search

glotzerlab / signac-dashboard

Rapidly visualize signac projects through a customizable dashboard interface.
https://signac.io
BSD 3-Clause "New" or "Revised" License
16 stars 6 forks source link

Update werkzeug requirement from <3.0,>=2.1.0 to >=2.1.0,<4.0 #203

Closed dependabot[bot] closed 11 months ago

dependabot[bot] commented 1 year ago

Updates the requirements on werkzeug to permit the latest version.

Release notes

Sourced from werkzeug's releases.

3.0.1

This is a security release for the 3.0.x feature branch.

Changelog

Sourced from werkzeug's changelog.

Version 3.0.1

Released 2023-10-24

  • Fix slow multipart parsing for large parts potentially enabling DoS attacks. :cwe:CWE-407

Version 3.0.0

Released 2023-09-30

  • Remove previously deprecated code. :pr:2768
  • Deprecate the __version__ attribute. Use feature detection, or importlib.metadata.version("werkzeug"), instead. :issue:2770
  • generate_password_hash uses scrypt by default. :issue:2769
  • Add the "werkzeug.profiler" item to the WSGI environ dictionary passed to ProfilerMiddleware's filename_format function. It contains the elapsed and time values for the profiled request. :issue:2775
  • Explicitly marked the PathConverter as non path isolating. :pr:2784

Version 2.3.8

Unreleased

Version 2.3.7

Released 2023-08-14

  • Use flit_core instead of setuptools as build backend.
  • Fix parsing of multipart bodies. :issue:2734 Adjust index of last newline in data start. :issue:2761
  • Parsing ints from header values strips spacing first. :issue:2734
  • Fix empty file streaming when testing. :issue:2740
  • Clearer error message when URL rule does not start with slash. :pr:2750
  • Accept q value can be a float without a decimal part. :issue:2751

Version 2.3.6

Released 2023-06-08

  • FileStorage.content_length does not fail if the form data did not provide a value. :issue:2726

... (truncated)

Commits
  • ce4eff5 Release version 3.0.1
  • b1916c0 Fix: slow multipart parsing for huge files with few CR/LF characters
  • 726eaa2 Release version 3.0.0
  • 6427542 Default the PathConverter (and descendants) to be non part isolating
  • 4820d8c Provide elapsed and timestamp info to filename_format
  • 599993d Bump pypa/gh-action-pypi-publish from 1.8.8 to 1.8.10 (#2780)
  • a2394ed Bump slsa-framework/slsa-github-generator from 1.7.0 to 1.9.0 (#2779)
  • 1efd6f3 Bump actions/checkout from 3.5.3 to 3.6.0 (#2778)
  • 76a5419 Bump pypa/gh-action-pypi-publish from 1.8.8 to 1.8.10
  • ce8cfe7 Bump slsa-framework/slsa-github-generator from 1.7.0 to 1.9.0
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
codecov[bot] commented 1 year ago

Codecov Report

Merging #203 (df1f292) into main (5ece7d6) will decrease coverage by 0.23%. The diff coverage is n/a.

:exclamation: Current head df1f292 differs from pull request most recent head 890cff3. Consider uploading reports for the commit 890cff3 to get more accurate results

@@            Coverage Diff             @@
##             main     #203      +/-   ##
==========================================
- Coverage   69.98%   69.76%   -0.23%     
==========================================
  Files          21       21              
  Lines         883      883              
  Branches      159      122      -37     
==========================================
- Hits          618      616       -2     
- Misses        220      224       +4     
+ Partials       45       43       -2

see 1 file with indirect coverage changes

bdice commented 1 year ago

We have an upper bound pinning on werkzeug, see discussion from #196. This can't be lifted yet.

dependabot[bot] commented 11 months ago

Looks like werkzeug is no longer updatable, so this is no longer needed.