Python dependency: Bump paramiko from 3.5.1 to 5.0.0 #9927
dependabot[bot] wants to merge 1 commit into
Bumps [paramiko](https://github.com/paramiko/paramiko) from 3.5.1 to 5.0.0.
- [Commits](paramiko/paramiko@3.5.1...5.0.0)

---
updated-dependencies:
- dependency-name: paramiko
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…#9954)

Python:
- requirements.txt: google-auth-oauthlib 1.3.1 -> 1.4.0 (#9929 / #9931), gated so Python 3.9 stays on 1.3.1 (1.4.0 requires python_version >= 3.10). Mirrors the existing boto3 1.42.*/1.43.* split.
- tools/requirements.txt: requests >=2.33.1 -> >=2.34.2 on python_version > '3.9' (#9943 / #9944).
- web/regression/requirements.txt: selenium 4.43.0 -> 4.44.0 (#9946). The selenium pin already requires Python >=3.10 in master, so the bump introduces no new 3.9 gap.

JavaScript (web/package.json, web/yarn.lock):
- postcss 8.5.12 -> 8.5.14 (#9874 / #9889)
- @tanstack/react-query 5.100.5 -> 5.100.9 (#9878)
- ip-address 10.1.0 -> 10.1.1 (#9918)
- packageManager pin yarn@4.14.0 -> yarn@4.15.0 and regenerate yarn.lock at lockfile __metadata.version 10. CI runs yarn 4.15.0 with hardened mode on public PRs and refuses to migrate the lockfile from version 9 (yarn 4.14.x) to 10; master passes today only because hardened mode is PR-only.

Electron runtime (runtime/package.json, runtime/yarn.lock):
- axios 1.16.0 -> 1.16.1 (#9948)
- eslint 10.3.0 -> 10.4.0 (#9947)

Skipped (genuine breaking changes, deferred to follow-up PRs):
- @mui/material 7 -> 9 (#9843)
- @mui/x-date-pickers 8 -> 9 (#9888)
- cryptography 47.0.* -> 48.0.* (#9926 / #9932)
- paramiko 3.5.1 -> 5.0.0 (#9927 / #9930)
- electron 41.5.0 -> 42.1.0 (#9945)

Verified in an isolated worktree:
- jest: 140/0/0 suites, 824/0/0 tests
- eslint: clean (web + runtime, both silent)
- pycodestyle: 0 violations project-wide

Each version was cross-checked against the corresponding dependabot PR diff via `gh pr diff`. Each Python bump was cross-checked against PyPI's requires_python so Python 3.9 support stays intact.
Audited on 2026-05-20 and intentionally deferred for now (re-evaluate ~Q4 2026). Leaving this PR open as a tracking item.

Why deferred — short version

paramiko 5 is not blocked by the GSSAPI removal that initial review flagged. pgAdmin's SSH tunnel only offers password + identity-file auth (

The real concern is legacy SSH bastion compatibility. paramiko 5 removed:

Users tunneling through SSH daemons older than OpenSSH 7.2 (2016) — or 8.2 (2020) for the modern RSA-SHA2 signatures — would break. Modern Linux distros and cloud bastion services are unaffected, but enterprise users with legacy Cisco/Juniper/older RHEL bastion hosts could see SSH tunnels stop working.

The DSA-key removal in paramiko 4 and the Python 3.8 drop are non-issues — pgAdmin requires Python 3.9+ and DSA was deprecated upstream a decade ago.

When to apply

When applied eventually, the release notes must state the SHA2 requirement explicitly and point legacy-server users at either upgrading the bastion or staying on a prior pgAdmin release.
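The bastion-compatibility concern raised in the comment above (SHA-2 key exchange, and rsa-sha2 signatures for RSA host keys) can be checked against a server before the upgrade lands, because the server advertises its algorithm lists in its first SSH_MSG_KEXINIT (RFC 4253 section 7.1). The following is an added example, not pgAdmin's or paramiko's code: it parses a KEXINIT payload and reports what would block a SHA-2-only client. The heuristic that a kex name containing `sha256`/`sha512` is SHA-2 based, the `RSA_SHA2_SIGS` set, the `build_kexinit` sample-offer constructor, the `assess` and `probe` helper names, and the sample algorithm lists are all assumptions of the example, not taken from the PR.

```python
"""Added example (not pgAdmin or paramiko code): inspect an SSH server's
KEXINIT to see whether it still offers the algorithm families paramiko 5
needs (SHA-2 key exchange; rsa-sha2-* signatures for RSA host keys)."""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# Assumption: a kex name containing sha256/sha512 is SHA-2 based; paramiko 5
# dropped the SHA-1 kex methods, so a server offering none of these cannot negotiate.
SHA2_KEX_MARKERS = ("sha256", "sha512")
RSA_SHA2_SIGS = {"rsa-sha2-256", "rsa-sha2-512"}
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _read_name_list(buf, off):
    """Decode one RFC 4251 name-list (uint32 length + comma-separated names)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if raw else []), off + 4 + n


def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into its name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off = 1 + 16  # message id + 16-byte cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        lists[field], off = _read_name_list(payload, off)
    return lists


def build_kexinit(kex, host_key, enc=("aes256-ctr",), mac=("hmac-sha2-256",)):
    """Build a KEXINIT payload; used here only to construct sample server offers."""
    def name_list(names):
        raw = ",".join(names).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # constructed (zero) cookie
    for names in (kex, host_key, enc, enc, mac, mac, ("none",), ("none",), (), ()):
        body += name_list(names)
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def assess(lists):
    """Report the SHA-2 era algorithms offered and anything that would block paramiko 5."""
    sha2_kex = [k for k in lists["kex"] if any(m in k for m in SHA2_KEX_MARKERS)]
    rsa_sha2 = [h for h in lists["host_key"] if h in RSA_SHA2_SIGS]
    problems = []
    if not sha2_kex:
        problems.append("no SHA-2 key exchange method offered")
    if "ssh-rsa" in lists["host_key"] and not rsa_sha2:
        problems.append("RSA host key offered only with SHA-1 (ssh-rsa) signatures")
    return {"compatible": not problems, "sha2_kex": sha2_kex,
            "rsa_sha2": rsa_sha2, "problems": problems}


def probe(host, port=22, timeout=5.0):
    """Fetch the banner and first KEXINIT from a live host you operate (not used by the tests).
    Before key exchange the packet is unencrypted: uint32 length, byte padding_length, payload."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        sock.sendall(b"SSH-2.0-paramiko5_compat_check\r\n")
        banner = rfile.readline().strip()
        while banner and not banner.startswith(b"SSH-"):  # RFC 4253 allows pre-banner lines
            banner = rfile.readline().strip()
        packet_len, pad_len = struct.unpack(">IB", rfile.read(5))
        rest = rfile.read(packet_len - 1)
        payload = rest[:packet_len - 1 - pad_len]
        return banner.decode("ascii", "replace"), parse_kexinit(payload)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        banner, lists = probe(sys.argv[1])
        print(banner)
        print(assess(lists))
    else:  # offline demonstration on a constructed legacy-style offer
        sample = build_kexinit(("diffie-hellman-group14-sha1",), ("ssh-rsa",))
        print(assess(parse_kexinit(sample)))
```

Run it with a bastion hostname to see the live offer, or with no argument for the constructed legacy case. A server that reports `compatible: False` is one the comment describes: its SSH daemon predates the SHA-2 algorithm families, and the tunnel will need the bastion upgraded before pgAdmin moves to paramiko 5.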
Bumps paramiko from 3.5.1 to 5.0.0.
Commits
- 710cc5c What's a few weeks between friends?
- ea93c59 Fix up Ed25519Key so it has non-erroring repr() during fatal errors
- 5b90ef9 ruff/isort
- f3864b6 Changelog fixes
- acd4bc1 Replace hardcoded PEM format in PKey.write* with new parameter
- 6fa1556 Bump group-exchange kex min_bits to 2048
- eb87ad3 Fix some tests that were incorrectly passing
- 1ecc933 Remove GSSAPI support :(
- 9bf5fca Remove SHA1-based (non-GSS) kex methods
- b8f75c7 Lintin' ain't easy

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)