chore(deps): update all non-major dependencies
This MR contains the following updates:
Package | Change
---|---
Django (source, changelog) | `==3.2.10` -> `==3.2.11`
core-js | `3.20.0` -> `3.20.3`
django-axes | `==5.28.0` -> `==5.31.0`
eslint-plugin-vue (source) | `8.2.0` -> `8.3.0`
node | `12.22.7-alpine` -> `12.22.9-alpine`
prospector (source) | `==1.5.3.1` -> `==1.6.0`
psycopg2-binary (source, changelog) | `==2.9.2` -> `==2.9.3`
requests (source, changelog) | `==2.26.0` -> `==2.27.1`
sphinx (source) | `==4.3.1` -> `==4.4.0`
sqlalchemy (changelog) | `==1.4.28` -> `==1.4.29`
Release Notes
zloirock/core-js
v3.20.3
- Detects and replaces broken third-party `Function#bind` polyfills, uses only native `Function#bind` in the internals
- `structuredClone` should throw an error if no arguments passed
- Changed the structure of notes in `__core-js_shared__`
v3.20.2
- Added a fix of a V8 ~ Chrome 36- `Object.{ defineProperty, defineProperties }` bug, Babel issue
- Added fixes of some different `%TypedArray%.prototype.set` bugs, affects modern engines (like Chrome < 95 or Safari < 14.1)
v3.20.1
- Fixed the order of calling reactions of already fulfilled / rejected promises in `Promise.prototype.then`, #1026
- Fixed possible memory leak in specific promise chains
- Fixed some missed dependencies of entries
- Added Deno 1.18 compat data mapping
jazzband/django-axes
v5.31.0
- Adjust version specifiers for newer Python and other package versions. Set package minimum Python version to 3.7. Relax `django-ipware` version requirements to allow newer versions. [aleksihakli]
v5.30.0
- Fix package build error in 5.29.0 to allow publishing. [aleksihakli]
vuejs/eslint-plugin-vue
v8.3.0
🐛 Bug Fixes
- #1755 Fix crash on `<textarea>` without end tag in `vue/html-indent` rule.
- #1756 Fix false positive for unknown emits definition in `vue/require-explicit-emits` rule.
⚙️ Updates
Full Changelog: https://github.com/vuejs/eslint-plugin-vue/compare/v8.2.0...v8.3.0
nodejs/node
v12.22.9
This is a security release.
Notable changes
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.
Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the `--security-revert` command-line option.
More details will be available at CVE-2021-44531 after publication.
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.
Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the `--security-revert` command-line option.
More details will be available at CVE-2021-44532 after publication.
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.
Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.
More details will be available at CVE-2021-44533 after publication.
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
Due to the formatting logic of the `console.table()` function it was not safe to allow user controlled input to be passed to the `properties` parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be `__proto__`. The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype.
Versions of Node.js with the fix for this use a null prototype for the object these properties are being assigned to.
More details will be available at CVE-2022-21824 after publication.
Thanks to Patrik Oldsberg (rugvip) for reporting this vulnerability.
Commits
- [be69403528] - console: fix prototype pollution via console.table (Tobias Nießen) nodejs-private/node-private#307
- [19873abfb2] - crypto,tls: implement safe x509 GeneralName format (Tobias Nießen and Akshay Kumar) nodejs-private/node-private#300
- [ff9ac7d757] - doc: fix date for v12.22.8 (Richard Lau) #41213
- [a5c7843cab] - src: add cve reverts and associated tests (Michael Dawson and Akshay Kumar) nodejs-private/node-private#300
- [d4e5d1b9ca] - src: remove unused x509 functions (Tobias Nießen and Akshay Kumar) nodejs-private/node-private#300
- [8c2db2c86b] - tls: fix handling of x509 subject and issuer (Tobias Nießen and Akshay Kumar) nodejs-private/node-private#300
- [e0fe6a635e] - tls: drop support for URI alternative names (Tobias Nießen and Akshay Kumar) nodejs-private/node-private#300
v12.22.8
Notable Changes
This release contains a c-ares update to fix a regression introduced in Node.js 12.22.5 resolving CNAME records containing underscores #39780.
Root certificates have been updated to those from Mozilla's Network Security Services 3.71 #40281.
Commits
- [2d42295d2a] - build: pin macOS GitHub runner to macos-10.15 (Richard Lau) #41124
- [41e09ec71b] - child_process: retain reference to data with advanced serialization (Anna Henningsen) #38728
- [f0be07796e] - crypto: update root certificates (Richard Lau) #40280
- [4c9f920d34] - deps: update archs files for OpenSSL-1.1.1m (Richard Lau) #41172
- [60d7d4171e] - deps: upgrade openssl sources to 1.1.1m (Richard Lau) #41172
- [7feff67419] - deps: add -fno-strict-aliasing flag to libuv (Daniel Bevenius) #40631
- [534ac7c7c6] - deps: update c-ares to 1.18.1 (Richard Lau) #40660
- [c019fa9b70] - deps: update to cjs-module-lexer@1.2.2 (Guy Bedford) #39402
- [b13340eff4] - doc: add alternative version links to the packages page (Filip Skokan) #36915
- [243b2fbfdb] - lib: fix regular expression to detect `/` and `\` (Francesco Trotta) #40325
- [70e094a26b] - repl: fix error message printing (Anna Henningsen) #38209
- [02b432a704] - src: fix crash in AfterGetAddrInfo (Anna Henningsen) #39735
- [7479447d6a] - test: deflake child-process-pipe-dataflow (Luigi Pinca) #40838
- [833e199393] - tools: update certdata.txt (Richard Lau) #40280
- [e4339fe286] - tools: add script to update c-ares (Richard Lau) #40660
- [f50b9c1e8a] - worker: avoid potential deadlock on NearHeapLimit (Santiago Gimeno) #38403
PyCQA/prospector
v1.6.0
- #478 Fixed incompatible version specification of pylint-plugin-utils. This now requires pylint-django of at least 2.5.
- Note: this release drops support for python 3.6.1
psf/requests
v2.27.1
Bugfixes
- Fixed parsing issue that resulted in the `auth` component being dropped from proxy URLs. (#6028)
v2.27.0
Improvements
- Officially added support for Python 3.10. (#5928)
- Added a `requests.exceptions.JSONDecodeError` to unify JSON exceptions between Python 2 and 3. This gets raised in the `response.json()` method, and is backwards compatible as it inherits from previously thrown exceptions. Can be caught from `requests.exceptions.RequestException` as well. (#5856)
- Improved error text for misnamed `InvalidSchema` and `MissingSchema` exceptions. This is a temporary fix until exceptions can be renamed (Schema->Scheme). (#6017)
- Improved proxy parsing for proxy URLs missing a scheme. This will address recent changes to `urlparse` in Python 3.9+. (#5917)
Bugfixes
- Fixed defect in `extract_zipped_paths` which could result in an infinite loop for some paths. (#5851)
- Fixed handling for `AttributeError` when calculating length of files obtained by `Tarfile.extractfile()`. (#5239)
- Fixed urllib3 exception leak, wrapping `urllib3.exceptions.InvalidHeader` with `requests.exceptions.InvalidHeader`. (#5914)
- Fixed bug where two Host headers were sent for chunked requests. (#5391)
- Fixed regression in Requests 2.26.0 where `Proxy-Authorization` was incorrectly stripped from all requests sent with `Session.send`. (#5924)
- Fixed performance regression in 2.26.0 for hosts with a large number of proxies available in the environment. (#5924)
- Fixed idna exception leak, wrapping `UnicodeError` with `requests.exceptions.InvalidURL` for URLs with a leading dot (.) in the domain. (#5414)
Deprecations
- Requests support for Python 2.7 and 3.6 will be ending in 2022. While we don't have exact dates, Requests 2.27.x is likely to be the last release series providing support.
sphinx-doc/sphinx
v4.4.0
Dependencies
Features added
- #9075: autodoc: Add a config variable :confval:`autodoc_typehints_format` to suppress the leading module names of typehints of function signatures (ex. `io.StringIO` -> `StringIO`)
- #9831: Autosummary now documents only the members specified in a module's `__all__` attribute if :confval:`autosummary_ignore_module_all` is set to `False`. The default behaviour is unchanged. Autogen also now supports this behavior with the `--respect-module-all` switch.
- #9555: autosummary: Improve error messages on failure to load target object
- #9800: extlinks: Emit warning if a hardcoded link is replaceable by an extlink, suggesting a replacement.
- #9961: html: Support nested HTML elements in other HTML builders
- #10013: html: Allow to change the loading method of JS via `loading_method` parameter for :meth:`Sphinx.add_js_file()`
- #9551: html search: "Hide Search Matches" link removes "highlight" parameter from URL
- #9815: html theme: Wrap sidebar components in div to allow customizing their layout via CSS
- #9827: i18n: Sort items in glossary by translated terms
- #9899: py domain: Allows to specify cross-reference specifier (`.` and `~`) as `:type:` option
- #9894: linkcheck: add option `linkcheck_exclude_documents` to disable link checking in matched documents.
- #9793: sphinx-build: Allow to use the parallel build feature in macOS on macOS and Python3.8+
- #10055: sphinx-build: Create directories when `-w` option given
- #9993: std domain: Allow to refer an inline target (ex. ``_`target name` ``) via :rst:role:`ref` role
- #9981: std domain: Strip value part of the option directive from general index
- #9391: texinfo: improve variable in `samp` role
- #9578: texinfo: Add :confval:`texinfo_cross_references` to disable cross references for readability with standalone readers
- #9822 (and #9062), add new Intersphinx role :rst:role:`external` for explicit lookup in the external projects, without resolving to the local project.
Bugs fixed
- #9866: autodoc: doccomment for the imported class was ignored
- #9883: autodoc: doccomment for the alias to mocked object was ignored
- #9908: autodoc: debug message is shown on building document using NewTypes with Python 3.10
- #9968: autodoc: instance variables are not shown if init method has position-only-arguments
- #9194: autodoc: types under the "typing" module are not hyperlinked
- #10009: autodoc: Crashes if target object raises an error on getting docstring
- #10058: autosummary: Imported members are not shown when `autodoc_class_signature = 'separated'`
- #9947: i18n: topic directive having a bullet list can't be translatable
- #9878: mathjax: MathJax configuration is placed after loading MathJax itself
- #9932: napoleon: empty "returns" section is generated even if no description
- #9857: Generated RFC links use outdated base url
- #9909: HTML, prevent line-wrapping in literal text.
- #10061: html theme: Configuration values added by themes are not able to be overridden from conf.py
- #10073: imgconverter: Unnecessary availability check is called for "data" URIs
- #9925: LaTeX: prohibit also with `'xelatex'` line splitting at dashes of inline and parsed literals
- #9944: LaTeX: extra vertical whitespace for some nested declarations
- #9940: LaTeX: Multi-function declaration in Python domain has cramped vertical spacing in latexpdf output
- #10015: py domain: types under the "typing" module are not hyperlinked defined at info-field-list
- #9390: texinfo: Do not emit labels inside footnotes
- #9413: xml: Invalid XML was generated when cross referencing python objects
- #9979: Error level messages were displayed as warning messages
- #10057: Failed to scan documents if the project is placed onto the root directory
- #9636: code-block: `:dedent:` without argument did strip newlines
v4.3.2
Bugs fixed
- #9917: C and C++, parse fundamental types no matter the order of simple type specifiers.
Configuration
- [ ] If you want to rebase/retry this MR, click this checkbox.
This MR has been generated by Renovate Bot.