build(deps): bump the pip group across 1 directory with 5 updates #12

dependabot · 2024-07-15T19:18:25Z

Bumps the pip group with 5 updates in the / directory:

Package	From	To
django	`5.0.2`	`5.0.7`
pillow	`10.2.0`	`10.3.0`
idna	`3.6`	`3.7`
setuptools	`69.1.0`	`70.0.0`
sqlparse	`0.4.4`	`0.5.0`

Updates django from 5.0.2 to 5.0.7

Commits

deec9b9 [5.0.x] Bumped version for 5.0.7 release.
3a7bf7f [5.0.x] Made cosmetic edits to 5.0.7 release notes.
8e7a44e [5.0.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in get_supported_lang...
9f4f63e [5.0.x] Fixed CVE-2024-39330 -- Added extra file name validation in Storage's...
07cefde [5.0.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when ...
7285644 [5.0.x] Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizet...
8303400 [5.0.x] Fixed 35506 -- Clarified initial references to URLconf in tutorial 1.
c76089b [5.0.x] Refs #35560 -- Corrected CheckConstraint argument name in model_field...
43aa0c1 [5.0.x] Removed outdated note about limitations in Clickjacking protection.
0602fc2 [5.0.x] Fixed #35560 -- Made Model.full_clean() ignore GeneratedFields for co...
Additional commits viewable in compare view

Updates pillow from 10.2.0 to 10.3.0

Release notes

Sourced from pillow's releases.

10.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html

Changes

CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [@hugovk]

Use functools.lru_cache for hopper() #7912 [@hugovk]

Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [@radarhere]

Improve speed of loading QOI images #7925 [@radarhere]

Added RGB to I;16N conversion #7920 [@radarhere]

Add --report argument to main.py to omit supported formats #7818 [@nulano]

Added RGB to I;16, I;16L and I;16B conversion #7918 [@radarhere]

Fix editable installation with custom build backend and configuration options #7658 [@nulano]

Fix putdata() for I;16N on big-endian #7209 [@Yay295]

Determine MPO size from markers, not EXIF data #7884 [@radarhere]

Improved conversion from RGB to RGBa, LA and La #7888 [@radarhere]

Support FITS images with GZIP_1 compression #7894 [@radarhere]

Use I;16 mode for 9-bit JPEG 2000 images #7900 [@scaramallion]

Raise ValueError if kmeans is negative #7891 [@radarhere]

Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [@radarhere]

Raise ValueError for negative values when loading P1-P3 PPM images #7882 [@radarhere]

Added reading of JPEG2000 palettes #7870 [@radarhere]

Added alpha_quality argument when saving WebP images #7872 [@radarhere]

Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions #7881 [@radarhere]

Removed Python and NumPy pinning on Cygwin #7880 [@radarhere]

Update UnidentifiedImageError and version imports #7644 [@radarhere]

Stop reading EPS image at EOF marker #7753 [@radarhere]

PSD layer co-ordinates may be negative #7706 [@radarhere]

Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer #7791 [@radarhere]

When saving GIF frame that restores to background color, do not fill identical pixels #7788 [@radarhere]

Fixed reading PNG iCCP compression method #7823 [@radarhere]

Allow writing IFDRational to UNDEFINED tag #7840 [@radarhere]

Fix logged tag name when loading Exif data #7842 [@radarhere]

Use maximum frame size in IHDR chunk when saving APNG images #7821 [@radarhere]

Prevent opening P TGA images without a palette #7797 [@radarhere]

Use palette when loading ICO images #7798 [@radarhere]

Use consistent arguments for load_read and load_seek #7713 [@radarhere]

Turn off nullability warnings for macOS SDK #7827 [@radarhere]

Fix shift-sign issue in Convert.c #7838 [@r-barnes]

winbuild: Refactor dependency versions into constants #7843 [@hugovk]

Build macOS arm64 wheels natively #7852 [@radarhere]

Fixed typo #7855 [@radarhere]

Open 16-bit grayscale PNGs as I;16 #7849 [@radarhere]

Handle truncated chunks at the end of PNG images #7709 [@lajiyuan]

Match mask size to pasted image size in GifImagePlugin #7779 [@radarhere]

Changed SupportsGetMesh protocol to be public #7841 [@radarhere]

Release GIL while calling WebPAnimDecoderGetNext #7782 [@evanmiller]

Fixed reading FLI/FLC images with a prefix chunk #7804 [@twolife]

Updated package name for Tidelift #7810 [@radarhere]

Removed unused code #7744 [@radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

10.3.0 (2024-04-01)

CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [radarhere, hugovk]

Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() #7927 [radarhere, hugovk]

Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [radarhere]

Add --report argument to __main__.py to omit supported formats #7818 [nulano, radarhere, hugovk]

Added RGB to I;16, I;16L, I;16B and I;16N conversion #7918, #7920 [radarhere]

Fix editable installation with custom build backend and configuration options #7658 [nulano, radarhere]

Fix putdata() for I;16N on big-endian #7209 [Yay295, hugovk, radarhere]

Determine MPO size from markers, not EXIF data #7884 [radarhere]

Improved conversion from RGB to RGBa, LA and La #7888 [radarhere]

Support FITS images with GZIP_1 compression #7894 [radarhere]

Use I;16 mode for 9-bit JPEG 2000 images #7900 [scaramallion, radarhere]

Raise ValueError if kmeans is negative #7891 [radarhere]

Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [radarhere]

Raise ValueError for negative values when loading P1-P3 PPM images #7882 [radarhere]

Added reading of JPEG2000 palettes #7870 [radarhere]

Added alpha_quality argument when saving WebP images #7872 [radarhere]

... (truncated)

Commits

5c89d88 10.3.0 version bump
63cbfcf Update CHANGES.rst [ci skip]
2776126 Merge pull request #7928 from python-pillow/lcms
aeb51cb Merge branch 'main' into lcms
5beb0b6 Update CHANGES.rst [ci skip]
cac6ffa Merge pull request #7927 from python-pillow/imagemath
f5eeeac Name as 'options' in lambda_eval and unsafe_eval, but '_dict' in deprecated eval
facf3af Added release notes
2a93aba Use strncpy to avoid buffer overflow
a670597 Update CHANGES.rst [ci skip]
Additional commits viewable in compare view

Updates idna from 3.6 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Commits

1d365e1 Release v3.7
c1b3154 Merge pull request #172 from kjd/optimize-contextj
0394ec7 Merge branch 'master' into optimize-contextj
cd58a23 Merge pull request #152 from elliotwutingfeng/dev
5beb28b More efficient resolution of joiner contexts
1b12148 Update ossf/scorecard-action to v2.3.1
d516b87 Update Github actions/checkout to v4
c095c75 Merge branch 'master' into dev
60a0a4c Fix typo in GitHub Actions workflow key
5918a0e Merge branch 'master' into dev
Additional commits viewable in compare view

Updates setuptools from 69.1.0 to 70.0.0

Changelog

Sourced from setuptools's changelog.

v70.0.0

Features

Emit a warning when [tools.setuptools] is present in pyproject.toml and will be ignored. -- by :user:SnoopJ (#4150)

Improved AttributeError error message if pkg_resources.EntryPoint.require is called without extras or distribution Gracefully "do nothing" when trying to activate a pkg_resources.Distribution with a None location, rather than raising a TypeError -- by :user:Avasam (#4262)

Typed the dynamically defined variables from pkg_resources -- by :user:Avasam (#4267)

Modernized and refactored VCS handling in package_index. (#4332)

Bugfixes

In install command, use super to call the superclass methods. Avoids race conditions when monkeypatching from _distutils_system_mod occurs late. (#4136)

Fix finder template for lenient editable installs of implicit nested namespaces constructed by using package_dir to reorganise directory structure. (#4278)

Fix an error with UnicodeDecodeError handling in pkg_resources when trying to read files in UTF-8 with a fallback -- by :user:Avasam (#4348)

Improved Documentation

Uses RST substitution to put badges in 1 line. (#4312)

Deprecations and Removals

Further adoption of UTF-8 in setuptools. This change regards mostly files produced and consumed during the build process (e.g. metadata files, script wrappers, automatically updated config files, etc..) Although precautions were taken to minimize disruptions, some edge cases might be subject to backwards incompatibility.

Support for "locale" encoding is now deprecated. (#4309)

Remove setuptools.convert_path after long deprecation period. This function was never defined by setuptools itself, but rather a side-effect of an import for internal usage. (#4322)

Remove fallback for customisations of distutils' build.sub_command after long deprecated period. Users are advised to import build directly from setuptools.command.build. (#4322)

Removed typing_extensions from vendored dependencies -- by :user:Avasam (#4324)

Remove deprecated setuptools.dep_util. The provided alternative is setuptools.modified. (#4360)

... (truncated)

Commits

5cbf12a Workaround for release error in v70
9c1bcc3 Bump version: 69.5.1 → 70.0.0
4dc0c31 Remove deprecated setuptools.dep_util (#4360)
6c1ef57 Remove xfail now that test passes. Ref #4371.
d14fa01 Add all site-packages dirs when creating simulated environment for test_edita...
6b7f7a1 Prevent bin folders to be taken as extern packages when vendoring (#4370)
69141f6 Add doctest for vendorised bin folder
2a53cc1 Prevent 'bin' folders to be taken as extern packages
7208628 Replace call to deprecated validate_pyproject command (#4363)
96d681a Remove call to deprecated validate_pyproject command
Additional commits viewable in compare view

Updates sqlparse from 0.4.4 to 0.5.0

Changelog

Sourced from sqlparse's changelog.

Release 0.5.0 (Apr 13, 2024)

Notable Changes

Drop support for Python 3.5, 3.6, and 3.7.

Python 3.12 is now supported (pr725, by hugovk).

IMPORTANT: Fixes a potential denial of service attack (DOS) due to recursion error for deeply nested statements. Instead of recursion error a generic SQLParseError is raised. See the security advisory for details: GHSA-2m57-hf25-phgg The vulnerability was discovered by @uriyay-jfrog. Thanks for reporting!

Enhancements

Splitting statements now allows to remove the semicolon at the end. Some database backends love statements without semicolon (issue742).

Support TypedLiterals in get_parameters (pr749, by Khrol).

Improve splitting of Transact SQL when using GO keyword (issue762).

Support for some JSON operators (issue682).

Improve formatting of statements containing JSON operators (issue542).

Support for BigQuery and Snowflake keywords (pr699, by griffatrasgo).

Support parsing of OVER clause (issue701, pr768 by r33s3n6).

Bug Fixes

Ignore dunder attributes when creating Tokens (issue672).

Allow operators to precede dollar-quoted strings (issue763).

Fix parsing of nested order clauses (issue745, pr746 by john-bodley).

Thread-safe initialization of Lexer class (issue730).

Classify TRUNCATE as DDL and GRANT/REVOKE as DCL keywords (based on pr719 by josuc1, thanks for bringing this up!).

Fix parsing of PRIMARY KEY (issue740).

Other

Optimize performance of matching function (pr799, by admachainz).

Commits

ddbd0ec Bump version.
29f2e0a Raise recursion limit for tests.
b4a39d9 Raise SQLParseError instead of RecursionError.
f1bcf2f Update AUHTORS and Changelog.
e03b74e Fix Function.get_parameters(), add Funtion.get_window()
617b8f6 Add OVER clause, and group it into Function (fixes #701)
d8f8147 Update AUHTORS and Changelog.
012c9f1 Optimize sqlparse.utils.imt().
46971e5 Fix parsing of PRIMARY KEY (fixes #740).
fc4b0be Code cleanup.
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the pip group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [django](https://github.com/django/django) | `5.0.2` | `5.0.7` | | [pillow](https://github.com/python-pillow/Pillow) | `10.2.0` | `10.3.0` | | [idna](https://github.com/kjd/idna) | `3.6` | `3.7` | | [setuptools](https://github.com/pypa/setuptools) | `69.1.0` | `70.0.0` | | [sqlparse](https://github.com/andialbrecht/sqlparse) | `0.4.4` | `0.5.0` | Updates `django` from 5.0.2 to 5.0.7 - [Commits](django/django@5.0.2...5.0.7) Updates `pillow` from 10.2.0 to 10.3.0 - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@10.2.0...10.3.0) Updates `idna` from 3.6 to 3.7 - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](kjd/idna@v3.6...v3.7) Updates `setuptools` from 69.1.0 to 70.0.0 - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](pypa/setuptools@v69.1.0...v70.0.0) Updates `sqlparse` from 0.4.4 to 0.5.0 - [Changelog](https://github.com/andialbrecht/sqlparse/blob/master/CHANGELOG) - [Commits](andialbrecht/sqlparse@0.4.4...0.5.0) --- updated-dependencies: - dependency-name: django dependency-type: direct:production dependency-group: pip - dependency-name: pillow dependency-type: direct:production dependency-group: pip - dependency-name: idna dependency-type: indirect dependency-group: pip - dependency-name: setuptools dependency-type: indirect dependency-group: pip - dependency-name: sqlparse dependency-type: indirect dependency-group: pip ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added the dependencies Pull requests that update a dependency file label Jul 15, 2024

dependabot bot mentioned this pull request Jul 15, 2024

build(deps): bump the pip group across 1 directory with 4 updates #11

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the pip group across 1 directory with 5 updates #12

build(deps): bump the pip group across 1 directory with 5 updates #12

dependabot bot commented on behalf of github Jul 15, 2024

build(deps): bump the pip group across 1 directory with 5 updates #12

Are you sure you want to change the base?

build(deps): bump the pip group across 1 directory with 5 updates #12

Conversation

dependabot bot commented on behalf of github Jul 15, 2024

10.3.0

Changes

10.3.0 (2024-04-01)

v3.7

What's Changed

v70.0.0

Features

Bugfixes

Improved Documentation

Deprecations and Removals

Release 0.5.0 (Apr 13, 2024)