v3.0.2
Security
-
Dependency floor bumps for 13 CVEs flagged by Component Governance (#909) — bumped minimum versions for direct dependencies with known vulnerabilities, and added explicit minimum-version pins for vulnerable transitive dependencies to prevent silent downgrades:
Package Old Min New Min azure-core>=1.24.0>=1.38.0cryptography>=43.0.1>=48.0.0jinja2>=3.1.5>=3.1.6lxml>=4.6.5>=6.1.1pyjwt>=2.3.0>=2.13.0urllib3>=2.6.3>=2.7.0tornado>=6.4.2>=6.5.5aiohttp(unpinned) >=3.14.0h11(unpinned) >=0.16.0idna(unpinned) >=3.15jaraco.context(unpinned) >=6.1.0Pillow(unpinned) >=12.2.0filelock(dev)>=3.0.0>=3.29.1
Bug Fixes
- Cybereason driver: failsafe JSON parsing — added a try/except around response JSON parsing to avoid unhandled exceptions on malformed API responses. (#908)
azure-mgmt-resource26.0.0 compatibility — the 26.0.0 release movedResourceManagementClientto a new import path and introduced other breaking changes, which broke every Sentinel/Azure context provider import. Capped the dependency to<26.0.0.- mypy false positive on numpy 2.5 stubs — mypy was inferring its syntax-checking target from
setup.cfg's minimum supported Python version instead of the interpreter actually running it, causing a spurious failure on numpy's PEP 695 stub syntax. mypy now runs with an explicit--python-versionmatching the CI job. Also fixed 6 real (previously-masked) type errors this uncovered acrossnbinit.py,azure_ml_tools.py,pivot_magic_core.py,polling_detection.py,eventcluster.py, andfoliummap.py.
Removed
conda/requirements files andrequirements-all.txtare no longer tracked in the repository. These were unmaintained/unenforced duplicates of the dependency set already declared insetup.py's extras. Usepip install -e ".[test]"(or.[all]for just the optional extras) instead.tools/create_reqs_all.pyremains available as a manual, on-demand generator if you need a frozenrequirements-all.txtlocally.- Removed the
check_reqs_allpre-commit hook, which used to auto-rewriterequirements-all.txt(and strip its hand-maintained comments) on every commit touching a Python file. - Removed
tests/test_pkg_imports.py::test_conda_reqs; kept and simplifiedtest_missing_pkgs_req.
Internal / CI
- Fixed a stdlib-detection bug in
tools/toollib/import_analyzer.pythat misclassified standard-library modules as missing packages when run from auv-managed virtual environment (usedsys.prefixonly; now also checkssys.base_prefix). - Simplified GitHub Actions and Azure Pipelines CI installs to use
pip install -e ".[test]"in place of separaterequirements-all.txt+requirements-dev.txtsteps; updated pip cache keys accordingly and fixed a stray cache-key path typo in the docs job. - Updated
.devcontainer/Dockerfileto installmsticpy[test]directly. sphinxrequirement split by Python version (>=8.1.3for Python ≤3.11,>=9.1.0for Python ≥3.12). (#902)azure-storage-blobminimum bumped to>=12.28.0. (#903)
Dependency Updates
Development / CI
| Package | Old | New |
|---|---|---|
coverage |
>=7.13.5 |
>=7.14.1 |
filelock |
>=3.0.0 |
>=3.29.1 |
ruff |
>=0.15.12 |
>=0.15.16 |
respx |
>=0.20.1 |
>=0.22.0 (required for httpx>=0.28.0 compatibility) |
sphinx |
>=5.0.1,<8.0.0 |
>=8.1.3 (py≤3.11) / >=9.1.0 (py≥3.12) |
Runtime
| Package | Old | New |
|---|---|---|
tldextract |
>=2.2.2 |
>=5.3.1 |
python-dateutil |
>=2.8.1 |
>=2.9.0.post0 |
azure-storage-blob |
>=12.5.0 |
>=12.28.0 |
Full Changelog: v3.0.1...v3.0.2