pyup: Scheduled weekly dependency update for week 31 #6042

merged 14 commits into from Aug 6, 2019

@pyup-bot pyup-bot commented Aug 5, 2019

Update pip from 19.1.1 to 19.2.1.

Deprecations and Removals

- Drop support for EOL Python 3.4. (`6685 <>`_)
- Improve deprecation messages to include the version in which the functionality will be removed. (`6549 <>`_)


- Credentials will now be loaded using `keyring` when installed. (`5948 <>`_)
- Fully support using ``--trusted-host`` inside requirements files. (`3799 <>`_)
- Update timestamps in pip's ``--log`` file to include milliseconds. (`6587 <>`_)
- Respect whether a file has been marked as "yanked" from a simple repository
(see `PEP 592 <>`__ for details). (`6633 <>`_)
- When choosing candidates to install, prefer candidates with a hash matching
one of the user-provided hashes. (`5874 <>`_)
- Improve the error message when ``METADATA`` or ``PKG-INFO`` is None when
accessing metadata. (`5082 <>`_)
- Add a new command ``pip debug`` that can display e.g. the list of compatible
tags for the current Python. (`6638 <>`_)
- Display hint on installing with --pre when search results include pre-release versions. (`5169 <>`_)
- Report to Warehouse that pip is running under CI if the ``PIP_IS_CI`` environment variable is set. (`5499 <>`_)
- Allow ``--python-version`` to be passed as a dotted version string (e.g.
``3.7`` or ``3.7.3``). (`6585 <>`_)
- Log the final filename and SHA256 of a ``.whl`` file when done building a
wheel. (`5908 <>`_)
- Include the wheel's tags in the log message explanation when a candidate
wheel link is found incompatible. (`6121 <>`_)
- Add a ``--path`` argument to ``pip freeze`` to support ``--target``
installations. (`6404 <>`_)
- Add a ``--path`` argument to ``pip list`` to support ``--target``
installations. (`6551 <>`_)

Bug Fixes

- Set ``sys.argv[0]`` to the underlying ```` when invoking ````
via the setuptools shim so setuptools doesn't think the path is ``-c``. (`1890 <>`_)
- Update ``pip download`` to respect the given ``--python-version`` when checking
``"Requires-Python"``. (`5369 <>`_)
- Respect ``--global-option`` and ``--install-option`` when installing from
a version control url (e.g. ``git``). (`5518 <>`_)
- Make the "ascii" progress bar really be "ascii" and not Unicode. (`5671 <>`_)
- Fail elegantly when trying to set an incorrectly formatted key in config. (`5963 <>`_)
- Prevent DistutilsOptionError when prefix is indicated in the global environment and `--target` is used. (`6008 <>`_)
- Fix ``pip install`` to respect ``--ignore-requires-python`` when evaluating
links. (`6371 <>`_)
- Fix a debug log message when freezing an editable, non-version controlled
requirement. (`6383 <>`_)
- Extend to Subversion 1.8+ the behavior of calling Subversion in
interactive mode when pip is run interactively. (`6386 <>`_)
- Prevent ``pip install <url>`` from permitting directory traversal if e.g.
a malicious server sends a ``Content-Disposition`` header with a filename
containing ``../`` or ``..\\``. (`6413 <>`_)
- Hide passwords in output when using ``--find-links``. (`6489 <>`_)
- Include more details in the log message if ``pip freeze`` can't generate a
requirement string for a particular distribution. (`6513 <>`_)
- Add the line number and file location to the error message when reading an
invalid requirements file in certain situations. (`6527 <>`_)
- Prefer ``os.confstr`` to ``ctypes`` when extracting glibc version info. (`6543 <>`_, `6675 <>`_)
- Improve error message printed when an invalid editable requirement is provided. (`6648 <>`_)
- Improve error message formatting when a command errors out in a subprocess. (`6651 <>`_)

Vendored Libraries

- Upgrade certifi to 2019.6.16
- Upgrade distlib to 0.2.9.post0
- Upgrade msgpack to 0.6.1
- Upgrade requests to 2.22.0
- Upgrade urllib3 to 1.25.3
- Patch vendored html5lib, to prefer using `` where possible.

Improved Documentation

- Document how Python 2.7 support will be maintained. (`6726 <>`_)
- Upgrade Sphinx version used to build documentation. (`6471 <>`_)
- Fix generation of subcommand manpages. (`6724 <>`_)
- Mention that pip can install from git refs. (`6512 <>`_)
- Replace a failing example of pip installs with extras with a working one. (`4733 <>`_)

Update virtualenv from 16.6.2 to 16.7.2.

- pip bumped to 19.2.1 (`1392 <>`_)

- ``activate.ps1`` syntax and style updated to follow ``PSStyleAnalyzer`` rules (`1371 <>`_)
- Allow creating virtual environments for ``3.xy``. (`1385 <>`_)
- Report error when running activate scripts directly, instead of sourcing. By reporting an error instead of running silently, the user gets immediate feedback that the script was not used correctly. Only Bash and PowerShell are supported for now. (`1388 <>`_)
- Add pip 19.2 (19.1.1 is kept to still support Python 3.4, dropped by latest pip) (`1389 <>`_)

Update django from 1.11.22 to 1.11.23.

*August 1, 2019*

Django 1.11.23 fixes security issues in 1.11.22.

CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``

If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
were passed the ``html=True`` argument, they were extremely slow to evaluate
certain inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
filters, which were thus vulnerable.

The regular expressions used by ``Truncator`` have been simplified in order to
avoid potential backtracking issues. As a consequence, trailing punctuation may
now at times be included in the truncated output.

CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``

Due to the behavior of the underlying ``HTMLParser``,
:func:`django.utils.html.strip_tags` would be extremely slow to evaluate
certain inputs containing large sequences of nested incomplete HTML entities.
The ``strip_tags()`` method is used to implement the corresponding
:tfilter:`striptags` template filter, which was thus also vulnerable.

``strip_tags()`` now avoids recursive calls to ``HTMLParser`` when progress
removing tags, but necessarily incomplete HTML entities, stops being made.

Remember that absolutely NO guarantee is provided about the results of
``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
``strip_tags()`` call without escaping it first, for example with

CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``

:lookup:`Key and index lookups <jsonfield.key>` for
:class:`~django.contrib.postgres.fields.JSONField` and :lookup:`key lookups
<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`
were subject to SQL injection, using a suitably crafted dictionary, with
dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.

CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``

If passed certain inputs, :func:`django.utils.encoding.uri_to_iri` could lead
to significant memory usage due to excessive recursion when re-percent-encoding
invalid UTF-8 octet sequences.

``uri_to_iri()`` now avoids recursion when re-percent-encoding invalid UTF-8
octet sequences.


Update djangorestframework from 3.10.1 to 3.10.2.

The bot wasn't able to find a changelog for this release. Got an idea?


Update pyyaml from 5.1.1 to 5.1.2.

The bot wasn't able to find a changelog for this release. Got an idea?


Update GitPython from 2.1.12 to 2.1.13.

The bot wasn't able to find a changelog for this release. Got an idea?


Update lxml from 4.3.4 to 4.4.0.

Features added

* ``Element.clear()`` accepts a new keyword argument ``keep_tail=True`` to
clear everything but the tail text.  This is helpful in some document-style
use cases.

* When creating attributes or namespaces from a dict in Python 3.6+, lxml now
preserves the original insertion order of that dict, instead of always sorting
the items by name.  A similar change was made for ElementTree in CPython 3.8.

* Integer elements in ``lxml.objectify`` implement the ``__index__()`` special method.

* GH269: Read-only elements in XSLT were missing the ``nsmap`` property.
Original patch by Jan Pazdziora.

* ElementInclude can now restrict the maximum inclusion depth via a ``max_depth``
argument to prevent content explosion.  It is limited to 6 by default.

* The ``target`` object of the XMLParser can have ``start_ns()`` and ``end_ns()``
callback methods to listen to namespace declarations.

* The ``TreeBuilder`` has new arguments ``comment_factory`` and ``pi_factory`` to
pass factories for creating comments and processing instructions, as well as
flag arguments ``insert_comments`` and ``insert_pis`` to discard them from the
tree when set to false.

* A `C14N 2.0 <>`_ implementation was added as
``etree.canonicalize()``, a corresponding ``C14NWriterTarget`` class, and
a ``c14n2`` serialisation method.

Bugs fixed

* When writing to file paths that contain the URL escape character '%', the file
path could wrongly be mangled by URL unescaping and thus write to a different
file or directory.  Code that writes to file paths that are provided by untrusted
sources, but that must work with previous versions of lxml, should best either
reject paths that contain '%' characters, or otherwise make sure that the path
does not contain maliciously injected '%XX' URL hex escapes for paths like '../'.

* Assigning to Element child slices with negative step could insert the slice at
the wrong position, starting too far on the left.

* Assigning to Element child slices with overly large step size could take very
long, regardless of the length of the actual slice.

* Assigning to Element child slices of the wrong size could sometimes fail to
raise a ValueError (like a list assignment would) and instead assign outside
of the original slice bounds or leave parts of it unreplaced.

* The ``comment`` and ``pi`` events in ``iterwalk()`` were never triggered, and
instead, comments and processing instructions in the tree were reported as
``start`` elements.  Also, when walking an ElementTree (as opposed to its root
element), comments and PIs outside of the root element are now reported.

* LP1827833: The RelaxNG compact syntax support was broken with recent versions
of ``rnc2rng``.

* LP1758553: The HTML elements ``source`` and ``track`` were added to the list
of empty tags in ``lxml.html.defs``.

* Registering a prefix other than "xml" for the XML namespace is now rejected.

* Failing to write XSLT output to a file could raise a misleading exception.
It now raises ``IOError``.

Other changes

* Support for Python 3.4 was removed.

* When using ``Element.find*()`` with prefix-namespace mappings, the empty string
is now accepted to define a default namespace, in addition to the previously
supported ``None`` prefix.  Empty strings are more convenient since they keep
all prefix keys in a namespace dict strings, which simplifies sorting etc.

* The ``ElementTree.write_c14n()`` method has been deprecated in favour of the
long preferred ``ElementTree.write(f, method="c14n")``.  It will be removed
in a future release.

* Rebuilt with Cython 0.29.13 to support Python 3.8.

Update pytz from 2019.1 to 2019.2.

The bot wasn't able to find a changelog for this release. Got an idea?


Update stripe from 2.32.1 to 2.33.0.

* [595]( Listing `BalanceTransaction` objects now uses `/v1/balance_transactions` instead of `/v1/balance/history`

Update packaging from 19.0 to 19.1.

The bot wasn't able to find a changelog for this release. Got an idea?


Update prospector from to 1.1.7.

- [299]( Output path tests and abspaths for windows
- [300]( Fix `check_paths` definition for pep8tool
- [318]( Add support pylint --load-plugins option in profile
- [336]( Pylint fix for message definitions usage
- [340]( Bump pylint django
- [343]( Support more kinds of mypy messages
- [5ea0e95]( Pin astroid to 2.2.5

Update execnet from 1.6.0 to 1.6.1.

* `98 <>`__: Internal change to avoid
using deprecated ``funcargs`` name in pytest 5+.

Update ipdb from 0.12 to 0.12.2.

- Avoid emitting term-title bytes

- Fix --help
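
Two of the fixes pulled in by this update are about untrusted file names: pip 19.2 (``6413``) stops a server-supplied ``Content-Disposition`` filename containing ``../`` or ``..\`` from escaping the download directory, and lxml 4.4.0 stops ``%XX`` escapes in an output path from being URL-unescaped into a different location, recommending that code which must still run on older lxml reject such paths itself. The following is an added illustration of those two defensive checks; it is not pip's or lxml's own code, the function names are hypothetical, and the header values and paths are constructed samples.

```python
import os
import posixpath
from email.message import Message
from urllib.parse import unquote


def filename_from_content_disposition(header_value):
    """Extract the ``filename`` parameter from a Content-Disposition value.

    The stdlib email parser is reused so quoting and RFC 2231 encoded
    parameters are handled without a hand-written regex.  Returns None when
    the header carries no filename.
    """
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg.get_filename()


def sanitize_download_filename(header_value, fallback):
    """Return a name that is safe to join onto the download directory.

    The header value is untrusted (it comes from the remote server).  Every
    directory component, on either separator, is dropped, and names that are
    empty or pure traversal ('.', '..') are replaced by ``fallback`` (for a
    package download, the name derived from the URL itself).
    """
    name = filename_from_content_disposition(header_value)
    if name is None:
        return fallback
    # Treat backslashes as separators too, so one basename() call covers both
    # '../' and '..\' style traversal regardless of the host platform.
    name = posixpath.basename(name.replace("\\", "/"))
    if name in ("", ".", ".."):
        return fallback
    return name


def resolve_within(directory, name):
    """Join ``name`` onto ``directory`` and confirm the result stays inside it.

    An independent second check: even a name that passed sanitisation is only
    accepted if the resolved absolute path still has ``directory`` as a prefix.
    Returns the absolute target path, or None if it would escape.
    """
    root = os.path.abspath(directory)
    target = os.path.abspath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def contains_url_escape(path):
    """True if URL-unescaping ``path`` would change it, i.e. it holds '%XX'.

    This is the check the lxml changelog suggests for code that must keep
    working with lxml < 4.4.0: a '%2e%2e' inside a file name could be unescaped
    to '..' by the library and the output written somewhere else.  Rejecting
    every '%' (``"%" in path``) is the stricter alternative it also mentions.
    """
    return unquote(path) != path


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real server.
    hostile = 'attachment; filename="../../evil.whl"'
    benign = 'attachment; filename="pkg-1.0-py3-none-any.whl"'
    for header in (hostile, benign):
        name = sanitize_download_filename(header, "pkg-1.0.tar.gz")
        print(header, "->", name, "->", resolve_within("/tmp/downloads", name))
    print(contains_url_escape("out/%2e%2e/report.xml"))
```

The two path checks are deliberately layered: ``sanitize_download_filename`` removes the directory part so the server can never choose where a file lands, and ``resolve_within`` re-verifies the final path against the download root, which also catches any future code path that bypasses the sanitiser.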
stsewd approved these changes Aug 6, 2019
@humitos humitos merged commit d8e917c into master Aug 6, 2019
2 checks passed
@humitos humitos deleted the pyup/scheduled-update-2019-08-05 branch Aug 6, 2019