search

pypa / pip-audit

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them
https://pypi.org/project/pip-audit/
Apache License 2.0
942 stars 62 forks source link

build(deps-dev): update cyclonedx-python-lib requirement from <6,>=4 to >=4,<7 #705

Closed dependabot[bot] closed 6 months ago

dependabot[bot] commented 6 months ago

Updates the requirements on cyclonedx-python-lib to permit the latest version.

Release notes

Sourced from cyclonedx-python-lib's releases.

v6.0.0 (2023-12-10)

Breaking

  • feat!: v6.0.0 (#492)

Breaking Changes

  • Removed symbols that were already marked as deprecated (via #493)
  • Removed symbols in parser.* (#489 via #495)
  • Removed output.LATEST_SUPPORTED_SCHEMA_VERSION (#491 via #494)
  • Serialization of unsupported enum values might downgrade/migrate/omit them (#490 via #496)
    Handling might raise warnings if a data loss occurred due to omitting.
    The result is a guaranteed valid XML/JSON, since no (enum-)invalid values are rendered.
  • Serialization of any model.component.Component with unsupported type raises exception.serialization.SerializationOfUnsupportedComponentTypeException (#490 via #496)
  • Object model.bom_ref.BomRef&#39;s property value defaults to Null, was arbitrary UUID (#504 via #505)
    This change does not affect serialization. All bom-refs are guaranteed to have unique values on rendering.
  • Removed helpers from public API (#503 via #506)

Added

  • Basic support for CycloneDX 1.5 (#404 via #488) -- Thanks to @​Churro
    • No data models were enhanced nor added, yet.
      Pull requests to add functionality are welcome.
    • Existing enumerable got new cases, to reflect features of CycloneDX 1.5 (#404 via #488)
    • Outputters were enabled to render CycloneDX 1.5 (#404 via #488)

Tests

  • Created (regression/unit/integration/functional) tests for CycloneDX 1.5 (#404 via #488)
  • Created (regression/functional) tests for Enums&#39; handling and completeness (#490 via #496)

Misc

  • Bumped dependency py-serializable@^0.16, was @^0.15 (via #496)

API Changes — the details for migration

  • Added new sub-package exception.serialization (via #496)
  • Removed class models.ComparableTuple (#503 via #506)
  • Enum model.ExternalReferenceType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
  • Removed function models.get_now_utc (#503 via #506)
  • Removed function models.sha1sum (#503 via #506)
  • Enum model.component.ComponentType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
  • Removed model.component.Component.__init__()&#39;s deprecated optional kwarg namespace (via #493)
    Use kwarg group instead.
  • Removed model.component.Component.__init__()&#39;s deprecated optional kwarg license_str (via #493)

... (truncated)

Changelog

Sourced from cyclonedx-python-lib's changelog.

v6.0.0 (2023-12-10)

Breaking

  • feat!: v6.0.0 (#492)

Breaking Changes

  • Removed symbols that were already marked as deprecated (via #493)
  • Removed symbols in parser.* (#489 via #495)
  • Removed output.LATEST_SUPPORTED_SCHEMA_VERSION (#491 via #494)
  • Serialization of unsupported enum values might downgrade/migrate/omit them (#490 via #496)
    Handling might raise warnings if a data loss occurred due to omitting.
    The result is a guaranteed valid XML/JSON, since no (enum-)invalid values are rendered.
  • Serialization of any model.component.Component with unsupported type raises exception.serialization.SerializationOfUnsupportedComponentTypeException (#490 via #496)
  • Object model.bom_ref.BomRef&#39;s property value defaults to Null, was arbitrary UUID (#504 via #505)
    This change does not affect serialization. All bom-refs are guaranteed to have unique values on rendering.
  • Removed helpers from public API (#503 via #506)

Added

  • Basic support for CycloneDX 1.5 (#404 via #488)
    • No data models were enhanced nor added, yet.
      Pull requests to add functionality are welcome.
    • Existing enumerable got new cases, to reflect features of CycloneDX 1.5 (#404 via #488)
    • Outputters were enabled to render CycloneDX 1.5 (#404 via #488)

Tests

  • Created (regression/unit/integration/functional) tests for CycloneDX 1.5 (#404 via #488)
  • Created (regression/functional) tests for Enums&#39; handling and completeness (#490 via #496)

Misc

  • Bumped dependency py-serializable@^0.16, was @^0.15 (via #496)

API Changes — the details for migration

  • Added new sub-package exception.serialization (via #496)
  • Removed class models.ComparableTuple (#503 via #506)
  • Enum model.ExternalReferenceType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
  • Removed function models.get_now_utc (#503 via #506)
  • Removed function models.sha1sum (#503 via #506)
  • Enum model.component.ComponentType got new cases, to reflect features for CycloneDX 1.5 (#404 via #488)
  • Removed model.component.Component.__init__()&#39;s deprecated optional kwarg namespace (via #493)
    Use kwarg group instead.
  • Removed model.component.Component.__init__()&#39;s deprecated optional kwarg license_str (via #493)

... (truncated)

Commits
  • 8800b68 chore(release): 6.0.0
  • 74865f8 feat!: v6.0.0 (#492)
  • 9ed9ab1 chore(deps): bump python-semantic-release/python-semantic-release (#509)
  • 0eba631 chore(deps-dev): update isort requirement from 5.12.0 to 5.13.0 (#512)
  • 153b07a chore(deps-dev): update bandit requirement from 1.7.5 to 1.7.6 (#510)
  • 4e3e0e0 chore(deps): bump actions/setup-python from 4 to 5 (#508)
  • 5d6dd41 chore(deps): update sphinx-rtd-theme requirement (#499)
  • e9a12b9 chore(deps-dev): update flake8-bugbear requirement (#500)
  • 04435ab chore(deps): update py-serializable requirement (#501)
  • 8bf0e39 chore(deps-dev): update tox requirement from 4.11.3 to 4.11.4 (#502)
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
woodruffw commented 6 months ago

@dependabot rebase

dependabot[bot] commented 6 months ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.