This PR contains the following updates:

| Package | Change |
|---|---|
| quart | `==0.19.6` -> `==0.19.7` |

### GitHub Vulnerability Alerts

#### CVE-2024-49767

Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.

The `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.

### Release Notes

**pallets/quart (quart)**

### [`v0.19.7`](https://redirect.github.com/pallets/quart/blob/HEAD/CHANGES.rst#0197-2024-10-25)

[Compare Source](https://redirect.github.com/pallets/quart/compare/0.19.6...0.19.7)

- Security Fix how `max_form_memory_size` is applied when parsing large non-file fields. https://github.com/advisories/GHSA-q34m-jh98-gwm2

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
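The advisory in this PR names two parser-level limits, `Request.max_form_memory_size` (how much non-file form data may be held in memory) and `Request.max_content_length` (the whole body), and the fix concerns how the first is applied to large non-file fields. The block below is an added illustration, not Werkzeug's or Quart's parser, of a multipart/form-data reader that checks both limits while it walks the body: the memory budget is charged cumulatively across all non-file fields and checked before a value is copied, so neither one oversized field nor many moderate ones push buffered form data past the budget. The boundary string, field names and sample bodies are constructed for the example.

```python
import re

# Matches the Content-Disposition header of a form part; group 2 is None
# for ordinary (non-file) fields.
DISPOSITION_RE = re.compile(
    rb'form-data;\s*name="([^"]*)"(?:;\s*filename="([^"]*)")?', re.IGNORECASE)

BOUNDARY = b"constructedBoundary123"  # constructed sample boundary


class RequestEntityTooLarge(Exception):
    """Raised the moment a limit would be exceeded, before more data is kept."""


def parse_multipart(body, boundary, max_content_length=None,
                    max_form_memory_size=None):
    """Parse a multipart/form-data body into (fields, files).

    fields: name -> bytes, charged cumulatively against max_form_memory_size.
    files:  name -> (filename, size); a real server would stream these to
            disk instead of holding them in memory, so they are not charged.
    """
    # Outer limit on the whole request body (the max_content_length role).
    if max_content_length is not None and len(body) > max_content_length:
        raise RequestEntityTooLarge("body exceeds max_content_length")

    delim = b"--" + boundary
    fields, files = {}, {}
    memory_used = 0

    pos = body.find(delim)
    if pos < 0:
        raise ValueError("missing opening boundary")
    pos += len(delim)
    while True:
        if body.startswith(b"--", pos):      # closing delimiter "--boundary--"
            break
        if not body.startswith(b"\r\n", pos):
            raise ValueError("malformed boundary line")
        pos += 2
        header_end = body.find(b"\r\n\r\n", pos)
        if header_end < 0:
            raise ValueError("unterminated part headers")
        match = DISPOSITION_RE.search(body[pos:header_end])
        if not match:
            raise ValueError("part without a form-data name")
        name = match.group(1).decode()
        filename = match.group(2)
        data_start = header_end + 4
        data_end = body.find(b"\r\n" + delim, data_start)
        if data_end < 0:
            raise ValueError("unterminated part body")
        size = data_end - data_start

        if filename is None:
            # Non-file field: check the running total *before* copying the
            # value, so the budget holds across every field in the request.
            if (max_form_memory_size is not None
                    and memory_used + size > max_form_memory_size):
                raise RequestEntityTooLarge(
                    "form data exceeds max_form_memory_size")
            memory_used += size
            fields[name] = body[data_start:data_end]
        else:
            files[name] = (filename.decode(), size)
        pos = data_end + 2 + len(delim)
    return fields, files


def build_body(boundary, parts):
    """Build a multipart/form-data body from (name, filename_or_None, data)."""
    out = []
    for name, filename, data in parts:
        disposition = b'Content-Disposition: form-data; name="' + name.encode() + b'"'
        if filename is not None:
            disposition += b'; filename="' + filename.encode() + b'"'
        out.append(b"--" + boundary + b"\r\n" + disposition + b"\r\n\r\n" + data)
    return b"\r\n".join(out) + b"\r\n--" + boundary + b"--\r\n"


def demo():
    """Constructed bodies: one ordinary request within both limits, and one
    whose non-file data, spread over ten fields, exceeds the memory budget."""
    normal = build_body(BOUNDARY, [("user", None, b"alice"),
                                   ("avatar", "a.png", b"\x89PNG" * 100)])
    fields, files = parse_multipart(normal, BOUNDARY,
                                    max_content_length=10_000,
                                    max_form_memory_size=500)
    many_fields = build_body(BOUNDARY,
                             [("f%d" % i, None, b"x" * 100) for i in range(10)])
    try:
        parse_multipart(many_fields, BOUNDARY, max_form_memory_size=500)
        rejected = False
    except RequestEntityTooLarge:
        rejected = True
    return fields, files, rejected


if __name__ == "__main__":
    print(demo())
```

In `demo()` the second body carries 1000 bytes of non-file data in fields of 100 bytes each; a budget checked only per field would accept every one of them, while the cumulative check rejects the request at the sixth field without copying it. The third limit the advisory mentions, resource limits imposed by the deployment platform, sits outside the parser and is not modelled here.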