This PR contains the following updates:

| Package | Change |
|---|---|
| cleo | `==0.8.1` -> `==2.0.0` |

### GitHub Vulnerability Alerts

#### CVE-2022-42966

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package, when an attacker is able to supply arbitrary input to the Table.set_rows method.
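The advisory names the bug class but not the pattern, so the following added example (not cleo's code, and not the regex that #285 fixed) shows what "exponential ReDoS" means for a backtracking engine such as Python's `re`: an unbounded quantifier nested inside another one, `(a+)+`, lets the engine try every partition of the input before it admits a failing match. The block includes a coarse static lint over `re`'s own parse tree that flags that shape, a timing probe that makes the doubling visible, and an equivalence check to run before swapping a flagged pattern for a linear rewrite. All patterns and sample inputs are constructed here for illustration.

```python
"""Added example: the nested-quantifier shape behind exponential ReDoS.

Not cleo's code. The patterns below are constructed for illustration and are
NOT the regex that was fixed in cleo; they show the shape that makes a
backtracking engine such as Python's `re` go exponential on a failing match.
"""
import re
import time

try:  # Python 3.11+ keeps the regex parser under re._parser / re._constants
    from re import _parser as sre_parse
    from re import _constants as sre_constants
except ImportError:  # older Pythons expose the same modules at top level
    import sre_parse  # type: ignore
    import sre_constants  # type: ignore

REPEAT_OPS = {"MAX_REPEAT", "MIN_REPEAT", "POSSESSIVE_REPEAT"}


def _subpatterns(av):
    """Yield every SubPattern nested inside a parse-tree node argument."""
    if isinstance(av, sre_parse.SubPattern):
        yield av
    elif isinstance(av, (tuple, list)):
        for item in av:
            yield from _subpatterns(item)


def _has_nested_unbounded(node, inside_unbounded=False):
    """Walk the parse tree; True once an unbounded repeat sits inside another."""
    for op, av in node:
        if op.name in REPEAT_OPS:
            _lo, hi, sub = av
            unbounded = hi == sre_constants.MAXREPEAT  # +, * and {n,} set this
            if unbounded and inside_unbounded:
                return True
            if _has_nested_unbounded(sub, inside_unbounded or unbounded):
                return True
        else:  # groups, alternations, lookarounds: recurse into their bodies
            for child in _subpatterns(av):
                if _has_nested_unbounded(child, inside_unbounded):
                    return True
    return False


def nested_unbounded_repeat(pattern: str) -> bool:
    """Coarse static lint for the (a+)+ / (\\w+\\s?)* shape.

    Heuristic only: it over-reports when the inner repeat cannot overlap the
    outer one, and it says nothing about polynomial (a*a*) blowups.
    """
    return _has_nested_unbounded(sre_parse.parse(pattern))


def backtrack_seconds(pattern: str, n: int) -> float:
    """Time one failing match of `pattern` against n 'a's plus a spoiler byte.

    For an exponential pattern the time roughly doubles per extra 'a'; a
    linear pattern rejects the same input in microseconds.
    """
    text = "a" * n + "!"
    compiled = re.compile(pattern)
    start = time.perf_counter()
    compiled.match(text)
    return time.perf_counter() - start


def same_verdicts(vulnerable: str, safe: str, samples) -> bool:
    """Check a proposed rewrite accepts and rejects exactly the same samples."""
    v, s = re.compile(vulnerable), re.compile(safe)
    return all((v.match(t) is None) == (s.match(t) is None) for t in samples)


# Constructed patterns (not from cleo) and the verdict the lint should give.
PATTERNS = {
    r"^(a+)+$": True,              # textbook exponential
    r"^(\w+\s?)*$": True,          # words with optional separators
    r"^\d{1,3}(,\d{3})*$": False,  # outer * is unbounded, inner {3} is not
    r"^a+$": False,                # the linear rewrite of (a+)+
}

# Constructed inputs for the equivalence check.
SAMPLES = ["", "a", "aaaa", "aaa!", "!aaa", "b"]

if __name__ == "__main__":
    for pat, expected in PATTERNS.items():
        print(f"{pat!r:24} nested unbounded repeat: "
              f"{nested_unbounded_repeat(pat)} (expected {expected})")
    print("rewrite equivalent on samples:",
          same_verdicts(r"^(a+)+$", r"^a+$", SAMPLES))
    for n in (12, 14, 16, 18):  # small n: the exponential case is still seconds
        print(f"n={n:2d}  (a+)+ : {backtrack_seconds(r'^(a+)+$', n):.4f}s"
              f"   a+ : {backtrack_seconds(r'^a+$', n):.6f}s")
```

The timing probe is deliberately capped at 18 characters: each extra `a` roughly doubles the failing-match time for `^(a+)+$`, so an attacker who controls a cell passed to a method like `Table.set_rows` only needs a few dozen characters to stall the process. The static lint is the cheap check to run over regexes in a dependency before pinning to a fixed release; treat a hit as a reason to look, not as proof.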
### Release Notes

python-poetry/cleo (cleo)

### [`v2.0.0`](https://redirect.github.com/python-poetry/cleo/blob/HEAD/CHANGELOG.md#200---2022-11-21)

[Compare Source](https://redirect.github.com/python-poetry/cleo/compare/1.0.0...2.0.0)

No source code changes.

This is a version-only release to replace `1.0.0`, which was yanked on the
grounds that it was incompatible with real dependents (i.e. Poetry) based on
their version specifiers, which explicitly included `1.0.0` pre-releases.

### [`v1.0.0`](https://redirect.github.com/python-poetry/cleo/blob/HEAD/CHANGELOG.md#100---2022-11-21)

[Compare Source](https://redirect.github.com/python-poetry/cleo/compare/0.8.1...1.0.0)

##### Key points

- Supported Python versions are now 3.7 up to 3.11.
- `cleo` is now fully type-checked.
- `cleo` no longer depends on `clikit`.

##### Changed

- Replaced `Terminal` class with `shutil.get_terminal_size()` from standard library
  ([#175](https://redirect.github.com/python-poetry/cleo/pull/175)).
- Exceptions are now Errors ([#179](https://redirect.github.com/python-poetry/cleo/pull/179)).
- `pylev` was dropped in favor of much faster `rapidfuzz` ([#173](https://redirect.github.com/python-poetry/cleo/pull/173)).
- Default error verbosity was reduced ([#132](https://redirect.github.com/python-poetry/cleo/pull/132) & [#166](https://redirect.github.com/python-poetry/cleo/pull/166)).

##### Removed

- Removed doc comment-based command configuration notation
  ([#239](https://redirect.github.com/python-poetry/cleo/pull/239)).

##### Fixed

- `--no-interaction` is now automatically set when running in non-TTY terminals ([#245](https://redirect.github.com/python-poetry/cleo/pull/245)).
- Generated completions will no longer cause shell errors for namespaced commands ([#247](https://redirect.github.com/python-poetry/cleo/pull/247)).
- Using `^C` while autocompleting `Question` answer will no longer break terminal ([#240](https://redirect.github.com/python-poetry/cleo/pull/240)).
- Namespaced commands no longer reset interactive state ([#234](https://redirect.github.com/python-poetry/cleo/pull/234)).
- Fixed underlying regex that caused CVE-2022-42966 ([#285](https://redirect.github.com/python-poetry/cleo/pull/285)).

### Configuration

- 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
- 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
- ♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
- 🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.