This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.
The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj
The xmlattr filter does not allow keys with / solidus, >
greater-than sign, or = equals sign, in addition to disallowing spaces.
Regardless of any validation done by Jinja, user input should never be used
as keys to this filter, or must be separately validated first.
:ghsa:h75v-3vvj-5mfj
This release is a milestone: it fixes Black's first CVE security vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of leading tab
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
CVE-2024-21503.
This release also fixes a bug in Black's AST safety check that allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.
Stable style
Don't move comments along with delimiters, which could cause crashes (#4248)
Strengthen AST safety check to catch more unsafe changes to strings. Previous versions
of Black would incorrectly format the contents of certain unusual f-strings containing
nested strings with the same quote type. Now, Black will crash on such strings until
support for the new f-string syntax is implemented. (#4270)
Fix a bug where line-ranges exceeding the last code line would not work as expected
(#4273)
Performance
Fix catastrophic performance on docstrings that contain large numbers of leading tab
characters. This fixes
CVE-2024-21503.
(#4278)
Documentation
Note what happens when --check is used with --quiet (#4236)
24.2.0
Stable style
Fixed a bug where comments where mistakenly removed along with redundant parentheses
(#4218)
Preview style
Move the hug_parens_with_braces_and_square_brackets feature to the unstable style
due to an outstanding crash and proposed formatting tweaks (#4198)
Fixed a bug where base expressions caused inconsistent formatting of ** in tenary
expression (#4154)
Checking for newline before adding one on docstring that is almost at the line limit
(#4185)
Remove redundant parentheses in case statement if guards (#4214).
This release is a milestone: it fixes Black's first CVE security vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of leading tab
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
CVE-2024-21503.
This release also fixes a bug in Black's AST safety check that allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.
Stable style
Don't move comments along with delimiters, which could cause crashes (#4248)
Strengthen AST safety check to catch more unsafe changes to strings. Previous versions
of Black would incorrectly format the contents of certain unusual f-strings containing
nested strings with the same quote type. Now, Black will crash on such strings until
support for the new f-string syntax is implemented. (#4270)
Fix a bug where line-ranges exceeding the last code line would not work as expected
(#4273)
Performance
Fix catastrophic performance on docstrings that contain large numbers of leading tab
characters. This fixes
CVE-2024-21503.
(#4278)
Documentation
Note what happens when --check is used with --quiet (#4236)
24.2.0
Stable style
Fixed a bug where comments where mistakenly removed along with redundant parentheses
(#4218)
Preview style
Move the hug_parens_with_braces_and_square_brackets feature to the unstable style
due to an outstanding crash and proposed formatting tweaks (#4198)
Fixed a bug where base expressions caused inconsistent formatting of ** in tenary
expression (#4154)
Checking for newline before adding one on docstring that is almost at the line limit
(#4185)
Remove redundant parentheses in case statement if guards (#4214).
The Authorization header is now dropped on redirects to a different
scheme (http:// or https://) or port, even if the domain is the
same. Please, see the 4qqq-9vqf-3h3f security advisory_ for more
information.
When using system proxy settings that are different for http:// and https://, redirects to a different URL scheme will now also trigger the
corresponding change in proxy settings for the redirected request. Please,
see the jm3v-qxmh-hxwv security advisory_ for more information.
(:issue:767)
:attr:Spider.allowed_domains <scrapy.Spider.allowed_domains> is now
enforced for all requests, and not only requests from spider callbacks.
(:issue:1042, :issue:2241, :issue:6358)
:func:~scrapy.utils.iterators.xmliter_lxml no longer resolves XML
entities. (:issue:6265)
defusedxml_ is now used to make
:class:scrapy.http.request.rpc.XmlRpcRequest more secure.
(:issue:6250, :issue:6251)
- Restored support for brotlipy_, which had been dropped in Scrapy 2.11.1 in
favor of brotli_. (:issue:`6261`)
.. _brotli: https://github.com/google/brotli
.. note:: brotlipy is deprecated, both in Scrapy and upstream. Use brotli
instead if you can.
</tr></table>
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/scrapy/scrapy/commit/e8cb5a03b382b98f2c8945355076390f708b918d"><code>e8cb5a0</code></a> Bump version: 2.11.1 → 2.11.2</li>
<li><a href="https://github.com/scrapy/scrapy/commit/2c031f4061ae9bf486cc9e2a699355450638e8c2"><code>2c031f4</code></a> Set the release date of 2.11.2</li>
<li><a href="https://github.com/scrapy/scrapy/commit/3ffa17c0204deb3bdf2c7c60f5a56c9f777698c6"><code>3ffa17c</code></a> Use posargs for pypy3-pinned</li>
<li><a href="https://github.com/scrapy/scrapy/commit/c6a8f0e4d945622a7e71adf635e272b66eddbbd0"><code>c6a8f0e</code></a> Update VERSION references</li>
<li><a href="https://github.com/scrapy/scrapy/commit/60d2577284128cd0cf4af54745730da4a9005177"><code>60d2577</code></a> Merge remote-tracking branch '23j4/2.11.2-release-notes' into 2.11</li>
<li><a href="https://github.com/scrapy/scrapy/commit/36287cb665ab4b0c65fd53181c9a0ef04990ada6"><code>36287cb</code></a> Merge branch 'redirect-protocols' into 2.11</li>
<li><a href="https://github.com/scrapy/scrapy/commit/f138d5d1450ef38ee077c2472c136c70d8d673e8"><code>f138d5d</code></a> Merge branch 'environ-proxy-protocol' into 2.11</li>
<li><a href="https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8"><code>1d0502f</code></a> Merge branch 'advisory-fix' into 2.11</li>
<li><a href="https://github.com/scrapy/scrapy/commit/bb948af00babe545a7fb52700f4ba1424d206677"><code>bb948af</code></a> Release notes for 2.11.2 (<a href="https://redirect.github.com/scrapy/scrapy/issues/6359">#6359</a>)</li>
<li><a href="https://github.com/scrapy/scrapy/commit/5ad9433dd59cd8436ce33bf2c44796516eef4c3c"><code>5ad9433</code></a> Merge remote-tracking branch 'scrapy/2.11' into 2.11</li>
<li>Additional commits viewable in <a href="https://github.com/scrapy/scrapy/compare/2.9.0...2.11.2">compare view</a></li>
</ul>
</details>
<br />
Updates `certifi` from 2023.7.22 to 2024.7.4
Commits
* Fixed a null-pointer-dereference and segfault that could occur when creating
a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
definitions in :rfc:`2633` :rfc:`3370`.
.. _v42-0-3:
42.0.3 - 2024-02-15
Fixed an initialization issue that caused key loading failures for some
users.
.. _v42-0-2:
42.0.2 - 2024-01-30
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
``X25519PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
``X448PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
and ``DHPrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.
.. _v42-0-1:
42.0.1 - 2024-01-24
Fixed an issue with incorrect keyword-argument naming with EllipticCurvePrivateKey
:meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign.
Resolved compatibility issue with loading certain RSA public keys in
:func:~cryptography.hazmat.primitives.serialization.load_pem_public_key.
Fix issue where specially crafted inputs to encode() could
take exceptionally long amount of time to process. [CVE-2024-3651]
Thanks to Guido Vranken for reporting the issue.
3.6 (2023-11-25)
++++++++++++++++
Fix regression to include tests in source distribution.
3.5 (2023-11-24)
++++++++++++++++
Update to Unicode 15.1.0
String codec name is now "idna2008" as overriding the system codec
"idna" was not working.
Fix typing error for codec encoding
"setup.cfg" has been added for this release due to some downstream
lack of adherence to PEP 517. Should be removed in a future release
so please prepare accordingly.
Removed reliance on a symlink for the "idna-data" tool to comport
with PEP 517 and the Python Packaging User Guide for sdist archives.
Added security reporting protocol for project
Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions
to this release.
To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed _get_connection to
a new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of Requests>=2.32.0.
A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)
v2.32.1
2.32.1 (2024-05-20)
Bugfixes
Add missing test certs to the sdist distributed on PyPI.
verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)
Requests now supports optional use of character detection
(chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)
Bugfixes
Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (#6589)
Fixed deserialization bug in JSONDecodeError. (#6629)
Fixed bug where an extra leading / (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)
To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed _get_connection to
a new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of Requests>=2.32.0.
A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)
2.32.1 (2024-05-20)
Bugfixes
Add missing test certs to the sdist distributed on PyPI.
verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)
Requests now supports optional use of character detection
(chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)
Bugfixes
Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (#6589)
Fixed deserialization bug in JSONDecodeError. (#6629)
Fixed bug where an extra leading / (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)
twisted.logger.formatEvent now honors dotted method names, not just
flat function names, in format strings, as it has long been
explicitly documented to do. So, you will now get the expected
result from [formatEvent("here's the result of calling a method at
log-format time: {obj.method()}", obj=...)]{.title-ref} (#9347)
twisted.web.http.HTTPChannel now ignores the trailer headers
provided in the last chunk of a chunked encoded response, rather
than raising an exception. (#11997)
twisted.protocols.tls.BufferingTLSTransport, used by default by
twisted.protocols.tls.TLSMemoryBIOFactory, was refactored for
improved performance when doing a high number of small writes.
(#12011)
twisted.python.failure.Failure now throws exception for generators
without triggering a deprecation warnings on Python 3.12. (#12026)
twisted.internet.process.Process, used by reactor.spawnProcess,
now copies the parent environment when the [env=None]{.title-ref}
argument is passed on Posix systems and os.posix_spawnp is used
internally. (#12068)
twisted.internet.defer.inlineCallbacks.returnValue's stack
introspection was adjusted for the latest PyPy 7.3.14 release,
allowing legacy @inlineCallbacks to run on new PyPY versions.
(#12084)
Deprecations and Removals
twisted.trial.reporter.TestRun.startTest() is no longer called for
tests with skip annotation or skip attribute for Python 3.12.1 or
newer. This is the result of upstream Python gh-106584 change. The
behavior is not change in 3.12.0 or older. (#12052)
twisted.logger.formatEvent now honors dotted method names, not just flat
function names, in format strings, as it has long been explicitly documented to
do. So, you will now get the expected result from formatEvent("here's the result of calling a method at log-format time: {obj.method()}", obj=...) (#9347)
twisted.web.http.HTTPChannel now ignores the trailer headers provided in the last chunk of a chunked encoded response, rather than raising an exception. (#11997)
twisted.protocols.tls.BufferingTLSTransport, used by default by twisted.protocols.tls.TLSMemoryBIOFactory, was refactored for improved performance when doing a high number of small writes. (#12011)
twisted.python.failure.Failure now throws exception for generators without triggering a deprecation warnings on Python 3.12. (#12026)
twisted.internet.process.Process, used by reactor.spawnProcess, now copies the parent environment when the env=None argument is passed on Posix systems and os.posix_spawnp is used internally. (#12068)
twisted.internet.defer.inlineCallbacks.returnValue's stack introspection was adjusted for the latest PyPy 7.3.14 release, allowing legacy @inlineCallbacks to run on new PyPY versions. (#12084)
Deprecations and Removals
twisted.trial.reporter.TestRun.startTest() is no longer called for tests
with skip annotation or skip attribute for Python 3.12.1 or newer.
This is the result of upstream Python gh-106584 change.
The behavior is not change in 3.12.0 or older. (#12052)
- The documentation for twisted.web.client.CookieAgent no longer references
long-deprecated ``cookielib`` and ``urllib2`` standard library modules. ([#12044](https://github.com/twisted/twisted/issues/12044))
</tr></table>
... (truncated)
Commits
2e59e1f Merge remote-tracking branch 'origin/release-24.2.0-12097' into release-24.2....
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support for 2023. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Changes
Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.
Note that due to an issue with our release automation, no multiple.intoto.jsonl file is available for this release.
1.26.18
Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (GHSA-g4mx-q9vg-27p4)
1.26.17
Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (GHSA-v845-jxx5-vc9f)
Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.
Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS. ([#3405](https://github.com/urllib3/urllib3/issues/3405) <https://github.com/urllib3/urllib3/issues/3405>__)
1.26.18 (2023-10-17)
Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.
1.26.17 (2023-10-02)
Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. ([#3139](https://github.com/urllib3/urllib3/issues/3139) <https://github.com/urllib3/urllib3/pull/3139>_)
This is the Werkzeug 3.0.3 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.
Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. GHSA-2g68-c3qc-8985
Make reloader more robust when "" is in sys.path. #2823
Better TLS cert format with adhoc dev certs. #2891
Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. #2828
Type annotation for Rule.endpoint and other uses of endpoint is Any. #2836
3.0.2
This is a fix release for the 3.0.x feature branch.
This is a feature release, which includes new features, removes previously deprecated code, and adds new deprecations. The 3.0.x branch is now the supported fix branch, the 2.3.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.
Only allow localhost, .localhost, 127.0.0.1, or the specified
hostname when running the dev server, to make debugger requests. Additional
hosts can be added by using the debugger middleware directly. The debugger
UI makes requests using the full URL rather than only the path.
:ghsa:2g68-c3qc-8985
Make reloader more robust when "" is in sys.path. :pr:2823
Better TLS cert format with adhoc dev certs. :pr:2891
Inform Python < 3.12 how to handle itms-services URIs correctly, rather
than using an overly-broad workaround in Werkzeug that caused some redirect
URIs to be passed on without encoding. :issue:2828
Type annotation for Rule.endpoint and other uses of endpoint is
Any. :issue:2836
Make reloader more robust when "" is in sys.path. :pr:2823
Version 3.0.2
Released 2024-04-01
Ensure setting merge_slashes to False results in NotFound for
repeated-slash requests against single slash routes. :issue:2834
Fix handling of TypeError in TypeConversionDict.get() to match
ValueError. :issue:2843
Fix response_wrapper type check in test client. :issue:2831
Make the return type of MultiPartParser.parse more precise.
:issue:2840
Raise an error if converter arguments cannot be parsed. :issue:2822
Version 3.0.1
Released 2023-10-24
Fix slow multipart parsing for large parts potentially enabling DoS attacks.
Bumps the pip group with 11 updates:
3.1.3
3.1.4
22.8.0
24.3.0
2.9.0
2.11.2
2023.7.22
2024.7.4
41.0.4
42.0.4
3.4
3.7
2.31.0
2.32.2
23.8.0
24.3.0
1.26.16
1.26.19
2.3.7
3.0.3
3.17.0
3.19.1
Updates
jinja2
from 3.1.3 to 3.1.4Release notes
Sourced from jinja2's releases.
Changelog
Sourced from jinja2's changelog.
Commits
dd4a8b5
release version 3.1.40668239
Merge pull request from GHSA-h75v-3vvj-5mfjd655030
disallow invalid characters in keys to xmlattr filtera7863ba
add ghsa linksb5c98e7
start version 3.1.4da3a9f0
update project files (#1968)0ee5eb4
satisfy formatter, linter, and strict mypy20477c6
update project files (#5457)e491223
update pyyaml dev dependency36f9885
fix pr linkUpdates
black
from 22.8.0 to 24.3.0Release notes
Sourced from black's releases.
... (truncated)
Changelog
Sourced from black's changelog.
... (truncated)
Commits
552baf8
Prepare release 24.3.0 (#4279)f000936
Fix catastrophic performance in lines_with_leading_tabs_expanded() (#4278)7b5a657
Fix --line-ranges behavior when ranges are at EOF (#4273)1abcffc
Use regex where we ignore case on windows (#4252)719e674
Fix 4227: Improve documentation for --quiet --check (#4236)e5510af
update plugin url for Thonny (#4259)6af7d11
Fix AST safety check false negative (#4270)f03ee11
Ensureblib2to3.pygram
is initialized before use (#4224)e4bfedb
fix: Don't move comments while splitting delimiters (#4248)d0287e1
Make trailing comma logic more concise (#4202)Updates
scrapy
from 2.9.0 to 2.11.2Release notes
Sourced from scrapy's releases.
Changelog
Sourced from scrapy's changelog.