⬆️ Upgrade minimum version of python-multipart to >=0.0.7 to fix a vulnerability when using form data with a ReDos attack. You can also simply upgrade python-multipart.
✏️ Update highlighted line in docs/en/docs/tutorial/bigger-applications.md. PR #5490 by @papb.
📝 Add External Link: Explore How to Effectively Use JWT With FastAPI. PR #10212 by @aanchlia.
📝 Add hyperlink to docs/en/docs/tutorial/static-files.md. PR #10243 by @hungtsetse.
📝 Add External Link: Instrument a FastAPI service adding tracing with OpenTelemetry and send/show traces in Grafana Tempo. PR #9440 by @softwarebloat.
📝 Add location info to tutorial/bigger-applications.md. PR #10552 by @nilslindemann.
✏️ Fix Pydantic method name in docs/en/docs/advanced/path-operation-advanced-configuration.md. PR #10826 by @ahmedabdou14.
Translations
🌐 Add Spanish translation for docs/es/docs/external-links.md. PR #10933 by @pablocm83.
🌐 Update Korean translation for docs/ko/docs/tutorial/first-steps.md, docs/ko/docs/tutorial/index.md, docs/ko/docs/tutorial/path-params.md, and docs/ko/docs/tutorial/query-params.md. PR #4218 by @SnowSuno.
This release is a milestone: it fixes Black's first CVE security vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of leading tab
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
CVE-2024-21503.
This release also fixes a bug in Black's AST safety check that allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.
Stable style
Don't move comments along with delimiters, which could cause crashes (#4248)
Strengthen AST safety check to catch more unsafe changes to strings. Previous versions
of Black would incorrectly format the contents of certain unusual f-strings containing
nested strings with the same quote type. Now, Black will crash on such strings until
support for the new f-string syntax is implemented. (#4270)
Fix a bug where line-ranges exceeding the last code line would not work as expected
(#4273)
Performance
Fix catastrophic performance on docstrings that contain large numbers of leading tab
characters. This fixes
CVE-2024-21503.
(#4278)
Documentation
Note what happens when --check is used with --quiet (#4236)
24.2.0
Stable style
Fixed a bug where comments where mistakenly removed along with redundant parentheses
(#4218)
Preview style
Move the hug_parens_with_braces_and_square_brackets feature to the unstable style
due to an outstanding crash and proposed formatting tweaks (#4198)
Fixed a bug where base expressions caused inconsistent formatting of ** in tenary
expression (#4154)
Checking for newline before adding one on docstring that is almost at the line limit
(#4185)
Remove redundant parentheses in case statement if guards (#4214).
This release is a milestone: it fixes Black's first CVE security vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of leading tab
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
CVE-2024-21503.
This release also fixes a bug in Black's AST safety check that allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.
Stable style
Don't move comments along with delimiters, which could cause crashes (#4248)
Strengthen AST safety check to catch more unsafe changes to strings. Previous versions
of Black would incorrectly format the contents of certain unusual f-strings containing
nested strings with the same quote type. Now, Black will crash on such strings until
support for the new f-string syntax is implemented. (#4270)
Fix a bug where line-ranges exceeding the last code line would not work as expected
(#4273)
Performance
Fix catastrophic performance on docstrings that contain large numbers of leading tab
characters. This fixes
CVE-2024-21503.
(#4278)
Documentation
Note what happens when --check is used with --quiet (#4236)
24.2.0
Stable style
Fixed a bug where comments where mistakenly removed along with redundant parentheses
(#4218)
Preview style
Move the hug_parens_with_braces_and_square_brackets feature to the unstable style
due to an outstanding crash and proposed formatting tweaks (#4198)
Fixed a bug where base expressions caused inconsistent formatting of ** in tenary
expression (#4154)
Checking for newline before adding one on docstring that is almost at the line limit
(#4185)
Remove redundant parentheses in case statement if guards (#4214).
Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.
Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
Invalid header field names containing question mark or slash are now rejected.
Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.
Related issues and pull requests on GitHub:
:issue:7978.
Fixed web.FileResponse doing blocking I/O in the event loop.
Related issues and pull requests on GitHub:
:issue:8012.
Fixed double compress when compression enabled and compressed file exists in server file responses.
Related issues and pull requests on GitHub:
:issue:8014.
Added runtime type check for ClientSessiontimeout parameter.
Related issues and pull requests on GitHub:
:issue:8021.
Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.
Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
Invalid header field names containing question mark or slash are now rejected.
Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.
Related issues and pull requests on GitHub:
:issue:8074.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/amikos-tech/chromadb-data-pipes/network/alerts).
Bumps the pip group with 5 updates in the / directory:
0.108.0
0.109.1
3.9.12
3.9.15
23.3.0
24.3.0
3.9.1
3.9.2
10.2.0
10.3.0
Updates
fastapi
from 0.108.0 to 0.109.1Release notes
Sourced from fastapi's releases.
... (truncated)
Commits
7633d15
🔖 Release version 0.109.1a4de147
📝 Update release notes9d34ad0
Merge pull request from GHSA-qf9m-vfgh-m389ebf9723
📝 Update release notes8590d0c
👥 Update FastAPI People (#11074)063d7ff
📝 Update release notes3c81e62
🌐 Add Spanish translation fordocs/es/docs/external-links.md
(#10933)6c4a143
📝 Update release notesd254e2f
🌐 Update Korean translation fordocs/ko/docs/tutorial/first-steps.md
, `docs...6f6e786
📝 Update release notesUpdates
orjson
from 3.9.12 to 3.9.15Release notes
Sourced from orjson's releases.
Changelog
Sourced from orjson's changelog.
Commits
a348f59
3.9.15b0e4d2c
yyjson 0eca326, recursion limit5067ead
impl_escape_unchecked() byte exact reade04ea73
cargo update, build miscba8c701
3.9.14a2f7b7b
impl_format_simd!() lift create from loop, rotate left528220f
format_escaped_str() fast and slow paths depending on page boundary29884e6
Fix buffer overread in format_escaped_strc825472
cargo update4eb4f00
3.9.13Updates
black
from 23.3.0 to 24.3.0Release notes
Sourced from black's releases.
... (truncated)
Changelog
Sourced from black's changelog.
... (truncated)
Commits
552baf8
Prepare release 24.3.0 (#4279)f000936
Fix catastrophic performance in lines_with_leading_tabs_expanded() (#4278)7b5a657
Fix --line-ranges behavior when ranges are at EOF (#4273)1abcffc
Use regex where we ignore case on windows (#4252)719e674
Fix 4227: Improve documentation for --quiet --check (#4236)e5510af
update plugin url for Thonny (#4259)6af7d11
Fix AST safety check false negative (#4270)f03ee11
Ensureblib2to3.pygram
is initialized before use (#4224)e4bfedb
fix: Don't move comments while splitting delimiters (#4248)d0287e1
Make trailing comma logic more concise (#4202)Updates
aiohttp
from 3.9.1 to 3.9.2Release notes
Sourced from aiohttp's releases.
... (truncated)
Changelog
Sourced from aiohttp's changelog.
... (truncated)
Commits
24a6d64
Release v3.9.2 (#8082)9118a58
[PR #8079/1c335944 backport][3.9] Validate static paths (#8080)435ad46
[PR #3955/8960063e backport][3.9] Replace all tmpdir fixtures with tmp_path (...d33bc21
Improve validation in HTTP parser (#8074) (#8078)0d945d1
[PR #7916/822fbc74 backport][3.9] Add more information to contributing page (...3ec4fa1
[PR #8069/69bbe874 backport][3.9] 📝 Only show changelog draft for non-release...419d715
[PR #8066/cba34699 backport][3.9] 💅📝 Restructure the changelog for clarity (#...a54dab3
[PR #8049/a379e634 backport][3.9] Set cause for ClientPayloadError (#8050)437ac47
[PR #7995/43a5bc50 backport][3.9] Fix examples offallback_charset_resolver
...034e5e3
[PR #8042/4b91b530 backport][3.9] Tightening the runtime type check for ssl (...Updates
pillow
from 10.2.0 to 10.3.0Release notes
Sourced from pillow's releases.
... (truncated)
Changelog
Sourced from pillow's changelog.
... (truncated)
Commits
5c89d88
10.3.0 version bump63cbfcf
Update CHANGES.rst [ci skip]2776126
Merge pull request #7928 from python-pillow/lcmsaeb51cb
Merge branch 'main' into lcms5beb0b6
Update CHANGES.rst [ci skip]cac6ffa
Merge pull request #7927 from python-pillow/imagemathf5eeeac
Name as 'options' in lambda_eval and unsafe_eval, but '_dict' in deprecated evalfacf3af
Added release notes2a93aba
Use strncpy to avoid buffer overflowa670597
Update CHANGES.rst [ci skip]Updates
starlette
from 0.32.0.post1 to 0.35.1Release notes
Sourced from starlette's releases.
... (truncated)
Changelog
Sourced from starlette's changelog.
... (truncated)
Commits
c817605
Version 0.35.1 (#2410)6c4ffee
Maketyping-extensions
optional again (#2409)3734e85
♻️ Do not use the deprecatedmethod
parameter inFileResponse
inside of `...1081520
Version 0.35.0 (#2404)c3c6314
♻️ Refactor logic to handleroot_path
to keep compatibility with ASGI and c...8f2307d
Bump trio from 0.22.2 to 0.23.2 (#2395)d28d491
Bump ruff from 0.1.6 to 0.1.9 (#2396)5f9da0b
Bump coverage from 7.3.2 to 7.4.0 (#2397)04684c2
Bump typing-extensions from 4.8.0 to 4.9.0 (#2393)8924759
Bump importlib-metadata from 6.9.0 to 7.0.1 (#2394)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show