googleapis / python-spanner-sqlalchemy

Apache License 2.0

chore(deps): update dependency sqlparse to v0.4.4 [security] - abandoned #317

Open renovate-bot opened 1 year ago

renovate-bot commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| sqlparse (changelog) | ==0.4.3 -> ==0.4.4 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2023-30608

Impact

The SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The vulnerability may lead to Denial of Service (DoS).

Patches

This issue has been fixed in sqlparse 0.4.4.

Workarounds

None.

References

This issue was discovered and reported by GHSL team member @erik-krogh (Erik Krogh Kristensen).


Release Notes

andialbrecht/sqlparse

### [`v0.4.4`](https://togithub.com/andialbrecht/sqlparse/blob/HEAD/CHANGELOG#Release-044-Apr-18-2023)

[Compare Source](https://togithub.com/andialbrecht/sqlparse/compare/0.4.3...0.4.4)

Notable Changes

- IMPORTANT: This release fixes a security vulnerability in the parser where a regular expression vulnerable to ReDOS (Regular Expression Denial of Service) was used. See the security advisory for details: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2 The vulnerability was discovered by [@erik-krogh](https://togithub.com/erik-krogh) from GitHub Security Lab (GHSL). Thanks for reporting!

Bug Fixes

- Revert a change from 0.4.0 that changed IN to be a comparison (issue694). The primary expectation is that IN is treated as a keyword and not as a comparison operator. That also follows the definition of reserved keywords for the major SQL syntax definitions.
- Fix regular expressions for string parsing.

Other

- sqlparse now uses pyproject.toml instead of setup.cfg (issue685).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.

forking-renovate[bot] commented 1 year ago

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

forking-renovate[bot] commented 8 months ago

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.