Bumps requests from 2.19.1 to 2.21.0. This update includes security fixes.
Vulnerabilities fixed
*Sourced from The GitHub Security Advisory Database.*
> **Moderate severity vulnerability that affects requests**
> The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
>
> Affected versions: <= 2.19.1
Changelog
*Sourced from [requests's changelog](https://github.com/requests/requests/blob/master/HISTORY.md).*
> 2.21.0 (2018-12-10)
> -------------------
>
> **Dependencies**
>
> - Requests now supports idna v2.8.
>
> 2.20.1 (2018-11-08)
> -------------------
>
> **Bugfixes**
>
> - Fixed bug with unintended Authorization header stripping for
> redirects using default ports (http/80, https/443).
>
> 2.20.0 (2018-10-18)
> -------------------
>
> **Bugfixes**
>
> - Content-Type header parsing is now case-insensitive (e.g.
> charset=utf8 v Charset=utf8).
> - Fixed exception leak where certain redirect urls would raise
> uncaught urllib3 exceptions.
> - Requests removes Authorization header from requests redirected
> from https to http on the same hostname. (CVE-2018-18074)
> - `should_bypass_proxies` now handles URIs without hostnames (e.g.
> files).
>
> **Dependencies**
>
> - Requests now supports urllib3 v1.24.
>
> **Deprecations**
>
> - Requests has officially stopped support for Python 2.6.
Commits
- [`5a1e738`](https://github.com/requests/requests/commit/5a1e738ea9c399c3f59977f2f98b083986d6037a) v2.21.0
- [`8761e97`](https://github.com/requests/requests/commit/8761e9736f7d5508a5547cdf3adecbe0b7306278) Bumped maximum version of idna
- [`abe950c`](https://github.com/requests/requests/commit/abe950cfd3ee437279ca23866da6571571b637a6) Revert "Set up Azure Pipelines for Linux and Windows"
- [`c35f342`](https://github.com/requests/requests/commit/c35f34263ae9162b91b7a57ca64594e9a296b617) Merge pull request [#4898](https://github-redirect.dependabot.com/requests/requests/issues/4898) from requests/revert_azure
- [`0dd4752`](https://github.com/requests/requests/commit/0dd4752598719c4466e46c58e9de862bdb925934) revert azure pipeline changes
- [`57d7284`](https://github.com/requests/requests/commit/57d7284c1a245cf9fbcecb594f50471d86e879f7) Merge pull request [#4874](https://github-redirect.dependabot.com/requests/requests/issues/4874) from kaylangan/patch-1
- [`fc9dfac`](https://github.com/requests/requests/commit/fc9dfac2b9d1861734fabd0eb2da7b9bd14fa736) Add build badge for Azure Pipelines
- [`bc3eddc`](https://github.com/requests/requests/commit/bc3eddc6eda5ec1937a9103a475a73ed6557cb9b) Delete settings.json
- [`d911f27`](https://github.com/requests/requests/commit/d911f278689bf10b7a74c5b1e8e4f2af103e87d7) Delete install.ps1
- [`3da2f10`](https://github.com/requests/requests/commit/3da2f10290a0dc78e34031856438ef1fed4e7435) Delete .travis.yml
- Additional commits viewable in [compare view](https://github.com/requests/requests/compare/v2.19.1...v2.21.0)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Finally, you can contact us by mentioning @dependabot.
Coverage remained the same at ?% when pulling 8c373e9ad86c80f2abdfc3f261bef8b19642e1a8 on dependabot/pip/requests-2.21.0 into e01d75ed801c6b06927ab2cc3d1e308c43da9be8 on master.
Bumps requests from 2.19.1 to 2.21.0. This update includes security fixes.
Vulnerabilities fixed
*Sourced from The GitHub Security Advisory Database.* > **Moderate severity vulnerability that affects requests** > The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. > > Affected versions: <= 2.19.1Changelog
*Sourced from [requests's changelog](https://github.com/requests/requests/blob/master/HISTORY.md).* > 2.21.0 (2018-12-10) > ------------------- > > **Dependencies** > > - Requests now supports idna v2.8. > > 2.20.1 (2018-11-08) > ------------------- > > **Bugfixes** > > - Fixed bug with unintended Authorization header stripping for > redirects using default ports (http/80, https/443). > > 2.20.0 (2018-10-18) > ------------------- > > **Bugfixes** > > - Content-Type header parsing is now case-insensitive (e.g. > charset=utf8 v Charset=utf8). > - Fixed exception leak where certain redirect urls would raise > uncaught urllib3 exceptions. > - Requests removes Authorization header from requests redirected > from https to http on the same hostname. (CVE-2018-18074) > - `should_bypass_proxies` now handles URIs without hostnames (e.g. > files). > > **Dependencies** > > - Requests now supports urllib3 v1.24. > > **Deprecations** > > - Requests has officially stopped support for Python 2.6.Commits
- [`5a1e738`](https://github.com/requests/requests/commit/5a1e738ea9c399c3f59977f2f98b083986d6037a) v2.21.0 - [`8761e97`](https://github.com/requests/requests/commit/8761e9736f7d5508a5547cdf3adecbe0b7306278) Bumped maximum version of idna - [`abe950c`](https://github.com/requests/requests/commit/abe950cfd3ee437279ca23866da6571571b637a6) Revert "Set up Azure Pipelines for Linux and Windows" - [`c35f342`](https://github.com/requests/requests/commit/c35f34263ae9162b91b7a57ca64594e9a296b617) Merge pull request [#4898](https://github-redirect.dependabot.com/requests/requests/issues/4898) from requests/revert_azure - [`0dd4752`](https://github.com/requests/requests/commit/0dd4752598719c4466e46c58e9de862bdb925934) revert azure pipeline changes - [`57d7284`](https://github.com/requests/requests/commit/57d7284c1a245cf9fbcecb594f50471d86e879f7) Merge pull request [#4874](https://github-redirect.dependabot.com/requests/requests/issues/4874) from kaylangan/patch-1 - [`fc9dfac`](https://github.com/requests/requests/commit/fc9dfac2b9d1861734fabd0eb2da7b9bd14fa736) Add build badge for Azure Pipelines - [`bc3eddc`](https://github.com/requests/requests/commit/bc3eddc6eda5ec1937a9103a475a73ed6557cb9b) Delete settings.json - [`d911f27`](https://github.com/requests/requests/commit/d911f278689bf10b7a74c5b1e8e4f2af103e87d7) Delete install.ps1 - [`3da2f10`](https://github.com/requests/requests/commit/3da2f10290a0dc78e34031856438ef1fed4e7435) Delete .travis.yml - Additional commits viewable in [compare view](https://github.com/requests/requests/compare/v2.19.1...v2.21.0)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.