Bump waitress from 1.4.2 to 1.4.3 #9

Closed
dependabot[bot] wants to merge 1 commit into dev from dependabot/pip/waitress-1.4.3

Conversation


@dependabot dependabot Bot commented on behalf of github Feb 4, 2020

Bumps waitress from 1.4.2 to 1.4.3.

Changelog

Sourced from waitress's changelog.

1.4.3 (2020-02-02)

Security Fixes


- In Waitress version 1.4.2 a new regular expression was added to validate the
  headers that Waitress receives to make sure that it matches RFC7230.
  Unfortunately the regular expression was written in a way that, with invalid
  input, leads to catastrophic backtracking, which allows for a Denial of
  Service and CPU usage going to 100%.

  This was reported by Fil Zembowicz to the Pylons Project. Please see
  https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc
  for more information.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.
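The changelog above describes the failure mode without showing it. The following is an added example (not waitress's code, and the vulnerable pattern is a constructed one, not the regex that shipped in 1.4.2): an RFC 7230 header-field regex whose repeated group contains an optional whitespace run, so an invalid trailing byte forces exponentially many retries, beside an unambiguous rewrite that matches in linear time, plus a timing helper usable as a ReDoS regression check. The names `VULNERABLE_HEADER`, `SAFE_HEADER`, `is_valid_header` and `backtracking_growth` are hypothetical.

```python
import re
import time

# RFC 7230 tchar: "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
# "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
VCHAR = r"[\x21-\x7e]"  # visible ASCII; obs-text (0x80-0xFF) omitted for brevity

# Constructed vulnerable shape (NOT waitress's actual regex): the optional
# whitespace run inside the repeated group lets the engine split a run of
# VCHARs in exponentially many ways before concluding that a trailing
# control byte can never match.
VULNERABLE_HEADER = re.compile(rf"^{TCHAR}+:[ \t]*(?:{VCHAR}+[ \t]*)*$")

# Hardened equivalent: whitespace between words must be non-empty, so each
# input position can be consumed in exactly one way and matching is linear.
SAFE_HEADER = re.compile(
    rf"^{TCHAR}+:[ \t]*(?:{VCHAR}+(?:[ \t]+{VCHAR}+)*)?[ \t]*$"
)


def is_valid_header(line: str, pattern: re.Pattern = SAFE_HEADER) -> bool:
    """True if `line` is a syntactically valid header-field per RFC 7230."""
    return pattern.match(line) is not None


def time_match(pattern: re.Pattern, line: str) -> float:
    """Wall-clock seconds spent matching `line` (a ReDoS regression probe)."""
    start = time.perf_counter()
    pattern.match(line)
    return time.perf_counter() - start


def backtracking_growth(pattern: re.Pattern, n: int) -> list[float]:
    """Match times for invalid header values of length 8..n.

    The value is a run of VCHARs followed by a constructed invalid byte
    (0x01). A linear pattern stays flat; a backtracking one grows roughly
    exponentially with each extra character."""
    return [time_match(pattern, "X-Test: " + "a" * k + "\x01") for k in range(8, n + 1)]


if __name__ == "__main__":
    # Kept small on purpose: the vulnerable pattern doubles its work per char.
    for name, pat in (("vulnerable", VULNERABLE_HEADER), ("safe", SAFE_HEADER)):
        times = backtracking_growth(pat, 18)
        print(f"{name:10s} n=8 {times[0]*1e6:8.1f}us  n=18 {times[-1]*1e6:8.1f}us")
```

Both patterns accept and reject the same inputs; only the cost of rejection differs, which is why a fuzz or timing test, not a correctness test, is what catches this class of bug.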

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Feb 4, 2020
@dependabot dependabot Bot force-pushed the dependabot/pip/waitress-1.4.3 branch 2 times, most recently from 9106b0d to 5b49c35 on February 5, 2020 20:48
Bumps [waitress](https://github.com/Pylons/waitress) from 1.4.2 to 1.4.3.
- [Release notes](https://github.com/Pylons/waitress/releases)
- [Changelog](https://github.com/Pylons/waitress/blob/master/CHANGES.txt)
- [Commits](Pylons/waitress@v1.4.2...v1.4.3)

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/waitress-1.4.3 branch from 5b49c35 to fb727e2 on March 29, 2020 13:23

dependabot Bot commented on behalf of github Mar 29, 2020

Looks like waitress is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this Mar 29, 2020
@dependabot dependabot Bot deleted the dependabot/pip/waitress-1.4.3 branch March 29, 2020 22:03
mpasternak added a commit that referenced this pull request May 3, 2026
Response to ANALYSIS.md (2026-05-02). Altogether #1, #3, #4, #5, #7,
#9, #10: security, performance and reliability bugfixes + tests.

Security (#1):
  LoginRequiredMixin on 5 API endpoints (RokHabilitacji,
  PunktacjaZrodla, UploadPunktacjaZrodla, OstatniaJednostkaIDyscyplina,
  GetPubmedID). An anonymous POST to upload-punktacja-zrodla no longer
  creates a Punktacja_Zrodla. Regression test parametrized 5x.

Healthcheck (#3):
  /health/ pings the DB (SELECT 1) + Redis (PING, timeout 2s) ->
  503 with a list of failed components instead of a hardcoded 200.

Browse N+1 (#4):
  get_available_letters: a single SELECT DISTINCT on the first character
  with mapping of Polish diacritics instead of 26+ EXISTS.

Logging (#7):
  ISO timestamp + logger name. Added django.security,
  django.request, celery loggers. pbn_import keeps the old format.

Celery (#9):
  - import_dyscyplin: select_for_update().get() inside a transaction
    instead of a lazy .filter() (the lock actually works) + regression
    test checking for SELECT...FOR UPDATE in the SQL
  - bpp.tasks.zaktualizuj_liczbe_cytowan: Singleton with a 2h lock
    + time_limit/soft_time_limit against hung WoS requests
  - pbn_export_queue.queue_pbn_export_batch: logger.exception +
    rollbar.report_exc_info instead of except Exception: pass
  - pbn_downloader_app: removed the redundant non-atomic check
    outside create_task_with_lock (race window eliminated)
  - deleted dead my_limit() + task_limits dict from bpp/tasks.py

Tests (#5):
  + 4 edge cases for wyczysc_przypisania (full wrap, branch 3 standalone,
    multi-row, parent_od=None contract)
  + 9 scoring tests for deduplikator_zrodel.ocen_podobienstwo
  + 6 tests for ewaluacja_dwudyscyplinowcy.core
  + 3 regression tests for the lock in import_dyscyplin (parametrized)
  + 4 tests for /health/ + auth API regression

Cleanup (#10):
  - removed: sentry_support.py, test_sentry_support.py, /sentry_test/,
    the SENTRYSDK_* section in .env.example
  - font-awesome 4.1.0 from package.json + yarn.lock (orphaned, EOL)
  - test_exception_view kept for Rollbar tests

Towncrier: 9 fragments in src/bpp/newsfragments/.

Pre-existing test_przeanalizuj_import_dyscyplin also fails before the
change (the test assumes eager Celery, settings.local has False);
not touched.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>