Repair incompatibilities introduced with 5.1. The default Loader was changed,
but several methods like add_constructor still used the old default
yaml/pyyaml#279 -- A more flexible fix for custom tag constructors
yaml/pyyaml#287 -- Change default loader for yaml.add_constructor
yaml/pyyaml#305 -- Change default loader for add_implicit_resolver, add_path_resolver
Make FullLoader safer by removing python/object/apply from the default FullLoader
yaml/pyyaml#347 -- Move constructor for object/apply to UnsafeConstructor
Fix bug introduced in 5.1 where quoting went wrong on systems with sys.maxunicode <= 0xffff
yaml/pyyaml#276 -- Fix logic for quoting special characters
verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)
Requests now supports optional use of character detection
(chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)
Bugfixes
Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (#6589)
Fixed deserialization bug in JSONDecodeError. (#6629)
Fixed bug where an extra leading / (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)
Deprecations
Requests has officially added support for CPython 3.12 (#6503)
Requests has officially added support for PyPy 3.9 and 3.10 (#6641)
Requests has officially dropped support for CPython 3.7 (#6642)
Requests has officially dropped support for PyPy 3.7 and 3.8 (#6641)
Documentation
Various typo fixes and doc improvements.
Packaging
Requests has started adopting some modern packaging practices.
The source files for the projects (formerly requests) is now located
in src/requests in the Requests sdist. (#6506)
Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system
using hatchling. This should not impact the average user, but extremely old
versions of packaging utilities may have issues with the new packaging format.
verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)
Requests now supports optional use of character detection
(chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)
Bugfixes
Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (#6589)
Fixed deserialization bug in JSONDecodeError. (#6629)
Fixed bug where an extra leading / (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)
Deprecations
Requests has officially added support for CPython 3.12 (#6503)
Requests has officially added support for PyPy 3.9 and 3.10 (#6641)
Requests has officially dropped support for CPython 3.7 (#6642)
Requests has officially dropped support for PyPy 3.7 and 3.8 (#6641)
Documentation
Various typo fixes and doc improvements.
Packaging
Requests has started adopting some modern packaging practices.
The source files for the projects (formerly requests) is now located
in src/requests in the Requests sdist. (#6506)
Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system
using hatchling. This should not impact the average user, but extremely old
versions of packaging utilities may have issues with the new packaging format.
to_ssh in VerifyingKey and SigningKey, supports Ed25519 keys only
(Pablo Mazzini)
New features:
Support for twisted Brainpool curves
Doc fix:
Fix curve equation in glossary
Documentation for signature encoding and signature decoding functions
Maintenance:
Dropped official support for 3.3 and 3.4 (because of problems running them
in CI, not because it's actually incompatible; support for 2.6 and 2.7 is
unaffected)
Fixes around hypothesis parameters
Officially support Python 3.11 and 3.12
Small updates to test suite to make it work with 3.11 and 3.12 and new
releases of test dependencies
Dropped the internal _rwlock module as it's unused
Added mutation testing to CI, lots of speed-ups to the test suite
to make it happen
Removal of unnecessary six.b literals (Alexandre Detiste)
Deprecations:
int_to_string, string_to_int, and digest_integer from ecdsa.ecdsa
module are now considered deprecated, they will be removed in a future
release
ecdsa 0.18.0
New features:
Support for EdDSA (Ed25519, Ed448) signature creation and verification.
Support for Ed25519 and Ed448 in PKCS#8 and public key files.
Support for point precomputation for EdDSA.
New API:
CurveEdTw class to represent the Twisted Edwards curve parameters.
PointEdwards class to represent points on Twisted Edwards curve and
provide point arithmetic on it.
curve_by_name in curves module to get a Curve object by providing curve
name.
to_ssh in VerifyingKey and SigningKey, supports Ed25519 keys only
(Pablo Mazzini)
New features:
Support for twisted Brainpool curves
Doc fix:
Fix curve equation in glossary
Documentation for signature encoding and signature decoding functions
Maintenance:
Dropped official support for 3.3 and 3.4 (because of problems running them
in CI, not because it's actually incompatible; support for 2.6 and 2.7 is
unaffected)
Fixes aroung hypothesis parameters
Officially support Python 3.11 and 3.12
Small updates to test suite to make it work with 3.11 and 3.12 and new
releases of test dependencies
Dropped the internal _rwlock module as it's unused
Added mutation testing to CI, lots of speed-ups to the test suite
to make it happen
Removal of unnecessary six.b literals (Alexandre Detiste)
Deprecations:
int_to_string, string_to_int, and digest_integer from ecdsa.ecdsa
module are now considered deprecated, they will be removed in a future
release
Release 0.18.0 (09 Jul 2022)
New API:
curve_by_name in curves module to get a Curve object by providing curve
name.
Bug fix:
Make the VerifyingKey encoded with explicit parameters use the same
kind of point encoding for public key and curve generator.
Better handling of malformed curve parameters (as in CVE-2022-0778);
make python-ecdsa raise MalformedPointError instead of AssertionError.
Doc fix:
Publish the documentation on https://ecdsa.readthedocs.io/,
include explanation of basics of handling of ECC data formats and how to use
the library for elliptic curve arithmetic.
Make object names more consistent, make them into hyperlinks on the
readthedocs documentation.
Make security note more explicit (Ian Rodney)
... (truncated)
Commits
be70016 Merge pull request #337 from tlsfuzzer/release-0.19
217735b allow early exit from worker processes when running mutation testing
This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.
The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj
3.1.3
This is a fix release for the 3.1.x feature branch.
Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.
This is a feature release, which includes new features and removes previously deprecated features. The 3.1.x branch is now the supported bugfix branch, the 3.0.x branch has become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. We also encourage upgrading to MarkupSafe 2.1.1, the latest version at this time.
Follow our blog, Twitter, or GitHub to see future announcements.
This represents a significant amount of work, and there are quite a few changes. Be sure to carefully read the changelog, and use tools such as pip-compile and Dependabot to pin your dependencies and control your updates.
The xmlattr filter does not allow keys with / solidus, >
greater-than sign, or = equals sign, in addition to disallowing spaces.
Regardless of any validation done by Jinja, user input should never be used
as keys to this filter, or must be separately validated first.
:ghsa:h75v-3vvj-5mfj
Version 3.1.3
Released 2024-01-10
Fix compiler error when checking if required blocks in parent templates are
empty. :pr:1858
xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
Make error messages stemming from invalid nesting of {% trans %} blocks
more helpful. :pr:1918
Version 3.1.2
Released 2022-04-28
Add parameters to Environment.overlay to match __init__.
:issue:1645
Handle race condition in FileSystemBytecodeCache. :issue:1654
Version 3.1.1
Released 2022-03-25
The template filename on Windows uses the primary path separator.
:issue:1637
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/scrapinghub/exporters/network/alerts).
Bumps the pip group with 6 updates in the / directory:
3.115.42.5.32.32.00.130.19.01.15.22.0.93.0.0b23.18.32.83.1.4Updates
pyyamlfrom 3.11 to 5.4Changelog
Sourced from pyyaml's changelog.
... (truncated)
Commits
58d0cb75.4 releasea60f7a1Fix compatibility with Jythonee98abdRun CI on PR base branch changesddf2033constructor.timezone: _copy & deepcopyfc914d5Avoid repeatedly appending to yaml_implicit_resolversa001f27Fix for CVE-2020-14343fe15062Add 3.9 to appveyor file for completeness sake1e1c7fbAdd a newline character to end of pyproject.toml0b6b7d6Start sentences and phrases for capital lettersc976915Shell code improvementsUpdates
requestsfrom 2.5.3 to 2.32.0Release notes
Sourced from requests's releases.
... (truncated)
Changelog
Sourced from requests's changelog.
... (truncated)
Commits
d6ebc4av2.32.09a40d12Avoid reloading root certificates to improve concurrent performance (#6667)0c030f7Merge pull request #6702 from nateprewitt/no_char_detection555b870Allow character detection dependencies to be optional in post-packaging stepsd6dded3Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-testbf24b7dUse an invalid URI that will not cause httpbin to throw 5002d5f547Pin 3.8 and 3.9 runners back to macos-13 (#6688)f1bb07dMerge pull request #6687 from psf/dependabot/github_actions/github/codeql-act...60047adBump github/codeql-action from 3.24.0 to 3.25.031ebb81Merge pull request #6682 from frenzymadness/pytest8Updates
ecdsafrom 0.13 to 0.19.0Release notes
Sourced from ecdsa's releases.
... (truncated)
Changelog
Sourced from ecdsa's changelog.
... (truncated)
Commits
be70016Merge pull request #337 from tlsfuzzer/release-0.19217735ballow early exit from worker processes when running mutation testing6e7adffdon't check rate if no tests executedc56030emake coveralls submission work with py2.6 again66d0d74add release notes for 0.19.0 release0d5a38cMerge pull request #156 from tomato42/cosmic-ray02c8350be more permissive for the PR mutation test coverage4845e8fbetter is_prime()09f0d10add hard timeout for test mutation test suitee16173btwo digit precision for the mutation score badgeUpdates
paramikofrom 1.15.2 to 2.0.9Commits
f83156aCut 2.0.981ba2acAlmost left the 1.17+ marker in the changelog.a5ce12dFix a Python 2.6 oopse6f9842Formatting56c96a6Fix and changelog re #1283852176dFix a pseudo-bug re: responding to MSG_UNIMPLEMENTED w/ itself0b2e154Merge branch 'crypto-1.5-agnostisicm' into 2.0238a862Missing verbose/color for 2.6/3.3 backported pytest setup35b1f57Backport support for newer cryptography sign/verify APIs.40fde0eTry testing against different cryptography.io versionsUpdates
protobuffrom 3.0.0b2 to 3.18.3Release notes
Sourced from protobuf's releases.
... (truncated)
Commits
Updates
jinja2from 2.8 to 3.1.4Release notes
Sourced from jinja2's releases.
... (truncated)
Changelog
Sourced from jinja2's changelog.
... (truncated)
Commits
dd4a8b5release version 3.1.40668239Merge pull request from GHSA-h75v-3vvj-5mfjd655030disallow invalid characters in keys to xmlattr filtera7863baadd ghsa linksb5c98e7start version 3.1.4da3a9f0update project files (#1968)0ee5eb4satisfy formatter, linter, and strict mypy20477c6update project files (#5457)e491223update pyyaml dev dependency36f9885fix pr linkDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show