pypa / pip-audit

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them
https://pypi.org/project/pip-audit/
Apache License 2.0

build(deps-dev): update cyclonedx-python-lib requirement from <7,>=5 to >=5,<8 #760

Closed dependabot[bot] closed 5 months ago

dependabot[bot] commented 5 months ago

Updates the requirements on cyclonedx-python-lib to permit the latest version.

Release notes

Sourced from cyclonedx-python-lib's releases.

v7.0.0 (2024-04-09)

Breaking

  • feat!: Support for CycloneDX v1.6

  • added draft v1.6 schemas and boilerplate for v1.6

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • re-generated test snapshots for v1.6

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • note bom.metadata.manufacture as deprecated

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • work on bom.metadata for v1.6

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • Deprecated .component.author. Added .component.authors and .component.manufacturer

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • work to add .component.omniborid - but deserialisation tests fail due to schema differences (.component.author not in 1.6)

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • work to get deserialization tests passing

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • chore(deps): bump py-serializable to >=1.0.3 to resolve issues with deserialization to XML

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • imports tidied

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • properly added .component.swhid

Signed-off-by: Paul Horton <paul.horton@owasp.org>

  • add .component.cryptoProperties - with test failures for SchemaVersion < 1.6

Signed-off-by: Paul Horton <paul.horton@owasp.org>

... (truncated)

Commits
  • a28013b chore(release): 7.0.0
  • 8bbdf46 feat!: Support for CycloneDX v1.6
  • 35749c6 chore(deps-dev): update autopep8 requirement from 2.0.4 to 2.1.0 (#573)
  • d60f457 chore(deps-dev): update tox requirement from 4.14.1 to 4.14.2 (#574)
  • 4965bf9 chore(release): 6.4.4
  • 10e38e2 fix: wrong extra name for xml validation (#571)
  • 3a2e427 chore(deps-dev): update coverage requirement from 7.4.3 to 7.4.4 (#570)
  • d20a590 chore(deps): bump python-semantic-release/python-semantic-release (#564)
  • 2dcc60e chore(deps-dev): update tox requirement from 4.13.0 to 4.14.1 (#567)
  • eb1a252 chore(deps-dev): update bandit requirement from 1.7.7 to 1.7.8 (#566)
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)