Closed dependabot[bot] closed 4 years ago
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting `@dependabot ignore this major version` or `@dependabot ignore this minor version`.
If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps httpie from 0.7.2 to 1.0.3.
Release notes
*Sourced from [httpie's releases](https://github.com/jakubroztocil/httpie/releases).*

> ## HTTPie 1.0.3
>
> Fixed CVE-2019-10751 — the way the output filename is generated for `--download` requests without `--output` resulting in a redirect has been changed to only consider the initial URL as the base for the generated filename, and not the final one. This fixes a potential security issue under the following scenario:
>
> 1. A `--download` request with no explicit `--output` is made (e.g., `$ http -d example.org/file.txt`), instructing HTTPie to [generate the output filename](https://httpie.org/doc#downloaded-filename) from the `Content-Disposition` response header, or from the URL if the header is not provided.
> 2. The server handling the request has been modified by an attacker and instead of the expected response the URL returns a redirect to another URL, e.g., `attacker.example.org/.bash_profile`, whose response does not provide a `Content-Disposition` header (i.e., the base for the generated filename becomes `.bash_profile` instead of `file.txt`).
> 3. Your current directory doesn't already contain `.bash_profile` (i.e., no unique suffix is added to the generated filename).
> 4. You don't notice the potentially unexpected output filename as reported by HTTPie in the console output (e.g., `Downloading 100.00 B to ".bash_profile"`).
>
> ## HTTPie 1.0.2
>
> * Fixed tests for installation with pyOpenSSL.
>
> ## HTTPie 1.0.1
>
> * Removed external URL calls from tests.
>
> ## HTTPie 1.0.0
>
> * Added ``--style=auto`` which follows the terminal ANSI color styles.
> * Added support for selecting TLS 1.3 via ``--ssl=tls1.3`` (available once implemented in upstream libraries).
> * Added ``true``/``false`` as valid values for ``--verify`` (in addition to ``yes``/``no``) and the boolean value is case-insensitive.
> * Changed the default ``--style`` from ``solarized`` to ``auto`` (on Windows it stays ``fruity``).
> * Fixed default headers being incorrectly case-sensitive.
> * Removed Python 2.6 support.
>
> ## HTTPie 0.9.9
>
> * Only README changes.
>
> ## HTTPie 0.9.8
>
> - Extended auth plugin API.
> - Added exit status code `7` for plugin errors.
> - Added support for `curses`-less Python installations.
> - Fixed `REQUEST_ITEM` arg incorrectly being reported as required.
> - Improved `CTRL-C` interrupt handling.
> - Added the standard exit status code `130` for keyboard interrupts.
>
> ## HTTPie 0.9.6
>
> - Added Python 3 as a dependency for Homebrew installations to ensure some of the newer HTTP features work out of the box for macOS users (starting with HTTPie 0.9.4.).
> - Added the ability to unset a request header with `Header:`, and send an empty value with `Header;`.
> - Added `--default-scheme

Changelog
*Sourced from [httpie's changelog](https://github.com/jakubroztocil/httpie/blob/master/CHANGELOG.rst).*

> `1.0.3`_ (2019-08-26)
> ---------------------
>
> * Fixed CVE-2019-10751 — the way the output filename is generated for ``--download`` requests without ``--output`` resulting in a redirect has been changed to only consider the initial URL as the base for the generated filename, and not the final one. This fixes a potential security issue under the following scenario:
>
> 1. A ``--download`` request with no explicit ``--output`` is made (e.g., ``$ http -d example.org/file.txt``), instructing httpie to `generate the output filename

Commits
- See full diff in [compare view](https://github.com/jakubroztocil/httpie/commits/1.0.3)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/asascience-open/ooi-ui-services/network/alerts).
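The CVE-2019-10751 scenario quoted in the release notes above comes down to one design decision: which URL is the base for the generated filename when the server redirects. The following Python is an added illustration written for this page, not httpie's own code or API. It models a `--download`-style client that derives the target filename from `Content-Disposition` and otherwise from a URL, and runs the quoted redirect chain (`example.org/file.txt` redirected to `attacker.example.org/.bash_profile` with no `Content-Disposition`) through the vulnerable rule (final URL) and the fixed rule (initial URL). The URLs, headers, function names and the `-1`, `-2` unique-suffix scheme are assumptions made for the example.

```python
"""Output-filename derivation for a ``--download``-style client, in the
vulnerable and the fixed form described by the CVE-2019-10751 release note.
Illustrative code for this page; not httpie's implementation."""
from __future__ import annotations

import os
import re
from urllib.parse import unquote, urlsplit

# Constructed inputs modelling the release-note scenario: the user asks for
# example.org/file.txt, the compromised server answers with a redirect to
# attacker.example.org/.bash_profile, and the final response carries no
# Content-Disposition header. (Constructed for this example, not captured traffic.)
INITIAL_URL = "http://example.org/file.txt"
FINAL_URL = "http://attacker.example.org/.bash_profile"
FINAL_HEADERS = {"Content-Type": "text/plain"}


def filename_from_content_disposition(header: str | None) -> str | None:
    """Extract ``filename=`` (or ``filename*=UTF-8''``) from a Content-Disposition
    header. Only the basename is kept so a header such as
    filename="../../.bashrc" cannot steer the write outside the cwd."""
    if not header:
        return None
    match = re.search(r"filename\*?=(?:UTF-8'')?\"?([^\";]+)\"?", header, re.IGNORECASE)
    if not match:
        return None
    name = os.path.basename(unquote(match.group(1)).strip())
    return name or None


def filename_from_url(url: str) -> str:
    """Last path segment of ``url``; fall back to the host when the path is bare."""
    parts = urlsplit(url)
    name = os.path.basename(unquote(parts.path))
    return name or parts.hostname or "download"


def unique_filename(name: str, existing: set[str]) -> str:
    """Append ``-1``, ``-2``, ... while ``name`` collides with an existing file.
    The suffix format is an assumption made for this example."""
    if name not in existing:
        return name
    stem, ext = os.path.splitext(name)
    counter = 1
    while f"{stem}-{counter}{ext}" in existing:
        counter += 1
    return f"{stem}-{counter}{ext}"


def output_filename(initial_url: str, final_url: str, final_headers: dict[str, str],
                    existing: set[str], use_initial_url: bool) -> str:
    """Derive the download target. Content-Disposition on the final response wins;
    otherwise a URL is the base. ``use_initial_url=False`` reproduces the vulnerable
    behaviour (final, post-redirect URL); ``True`` is the fixed behaviour (the URL
    the user typed), so a redirect can no longer choose the local filename."""
    name = filename_from_content_disposition(final_headers.get("Content-Disposition"))
    if name is None:
        name = filename_from_url(initial_url if use_initial_url else final_url)
    return unique_filename(name, existing)


def demo() -> tuple[str, str, str]:
    """Run the scenario three ways: vulnerable, fixed, and vulnerable with the
    attacker's target already present in the cwd (so the unique suffix kicks in)."""
    vulnerable = output_filename(INITIAL_URL, FINAL_URL, FINAL_HEADERS, set(), use_initial_url=False)
    fixed = output_filename(INITIAL_URL, FINAL_URL, FINAL_HEADERS, set(), use_initial_url=True)
    collided = output_filename(INITIAL_URL, FINAL_URL, FINAL_HEADERS, {".bash_profile"}, use_initial_url=False)
    return vulnerable, fixed, collided


if __name__ == "__main__":
    for label, name in zip(("vulnerable", "fixed", "vulnerable, file exists"), demo()):
        print(f"{label:>24}: Downloading to {name!r}")
```

The third case in `demo()` is step 3 of the quoted scenario: if `.bash_profile` already exists, the collision suffix turns the write into `.bash_profile-1` and the attack misses, which is why the release note lists an empty cwd as a precondition. Note that the fix only changes the URL base; a `Content-Disposition` header on the final response still names the file, so clamping that value to a basename (as `filename_from_content_disposition` does) remains a separate, necessary check.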