Softmax for Arbitrary Label Trees (SALT) is a framework for training segmentation networks using conditional probabilities to model hierarchical relationships in the data.
This release is a milestone: it fixes Black's first CVE security vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of leading tab
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
CVE-2024-21503.
This release also fixes a bug in Black's AST safety check that allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.
Stable style
Don't move comments along with delimiters, which could cause crashes (#4248)
Strengthen AST safety check to catch more unsafe changes to strings. Previous versions
of Black would incorrectly format the contents of certain unusual f-strings containing
nested strings with the same quote type. Now, Black will crash on such strings until
support for the new f-string syntax is implemented. (#4270)
Fix a bug where line-ranges exceeding the last code line would not work as expected
(#4273)
Performance
Fix catastrophic performance on docstrings that contain large numbers of leading tab
characters. This fixes
CVE-2024-21503.
(#4278)
Documentation
Note what happens when --check is used with --quiet (#4236)
24.2.0
Stable style
Fixed a bug where comments where mistakenly removed along with redundant parentheses
(#4218)
Preview style
Move the hug_parens_with_braces_and_square_brackets feature to the unstable style
due to an outstanding crash and proposed formatting tweaks (#4198)
Fixed a bug where base expressions caused inconsistent formatting of ** in tenary
expression (#4154)
Checking for newline before adding one on docstring that is almost at the line limit
(#4185)
Remove redundant parentheses in case statement if guards (#4214).
This release is a milestone: it fixes Black's first CVE security vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of leading tab
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
CVE-2024-21503.
This release also fixes a bug in Black's AST safety check that allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.
Stable style
Don't move comments along with delimiters, which could cause crashes (#4248)
Strengthen AST safety check to catch more unsafe changes to strings. Previous versions
of Black would incorrectly format the contents of certain unusual f-strings containing
nested strings with the same quote type. Now, Black will crash on such strings until
support for the new f-string syntax is implemented. (#4270)
Fix a bug where line-ranges exceeding the last code line would not work as expected
(#4273)
Performance
Fix catastrophic performance on docstrings that contain large numbers of leading tab
characters. This fixes
CVE-2024-21503.
(#4278)
Documentation
Note what happens when --check is used with --quiet (#4236)
24.2.0
Stable style
Fixed a bug where comments where mistakenly removed along with redundant parentheses
(#4218)
Preview style
Move the hug_parens_with_braces_and_square_brackets feature to the unstable style
due to an outstanding crash and proposed formatting tweaks (#4198)
Fixed a bug where base expressions caused inconsistent formatting of ** in tenary
expression (#4154)
Checking for newline before adding one on docstring that is almost at the line limit
(#4185)
Remove redundant parentheses in case statement if guards (#4214).
Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append,
:meth:aiohttp.MultipartWriter.append_json and
:meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny
The asynchronous internals now set the underlying causes
when assigning exceptions to the future objects
-- by :user:webknjaz.
Related issues and pull requests on GitHub:
:issue:8089.
Treated values of Accept-Encoding header as case-insensitive when checking
for gzip files -- by :user:steverep.
Related issues and pull requests on GitHub:
:issue:8104.
Improved the DNS resolution performance on cache hit -- by :user:bdraco.
This is achieved by avoiding an :mod:asyncio task creation in this case.
Related issues and pull requests on GitHub:
:issue:8163.
Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append,
:meth:aiohttp.MultipartWriter.append_json and
:meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny
Related issues and pull requests on GitHub:
:issue:7741.
Ensure websocket transport is closed when client does not close it
-- by :user:bdraco.
The transport could remain open if the client did not close it. This
change ensures the transport is closed when the client does not close
it.
Fix issue where specially crafted inputs to encode() could
take exceptionally long amount of time to process. [CVE-2024-3651]
Thanks to Guido Vranken for reporting the issue.
3.6 (2023-11-25)
++++++++++++++++
Fix regression to include tests in source distribution.
3.5 (2023-11-24)
++++++++++++++++
Update to Unicode 15.1.0
String codec name is now "idna2008" as overriding the system codec
"idna" was not working.
Fix typing error for codec encoding
"setup.cfg" has been added for this release due to some downstream
lack of adherence to PEP 517. Should be removed in a future release
so please prepare accordingly.
Removed reliance on a symlink for the "idna-data" tool to comport
with PEP 517 and the Python Packaging User Guide for sdist archives.
Added security reporting protocol for project
Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions
to this release.
Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
forwarding of Proxy-Authorization headers to destination servers when
following HTTPS redirects.
When proxies are defined with user info (https://user:pass@proxy:8080), Requests
will construct a Proxy-Authorization header that is attached to the request to
authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached
the Proxy-Authorization header incorrectly, resulting in the value being
sent through the tunneled connection to the destination server. Users who rely on
defining their proxy credentials in the URL are strongly encouraged to upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through
the user information portion of their proxy URL are not subject to this
vulnerability.
Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
forwarding of Proxy-Authorization headers to destination servers when
following HTTPS redirects.
When proxies are defined with user info (https://user:pass@proxy:8080), Requests
will construct a Proxy-Authorization header that is attached to the request to
authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached
the Proxy-Authorization header incorrectly, resulting in the value being
sent through the tunneled connection to the destination server. Users who rely on
defining their proxy credentials in the URL are strongly encouraged to upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through
the user information portion of their proxy URL are not subject to this
vulnerability.
Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (GHSA-g4mx-q9vg-27p4)
1.26.17
Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (GHSA-v845-jxx5-vc9f)
1.26.16
Fixed thread-safety issue where accessing a PoolManager with many distinct origins would cause connection pools to be closed while requests are in progress (#2954)
Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.
1.26.17 (2023-10-02)
Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. ([#3139](https://github.com/urllib3/urllib3/issues/3139) <https://github.com/urllib3/urllib3/pull/3139>_)
1.26.16 (2023-05-23)
Fixed thread-safety issue where accessing a PoolManager with many distinct origins
would cause connection pools to be closed while requests are in progress ([#2954](https://github.com/urllib3/urllib3/issues/2954) <https://github.com/urllib3/urllib3/pull/2954>_)
1.26.15 (2023-03-10)
Fix socket timeout value when HTTPConnection is reused ([#2645](https://github.com/urllib3/urllib3/issues/2645) <https://github.com/urllib3/urllib3/issues/2645>__)
Remove "!" character from the unreserved characters in IPv6 Zone ID parsing
([#2899](https://github.com/urllib3/urllib3/issues/2899) <https://github.com/urllib3/urllib3/issues/2899>__)
Fix IDNA handling of '\x80' byte ([#2901](https://github.com/urllib3/urllib3/issues/2901) <https://github.com/urllib3/urllib3/issues/2901>__)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/UMEssen/SALT/network/alerts).
dependabot[bot]
commented
6 months ago
Bumps the pip group with 8 updates in the / directory:
23.1.024.3.03.8.43.9.42022.12.72023.7.223.43.79.4.010.3.02.27.12.31.04.64.14.66.31.26.141.26.18Updates
blackfrom 23.1.0 to 24.3.0Release notes
Sourced from black's releases.
... (truncated)
Changelog
Sourced from black's changelog.
... (truncated)
Commits
552baf8Prepare release 24.3.0 (#4279)f000936Fix catastrophic performance in lines_with_leading_tabs_expanded() (#4278)7b5a657Fix --line-ranges behavior when ranges are at EOF (#4273)1abcffcUse regex where we ignore case on windows (#4252)719e674Fix 4227: Improve documentation for --quiet --check (#4236)e5510afupdate plugin url for Thonny (#4259)6af7d11Fix AST safety check false negative (#4270)f03ee11Ensureblib2to3.pygramis initialized before use (#4224)e4bfedbfix: Don't move comments while splitting delimiters (#4248)d0287e1Make trailing comma logic more concise (#4202)Updates
aiohttpfrom 3.8.4 to 3.9.4Release notes
Sourced from aiohttp's releases.
... (truncated)
Changelog
Sourced from aiohttp's changelog.
... (truncated)
Commits
b3397c7Release v3.9.4 (#8201)a7e240a[PR #8320/9ba9a4e5 backport][3.9] Fix Python parser to mark responses without...2833552Escape filenames and paths in HTML when generating index pages (#8317) (#8319)ed43040[PR #8309/c29945a1 backport][3.9] Improve reliability of run_app test (#8315)ec2be05[PR #8299/28d026eb backport][3.9] Create marker for internal tests (#8307)292d961[PR #8304/88c80c14 backport][3.9] Check for backports in CI (#8305)cebe526Fix handling of multipart/form-data (#8280) (#8302)270ae9c[PR #8297/d15f07cf backport][3.9] Upgrade to llhttp 9.2.1 (#8292) (#8298)bb23105[PR #8283/54e13b0a backport][3.9] Fix blocking I/O in the event loop while pr...3f79241[PR #8286/28f1fd88 backport][3.9] docs: remove repetitive word in comment (#8...Updates
certififrom 2022.12.7 to 2023.7.22Commits
8fb96ed2023.07.22afe7722Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)2038739Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)44df761Hash pin Actions and enable dependabot (#228)8b3d7ba2023.05.0753da240ci: Add Python 3.12-dev to the testing (#224)c2fc3b1Create a Security Policy (#222)c211ef4Set up permissions to github workflows (#218)2087de5Don't let deprecation warning fail CI (#219)e0b9fc5remove paragraphs about 1024-bit roots from READMEUpdates
idnafrom 3.4 to 3.7Release notes
Sourced from idna's releases.
Changelog
Sourced from idna's changelog.
Commits
1d365e1Release v3.7c1b3154Merge pull request #172 from kjd/optimize-contextj0394ec7Merge branch 'master' into optimize-contextjcd58a23Merge pull request #152 from elliotwutingfeng/dev5beb28bMore efficient resolution of joiner contexts1b12148Update ossf/scorecard-action to v2.3.1d516b87Update Github actions/checkout to v4c095c75Merge branch 'master' into dev60a0a4cFix typo in GitHub Actions workflow key5918a0eMerge branch 'master' into devUpdates
pillowfrom 9.4.0 to 10.3.0Release notes
Sourced from pillow's releases.
... (truncated)
Changelog
Sourced from pillow's changelog.
... (truncated)
Commits
5c89d8810.3.0 version bump63cbfcfUpdate CHANGES.rst [ci skip]2776126Merge pull request #7928 from python-pillow/lcmsaeb51cbMerge branch 'main' into lcms5beb0b6Update CHANGES.rst [ci skip]cac6ffaMerge pull request #7927 from python-pillow/imagemathf5eeeacName as 'options' in lambda_eval and unsafe_eval, but '_dict' in deprecated evalfacf3afAdded release notes2a93abaUse strncpy to avoid buffer overflowa670597Update CHANGES.rst [ci skip]Updates
requestsfrom 2.27.1 to 2.31.0Release notes
Sourced from requests's releases.
... (truncated)
Changelog
Sourced from requests's changelog.
... (truncated)
Commits
147c851v2.31.074ea7cfMerge pull request from GHSA-j8r2-6x86-q33q3022253test on pypy 3.8 and pypy 3.9 on windows and macos (#6424)b639e66test on py3.12 (#6448)d3d5044Fixed a small typo (#6452)2ad18e0v2.30.0f2629e9Remove strict parameter (#6434)87d63dev2.29.051716c4enable the warnings plugin (#6416)a7da1abtry on ubuntu 22.04 (#6418)Updates
tqdmfrom 4.64.1 to 4.66.3Release notes
Sourced from tqdm's releases.
Commits
4e613f8Merge pull request from GHSA-g7vv-2v7x-gj9pb53348ccli: eval safetycc372d0bump version, merge pull request #1549 from tqdm/devele9f0c05use PyPI trusted publishing7323d5bslight makefile clean5306125tests: bump pre-commit4a6fd4ffix datetime.utcfromtimestamp py3.12 warning (#1519)6f13759tests: fix macos notebook indentation3abcd2atests: fix asva4d15c8tests: fix pandas warningsUpdates
urllib3from 1.26.14 to 1.26.18Release notes
Sourced from urllib3's releases.
Changelog
Sourced from urllib3's changelog.
Commits
9c2c230Release 1.26.18 (#3159)b594c5cMerge pull request from GHSA-g4mx-q9vg-27p4944f0eb[1.26] Use vendored six in urllib3.contrib.securetransportc9016bfRelease 1.26.170122035Backport GHSA-v845-jxx5-vc9f (#3139)e63989fFix installingbrotliextra on Python 2.72e7a24d[1.26] Configure OS for RTD to fix building docs57181d6[1.26] Improve error message when calling urllib3.request() (#3058)3c01480[1.26] Run coverage even with failed jobsd94029bRelease 1.26.16Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show