liqd / a4-product

A modern online participation platform for everyone developed by Liquid Democracy
http://beteiligung.in
GNU Affero General Public License v3.0

Scheduled weekly dependency update for week 31 #866

Closed pyup-bot closed 5 years ago

pyup-bot commented 5 years ago

Update wagtail from 2.5.1 to 2.6.1.

Changelog

### 2.6.1
```
~~~~~~~~~~~~~~~~~~

 * Fix: Prevent Javascript errors caused by unescaped quote characters in translation strings (Matt Westcott)
```

### 2.6
```
~~~~~~~~~~~~~~~~

 * Removed support for Python 3.4
 * Added support for `short_description` for field labels in modeladmin's `InspectView` (Wesley van Lee)
 * Rearranged SCSS folder structure to the client folder and split them approximately according to ITCSS. (Naomi Morduch Toubman, Jonny Scholes, Janneke Janssen, Hugo van den Berg)
 * Added support for specifying cell alignment on TableBlock (Samuel Mendes)
 * Added more informative error when a non-image object is passed to the `image` template tag (Deniz Dogan)
 * Added more ARIA landmarks across the admin interface and welcome page for screen reader users to navigate the CMS more easily (Beth Menzies)
 * Added ButtonHelper examples in the modelAdmin primer page within documentation (Kalob Taulien)
 * Multiple clarifications, grammar and typo fixes throughout documentation (Dan Swain)
 * Use correct URL in API example in documentation (Michael Bunsen)
 * Move datetime widget initialiser JS into the widget's form media instead of page editor media (Matt Westcott)
 * Add form field prefixes for input forms in chooser modals (Matt Westcott)
 * Increase font-size across the whole admin (Beth Menzies, Katie Locke)
 * Improved text color contrast across the whole admin (Beth Menzies, Katie Locke)
 * Added consistent focus outline styles across the whole admin (Thibaud Colas)
 * Removed version number from the logo link’s title. The version can now be found under the Settings menu (Thibaud Colas)
 * Added "don't delete" option to confirmation screen when deleting images, documents and modeladmin models (Kevin Howbrook)
 * Added `branding_title` template block for the admin title prefix (Dillen Meijboom)
 * Add image dimensions in image gallery and image choosers for screen reader users (Helen Chapman)
 * Added support for custom search handler classes to modeladmin's IndexView, and added a class that uses the default Wagtail search backend for searching (Seb Brown, Andy Babic)
 * Improved heading structure for screen reader users navigating the CMS admin (Beth Menzies, Helen Chapman)
 * Updated group edit view to expose the Permission object for each checkbox (George Hickman)
 * Improve performance of Pages for Moderation panel (Fidel Ramos)
 * Add more contextual information for screen readers in the explorer menu’s links (Helen Chapman)
 * Added `process_child_object` and `exclude_fields` arguments to ``Page.copy()`` to make it easier for third-party apps to customise copy behavior (Karl Hobley)
 * Added `Page.with_content_json()`, allowing revision content loading behaviour to be customised on a per-model basis (Karl Hobley)
 * Improved screen-reader labels for action links in page listing (Helen Chapman, Katie Locke)
 * Added screen-reader labels for table headings in page listing (Helen Chapman, Katie Locke)
 * Added screen reader labels for page privacy toggle, edit lock, status tag in page explorer & edit views (Helen Chapman, Katie Locke)
 * Added screen-reader labels for dashboard summary cards (Helen Chapman, Katie Locke)
 * Added screen-reader labels for privacy toggle of collections (Helen Chapman, Katie Locke)
 * Added `construct_settings_menu` hook (Jordan Bauer, Quadric)
 * Fixed compatibility of date / time choosers with wagtail-react-streamfield (Mike Hearn)
 * Performance optimization of several admin functions, including breadcrumbs, home and index pages (Fidel Ramos)
 * Fix: ModelAdmin no longer fails when filtering over a foreign key relation (Jason Dilworth, Matt Westcott)
 * Fix: The Wagtail version number is now visible within the Settings menu (Kevin Howbrook)
 * Fix: Scaling images now rounds values to an integer so that images render without errors (Adrian Brunyate)
 * Fix: Revised test decorator to ensure TestPageEditHandlers test cases run correctly (Alex Tomkins)
 * Fix: Wagtail bird animation in admin now ends correctly on all browsers (Deniz Dogan)
 * Fix: Explorer menu no longer shows sibling pages for which the user does not have access (Mike Hearn)
 * Fix: Fixed occurrences of invalid HTML across the CMS admin (Thibaud Colas)
 * Fix: Admin HTML now includes the correct `dir` attribute for the active language (Andreas Bernacca)
 * Fix: Fix type error when using `--chunk_size` argument on `./manage.py update_index` (Seb Brown)
 * Fix: Avoid rendering entire form in EditHandler's `repr` method (Alex Tomkins)
 * Fix: Add empty alt attributes to HTML output of Embedly and oEmbed embed finders (Andreas Bernacca)
 * Fix: Add empty alt attributes to all images in the CMS admin (Andreas Bernacca)
 * Fix: Make URL generator preview image alt translatable (Thibaud Colas)
 * Fix: Clear pending AJAX request if error occurs on page chooser (Matt Westcott)
 * Fix: Prevent text from overlapping in focal point editing UI (Beth Menzies)
 * Fix: Screen readers now announce "Dashboard" for the main nav’s logo link instead of Wagtail’s version number (Thibaud Colas)
 * Fix: Screen readers now treat page-level action dropdowns as navigation instead of menus (Helen Chapman)
 * Fix: Make icon font implementation more screen-reader-friendly (Thibaud Colas)
 * Fix: Remove duplicate labels in image gallery and image choosers for screen reader users (Helen Chapman)
 * Fix: Restore custom "Date" icon for scheduled publishing panel in Edit page’s Settings tab (Helen Chapman)
 * Fix: Added missing form media to user edit form template (Matt Westcott)
 * Fix: Add a label to the modals’ “close” button for screen reader users (Helen Chapman, Katie Locke)
 * Fix: Ensure the 'add child page' button displays when focused (Helen Chapman, Katie Locke)
 * Fix: Remove tab order customisations in CMS admin (Jordan Bauer)
 * Fix: Add labels to permission checkboxes for screen reader users (Helen Chapman, Katie Locke)
 * Fix: Page.copy() no longer copies child objects when the accessor name is included in `exclude_fields_in_copy` (Karl Hobley)
 * Fix: Move focus to the pages explorer menu when open (Helen Chapman)
 * Fix: Clicking the privacy toggle while the page is still loading no longer loads the wrong data in the page (Helen Chapman)
 * Fix: Added missing `is_stored_locally` method to `AbstractDocument` (jonny5532)
 * Fix: Query model no longer removes punctuation as part of string normalisation (William Blackie)
 * Fix: Make login test helper work with user models with non-default username fields (Andrew Miller)
 * Fix: Delay dirty form check to prevent "unsaved changes" warning from being wrongly triggered (Thibaud Colas)
```

### 2.5.2
```
~~~~~~~~~~~~~~~~~~

 * Fix: Delay dirty form check to prevent "unsaved changes" warning from being wrongly triggered (Thibaud Colas)
```

Links
- PyPI: https://pypi.org/project/wagtail
- Changelog: https://pyup.io/changelogs/wagtail/
- Homepage: http://wagtail.io/

Update Django from 2.2.3 to 2.2.4.

Changelog

### 2.2.4
```
==========================

*August 1, 2019*

Django 2.2.4 fixes security issues and several bugs in 2.2.3.

CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
================================================================================

If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
were passed the ``html=True`` argument, they were extremely slow to evaluate
certain inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
filters, which were thus vulnerable.

The regular expressions used by ``Truncator`` have been simplified in order to
avoid potential backtracking issues. As a consequence, trailing punctuation may
now at times be included in the truncated output.

CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``
=================================================================

Due to the behavior of the underlying ``HTMLParser``,
:func:`django.utils.html.strip_tags` would be extremely slow to evaluate
certain inputs containing large sequences of nested incomplete HTML entities.
The ``strip_tags()`` method is used to implement the corresponding
:tfilter:`striptags` template filter, which was thus also vulnerable.

``strip_tags()`` now avoids recursive calls to ``HTMLParser`` when progress
removing tags, but necessarily incomplete HTML entities, stops being made.

Remember that absolutely NO guarantee is provided about the results of
``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
``strip_tags()`` call without escaping it first, for example with
:func:`django.utils.html.escape`.

CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``
====================================================================================================

:lookup:`Key and index lookups <jsonfield.key>` for
:class:`~django.contrib.postgres.fields.JSONField` and :lookup:`key lookups
<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`
were subject to SQL injection, using a suitably crafted dictionary, with
dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.

CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``
=====================================================================================

If passed certain inputs, :func:`django.utils.encoding.uri_to_iri` could lead
to significant memory usage due to excessive recursion when re-percent-encoding
invalid UTF-8 octet sequences.

``uri_to_iri()`` now avoids recursion when re-percent-encoding invalid UTF-8
octet sequences.

Bugfixes
========

* Fixed a regression in Django 2.2 when ordering a ``QuerySet.union()``,
  ``intersection()``, or ``difference()`` by a field type present more than
  once results in the wrong ordering being used (:ticket:`30628`).

* Fixed a migration crash on PostgreSQL when adding a check constraint
  with a ``contains`` lookup on
  :class:`~django.contrib.postgres.fields.DateRangeField` or
  :class:`~django.contrib.postgres.fields.DateTimeRangeField`, if the right
  hand side of an expression is the same type (:ticket:`30621`).

* Fixed a regression in Django 2.2 where auto-reloader crashes if a file path
  contains null characters (``'\x00'``) (:ticket:`30506`).

* Fixed a regression in Django 2.2 where auto-reloader crashes if a translation
  directory cannot be resolved (:ticket:`30647`).

==========================
```

Links
- PyPI: https://pypi.org/project/django
- Changelog: https://pyup.io/changelogs/django/
- Homepage: https://www.djangoproject.com/

Update django-autoslug from 1.9.5 to 1.9.6.

Changelog

### 1.9.6
```
------------------

Handle timezones for datetime fields
```

Links
- PyPI: https://pypi.org/project/django-autoslug
- Changelog: https://pyup.io/changelogs/django-autoslug/
- Repo: https://github.com/justinmayer/django-autoslug/archive/master.zip
- Docs: https://pythonhosted.org/django-autoslug/

Update flake8-docstrings from 1.3.0 to 1.3.1.

The bot wasn't able to find a changelog for this release. Got an idea?

Links
- PyPI: https://pypi.org/project/flake8-docstrings
- Repo: https://gitlab.com/pycqa/flake8-docstrings
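
The CVE-2019-14234 entry in the Django 2.2.4 notes above concerns lookup names that arrive through dictionary expansion into `QuerySet.filter()`. The block below is an added example, not code from this pull request, a4-product or Django: a defence-in-depth allowlist for request-supplied lookup names, applied in addition to the upgrade. The field names, the `data` JSONField and the helper `safe_filter_kwargs` are hypothetical.

```python
import re

# Hypothetical endpoint: a model with a JSONField called "data" plus two
# ordinary columns. None of these names come from a4-product or Django.
FIXED_LOOKUPS = frozenset({"title__icontains", "created__gte", "created__lte"})
JSON_FIELD = "data"
MAX_KEY_DEPTH = 3
# One JSON key or index: alphanumerics with single underscores inside, so a
# component can never contain quotes, spaces or a "__" separator.
KEY_COMPONENT = re.compile(r"[A-Za-z0-9]+(?:_[A-Za-z0-9]+)*")


class RejectedLookup(ValueError):
    """Raised when a request-supplied lookup name is not allowlisted."""


def safe_filter_kwargs(params):
    """Return a dict that is safe to expand into QuerySet.filter(**kwargs).

    Only lookup names (the dict keys) are checked here; values are left
    for the ORM to bind as query parameters.
    """
    kwargs = {}
    for name, value in params.items():
        if not isinstance(name, str):
            raise RejectedLookup(repr(name))
        if name not in FIXED_LOOKUPS:
            # Anything else must be data__<key>[__<key>...] with safe keys.
            field, sep, path = name.partition("__")
            parts = path.split("__") if sep else []
            if (field != JSON_FIELD
                    or not 1 <= len(parts) <= MAX_KEY_DEPTH
                    or not all(KEY_COMPONENT.fullmatch(p) for p in parts)):
                raise RejectedLookup(repr(name))
        kwargs[name] = value
    return kwargs


if __name__ == "__main__":
    # Constructed request parameters, not taken from any real application.
    print(safe_filter_kwargs({"title__icontains": "park",
                              "data__owner__name": "anna"}))
    for bad in ("data__a'b", "password__startswith", "data__a__b__c__d"):
        try:
            safe_filter_kwargs({bad: "x"})
        except RejectedLookup as exc:
            print("rejected:", exc)
```

Rejecting unknown field names also stops a client from filtering on columns the endpoint never meant to expose, which the version bump alone does not address.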