Fix issue where specially crafted inputs to encode() could
take exceptionally long amount of time to process. [CVE-2024-3651]
Thanks to Guido Vranken for reporting the issue.
3.6 (2023-11-25)
++++++++++++++++
Fix regression to include tests in source distribution.
3.5 (2023-11-24)
++++++++++++++++
Update to Unicode 15.1.0
String codec name is now "idna2008" as overriding the system codec
"idna" was not working.
Fix typing error for codec encoding
"setup.cfg" has been added for this release due to some downstream
lack of adherence to PEP 517. Should be removed in a future release
so please prepare accordingly.
Removed reliance on a symlink for the "idna-data" tool to comport
with PEP 517 and the Python Packaging User Guide for sdist archives.
Added security reporting protocol for project
Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions
to this release.
3.4 (2022-09-14)
++++++++++++++++
Update to Unicode 15.0.0
Migrate to pyproject.toml for build information (PEP 621)
Correct another instance where generic exception was raised instead of
IDNAError for malformed input
Source distribution uses zeroized file ownership for improved
reproducibility
Thanks to Seth Michael Larson for contributions to this release.
This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.
The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj
3.1.3
This is a fix release for the 3.1.x feature branch.
Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.
This is a feature release, which includes new features and removes previously deprecated features. The 3.1.x branch is now the supported bugfix branch, the 3.0.x branch has become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. We also encourage upgrading to MarkupSafe 2.1.1, the latest version at this time.
The xmlattr filter does not allow keys with / solidus, >
greater-than sign, or = equals sign, in addition to disallowing spaces.
Regardless of any validation done by Jinja, user input should never be used
as keys to this filter, or must be separately validated first.
:ghsa:h75v-3vvj-5mfj
Version 3.1.3
Released 2024-01-10
Fix compiler error when checking if required blocks in parent templates are
empty. :pr:1858
xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
Make error messages stemming from invalid nesting of {% trans %} blocks
more helpful. :pr:1918
Version 3.1.2
Released 2022-04-28
Add parameters to Environment.overlay to match __init__.
:issue:1645
Handle race condition in FileSystemBytecodeCache. :issue:1654
Version 3.1.1
Released 2022-03-25
The template filename on Windows uses the primary path separator.
:issue:1637
⬆️ UPGRADE: Update from upstream markdown-it 12.2.0 to 13.0.0
A key change is the addition of a new Token type, text_special, which is used to represent HTML entities and backslash escaped characters.
This ensures that (core) typographic transformation rules are not incorrectly applied to these texts.
The final core rule is now the new text_join rule, which joins adjacent text/text_special tokens,
and so no text_special tokens should be present in the final token stream.
Any custom typographic rules should be inserted before text_join.
A new linkify rule has also been added to the inline chain, which will linkify full URLs (e.g. https://example.com),
and fixes collision of emphasis and linkifier (so http://example.org/foo._bar_-_baz is now a single link, not emphasized).
Emails and fuzzy links are not affected by this.
♻️ REFACTOR: Replace most character code use with strings
The use of StateBase.srcCharCode is deprecated (with backward-compatibility), and all core uses are replaced by StateBase.src.
Conversion of source string characters to an integer representing the Unicode character is prevalent in the upstream JavaScript implementation, to improve performance.
However, it is unnecessary in Python and leads to harder to read code and performance deprecations (during the conversion in the StateBase initialisation).
For CommonMark, the presence of indented code blocks prevent any other block element from having an indent of greater than 4 spaces.
Certain Markdown flavors and derivatives, such as mdx and djot, disable these code blocks though, since it is more common to use code fences and/or arbitrary indenting is desirable.
Previously, disabling code blocks did not remove the indent limitation, since most block elements had the 3 space limitation hard-coded.
This change centralised the logic of applying this limitation (in StateBlock.is_code_block), and only applies it when indented code blocks are enabled.
verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)
Requests now supports optional use of character detection
(chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)
Bugfixes
Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (#6589)
Fixed deserialization bug in JSONDecodeError. (#6629)
Fixed bug where an extra leading / (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)
Deprecations
Requests has officially added support for CPython 3.12 (#6503)
Requests has officially added support for PyPy 3.9 and 3.10 (#6641)
Requests has officially dropped support for CPython 3.7 (#6642)
Requests has officially dropped support for PyPy 3.7 and 3.8 (#6641)
Documentation
Various typo fixes and doc improvements.
Packaging
Requests has started adopting some modern packaging practices.
The source files for the projects (formerly requests) is now located
in src/requests in the Requests sdist. (#6506)
Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system
using hatchling. This should not impact the average user, but extremely old
versions of packaging utilities may have issues with the new packaging format.
verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)
Requests now supports optional use of character detection
(chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)
Bugfixes
Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (#6589)
Fixed deserialization bug in JSONDecodeError. (#6629)
Fixed bug where an extra leading / (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)
Deprecations
Requests has officially added support for CPython 3.12 (#6503)
Requests has officially added support for PyPy 3.9 and 3.10 (#6641)
Requests has officially dropped support for CPython 3.7 (#6642)
Requests has officially dropped support for PyPy 3.7 and 3.8 (#6641)
Documentation
Various typo fixes and doc improvements.
Packaging
Requests has started adopting some modern packaging practices.
The source files for the projects (formerly requests) is now located
in src/requests in the Requests sdist. (#6506)
Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system
using hatchling. This should not impact the average user, but extremely old
versions of packaging utilities may have issues with the new packaging format.
Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (GHSA-g4mx-q9vg-27p4)
1.26.17
Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (GHSA-v845-jxx5-vc9f)
1.26.16
Fixed thread-safety issue where accessing a PoolManager with many distinct origins would cause connection pools to be closed while requests are in progress (#2954)
Fixed parsing of port 0 (zero) returning None, instead of 0 (#2850)
Removed deprecated HTTPResponse.getheaders() calls in urllib3.contrib module.
1.26.13
Deprecated the HTTPResponse.getheaders() and HTTPResponse.getheader() methods.
Fixed an issue where parsing a URL with leading zeroes in the port would be rejected even when the port number after removing the zeroes was valid.
Fixed a deprecation warning when using cryptography v39.0.0.
Removed the <4 in the Requires-Python packaging metadata field.
1.26.12
Deprecated the urllib3[secure] extra and the urllib3.contrib.pyopenssl module. Both will be removed in v2.x. See this GitHub issue for justification and info on how to migrate.
1.26.11
If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors.
:closed_lock_with_key: This is the first release to be signed with Sigstore! You can verify the distributables using the .sig and .crt files included on this release.
Removed support for Python 3.5
Fixed an issue where a ProxyError recommending configuring the proxy as HTTP instead of HTTPS could appear even when an HTTPS proxy wasn't configured.
1.26.9
If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors.
Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.
1.26.17 (2023-10-02)
Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. ([#3139](https://github.com/urllib3/urllib3/issues/3139) <https://github.com/urllib3/urllib3/pull/3139>_)
1.26.16 (2023-05-23)
Fixed thread-safety issue where accessing a PoolManager with many distinct origins
would cause connection pools to be closed while requests are in progress ([#2954](https://github.com/urllib3/urllib3/issues/2954) <https://github.com/urllib3/urllib3/pull/2954>_)
1.26.15 (2023-03-10)
Fix socket timeout value when HTTPConnection is reused ([#2645](https://github.com/urllib3/urllib3/issues/2645) <https://github.com/urllib3/urllib3/issues/2645>__)
Remove "!" character from the unreserved characters in IPv6 Zone ID parsing
([#2899](https://github.com/urllib3/urllib3/issues/2899) <https://github.com/urllib3/urllib3/issues/2899>__)
Fix IDNA handling of '\x80' byte ([#2901](https://github.com/urllib3/urllib3/issues/2901) <https://github.com/urllib3/urllib3/issues/2901>__)
1.26.14 (2023-01-11)
Fixed parsing of port 0 (zero) returning None, instead of 0. ([#2850](https://github.com/urllib3/urllib3/issues/2850) <https://github.com/urllib3/urllib3/issues/2850>__)
Removed deprecated getheaders() calls in contrib module. Fixed the type hint of PoolKey.key_retries by adding bool to the union. ([#2865](https://github.com/urllib3/urllib3/issues/2865) <https://github.com/urllib3/urllib3/issues/2865>__)
1.26.13 (2022-11-23)
Deprecated the HTTPResponse.getheaders() and HTTPResponse.getheader() methods.
Fixed an issue where parsing a URL with leading zeroes in the port would be rejected
even when the port number after removing the zeroes was valid.
Fixed a deprecation warning when using cryptography v39.0.0.
Removed the <4 in the Requires-Python packaging metadata field.
1.26.12 (2022-08-22)
Deprecated the urllib3[secure] extra and the urllib3.contrib.pyopenssl module.
Both will be removed in v2.x. See this GitHub issue <https://github.com/urllib3/urllib3/issues/2680>_
for justification and info on how to migrate.
1.26.11 (2022-07-25)
Fixed an issue where reading more than 2 GiB in a call to HTTPResponse.read would
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/google/grr-doc/network/alerts).
Bumps the pip group with 6 updates in the / directory:
2021.10.8
2023.7.22
3.3
3.7
3.0.3
3.1.4
1.1.0
2.2.0
2.26.0
2.32.0
1.26.7
1.26.18
Updates
certifi
from 2021.10.8 to 2023.7.22Commits
8fb96ed
2023.07.22afe7722
Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)2038739
Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)44df761
Hash pin Actions and enable dependabot (#228)8b3d7ba
2023.05.0753da240
ci: Add Python 3.12-dev to the testing (#224)c2fc3b1
Create a Security Policy (#222)c211ef4
Set up permissions to github workflows (#218)2087de5
Don't let deprecation warning fail CI (#219)e0b9fc5
remove paragraphs about 1024-bit roots from READMEUpdates
idna
from 3.3 to 3.7Release notes
Sourced from idna's releases.
Changelog
Sourced from idna's changelog.
Commits
1d365e1
Release v3.7c1b3154
Merge pull request #172 from kjd/optimize-contextj0394ec7
Merge branch 'master' into optimize-contextjcd58a23
Merge pull request #152 from elliotwutingfeng/dev5beb28b
More efficient resolution of joiner contexts1b12148
Update ossf/scorecard-action to v2.3.1d516b87
Update Github actions/checkout to v4c095c75
Merge branch 'master' into dev60a0a4c
Fix typo in GitHub Actions workflow key5918a0e
Merge branch 'master' into devUpdates
jinja2
from 3.0.3 to 3.1.4Release notes
Sourced from jinja2's releases.
Changelog
Sourced from jinja2's changelog.
... (truncated)
Commits
dd4a8b5
release version 3.1.40668239
Merge pull request from GHSA-h75v-3vvj-5mfjd655030
disallow invalid characters in keys to xmlattr filtera7863ba
add ghsa linksb5c98e7
start version 3.1.4da3a9f0
update project files (#1968)0ee5eb4
satisfy formatter, linter, and strict mypy20477c6
update project files (#5457)e491223
update pyyaml dev dependency36f9885
fix pr linkUpdates
markdown-it-py
from 1.1.0 to 2.2.0Release notes
Sourced from markdown-it-py's releases.
... (truncated)
Changelog
Sourced from markdown-it-py's changelog.
... (truncated)
Commits
73a0147
🚀 RELEASE: v2.2.0 (#250)53ca3e9
🐛 FIX: CLI crash on non-utf8 character (#247)6491bc2
📚 Add email to security section (#249)cf8b2d8
🔧 Create SECURITY.md (#248)ae03c61
🐛 FIX: CVE-2023-26303 (#246)2c93e0b
📚 DOCS: Update the example (#229)4670f0c
⬆️ UPGRADE: Allow linkify-it-py v2 (#218)032c742
📚 DOCS: Add section about markdown renderer (#227)c9f6856
🔧 Update benchmark pkg versions (#245)2160a3d
🔧 Bump GH actions (#244)Updates
requests
from 2.26.0 to 2.32.0Release notes
Sourced from requests's releases.
... (truncated)
Changelog
Sourced from requests's changelog.
... (truncated)
Commits
d6ebc4a
v2.32.09a40d12
Avoid reloading root certificates to improve concurrent performance (#6667)0c030f7
Merge pull request #6702 from nateprewitt/no_char_detection555b870
Allow character detection dependencies to be optional in post-packaging stepsd6dded3
Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-testbf24b7d
Use an invalid URI that will not cause httpbin to throw 5002d5f547
Pin 3.8 and 3.9 runners back to macos-13 (#6688)f1bb07d
Merge pull request #6687 from psf/dependabot/github_actions/github/codeql-act...60047ad
Bump github/codeql-action from 3.24.0 to 3.25.031ebb81
Merge pull request #6682 from frenzymadness/pytest8Updates
urllib3
from 1.26.7 to 1.26.18Release notes
Sourced from urllib3's releases.
... (truncated)
Changelog
Sourced from urllib3's changelog.
... (truncated)
Commits
9c2c230
Release 1.26.18 (#3159)b594c5c
Merge pull request from GHSA-g4mx-q9vg-27p4944f0eb
[1.26] Use vendored six in urllib3.contrib.securetransportc9016bf
Release 1.26.170122035
Backport GHSA-v845-jxx5-vc9f (#3139)e63989f
Fix installingbrotli
extra on Python 2.72e7a24d
[1.26] Configure OS for RTD to fix building docs57181d6
[1.26] Improve error message when calling urllib3.request() (#3058)3c01480
[1.26] Run coverage even with failed jobsd94029b
Release 1.26.16Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show