search

scrapinghub / shub-workflow

BSD 3-Clause "New" or "Revised" License
13 stars 14 forks source link

Bump the pip group with 12 updates #67

Closed dependabot[bot] closed 3 months ago

dependabot[bot] commented 3 months ago

Bumps the pip group with 12 updates:

Package From To
jinja2 3.1.3 3.1.4
black 22.8.0 24.3.0
scrapy 2.9.0 2.11.2
certifi 2023.7.22 2024.7.4
cryptography 41.0.4 42.0.4
idna 3.4 3.7
requests 2.31.0 2.32.2
setuptools 68.2.2 70.0.0
twisted 23.8.0 24.3.0
urllib3 1.26.16 1.26.19
werkzeug 2.3.7 3.0.3
zipp 3.17.0 3.19.1

Updates jinja2 from 3.1.3 to 3.1.4

Release notes

Sourced from jinja2's releases.

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

  • The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj
Changelog

Sourced from jinja2's changelog.

Version 3.1.4

Released 2024-05-05

  • The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. :ghsa:h75v-3vvj-5mfj
Commits


Updates black from 22.8.0 to 24.3.0

Release notes

Sourced from black's releases.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

  • Don't move comments along with delimiters, which could cause crashes (#4248)
  • Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
  • Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

  • Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

  • Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

  • Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

  • Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
  • Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
  • Checking for newline before adding one on docstring that is almost at the line limit (#4185)
  • Remove redundant parentheses in case statement if guards (#4214).

Configuration

... (truncated)

Changelog

Sourced from black's changelog.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

  • Don't move comments along with delimiters, which could cause crashes (#4248)
  • Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
  • Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

  • Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

  • Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

  • Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

  • Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
  • Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
  • Checking for newline before adding one on docstring that is almost at the line limit (#4185)
  • Remove redundant parentheses in case statement if guards (#4214).

... (truncated)

Commits


Updates scrapy from 2.9.0 to 2.11.2

Release notes

Sourced from scrapy's releases.

2.11.2

Mostly bug fixes, including security bug fixes.

See the full changelog.

2.11.1

  • Security bug fixes.
  • Support for Twisted >= 23.8.0.
  • Documentation improvements.

See the full changelog.

2.11.0

  • Spiders can now modify settings in their from_crawler methods, e.g. based on spider arguments.
  • Periodic logging of stats.
  • Bug fixes.

See the full changelog.

2.10.1

Marked Twisted >= 23.8.0 as unsupported.

2.10.0

  • Added Python 3.12 support, dropped Python 3.7 support.
  • The new add-ons framework simplifies configuring 3rd-party components that support it.
  • Exceptions to retry can now be configured.
  • Many fixes and improvements for feed exports.

See the full changelog.

Changelog

Sourced from scrapy's changelog.

Scrapy 2.11.2 (2024-05-14)

Security bug fixes


-   Redirects to non-HTTP protocols are no longer followed. Please, see the
    `23j4-mw76-5v7h security advisory`_ for more information. (:issue:`457`)

.. _23j4-mw76-5v7h security advisory: https://github.com/scrapy/scrapy/security/advisories/GHSA-23j4-mw76-5v7h



    

  • 

    The Authorization header is now dropped on redirects to a different
    
scheme (http:// or https://) or port, even if the domain is the
    
same. Please, see the 4qqq-9vqf-3h3f security advisory_ for more
    
information.
    

    .. _4qqq-9vqf-3h3f security advisory: https://github.com/scrapy/scrapy/security/advisories/GHSA-4qqq-9vqf-3h3f
    

    • 

  • 

    When using system proxy settings that are different for http:// and
    
https://, redirects to a different URL scheme will now also trigger the
    
corresponding change in proxy settings for the redirected request. Please,
    
see the jm3v-qxmh-hxwv security advisory_ for more information.
    
(:issue:767)
    

    .. _jm3v-qxmh-hxwv security advisory: https://github.com/scrapy/scrapy/security/advisories/GHSA-jm3v-qxmh-hxwv
    

    • 

  • 

    :attr:Spider.allowed_domains <scrapy.Spider.allowed_domains> is now
    
enforced for all requests, and not only requests from spider callbacks.
    
(:issue:1042, :issue:2241, :issue:6358)
    

    • 

  • 

    :func:~scrapy.utils.iterators.xmliter_lxml no longer resolves XML
    
entities. (:issue:6265)
    

    • 

  • 

    defusedxml_ is now used to make
    
:class:scrapy.http.request.rpc.XmlRpcRequest more secure.
    
(:issue:6250, :issue:6251)
    

    .. _defusedxml: https://github.com/tiran/defusedxml
    

    • 



Bug fixes



-   Restored support for brotlipy_, which had been dropped in Scrapy 2.11.1 in
    favor of brotli_. (:issue:`6261`)

    .. _brotli: https://github.com/google/brotli

    .. note:: brotlipy is deprecated, both in Scrapy and upstream. Use brotli
        instead if you can.

</tr></table> 
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>

<ul>
<li><a href="https://github.com/scrapy/scrapy/commit/e8cb5a03b382b98f2c8945355076390f708b918d"><code>e8cb5a0</code></a> Bump version: 2.11.1 → 2.11.2</li>
<li><a href="https://github.com/scrapy/scrapy/commit/2c031f4061ae9bf486cc9e2a699355450638e8c2"><code>2c031f4</code></a> Set the release date of 2.11.2</li>
<li><a href="https://github.com/scrapy/scrapy/commit/3ffa17c0204deb3bdf2c7c60f5a56c9f777698c6"><code>3ffa17c</code></a> Use posargs for pypy3-pinned</li>
<li><a href="https://github.com/scrapy/scrapy/commit/c6a8f0e4d945622a7e71adf635e272b66eddbbd0"><code>c6a8f0e</code></a> Update VERSION references</li>
<li><a href="https://github.com/scrapy/scrapy/commit/60d2577284128cd0cf4af54745730da4a9005177"><code>60d2577</code></a> Merge remote-tracking branch '23j4/2.11.2-release-notes' into 2.11</li>
<li><a href="https://github.com/scrapy/scrapy/commit/36287cb665ab4b0c65fd53181c9a0ef04990ada6"><code>36287cb</code></a> Merge branch 'redirect-protocols' into 2.11</li>
<li><a href="https://github.com/scrapy/scrapy/commit/f138d5d1450ef38ee077c2472c136c70d8d673e8"><code>f138d5d</code></a> Merge branch 'environ-proxy-protocol' into 2.11</li>
<li><a href="https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8"><code>1d0502f</code></a> Merge branch 'advisory-fix' into 2.11</li>
<li><a href="https://github.com/scrapy/scrapy/commit/bb948af00babe545a7fb52700f4ba1424d206677"><code>bb948af</code></a> Release notes for 2.11.2 (<a href="https://redirect.github.com/scrapy/scrapy/issues/6359">#6359</a>)</li>
<li><a href="https://github.com/scrapy/scrapy/commit/5ad9433dd59cd8436ce33bf2c44796516eef4c3c"><code>5ad9433</code></a> Merge remote-tracking branch 'scrapy/2.11' into 2.11</li>
<li>Additional commits viewable in <a href="https://github.com/scrapy/scrapy/compare/2.9.0...2.11.2">compare view</a></li>
</ul>
</details>

<br />



Updates `certifi` from 2023.7.22 to 2024.7.4


Commits






Updates `cryptography` from 41.0.4 to 42.0.4


Changelog

Sourced from cryptography's changelog.




42.0.4 - 2024-02-20



* Fixed a null-pointer-dereference and segfault that could occur when creating
  a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
  issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
  and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
  definitions in :rfc:`2633` :rfc:`3370`.

.. _v42-0-3:


42.0.3 - 2024-02-15




    

  • Fixed an initialization issue that caused key loading failures for some
users.
    • 



.. _v42-0-2:


42.0.2 - 2024-01-30



* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
  ``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
  ``X25519PrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
  ``X448PrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
  and ``DHPrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.

.. _v42-0-1:


42.0.1 - 2024-01-24




    

  • Fixed an issue with incorrect keyword-argument naming with EllipticCurvePrivateKey
:meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign.
    • 

  • Resolved compatibility issue with loading certain RSA public keys in
:func:~cryptography.hazmat.primitives.serialization.load_pem_public_key.
    • 



.. _v42-0-0:


42.0.0 - 2024-01-22



</tr></table> 





... (truncated)





Commits






Updates `idna` from 3.4 to 3.7


Release notes

Sourced from idna's releases.




v3.7


What's Changed


    

  • Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]
    • 



Thanks to Guido Vranken for reporting the issue.


Full Changelog: https://github.com/kjd/idna/compare/v3.6...v3.7







Changelog

Sourced from idna's changelog.




3.7 (2024-04-11)
++++++++++++++++


    

  • Fix issue where specially crafted inputs to encode() could
take exceptionally long amount of time to process. [CVE-2024-3651]
    • 



Thanks to Guido Vranken for reporting the issue.


3.6 (2023-11-25)
++++++++++++++++


    

  • Fix regression to include tests in source distribution.
    • 



3.5 (2023-11-24)
++++++++++++++++


    

  • Update to Unicode 15.1.0
    • 

  • String codec name is now "idna2008" as overriding the system codec
"idna" was not working.
    • 

  • Fix typing error for codec encoding
    • 

  • "setup.cfg" has been added for this release due to some downstream
lack of adherence to PEP 517. Should be removed in a future release
so please prepare accordingly.
    • 

  • Removed reliance on a symlink for the "idna-data" tool to comport
with PEP 517 and the Python Packaging User Guide for sdist archives.
    • 

  • Added security reporting protocol for project
    • 



Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions
to this release.







Commits

    

  • 1d365e1 Release v3.7
    • 

  • c1b3154 Merge pull request #172 from kjd/optimize-contextj
    • 

  • 0394ec7 Merge branch 'master' into optimize-contextj
    • 

  • cd58a23 Merge pull request #152 from elliotwutingfeng/dev
    • 

  • 5beb28b More efficient resolution of joiner contexts
    • 

  • 1b12148 Update ossf/scorecard-action to v2.3.1
    • 

  • d516b87 Update Github actions/checkout to v4
    • 

  • c095c75 Merge branch 'master' into dev
    • 

  • 60a0a4c Fix typo in GitHub Actions workflow key
    • 

  • 5918a0e Merge branch 'master' into dev
    • 

  • Additional commits viewable in compare view
    • 







Updates `requests` from 2.31.0 to 2.32.2


Release notes

Sourced from requests's releases.




v2.32.2


2.32.2 (2024-05-21)


Deprecations


    

  • 

    To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed _get_connection to
a new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of Requests>=2.32.0.
    

    A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)
    

    • 



v2.32.1


2.32.1 (2024-05-20)


Bugfixes


    

  • Add missing test certs to the sdist distributed on PyPI.
    • 



v2.32.0


2.32.0 (2024-05-20)


🐍 PYCON US 2024 EDITION 🐍


Security



Improvements


    

  • verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)
    • 

  • Requests now supports optional use of character detection
(chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)
    • 



Bugfixes


    

  • Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (#6589)
    • 

  • Fixed deserialization bug in JSONDecodeError. (#6629)
    • 

  • Fixed bug where an extra leading / (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)
    • 






... (truncated)





Changelog

Sourced from requests's changelog.




2.32.2 (2024-05-21)


Deprecations


    

  • 

    To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed _get_connection to
a new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of Requests>=2.32.0.
    

    A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)
    

    • 



2.32.1 (2024-05-20)


Bugfixes


    

  • Add missing test certs to the sdist distributed on PyPI.
    • 



2.32.0 (2024-05-20)


Security



Improvements


    

  • verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)
    • 

  • Requests now supports optional use of character detection
(chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)
    • 



Bugfixes


    

  • Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (#6589)
    • 

  • Fixed deserialization bug in JSONDecodeError. (#6629)
    • 

  • Fixed bug where an extra leading / (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)
    • 



Deprecations





... (truncated)





Commits

    

  • 88dce9d v2.32.2
    • 

  • c98e4d1 Merge pull request #6710 from nateprewitt/api_rename
    • 

  • 92075b3 Add deprecation warning
    • 

  • aa1461b Move _get_connection to get_connection_with_tls_context
    • 

  • 970e8ce v2.32.1
    • 

  • d6ebc4a v2.32.0
    • 

  • 9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
    • 

  • 0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
    • 

  • 555b870 Allow character detection dependencies to be optional in post-packaging steps
    • 

  • d6dded3 Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test
    • 

  • Additional commits viewable in compare view
    • 







Updates `setuptools` from 68.2.2 to 70.0.0


Changelog

Sourced from setuptools's changelog.




v70.0.0


Features


    

  • Emit a warning when [tools.setuptools] is present in pyproject.toml and will be ignored. -- by :user:SnoopJ (#4150)
    • 

  • Improved AttributeError error message if pkg_resources.EntryPoint.require is called without extras or distribution
Gracefully "do nothing" when trying to activate a pkg_resources.Distribution with a None location, rather than raising a TypeError
-- by :user:Avasam (#4262)
    • 

  • Typed the dynamically defined variables from pkg_resources -- by :user:Avasam (#4267)
    • 

  • Modernized and refactored VCS handling in package_index. (#4332)
    • 



Bugfixes


    

  • In install command, use super to call the superclass methods. Avoids race conditions when monkeypatching from _distutils_system_mod occurs late. (#4136)
    • 

  • Fix finder template for lenient editable installs of implicit nested namespaces
constructed by using package_dir to reorganise directory structure. (#4278)
    • 

  • Fix an error with UnicodeDecodeError handling in pkg_resources when trying to read files in UTF-8 with a fallback -- by :user:Avasam (#4348)
    • 



Improved Documentation


    

  • Uses RST substitution to put badges in 1 line. (#4312)
    • 



Deprecations and Removals


    

  • 

    Further adoption of UTF-8 in setuptools.
This change regards mostly files produced and consumed during the build process
(e.g. metadata files, script wrappers, automatically updated config files, etc..)
Although precautions were taken to minimize disruptions, some edge cases might
be subject to backwards incompatibility.
    

    Support for "locale" encoding is now deprecated. (#4309)
    

    • 

  • 

    Remove setuptools.convert_path after long deprecation period.
This function was never defined by setuptools itself, but rather a
side-effect of an import for internal usage. (#4322)
    

    • 

  • 

    Remove fallback for customisations of distutils' build.sub_command after long
deprecated period.
Users are advised to import build directly from setuptools.command.build. (#4322)
    

    • 

  • 

    Removed typing_extensions from vendored dependencies -- by :user:Avasam (#4324)
    

    • 

  • 

    Remove deprecated setuptools.dep_util.
The provided alternative is setuptools.modified. (#4360)
    

    • 






... (truncated)





Commits

    

  • 5cbf12a Workaround for release error in v70
    • 

  • 9c1bcc3 Bump version: 69.5.1 → 70.0.0
    • 

  • 4dc0c31 Remove deprecated setuptools.dep_util (#4360)
    • 

  • 6c1ef57 Remove xfail now that test passes. Ref #4371.
    • 

  • d14fa01 Add all site-packages dirs when creating simulated environment for test_edita...
    • 

  • 6b7f7a1 Prevent bin folders to be taken as extern packages when vendoring (#4370)
    • 

  • 69141f6 Add doctest for vendorised bin folder
    • 

  • 2a53cc1 Prevent 'bin' folders to be taken as extern packages
    • 

  • 7208628 Replace call to deprecated validate_pyproject command (#4363)
    • 

  • 96d681a Remove call to deprecated validate_pyproject command
    • 

  • Additional commits viewable in compare view
    • 







Updates `twisted` from 23.8.0 to 24.3.0


Release notes

Sourced from twisted's releases.




Twisted 24.3.0 (2024-03-01)


This release supports PyPy v7.3.14.


Bugfixes


    

  • twisted.logger.formatEvent now honors dotted method names, not just
flat function names, in format strings, as it has long been
explicitly documented to do. So, you will now get the expected
result from [formatEvent("here's the result of calling a method at
log-format time: {obj.method()}", obj=...)]{.title-ref} (#9347)
    • 

  • twisted.web.http.HTTPChannel now ignores the trailer headers
provided in the last chunk of a chunked encoded response, rather
than raising an exception. (#11997)
    • 

  • twisted.protocols.tls.BufferingTLSTransport, used by default by
twisted.protocols.tls.TLSMemoryBIOFactory, was refactored for
improved performance when doing a high number of small writes.
(#12011)
    • 

  • twisted.python.failure.Failure now throws exception for generators
without triggering a deprecation warnings on Python 3.12. (#12026)
    • 

  • twisted.internet.process.Process, used by reactor.spawnProcess,
now copies the parent environment when the [env=None]{.title-ref}
argument is passed on Posix systems and os.posix_spawnp is used
internally. (#12068)
    • 

  • twisted.internet.defer.inlineCallbacks.returnValue's stack
introspection was adjusted for the latest PyPy 7.3.14 release,
allowing legacy @​inlineCallbacks to run on new PyPY versions.
(#12084)
    • 



Deprecations and Removals


    

  • twisted.trial.reporter.TestRun.startTest() is no longer called for
tests with skip annotation or skip attribute for Python 3.12.1 or
newer. This is the result of upstream Python gh-106584 change. The
behavior is not change in 3.12.0 or older. (#12052)
    • 



Misc



Conch


No significant changes.





... (truncated)





Changelog

Sourced from twisted's changelog.




Twisted 24.3.0 (2024-03-01)


This release supports PyPy v7.3.14.


Bugfixes


    

  • twisted.logger.formatEvent now honors dotted method names, not just flat
function names, in format strings, as it has long been explicitly documented to
do.  So, you will now get the expected result from formatEvent("here's the result of calling a method at log-format time: {obj.method()}", obj=...) (#9347)
    • 

  • twisted.web.http.HTTPChannel now ignores the trailer headers provided in the last chunk of a chunked encoded response, rather than raising an exception. (#11997)
    • 

  • twisted.protocols.tls.BufferingTLSTransport, used by default by twisted.protocols.tls.TLSMemoryBIOFactory, was refactored for improved performance when doing a high number of small writes. (#12011)
    • 

  • twisted.python.failure.Failure now throws exception for generators without triggering a deprecation warnings on Python 3.12. (#12026)
    • 

  • twisted.internet.process.Process, used by reactor.spawnProcess, now copies the parent environment when the env=None argument is passed on Posix systems and os.posix_spawnp is used internally. (#12068)
    • 

  • twisted.internet.defer.inlineCallbacks.returnValue's stack introspection was adjusted for the latest PyPy 7.3.14 release, allowing legacy @​inlineCallbacks to run on new PyPY versions. (#12084)
    • 



Deprecations and Removals


    

  • twisted.trial.reporter.TestRun.startTest() is no longer called for tests
with skip annotation or skip attribute for Python 3.12.1 or newer.
This is the result of upstream Python gh-106584 change.
The behavior is not change in 3.12.0 or older. (#12052)
    • 



Misc



Conch


No significant changes.


Web


Bugfixes



- The documentation for twisted.web.client.CookieAgent no longer references
  long-deprecated ``cookielib`` and ``urllib2`` standard library modules. ([#12044](https://github.com/twisted/twisted/issues/12044))

</tr></table>





... (truncated)





Commits






Updates `urllib3` from 1.26.16 to 1.26.19


Release notes

Sourced from urllib3's releases.




1.26.19


🚀 urllib3 is fundraising for HTTP/2 support


urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support for 2023. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.


Thank you for your support.


Changes


    

  • Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.
    • 



Full Changelog: https://github.com/urllib3/urllib3/compare/1.26.18...1.26.19


Note that due to an issue with our release automation, no  multiple.intoto.jsonl file is available for this release.


1.26.18


    

  • Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (GHSA-g4mx-q9vg-27p4)
    • 



1.26.17


    

  • Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (GHSA-v845-jxx5-vc9f)
    • 








Changelog

Sourced from urllib3's changelog.




1.26.19 (2024-06-17)


    

  • Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.
    • 

  • Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS. ([#3405](https://github.com/urllib3/urllib3/issues/3405) <https://github.com/urllib3/urllib3/issues/3405>__)
    • 



1.26.18 (2023-10-17)


    

  • Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.
    • 



1.26.17 (2023-10-02)


    

  • Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. ([#3139](https://github.com/urllib3/urllib3/issues/3139) <https://github.com/urllib3/urllib3/pull/3139>_)
    • 








Commits






Updates `werkzeug` from 2.3.7 to 3.0.3


Release notes

Sourced from werkzeug's releases.




3.0.3


This is the Werkzeug 3.0.3 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.


PyPI: https://pypi.org/project/Werkzeug/3.0.3/
Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-3
Milestone: https://github.com/pallets/werkzeug/milestone/35?closed=1


    

  • Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. GHSA-2g68-c3qc-8985
    • 

  • Make reloader more robust when "" is in sys.path. #2823
    • 

  • Better TLS cert format with adhoc dev certs. #2891
    • 

  • Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. #2828
    • 

  • Type annotation for Rule.endpoint and other uses of endpoint is Any. #2836
    • 



3.0.2


This is a fix release for the 3.0.x feature branch.



3.0.1


This is a security release for the 3.0.x feature branch.



3.0.0


This is a feature release, which includes new features, removes previously deprecated code, and adds new deprecations. The 3.0.x branch is now the supported fix branch, the 2.3.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.



2.3.8


This is a security release for the 2.3.x feature branch.








Changelog

Sourced from werkzeug's changelog.




Version 3.0.3


Released 2024-05-05


    

  • 

    Only allow localhost, .localhost, 127.0.0.1, or the specified
hos...

_Description has been truncated_