fossasia / badgeyay

Attendee Badge Generator for Conferences
GNU General Public License v3.0
1.79k stars 447 forks source link

Bump cairosvg from 2.1.3 to 2.5.1 in /backend #2194

Closed dependabot[bot] closed 3 years ago

dependabot[bot] commented 3 years ago

Bumps cairosvg from 2.1.3 to 2.5.1.

Release notes

Sourced from cairosvg's releases.

2.5.1

WARNING: this is a security update.

When processing SVG files, CairoSVG was using two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS).

If an attacker provided a malicious SVG, it could make CairoSVG get stuck processing the file for a very long time.

Other bug fixes:

  • Fix marker positions for unclosed paths
  • Follow hint when only output_width or output_height is set
  • Handle opacity on raster images
  • Don’t crash when use tags reference unknown tags
  • Take care of the next letter when A/a is replaced by l
  • Fix misalignment in node.vertices

2.5.0

  • Drop support of Python 3.5, add support of Python 3.9.
  • Add EPS export
  • Add background-color, negate-colors, and invert-images options
  • Improve support for font weights
  • Fix opacity of patterns and gradients
  • Support auto-start-reverse value for orient
  • Draw images contained in defs
  • Add Exif transposition support
  • Handle dominant-baseline
  • Support transform-origin

2.4.2

  • Fix race condition in tests
  • Fix scale for images with no viewBox

2.4.1

  • Fix the --scale parameter
  • Allow href attributes with no namespace
  • Fix the tree root detection

2.4.0

  • Fix aspect and position when resizing root SVG tag
  • Follow aspect and position hints when using forced output size

2.3.1

  • Fix relative paths on Windows

2.3.0

  • Drop Python 3.4 support
  • Make text selectable on generated PDF files
  • Don't inherit dx and dy attributes
  • Fix support of alignment-baseline="hanging"
  • Fix backslashes in docstrings and comments

... (truncated)

Changelog

Sourced from cairosvg's changelog.

Version 2.5.1 released on 2021-01-06

WARNING: this is a security update.

When processing SVG files, CairoSVG was using two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS).

If an attacker provided a malicious SVG, it could make CairoSVG get stuck processing the file for a very long time.

Other bug fixes:

  • Fix marker positions for unclosed paths
  • Follow hint when only output_width or output_height is set
  • Handle opacity on raster images
  • Don’t crash when use tags reference unknown tags
  • Take care of the next letter when A/a is replaced by l
  • Fix misalignment in node.vertices

Version 2.5.0 released on 2020-10-29

  • Drop support of Python 3.5, add support of Python 3.9.
  • Add EPS export
  • Add background-color, negate-colors, and invert-images options
  • Improve support for font weights
  • Fix opacity of patterns and gradients
  • Support auto-start-reverse value for orient
  • Draw images contained in defs
  • Add Exif transposition support
  • Handle dominant-baseline
  • Support transform-origin

Version 2.4.2 released on 2019-09-10

  • Fix race condition in tests
  • Fix scale for images with no viewBox

Version 2.4.1 released on 2019-08-21

  • Fix the --scale parameter
  • Allow href attributes with no namespace
  • Fix the tree root detection

... (truncated)

Commits
  • 44c5d42 Version 2.5.1
  • cfc9175 Merge pull request from GHSA-hq37-853p-g5cf
  • 063185b Don’t use overlapping groups for regular expressions
  • 9c4a982 Take care of the next letter when A/a is replaced by l
  • f0edc6e Don’t crash when use tags reference unknown tags
  • 73349a7 Handle opacity on raster images
  • dcfbca4 Merge pull request #254 from yig/master
  • 1d61bfd Merge branch 'master' into master
  • 83c0b83 Follow hint when only output_width or output_height is set
  • 6b4f2ba Fix angle for absolute vertical lines
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/fossasia/badgeyay/network/alerts).
dependabot[bot] commented 3 years ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.