search

qnbhd / mljet

Minimalistic ML-models auto deployment tool
MIT License
67 stars 4 forks source link

chore(deps): update requirements to v2.2.5 [security] #144

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
flask (changelog) ==2.2.2 -> ==2.2.5 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-30861

When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session cookie to other clients. The severity depends on the application's use of the session, and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

  1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
  2. The application sets session.permanent = True.
  3. The application does not access or modify the session at any point during a request.
  4. SESSION_REFRESH_EACH_REQUEST is enabled (the default).
  5. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the Vary: Cookie header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified.

Release Notes

pallets/flask (flask) ### [`v2.2.5`](https://redirect.github.com/pallets/flask/blob/HEAD/CHANGES.rst#Version-225) [Compare Source](https://redirect.github.com/pallets/flask/compare/2.2.4...2.2.5) Released 2023-05-02 - Update for compatibility with Werkzeug 2.3.3. - Set `Vary: Cookie` header when the session is accessed, modified, or refreshed. ### [`v2.2.4`](https://redirect.github.com/pallets/flask/blob/HEAD/CHANGES.rst#Version-224) [Compare Source](https://redirect.github.com/pallets/flask/compare/2.2.3...2.2.4) Released 2023-04-25 - Update for compatibility with Werkzeug 2.3. ### [`v2.2.3`](https://redirect.github.com/pallets/flask/blob/HEAD/CHANGES.rst#Version-223) [Compare Source](https://redirect.github.com/pallets/flask/compare/2.2.2...2.2.3) Released 2023-02-15 - Autoescape is enabled by default for `.svg` template files. :issue:`4831` - Fix the type of `template_folder` to accept `pathlib.Path`. :issue:`4892` - Add `--debug` option to the `flask run` command. :issue:`4777`

Configuration

πŸ“… Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

β™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

πŸ”• Ignore: Close this PR and you won't be reminded about these updates again.

This PR was generated by Mend Renovate. View the repository job log.

codecov-commenter commented 1 year ago

Codecov Report

Patch and project coverage have no change.

Comparison is base (6c78b08) 86.66% compared to head (6e6e6b6) 86.66%.

Additional details and impacted files ```diff @@ Coverage Diff @@ ## main #144 +/- ## ======================================= Coverage 86.66% 86.66% ======================================= Files 42 42 Lines 1155 1155 ======================================= Hits 1001 1001 Misses 154 154 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.