast again (#27709)
- 9f18cc6 Fix SDPA dispatch & make SDPA CI compatible with torch<2.1.1 (#27940)
- 7ea21f1 [LLaVa] Some improvements (#27895)
- 5e620a9 Fix SeamlessM4Tv2ModelIntegrationTest (#27911)
- e96c1de Skip UnivNetModelTest::test_multi_gpu_data_parallel_forward (#27912)
- 8d8970e [BEiT] Fix test (#27934)
- 235be08 [DETA] fix backbone freeze/unfreeze function (#27843)
- df5c5c6 Fix typo (#27918)

Updates
urllib3 from 2.0.4 to 2.0.7

Release notes
Sourced from urllib3's releases.

Changelog
Sourced from urllib3's changelog.

Commits

- 56f01e0 Release 2.0.7
- 4e50fbc Merge pull request from GHSA-g4mx-q9vg-27p4
- 80808b0 Fix docs build on Python 3.12 (#3144)
- f28deff Add 1.26.17 to the current changelog
- 262e3e3 Release 2.0.6
- 644124e Merge pull request from GHSA-v845-jxx5-vc9f
- 740380c Bump cryptography from 41.0.3 to 41.0.4 (#3131)
- d9f85a7 Release 2.0.5
- d41f412 Undeprecate pyOpenSSL module (#3127)
- b6c04cb Fix a link to "absolute URI" definition (#3128)