guibranco / progressbar

Generates a dynamic progress bar image (SVG)
https://guibranco.github.io/progressbar/
MIT License
21 stars 0 forks

Bump the pip group across 1 directory with 8 updates #3

Closed dependabot[bot] closed 1 month ago

dependabot[bot] commented 1 month ago

Bumps the pip group with 8 updates in the / directory:

============  ========  ========
Package       From      To
============  ========  ========
aiohttp       3.8.4     3.10.2
certifi       2023.5.7  2024.7.4
cryptography  41.0.3    42.0.4
gitpython     3.1.31    3.1.41
idna          3.4       3.7
tqdm          4.65.0    4.66.3
urllib3       1.26.16   1.26.19
zipp          3.15.0    3.19.1
============  ========  ========

Updates aiohttp from 3.8.4 to 3.10.2

Release notes

Sourced from aiohttp's releases.

3.10.2

Bug fixes

  • Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by :user:`steverep`.

    Related issues and pull requests on GitHub: #8565.

  • Fixed request body not being read when ignoring an Upgrade request -- by :user:`Dreamsorcerer`.

    Related issues and pull requests on GitHub: #8597.

  • Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by :user:`Dreamsorcerer`.

    Related issues and pull requests on GitHub: #8611.

  • Fixed connecting to npipe://, tcp://, and unix:// urls -- by :user:`bdraco`.

    Related issues and pull requests on GitHub: #8632.

  • Fixed WebSocket ping tasks being prematurely garbage collected -- by :user:`bdraco`.

    There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task.

    Related issues and pull requests on GitHub: #8641.

  • Fixed incorrectly following symlinks for compressed file variants -- by :user:`steverep`.

    Related issues and pull requests on GitHub:

... (truncated)

Changelog

Sourced from aiohttp's changelog.

3.10.2 (2024-08-08)

Bug fixes

  • Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by :user:`steverep`.

    Related issues and pull requests on GitHub: :issue:`8565`.

  • Fixed request body not being read when ignoring an Upgrade request -- by :user:`Dreamsorcerer`.

    Related issues and pull requests on GitHub: :issue:`8597`.

  • Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by :user:`Dreamsorcerer`.

    Related issues and pull requests on GitHub: :issue:`8611`.

  • Fixed connecting to npipe://, tcp://, and unix:// urls -- by :user:`bdraco`.

    Related issues and pull requests on GitHub: :issue:`8632`.

  • Fixed WebSocket ping tasks being prematurely garbage collected -- by :user:`bdraco`.

    There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task.

    Related issues and pull requests on GitHub: :issue:`8641`.

  • Fixed incorrectly following symlinks for compressed file variants -- by :user:`steverep`.

... (truncated)

Commits
  • 491106e Release 3.10.2 (#8655)
  • ce2e975 [PR #8652/b0536ae6 backport][3.10] Do not follow symlinks for compressed file...
  • 6a77806 [PR #8636/51d872e backport][3.10] Remove Request.wait_for_disconnection() met...
  • 1f92213 [PR #8642/e4942771 backport][3.10] Fix response to circular symlinks with Pyt...
  • 2ef14a6 [PR #8641/0a88bab backport][3.10] Fix WebSocket ping tasks being prematurely ...
  • 68e8496 [PR #8608/c4acabc backport][3.10] Fix timer handle churn in websocket heartbe...
  • 72f41aa [PR #8632/b2691f2 backport][3.10] Fix connecting to npipe://, tcp://, and uni...
  • bf83dbe [PR #8634/c7293e19 backport][3.10] Backport #8620 as improvements to various ...
  • 4815765 [PR #8597/c99a1e27 backport][3.10] Fix reading of body when ignoring an upgra...
  • 266608d [PR #8611/1fcef940 backport][3.10] Fix handler waiting on shutdown (#8627)
  • Additional commits viewable in compare view


Updates certifi from 2023.5.7 to 2024.7.4

Commits


Updates cryptography from 41.0.3 to 42.0.4

Changelog

Sourced from cryptography's changelog.

42.0.4 - 2024-02-20


  • Fixed a null-pointer-dereference and segfault that could occur when creating a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the issue. **CVE-2024-26130**
  • Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities`` and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the definitions in :rfc:`2633` :rfc:`3370`.


42.0.3 - 2024-02-15

  • Fixed an initialization issue that caused key loading failures for some users.


42.0.2 - 2024-01-30


  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
  • Fixed an issue that prevented the use of Python buffer protocol objects in ``sign`` and ``verify`` methods on asymmetric keys.
  • Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey`` :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`, ``X25519PrivateKey`` :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`, ``X448PrivateKey`` :meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`, and ``DHPrivateKey`` :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.


42.0.1 - 2024-01-24

  • Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey`` :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign`.
  • Resolved compatibility issue with loading certain RSA public keys in :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`.


42.0.0 - 2024-01-22



... (truncated)

Commits


Updates gitpython from 3.1.31 to 3.1.41

Release notes

Sourced from gitpython's releases.

3.1.41 - fix Windows security issue

The details about the Windows security issue can be found in this advisory.

Special thanks go to @EliahKagan who reported the issue and fixed it in a single stroke, while being responsible for an incredible amount of improvements that he contributed over the last couple of months ❤️.

What's Changed

... (truncated)

Commits
  • f288738 bump patch level
  • ef3192c Merge pull request #1792 from EliahKagan/popen
  • 1f3caa3 Further clarify comment in test_hook_uses_shell_not_from_cwd
  • 3eb7c2a Move safer_popen from git.util to git.cmd
  • c551e91 Extract shared logic for using Popen safely on Windows
  • 15ebb25 Clarify comment in test_hook_uses_shell_not_from_cwd
  • f44524a Avoid spurious "location may have moved" on Windows
  • a42ea0a Cover absent/no-distro bash.exe in hooks "not from cwd" test
  • 7751436 Extract venv management from test_installation
  • 66ff4c1 Omit CWD in search for bash.exe to run hooks on Windows
  • Additional commits viewable in compare view


Updates idna from 3.4 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

  • Fix issue where specially crafted inputs to encode() could take an exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: https://github.com/kjd/idna/compare/v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11)

  • Fix issue where specially crafted inputs to encode() could take an exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

3.6 (2023-11-25)

  • Fix regression to include tests in source distribution.

3.5 (2023-11-24)

  • Update to Unicode 15.1.0
  • String codec name is now "idna2008" as overriding the system codec "idna" was not working.
  • Fix typing error for codec encoding
  • "setup.cfg" has been added for this release due to some downstream lack of adherence to PEP 517. Should be removed in a future release so please prepare accordingly.
  • Removed reliance on a symlink for the "idna-data" tool to comport with PEP 517 and the Python Packaging User Guide for sdist archives.
  • Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions to this release.

Commits
  • 1d365e1 Release v3.7
  • c1b3154 Merge pull request #172 from kjd/optimize-contextj
  • 0394ec7 Merge branch 'master' into optimize-contextj
  • cd58a23 Merge pull request #152 from elliotwutingfeng/dev
  • 5beb28b More efficient resolution of joiner contexts
  • 1b12148 Update ossf/scorecard-action to v2.3.1
  • d516b87 Update Github actions/checkout to v4
  • c095c75 Merge branch 'master' into dev
  • 60a0a4c Fix typo in GitHub Actions workflow key
  • 5918a0e Merge branch 'master' into dev
  • Additional commits viewable in compare view


Updates tqdm from 4.65.0 to 4.66.3

Release notes

Sourced from tqdm's releases.

tqdm v4.66.3 stable

  • cli: eval safety (fixes CVE-2024-34062, GHSA-g7vv-2v7x-gj9p)

tqdm v4.66.2 stable

  • pandas: add DataFrame.progress_map (#1549)
  • notebook: fix HTML padding (#1506)
  • keras: fix resuming training when verbose>=2 (#1508)
  • fix format_num negative fractions missing leading zero (#1548)
  • fix Python 3.12 DeprecationWarning on import (#1519)
  • linting: use f-strings (#1549)
  • update tests (#1549)
  • CI: bump actions (#1549)

tqdm v4.66.1 stable

  • fix utils.envwrap types (#1493 <- #1491, #1320 <- #966, #1319)
    • e.g. cloudwatch & kubernetes workaround: export TQDM_POSITION=-1
  • drop mentions of unsupported Python versions

tqdm v4.66.0 stable

  • environment variables to override defaults (TQDM_*) (#1491 <- #1061, #950 <- #614, #1318, #619, #612, #370)
    • e.g. in CI jobs, export TQDM_MININTERVAL=5 to avoid log spam
    • add tests & docs for tqdm.utils.envwrap
  • fix & update CLI completion
  • fix & update API docs
  • minor code tidy: replace os.path => pathlib.Path
  • fix docs image hosting
  • release with CI bot account again (cli/cli#6680)

tqdm v4.65.2 stable

  • exclude examples from distributed wheel (#1492)

tqdm v4.65.1 stable

  • migrate setup.{cfg,py} => pyproject.toml (#1490)
    • fix asv benchmarks
    • update docs
  • fix snap build (#1490)
  • fix & update tests (#1490)
    • fix flaky notebook tests
    • bump pre-commit
    • bump workflow actions

Commits


Updates urllib3 from 1.26.16 to 1.26.19

Release notes

Sourced from urllib3's releases.

1.26.19

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support for 2023. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

  • Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.

Full Changelog: https://github.com/urllib3/urllib3/compare/1.26.18...1.26.19

Note that due to an issue with our release automation, no multiple.intoto.jsonl file is available for this release.

1.26.18

  • Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (GHSA-g4mx-q9vg-27p4)

1.26.17

  • Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (GHSA-v845-jxx5-vc9f)

Changelog

Sourced from urllib3's changelog.

1.26.19 (2024-06-17)

  • Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.
  • Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS. (#3405 <https://github.com/urllib3/urllib3/issues/3405>)

1.26.18 (2023-10-17)

  • Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.

1.26.17 (2023-10-02)

  • Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (#3139 <https://github.com/urllib3/urllib3/pull/3139>)

Commits


Updates zipp from 3.15.0 to 3.19.1

Changelog

Sourced from zipp's changelog.

v3.19.1

Bugfixes

  • Improved handling of malformed zip files. (#119)

v3.19.0

Features

  • Implement is_symlink. (#117)

v3.18.2

No significant changes.

v3.18.1

No significant changes.

v3.18.0

Features

  • Bypass ZipFile.namelist in glob for better performance. (#106)
  • Refactored glob functionality to support a more generalized solution with support for platform-specific path separators. (#108)

Bugfixes

  • Add special accounting for pypy when computing the stack level for text encoding warnings. (#114)

v3.17.0

Features

... (truncated)

Commits


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @guibranco.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
  • `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/guibranco/progressbar/network/alerts).
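The urllib3 entries in the comment above (1.26.17, 1.26.18 and 1.26.19) describe a redirect-handling policy: when a redirect leaves the original host, credential-bearing headers (Cookie, Proxy-Authorization) are dropped unless the caller overrides `Retry.remove_headers_on_redirect`, and a 303 "See Other" response re-issues the request as a body-less GET. The Python below is an added example that models that policy so the behaviour can be checked offline; it is not urllib3's code and not part of this PR. The function names (`is_same_host`, `build_redirected_request`), the inclusion of `Authorization` in the strip set, and the sample URLs and header values are assumptions constructed for the example.

```python
"""Added example (not urllib3's code): a model of the redirect policy that the
urllib3 1.26.17 - 1.26.19 release notes describe.

Rules modelled:
  1. A redirect to a different origin drops credential-bearing headers.
  2. A 303 "See Other" response re-issues the request as GET with no body,
     dropping the headers that described the body.

All names, URLs and header values below are constructed for illustration.
"""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Headers dropped on a cross-origin redirect, lower-cased because header names
# are case-insensitive. Cookie and Proxy-Authorization are the two named in the
# release notes; Authorization is added on the assumption that bearer and basic
# credentials must not leak either (urllib3 strips it by default as well).
DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
    {"authorization", "cookie", "proxy-authorization"}
)

# Headers that only describe a request body; removed when a 303 turns the
# follow-up request into a body-less GET.
BODY_HEADERS = frozenset({"content-length", "content-type", "transfer-encoding"})


def _origin(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "http").lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_same_host(original_url, redirect_url):
    """True when the redirect stays on the same scheme, host and port.

    A relative Location (no host of its own) is resolved against the original
    URL first, so it counts as same-host. A change of scheme or port is treated
    as a different origin, the conservative choice when credentials are involved.
    """
    resolved = urljoin(original_url, redirect_url)
    return _origin(original_url) == _origin(resolved)


def build_redirected_request(original_url, redirect_url, method, headers, body=None,
                             status=302,
                             remove_headers_on_redirect=DEFAULT_REMOVE_HEADERS_ON_REDIRECT):
    """Compute (method, headers, body) for the request that follows a redirect.

    The caller's headers dict is not modified; a new dict is returned holding
    the surviving headers in their original casing.
    """
    strip = {name.lower() for name in remove_headers_on_redirect}
    cross_host = not is_same_host(original_url, redirect_url)
    new_headers = {
        name: value
        for name, value in headers.items()
        if not (cross_host and name.lower() in strip)
    }
    new_method, new_body = method.upper(), body
    # 303 "See Other": the next request is a GET without a body, so the headers
    # that described the body go away with it (the 1.26.18 change).
    if status == 303 and new_method not in ("GET", "HEAD"):
        new_method, new_body = "GET", None
        new_headers = {
            name: value for name, value in new_headers.items()
            if name.lower() not in BODY_HEADERS
        }
    return new_method, new_headers, new_body


if __name__ == "__main__":
    # Constructed scenario: a logged-in client is redirected off-site, then
    # on-site, then through a 303 after a POST.
    sent = {"Cookie": "session=abc123", "Proxy-Authorization": "Basic cHJveHk6cHc=",
            "Authorization": "Bearer token", "Accept": "*/*"}
    print(build_redirected_request("https://app.example.test/login",
                                   "https://other.example.test/landing", "GET", sent))
    print(build_redirected_request("https://app.example.test/login",
                                   "/dashboard", "GET", sent))
    print(build_redirected_request("https://app.example.test/submit",
                                   "https://app.example.test/done", "POST",
                                   {"Content-Type": "application/json",
                                    "Content-Length": "2", "Cookie": "a=b"},
                                   body=b"{}", status=303))
```

Run it directly to see the three scenarios. The two points worth checking in a review of any HTTP client are the ones this makes visible: the cross-host rule is keyed on scheme, host and port together, so an http-to-https hop on the same name is treated as a different origin, and the 303 rule removes the body headers along with the body so the downstream GET is well-formed.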
guibranco commented 1 month ago

@dependabot squash and merge

socket-security[bot] commented 1 month ago

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

========================  =====================================================  ===========  =======  ================================
Package                   New capabilities                                       Transitives  Size     Publisher
========================  =====================================================  ===========  =======  ================================
pypi/aiohttp@3.10.2       environment, eval, filesystem, network, shell, unsafe  0            14.3 MB  Andrew.Svetlov, fafhrd, webknjaz
pypi/certifi@2024.7.4     filesystem                                             0            306 kB   Lukasa
pypi/cryptography@42.0.4  environment, eval, filesystem, network, shell, unsafe  0            18.1 MB  reaperhulk
pypi/gitpython@3.1.41     environment, eval, filesystem, network, shell          0            768 kB   ByronBates, mtrier
pypi/idna@3.7             filesystem, network                                    0            1.1 MB   kjd
pypi/regex@2023.6.3       eval, unsafe                                           0            2.98 MB  mrabarnett
========================  =====================================================  ===========  =======  ================================

🚮 Removed packages: pypi/aiohttp@3.8.4, pypi/certifi@2023.5.7, pypi/cryptography@41.0.3, pypi/gitpython@3.1.31, pypi/idna@3.4

View full report↗︎

dependabot[bot] commented 1 month ago

One of your CI runs failed on this pull request, so Dependabot won't merge it.

Dependabot will still automatically merge this pull request if you amend it and your tests pass.

socket-security[bot] commented 1 month ago

Report is too large to display inline. View full report↗︎

Next steps

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore pypi/regex@2023.6.3
  • @SocketSecurity ignore pypi/gitpython@3.1.41
  • @SocketSecurity ignore pypi/cryptography@42.0.4
  • @SocketSecurity ignore pypi/idna@3.7
  • @SocketSecurity ignore pypi/certifi@2024.7.4
  • @SocketSecurity ignore pypi/aiohttp@3.10.2