theupdateframework / tuf-on-ci

A TUF repository and signing tool

build(deps): bump the pyproject-dependencies group across 2 directories with 12 updates #306

Closed dependabot[bot] closed 3 months ago

dependabot[bot] commented 4 months ago

Updates the requirements on securesystemslib[awskms,azurekms,gcpkms,pynacl,sigstore], tuf, mypy, ruff, boto3, botocore, cryptography, grpcio-status, protobuf, securesystemslib, sigstore-rekor-types and securesystemslib[awskms,azurekms,gcpkms,hsm,sigstore] to permit the latest version. Updates securesystemslib[awskms,azurekms,gcpkms,pynacl,sigstore] to 1.0.0

Release notes

Sourced from securesystemslib[awskms,azurekms,gcpkms,pynacl,sigstore]'s releases.

v1.0.0

See CHANGELOG.md for details.

Changelog

Sourced from securesystemslib[awskms,azurekms,gcpkms,pynacl,sigstore]'s changelog.

securesystemslib v1.0.0

Securesystemslib API is now considered stable. The core functionality is provided in the Signer interface and the half a dozen integrated Signer implementations that can be found in the signer module. Smaller helper modules dsse, formats, hash and storage are also part of the API. Several legacy modules have been removed.

Added

  • Signer: add public_key attribute to interface (#756)
  • VaultSigner: Signer implementation for HashiCorp Vault (#800)
  • CryptoSigner: support ecdsa keytype that is no longer in spec (#711)
  • CryptoSigner: add private_bytes property (#799)
  • CryptoSigner: add "file2" signer uri (#759)
  • test: use localstack to test AWSSigner (#777)

Removed

  • CryptoSigner: remove "file" signer uri (#759)
  • migration script for legacy keys (#770)
  • SSlibSigner class and *_securesystemslib_key methods (#771)
  • legacy key key*, interface, util and schema modules (#772, #773, #776)
  • unused functions in hash, and formats module (#774, #776)
  • unused global key constants (#806)

Changed

  • SSlibKey: strengthen input validation (#780, #795)
  • AWSSigner: support default scheme and add stronger input validation (#724, #778)
  • dsse: change Envelope.signatures type to dict (#743)
  • vendor: update ed25519 copy (#793)
  • docs: improve user and contributor docs (#744, #745, #746, #749, #759, #796)
  • test: improve and temporarily disable SigstoreSigner test (#779, #785)
  • ci: use dependabot groups, update weekly (#735)
  • ci: test macOS and Windows on latest Python only (#797)
  • Make securessystemslib.gpg internal (#792)

Fixed

  • Fix check-upstream-ed25519 workflow permission (#706)
  • SSlibKey: fix default scheme and test for ecdsa nistp384 key (#763 #794)

securesystemslib v0.31.0

Added

  • CryptoSigner: create from cryptography private key with new constructor (#675)
  • SSlibKey: create from cryptography public key with new from_crypto method (#678)
  • Release: auto-release with PyPI Trusted Publishing (#683)
  • Docs to migrate legacy key files (#658)

Removed

  • Removed SSlibKey.from_pem factory method in favor of from_crypto (#678)

... (truncated)

Commits
  • 1092ac6 Merge pull request #807 from lukpueh/release-1.0.0
  • fe34bac Update v1.0.0 entry in CHANGELOG
  • c682259 Release 1.0.0
  • 5789578 Merge pull request #800 from lukpueh/vault-signer
  • acae70a Add VaultSigner and tests
  • 66a56cb Merge pull request #804 from secure-systems-lab/dependabot/pip/dependencies-9...
  • c48a451 Merge pull request #803 from secure-systems-lab/dependabot/pip/test-and-lint-...
  • 557378e Merge pull request #806 from lukpueh/rm-stray-globals
  • 6975b81 Remove 3 stray global key type constants
  • 402c898 Merge pull request #802 from lukpueh/rm-stability-disclaimers
  • Additional commits viewable in compare view


Updates tuf from 3.1.1 to 4.0.0

Release notes

Sourced from tuf's releases.

v4.0.0

This release is a small API change for Metadata API users (see below). ngclient API is compatible but optional DSSE support has been added.

Added

  • Added optional DSSE support to Metadata API and ngclient (#2436)

Changed

  • Metadata API: Improved verification functionality for repository users (#2551):
    • This is an API change for Metadata API users ( Root.get_verification_result() and Targets.get_verification_result() specifically)
    • Root.get_root_verification_result() has been added to handle the special case of root verification
  • Started using UTC datetimes instead of naive datetimes internally (#2573)
  • Constrain securesystemslib dependency to <0.32.0 in preparation for future securesystemslib API changes
  • Various build, test and lint improvements

Changelog

Sourced from tuf's changelog.

v4.0.0

This release is a small API change for Metadata API users (see below). ngclient API is compatible but optional DSSE support has been added.

Added

  • Added optional DSSE support to Metadata API and ngclient (#2436)

Changed

  • Metadata API: Improved verification functionality for repository users (#2551):
    • This is an API change for Metadata API users ( Root.get_verification_result() and Targets.get_verification_result() specifically)
    • Root.get_root_verification_result() has been added to handle the special case of root verification
  • Started using UTC datetimes instead of naive datetimes internally (#2573)
  • Constrain securesystemslib dependency to <0.32.0 in preparation for future securesystemslib API changes
  • Various build, test and lint improvements

Commits
  • 2d6fc74 Merge pull request #2601 from jku/release-v4
  • 928702a Release v4.0.0
  • 892c789 Merge pull request #2600 from lukpueh/set-max-sslib-version
  • bc3ebd8 Constrain securesystemslib dependency to <0.32.0
  • 5947bd0 Merge pull request #2594 from theupdateframework/dependabot/pip/build-and-rel...
  • afa4619 Merge pull request #2596 from theupdateframework/dependabot/github_actions/ac...
  • 7c5cae3 Merge pull request #2595 from theupdateframework/dependabot/pip/test-and-lint...
  • ad2c98a Merge pull request #2593 from theupdateframework/dependabot/pip/dependencies-...
  • 6cd2d22 build(deps): bump the dependencies group with 1 update
  • 9f4906b build(deps): bump the test-and-lint-dependencies group with 1 update
  • Additional commits viewable in compare view


Updates mypy from 1.9.0 to 1.10.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next release

Mypy 1.10

We’ve just uploaded mypy 1.10 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Support TypeIs (PEP 742)

Mypy now supports TypeIs (PEP 742), which allows functions to narrow the type of a value, similar to isinstance(). Unlike TypeGuard, TypeIs can narrow in both the if and else branches of an if statement:

    from typing_extensions import TypeIs

    def is_str(s: object) -> TypeIs[str]:
        return isinstance(s, str)

    def f(o: str | int) -> None:
        if is_str(o):
            # Type of o is 'str'
            ...
        else:
            # Type of o is 'int'
            ...

TypeIs will be added to the typing module in Python 3.13, but it can be used on earlier Python versions by importing it from typing_extensions.

This feature was contributed by Jelle Zijlstra (PR 16898).

Support TypeVar Defaults (PEP 696)

PEP 696 adds support for type parameter defaults. Example:

from typing import Generic
from typing_extensions import TypeVar


... (truncated)

Commits


Updates ruff from 0.3.5 to 0.4.3

Release notes

Sourced from ruff's releases.

v0.4.3

Changes

Enhancements

  • Add support for PEP 696 syntax (#11120)

Preview features

  • [refurb] Use function range for reimplemented-operator diagnostics (#11271)
  • [refurb] Ignore methods in reimplemented-operator (FURB118) (#11270)
  • [refurb] Implement fstring-number-format (FURB116) (#10921)
  • [ruff] Implement redirected-noqa (RUF101) (#11052)
  • [pyflakes] Distinguish between first-party and third-party imports for fix suggestions (#11168)

Rule changes

  • [flake8-bugbear] Ignore non-abstract class attributes when enforcing B024 (#11210)
  • [flake8-logging] Include inline instantiations when detecting loggers (#11154)
  • [pylint] Also emit PLR0206 for properties with variadic parameters (#11200)
  • [ruff] Detect duplicate codes as part of unused-noqa (RUF100) (#10850)

Formatter

  • Avoid multiline expression if format specifier is present (#11123)

LSP

  • Write ruff server setup guide for Helix (#11183)
  • ruff server no longer hangs after shutdown (#11222)
  • ruff server reads from a configuration TOML file in the user configuration directory if no local configuration exists (#11225)
  • ruff server respects per-file-ignores configuration (#11224)
  • ruff server: Support a custom TOML configuration file (#11140)
  • ruff server: Support setting to prioritize project configuration over editor configuration (#11086)

Bug fixes

  • Avoid debug assertion around NFKC renames (#11249)
  • [pyflakes] Prioritize redefined-while-unused over unused-import (#11173)
  • [ruff] Respect async expressions in comprehension bodies (#11219)
  • [pygrep_hooks] Fix blanket-noqa panic when last line has noqa with no newline (PGH004) (#11108)
  • [perflint] Ignore list-copy recommendations for async for loops (#11250)
  • [pyflakes] Improve invalid-print-syntax documentation (#11171)

Performance

  • Avoid allocations for isort module names (#11251)
  • Build a separate ARM wheel for macOS (#11149)

Contributors

... (truncated)

Changelog

Sourced from ruff's changelog.

0.4.3

Enhancements

  • Add support for PEP 696 syntax (#11120)

Preview features

  • [refurb] Use function range for reimplemented-operator diagnostics (#11271)
  • [refurb] Ignore methods in reimplemented-operator (FURB118) (#11270)
  • [refurb] Implement fstring-number-format (FURB116) (#10921)
  • [ruff] Implement redirected-noqa (RUF101) (#11052)
  • [pyflakes] Distinguish between first-party and third-party imports for fix suggestions (#11168)

Rule changes

  • [flake8-bugbear] Ignore non-abstract class attributes when enforcing B024 (#11210)
  • [flake8-logging] Include inline instantiations when detecting loggers (#11154)
  • [pylint] Also emit PLR0206 for properties with variadic parameters (#11200)
  • [ruff] Detect duplicate codes as part of unused-noqa (RUF100) (#10850)

Formatter

  • Avoid multiline expression if format specifier is present (#11123)

LSP

  • Write ruff server setup guide for Helix (#11183)
  • ruff server no longer hangs after shutdown (#11222)
  • ruff server reads from a configuration TOML file in the user configuration directory if no local configuration exists (#11225)
  • ruff server respects per-file-ignores configuration (#11224)
  • ruff server: Support a custom TOML configuration file (#11140)
  • ruff server: Support setting to prioritize project configuration over editor configuration (#11086)

Bug fixes

  • Avoid debug assertion around NFKC renames (#11249)
  • [pyflakes] Prioritize redefined-while-unused over unused-import (#11173)
  • [ruff] Respect async expressions in comprehension bodies (#11219)
  • [pygrep_hooks] Fix blanket-noqa panic when last line has noqa with no newline (PGH004) (#11108)
  • [perflint] Ignore list-copy recommendations for async for loops (#11250)
  • [pyflakes] Improve invalid-print-syntax documentation (#11171)

Performance

  • Avoid allocations for isort module names (#11251)
  • Build a separate ARM wheel for macOS (#11149)

0.4.2

... (truncated)

Commits


Updates boto3 from 1.34.98 to 1.34.99

Changelog

Sourced from boto3's changelog.

1.34.99

  • api-change:medialive: [botocore] AWS Elemental MediaLive now supports configuring how SCTE 35 passthrough triggers segment breaks in HLS and MediaPackage output groups. Previously, messages triggered breaks in all these output groups. The new option is to trigger segment breaks only in groups that have SCTE 35 passthrough enabled.

Commits
  • 4897613 Merge branch 'release-1.34.99'
  • 1b78aed Bumping version to 1.34.99
  • c8a5b57 Add changelog entries from botocore
  • 9213bfe Merge branch 'release-1.34.98' into develop
  • See full diff in compare view


Updates botocore from 1.34.98 to 1.34.99

Changelog

Sourced from botocore's changelog.

1.34.99

  • api-change:medialive: AWS Elemental MediaLive now supports configuring how SCTE 35 passthrough triggers segment breaks in HLS and MediaPackage output groups. Previously, messages triggered breaks in all these output groups. The new option is to trigger segment breaks only in groups that have SCTE 35 passthrough enabled.

Commits


Updates cryptography from 42.0.6 to 42.0.7

Changelog

Sourced from cryptography's changelog.

42.0.7 - 2024-05-06

  • Restored Windows 7 compatibility for our pre-built wheels. Note that we do not test on Windows 7 and wheels for our next release will not support it. Microsoft no longer provides support for Windows 7 and users are encouraged to upgrade.


Commits


Updates grpcio-status from 1.62.2 to 1.63.0

Updates protobuf from 4.25.3 to 5.26.1

Commits
  • 2434ef2 Updating version.json and repo version numbers to: 26.1
  • 49253b1 Merge pull request #16308 from protocolbuffers/cp-26x-3
  • 9bf69ec Fix validateFeatures to be called after resolved features are actually set to...
  • b752bc2 Merge pull request #16307 from protocolbuffers/cp-26x-2
  • f7d2326 Merge pull request #16309 from protocolbuffers/cp-26x-4
  • 2e51ff6 Cherry-pick required label handling in JRuby field descriptor from https://gi...
  • a2f5303 Update cmake stalenes
  • 6a177d2 Merge branch '26.x' into cp-26x-4
  • 2d3d8ba Expand cpp_features_proto_srcs visibility
  • e1092ee Merge pull request #16294 from protocolbuffers/cp-26x
  • Additional commits viewable in compare view


Updates securesystemslib from 0.31.0 to 1.0.0

Release notes

Sourced from securesystemslib's releases.

v1.0.0

See CHANGELOG.md for details.

Changelog

Sourced from securesystemslib's changelog.

securesystemslib v1.0.0

Securesystemslib API is now considered stable. The core functionality is provided in the Signer interface and the half a dozen integrated Signer implementations that can be found in the signer module. Smaller helper modules dsse, formats, hash and storage are also part of the API. Several legacy modules have been removed.

Added

  • Signer: add public_key attribute to interface (#756)
  • VaultSigner: Signer implementation for HashiCorp Vault (#800)
  • CryptoSigner: support ecdsa keytype that is no longer in spec (#711)
  • CryptoSigner: add private_bytes property (#799)
  • CryptoSigner: add "file2" signer uri (#759)
  • test: use localstack to test AWSSigner (#777)

Removed

  • CryptoSigner: remove "file" signer uri (#759)
  • migration script for legacy keys (#770)
  • SSlibSigner class and *_securesystemslib_key methods (#771)
  • legacy key key*, interface, util and schema modules (#772, #773, #776)
  • unused functions in hash, and formats module (#774, #776)
  • unused global key constants (#806)

Changed

  • SSlibKey: strengthen input validation (#780, #795)
  • AWSSigner: support default scheme and add stronger input validation (#724, #778)
  • dsse: change Envelope.signatures type to dict (#743)
  • vendor: update ed25519 copy (#793)
  • docs: improve user and contributor docs (#744, #745, #746, #749, #759, #796)
  • test: improve and temporarily disable SigstoreSigner test (#779, #785)
  • ci: use dependabot groups, update weekly (#735)
  • ci: test macOS and Windows on latest Python only (#797)
  • Make securessystemslib.gpg internal (#792)

Fixed

  • Fix check-upstream-ed25519 workflow permission (#706)
  • SSlibKey: fix default scheme and test for ecdsa nistp384 key (#763 #794)

Commits
  • 1092ac6 Merge pull request #807 from lukpueh/release-1.0.0
  • fe34bac Update v1.0.0 entry in CHANGELOG
  • c682259 Release 1.0.0
  • 5789578 Merge pull request #800 from lukpueh/vault-signer
  • acae70a Add VaultSigner and tests
  • 66a56cb Merge pull request #804 from secure-systems-lab/dependabot/pip/dependencies-9...
  • c48a451 Merge pull request #803 from secure-systems-lab/dependabot/pip/test-and-lint-...
  • 557378e Merge pull request #806 from lukpueh/rm-stray-globals
  • 6975b81 Remove 3 stray global key type constants
  • 402c898 Merge pull request #802 from lukpueh/rm-stability-disclaimers
  • Additional commits viewable in compare view


Updates sigstore-rekor-types from 0.0.11 to 0.0.13

Release notes

Sourced from sigstore-rekor-types's releases.

v0.0.13

What's Changed

Full Changelog: https://github.com/trailofbits/sigstore-rekor-types/compare/v0.0.12...v0.0.13

v0.0.12

What's Changed

New Contributors

Full Changelog: https://github.com/trailofbits/sigstore-rekor-types/compare/v0.0.11...v0.0.12

Commits
  • cb51dc2 rekor_types: 0.0.13
  • 0bbbec8 bump rekor to 1.3.6 (#26)
  • 7637117 build(deps): bump actions/deploy-pages from 4.0.4 to 4.0.5 (#37)
  • 86ca37e build(deps-dev): update ruff requirement from <0.3.4 to <0.3.5 (#38)
  • a1fa8f3 build(deps-dev): update ruff requirement from <0.3.3 to <0.3.4 (#36)
  • 734dd39 build(deps-dev): update ruff requirement from <0.3.1 to <0.3.3 (#34)
  • dcd6305 build(deps): bump pypa/gh-action-pypi-publish from 1.8.12 to 1.8.14 (#35)
  • b5391b1 build(deps-dev): update ruff requirement from <0.2.3 to <0.3.1 (#32)
  • 8d5a1c2 build(deps): bump pypa/gh-action-pypi-publish from 1.8.11 to 1.8.12 (#33)
  • 2ef01cc build(deps-dev): update ruff requirement from <0.2.2 to <0.2.3 (#31)
  • Additional commits viewable in compare view


Updates tuf to 4.0.0

Release notes

Sourced from tuf's releases.

v4.0.0

This release is a small API change for Metadata API users (see below). ngclient API is compatible but optional DSSE support has been added.

Added

  • Added optional DSSE support to Metadata API and ngclient (#2436)

Changed

  • Metadata API: Improved verification functionality for repository users (#2551):
    • This is an API change for Metadata API users ( Root.get_verification_result() and Targets.get_verification_result() specifically)
    • Root.get_root_verification_result() has been added to handle the special case of root verification
  • Started using UTC datetimes instead of naive datetimes internally (#2573)
  • Constrain securesystemslib dependency to <0.32.0 in preparation for future securesystemslib API changes
  • Various build, test and lint improvements

Changelog

Sourced from tuf's changelog.

v4.0.0

This release is a small API change for Metadata API users (see below). ngclient API is compatible but optional DSSE support has been added.

Added

  • Added optional DSSE support to Metadata API and ngclient (#2436)

Changed

  • Metadata API: Improved verification functionality for repository users (#2551):
    • This is an API change for Metadata API users ( Root.get_verification_result() and Targets.get_verification_result() specifically)
    • Root.get_root_verification_result() has been added to handle the special case of root verification
  • Started using UTC datetimes instead of naive datetimes internally (#2573)
  • Constrain securesystemslib dependency to <0.32.0 in preparation for future securesystemslib API changes
  • Various build, test and lint improvements

Commits
  • 2d6fc74 Merge pull request #2601 from jku/release-v4
  • 928702a Release v4.0.0
  • 892c789 Merge pull request #2600 from lukpueh/set-max-sslib-version
  • bc3ebd8 Constrain securesystemslib dependency to <0.32.0
  • 5947bd0 Merge pull request #2594 from theupdateframework/dependabot/pip/build-and-rel...
  • afa4619 Merge pull request #2596 from theupdateframework/dependabot/github_actions/ac...
  • 7c5cae3 Merge pull request #2595 from theupdateframework/dependabot/pip/test-and-lint...
  • ad2c98a Merge pull request #2593 from theupdateframework/dependabot/pip/dependencies-...
  • 6cd2d22 build(deps): bump the dependencies group with 1 update
  • 9f4906b build(deps): bump the test-and-lint-dependencies group with 1 update
  • Additional commits viewable in compare view


Updates mypy from 1.9.0 to 1.10.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next release

Mypy 1.10

We’ve just uploaded mypy 1.10 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Support TypeIs (PEP 742)

Mypy now supports TypeIs (PEP 742), which allows functions to narrow the type of a value, similar to isinstance(). Unlike TypeGuard, TypeIs can narrow in both the if and else branches of an if statement:

    from typing_extensions import TypeIs

    def is_str(s: object) -> TypeIs[str]:
        return isinstance(s, str)

    def f(o: str | int) -> None:
        if is_str(o):
            # Type of o is 'str'
            ...
        else:
            # Type of o is 'int'
            ...

TypeIs will be added to the typing module in Python 3.13, but it can be used on earlier Python versions by importing it from typing_extensions.

This feature was contributed by Jelle Zijlstra (PR 16898).

Support TypeVar Defaults (PEP 696)

PEP 696 adds support for type parameter defaults. Example:

from typing import Generic
from typing_extensions import TypeVar


... (truncated)

Commits


Updates ruff from 0.3.5 to 0.4.3

Release notes

Sourced from ruff's releases.

v0.4.3

Changes

Enhancements

  • Add support for PEP 696 syntax (#11120)

Preview features

  • [refurb] Use ... _Description has been truncated_
jku commented 4 months ago

So currently we have the same requirements in signer and repo (apart from securesystemslib options):

  "securesystemslib[...] ~= 0.31.0",
  "tuf ~= 3.0",

For repo it's offering this upgrade

  "securesystemslib[...] ~= 1.0.0",
  "tuf ~= 4.0",

For signer it's offering this one:

  "securesystemslib[...] >= 0.31,< 1.1",
  "tuf >= 3,< 5",

I'm not impressed by the consistency. I'm sure there is a reason to do completely different things in these two cases but since those reasons are never spelled out... :shrug:
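The three pyproject fragments quoted above differ in what versions they admit, which is the practical consequence of the inconsistency: a compatible-release specifier (`~=`) pins to one minor (or major) series, while an explicit `>= a, < b` range spans several. The following added example (not tuf-on-ci's own code, and not how dependabot computes its proposals) is a minimal PEP 440 release-version checker that evaluates each quoted requirement against the versions this PR moves between, plus constructed successors `0.32.0`, `1.1.0`, `4.9.0` and `5.0.0`. It models only plain release segments such as `3.1.1` (no pre-, post- or dev-release suffixes); for real dependency analysis use `packaging.specifiers.SpecifierSet` instead.

```python
"""Added example, not tuf-on-ci code: a toy PEP 440 specifier checker.

Only plain release versions ("3.1.1") are modelled; pre-, post- and dev
releases are out of scope. Real code should use packaging.specifiers.
"""
from __future__ import annotations

import re

# name, optional extras such as "[...]", then the specifier text
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)(\[[^\]]*\])?\s*(.*?)\s*$")


def _release(v: str) -> tuple[int, ...]:
    """'3.1.1' -> (3, 1, 1); raises ValueError on non-numeric components."""
    return tuple(int(p) for p in v.strip().split("."))


def compare(a: str, b: str) -> int:
    """PEP 440 ordering of release segments: '3' == '3.0' == '3.0.0'."""
    pa, pb = _release(a), _release(b)
    width = max(len(pa), len(pb))
    ka = pa + (0,) * (width - len(pa))
    kb = pb + (0,) * (width - len(pb))
    return (ka > kb) - (ka < kb)


def _prefix_match(version: str, prefix: str) -> bool:
    """'== X.Y.*' semantics: the leading components of version equal X.Y."""
    pp, pv = _release(prefix), _release(version)
    pv = pv + (0,) * (len(pp) - len(pv))  # '1' counts as '1.0' against a '1.0.*' prefix
    return pv[: len(pp)] == pp


def matches_clause(version: str, clause: str) -> bool:
    """Evaluate one clause such as '~= 3.0', '>= 0.31' or '< 5'."""
    clause = clause.strip()
    for op in ("~=", "==", "!=", ">=", "<=", ">", "<"):
        if clause.startswith(op):
            target = clause[len(op):].strip()
            break
    else:
        raise ValueError(f"unsupported clause: {clause!r}")
    if op == "~=":
        # Compatible release: '~= X.Y.Z' is shorthand for '>= X.Y.Z, == X.Y.*'
        parts = target.split(".")
        if len(parts) < 2:
            raise ValueError("'~=' needs at least two release components")
        return compare(version, target) >= 0 and _prefix_match(version, ".".join(parts[:-1]))
    if op in ("==", "!=") and target.endswith(".*"):
        hit = _prefix_match(version, target[:-2])
        return hit if op == "==" else not hit
    c = compare(version, target)
    return {"==": c == 0, "!=": c != 0, ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0}[op]


def _split_requirement(requirement: str) -> tuple[str, str]:
    """'"tuf >= 3,< 5",' -> ('tuf', '>= 3,< 5'); extras like '[...]' are ignored."""
    cleaned = requirement.strip().rstrip(",").strip().strip("\"'")
    m = _REQ_RE.match(cleaned)
    if not m:
        raise ValueError(f"cannot parse requirement: {requirement!r}")
    return m.group(1), m.group(3)


def satisfies(version: str, requirement: str) -> bool:
    """True if version meets every comma-separated clause of the requirement."""
    _, spec = _split_requirement(requirement)
    if not spec:
        return True  # a bare name admits any version
    return all(matches_clause(version, clause) for clause in spec.split(","))


# Constructed from the three pyproject fragments quoted in the comment above.
CONSTRAINT_SETS = {
    "current": ['"securesystemslib[...] ~= 0.31.0",', '"tuf ~= 3.0",'],
    "repo (proposed)": ['"securesystemslib[...] ~= 1.0.0",', '"tuf ~= 4.0",'],
    "signer (proposed)": ['"securesystemslib[...] >= 0.31,< 1.1",', '"tuf >= 3,< 5",'],
}

# Versions the PR moves between, plus constructed hypothetical successors.
CANDIDATES = {
    "securesystemslib": ["0.31.0", "0.32.0", "1.0.0", "1.1.0"],
    "tuf": ["3.1.1", "4.0.0", "4.9.0", "5.0.0"],
}


def accepted_versions(label: str) -> dict[str, list[str]]:
    """For one constraint set, list which candidate versions each requirement admits."""
    out: dict[str, list[str]] = {}
    for req in CONSTRAINT_SETS[label]:
        name, _ = _split_requirement(req)
        out[name] = [v for v in CANDIDATES[name] if satisfies(v, req)]
    return out


if __name__ == "__main__":
    for label in CONSTRAINT_SETS:
        print(f"{label}: {accepted_versions(label)}")
```

Running it shows the divergence concretely: the current `~= 3.0` rejects `4.0.0` outright, the proposed repo pin `~= 4.0` admits only the 4.x series, and the proposed signer range `>= 3,< 5` admits both 3.1.1 and every 4.x release but stops at 5.0.0. Which of these is the right policy depends on how much API drift the project is willing to absorb without review; the point is that the two files would answer that question differently.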

jku commented 4 months ago

I rewrote this one pretty extensively, I think it's fine now.

dependabot[bot] commented 3 months ago

Looks like these dependencies are updatable in another way, so this is no longer needed.

jku commented 3 months ago

wow thanks