Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pyup: Scheduled weekly dependency update for week 22 #5762

Merged
merged 5 commits into from Jun 6, 2019

Conversation

@pyup-bot
Copy link
Contributor

@pyup-bot pyup-bot commented Jun 3, 2019

Update django from 1.11.20 to 1.11.21.

Changelog

1.11.21

============================

*June 3, 2019*

Django 1.11.21 fixes a security issue in 1.11.20.

CVE-2019-12308: AdminURLFieldWidget XSS
---------------------------------------

The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
the provided value without validating it as a safe URL. Thus, an unvalidated
value stored in the database, or a value provided as a URL query parameter
payload, could result in an clickable JavaScript link.

``AdminURLFieldWidget`` now validates the provided value using
:class:`~django.core.validators.URLValidator` before displaying the clickable
link. You may customise the validator by passing a ``validator_class`` kwarg to
``AdminURLFieldWidget.__init__()``, e.g. when using
:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.


============================
Links

Update Pygments from 2.4.1 to 2.4.2.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

Update elasticsearch from 6.3.1 to 6.4.0.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

Update stripe from 2.29.0 to 2.29.3.

Changelog

2.29.3

Version 2.29.2 was non-functional due to a bugged `version.py` file. This release is identical to 2.29.2 save for the version number.

2.29.2

* [561](https://github.com/stripe/stripe-python/pull/561) Replace pipenv with poetry

2.29.1

* [578](https://github.com/stripe/stripe-python/pull/578) Verify signatures before deserializing events
Links
@@ -53,7 +53,7 @@ django-allauth==0.39.1
GitPython==2.1.10 # pyup: ignore

# Search
elasticsearch==6.3.1 # pyup: <7.0.0
elasticsearch==6.4.0 # pyup: <7.0.0
stsewd
stsewd approved these changes Jun 3, 2019
Copy link
Member

@stsewd stsewd left a comment

Nothing breaking

@ericholscher ericholscher merged commit 7eaa2b9 into master Jun 6, 2019
2 checks passed
@delete-merged-branch delete-merged-branch bot deleted the pyup/scheduled-update-2019-06-03 branch Jun 6, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants