pyup: Scheduled weekly dependency update for week 19 #8170

Merged
merged 12 commits into from May 11, 2021

pyup-bot
Collaborator

Update virtualenv from 20.4.4 to 20.4.6.

Changelog

20.4.6
~~~~~~~~~~~~~~~~~
- Fix ``site.getsitepackages()`` broken on python2 on debian - by :user:`freundTech`. (`2105 <https://github.com/pypa/virtualenv/issues/2105>`_)

20.4.5
~~~~~~~~~~~~~~~~~
- Bump pip to ``21.1.1`` from ``21.0.1`` - by :user:`gaborbernat`. (`2104 <https://github.com/pypa/virtualenv/issues/2104>`_)
- Fix ``site.getsitepackages()`` ignoring ``--system-site-packages`` on python2 - by :user:`freundTech`. (`2106 <https://github.com/pypa/virtualenv/issues/2106>`_)

Update django from 2.2.20 to 2.2.22.

Changelog

2.2.22
===========================

*May 6, 2021*

Django 2.2.22 fixes a security issue in 2.2.21.

CVE-2021-32052: Header injection possibility since ``URLValidator`` accepted newlines in input on Python 3.9.5+
===============================================================================================================

On Python 3.9.5+, :class:`~django.core.validators.URLValidator` didn't prohibit
newlines and tabs. If you used values with newlines in HTTP response, you could
suffer from header injection attacks. Django itself wasn't vulnerable because
:class:`~django.http.HttpResponse` prohibits newlines in HTTP headers.

Moreover, the ``URLField`` form field which uses ``URLValidator`` silently
removes newlines and tabs on Python 3.9.5+, so the possibility of newlines
entering your data only existed if you are using this validator outside of the
form fields.

This issue was introduced by the :bpo:`43882` fix.


2.2.21
===========================

*May 4, 2021*

Django 2.2.21 fixes a security issue in 2.2.20.

CVE-2021-31542: Potential directory-traversal via uploaded files
================================================================

``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
directory-traversal via uploaded files with suitably crafted file names.

In order to mitigate this risk, stricter basename and path sanitation is now
applied. Specifically, empty file names and paths with dot segments will be
rejected.



Update Sphinx from 3.5.4 to 4.0.0.

Changelog

4.0.0
=====================================

Dependencies
------------

4.0.0b3

* 9167: html: Failed to add CSS files to the specific page

4.0.0b2

* C, C++, fix ``KeyError`` when an ``alias`` directive is the first C/C++
  directive in a file with another C/C++ directive later.

4.0.0b1

* 8917: autodoc: Raises a warning if function has wrong __globals__ value
* 8415: autodoc: a TypeVar imported from other module is not resolved (in
  Python 3.7 or above)
* 8992: autodoc: Failed to resolve types.TracebackType type annotation
* 8905: html: html_add_permalinks=None and html_add_permalinks="" are ignored
* 8380: html search: Paragraphs in search results are not identified as ``<p>``
* 8915: html theme: The translation of sphinx_rtd_theme does not work
* 8342: Emit a warning if a unknown domain is given for directive or role (ex.
  ``:unknown:doc:``)
* 7241: LaTeX: No wrapping for ``cpp:enumerator``
* 8711: LaTeX: backticks in code-blocks trigger latexpdf build warning (and font
  change) with late TeXLive 2019
* 8253: LaTeX: Figures with no size defined get overscaled (compared to images
  with size explicitly set in pixels) (fixed for ``'pdflatex'/'lualatex'`` only)
* 8881: LaTeX: The depth of bookmarks panel in PDF is not enough for navigation
* 8874: LaTeX: the fix to two minor Pygments LaTeXFormatter output issues ignore
  Pygments style
* 8925: LaTeX: 3.5.0 ``verbatimmaxunderfull`` setting does not work as
  expected
* 8980: LaTeX: missing line break in ``\pysigline``
* 8995: LaTeX: legacy ``\pysiglinewithargsret`` does not compute correctly
  available horizontal space and should use a ragged right style
* 9009: LaTeX: "release" value with underscore leads to invalid LaTeX
* 8911: C++: remove the longest matching prefix in
  :confval:`cpp_index_common_prefix` instead of the first that matches.
* C, properly reject function declarations when a keyword is used
  as parameter name.
* 8933: viewcode: Failed to create back-links on parallel build
* 8960: C and C++, fix rendering of (member) function pointer types in
  function parameter lists.
* C++, fix linking of names in array declarators, pointer to member
  (function) declarators, and in the argument to ``sizeof...``.
* C, fix linking of names in array declarators.

3.5.5
==============================

Update django-vanilla-views from 2.0.0 to 3.0.0.

The bot wasn't able to find a changelog for this release. Got an idea?


Update watchdog from 2.0.3 to 2.1.1.

Changelog

2.1.1
~~~~~

2021-05-10 • `full history <https://github.com/gorakhargosh/watchdog/compare/v2.1.0...v2.1.1>`__

- [mac] Fix callback exceptions when the watcher is deleted but still receiving events (`786 <https://github.com/gorakhargosh/watchdog/pull/786>`_)
- Thanks to our beloved contributors: rom1win, BoboTiG, CCP-Aporia

2.1.0
~~~~~

2021-05-04 • `full history <https://github.com/gorakhargosh/watchdog/compare/v2.0.3...v2.1.0>`__

- [inotify] Simplify ``libc`` loading (`776 <https://github.com/gorakhargosh/watchdog/pull/776>`_)
- [mac] Add support for non-recursive watches in ``FSEventsEmitter`` (`779 <https://github.com/gorakhargosh/watchdog/pull/779>`_)
- [watchmedo] Add support for ``--debug-force-*`` arguments to ``tricks`` (`781 <https://github.com/gorakhargosh/watchdog/pull/781>`_)
- Thanks to our beloved contributors: CCP-Aporia, aodj, UnitedMarsupials, BoboTiG

Update tox from 3.23.0 to 3.23.1.

The bot wasn't able to find a changelog for this release. Got an idea?


Update pytest from 6.2.3 to 6.2.4.

Changelog

6.2.4
=========================

Bug Fixes
---------

- `8539 <https://github.com/pytest-dev/pytest/issues/8539>`_: Fixed assertion rewriting on Python 3.10.

Update pytest-mock from 3.6.0 to 3.6.1.

Changelog

3.6.1
------------------

* Fix ``mocker.resetall()`` when using ``mocker.spy()`` (`237`_). Thanks `blaxter`_ for the report and `shadycuz`_ for the PR.

.. _blaxter: https://github.com/blaxter
.. _shadycuz: https://github.com/shadycuz
.. _237: https://github.com/pytest-dev/pytest-mock/issues/237
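
For the CVE-2021-32052 entry in the Django 2.2.22 changelog above: an added example, not Django's code and not part of this pull request, of testing a URL for tab, CR and LF on the raw string before it is written into a response header. ``validate_header_url``, ``build_location_header``, ``check_samples`` and the sample values are names and inputs made up for the illustration.

```python
from urllib.parse import urlsplit

# Tab, CR and LF are stripped silently by urlsplit() on Pythons carrying the
# bpo-43882 fix, so the raw input has to be tested before any parsing.
UNSAFE_URL_CHARS = frozenset("\t\r\n")


class UnsafeURL(ValueError):
    """The value must not be used as a URL in a response header."""


def validate_header_url(value, allowed_schemes=("http", "https")):
    """Return value unchanged if it is safe to place in a header."""
    if not isinstance(value, str) or not value:
        raise UnsafeURL("empty or non-string URL")
    # Raw-string check first: parsing may drop these characters, so the
    # parsed parts can look clean while the stored value is not.
    if UNSAFE_URL_CHARS.intersection(value):
        raise UnsafeURL("URL contains tab, CR or LF")
    parts = urlsplit(value)
    if parts.scheme.lower() not in allowed_schemes or not parts.netloc:
        raise UnsafeURL("URL must be absolute http(s)")
    return value


def build_location_header(value):
    """Build a Location header line from a validated URL only."""
    return "Location: " + validate_header_url(value) + "\r\n"


def check_samples(samples):
    """Map each sample to True (accepted) or False (rejected)."""
    results = {}
    for sample in samples:
        try:
            validate_header_url(sample)
            results[sample] = True
        except ValueError:  # UnsafeURL, or a parse error from urlsplit()
            results[sample] = False
    return results


# Constructed sample inputs, not taken from the page.
SAMPLES = [
    "https://example.com/docs/",
    "https://example.com/\r\nX-Injected: constructed",
    "https://exa\tmple.com/",
    "/relative/path",
]
```
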
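
For the CVE-2021-31542 entry in the Django 2.2.21 changelog above: an added example, not Django's code and not part of this pull request, of reducing a client-supplied upload name to a bare file name and rejecting empty names and dot segments. It goes one step past the changelog text by also checking that the resolved path stays under the upload root; every function name and sample value is made up for the illustration.

```python
import os
import posixpath


class SuspiciousFileName(ValueError):
    """An uploaded file name or path cannot be used safely."""


def sanitize_upload_name(client_name):
    """Reduce a client-supplied name to a bare file name, or raise."""
    # Treat backslashes as separators so Windows-style client paths are
    # reduced the same way on every server platform.
    name = posixpath.basename(client_name.replace("\\", "/"))
    # Empty names and dot segments are rejected, not repaired.
    if name in {"", ".", ".."} or "\x00" in name:
        raise SuspiciousFileName("no usable file name in %r" % client_name)
    return name


def resolve_upload_path(upload_root, relative_path):
    """Place relative_path under upload_root, refusing any escape."""
    segments = relative_path.replace("\\", "/").split("/")
    if any(seg in {"", ".", ".."} for seg in segments):
        raise SuspiciousFileName("dot or empty segment in %r" % relative_path)
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, *segments))
    # Second check after symlink resolution: stay inside the root.
    if os.path.commonpath([root, target]) != root:
        raise SuspiciousFileName("path escapes upload root")
    return target


def classify(names):
    """Map each name to its sanitized form, or None if rejected."""
    out = {}
    for n in names:
        try:
            out[n] = sanitize_upload_name(n)
        except SuspiciousFileName:
            out[n] = None
    return out


# Constructed client-supplied names, not taken from the page.
SAMPLE_NAMES = ["report.pdf", "../../conf/app.ini", "C:\\tmp\\photo.png",
                "", "..", "uploads/"]
```
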


# Filtering for the REST API
django-filter==2.4.0

drf-flex-fields==0.9.0
drf-extensions==0.7.0

django-vanilla-views==2.0.0
django-vanilla-views==3.0.0
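
Review bot: on the last line of this hunk, django-vanilla-views jumps a major version (2.0.0 to 3.0.0), and the update description reports that no changelog was found for this release, so nothing in the PR shows what the new version removes or changes. Confirm from the upstream release notes which Django and Python versions 3.0.0 supports, compare that with the versions pinned elsewhere in this requirements file, and record the result in a comment above the pin, as is already done for "# Filtering for the REST API".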
Member

this is just removing support for old versions of django and python.

Member

stsewd left a comment


We can merge this after the deploy

stsewd merged commit 2aa6ce5 into master May 11, 2021
stsewd deleted the pyup/scheduled-update-2021-05-10 branch May 11, 2021 22:58