chore(deps): update all non-major dependencies

Delta10 Bot requested to merge renovate/all-minor-patch into master

This MR contains the following updates:

| Package | Change |
|---|---|
| Django (source, changelog) | ==3.2.10 -> ==3.2.11 |
| core-js | 3.20.0 -> 3.20.3 |
| django-axes | ==5.28.0 -> ==5.31.0 |
| eslint-plugin-vue (source) | 8.2.0 -> 8.3.0 |
| node | 12.22.7-alpine -> 12.22.9-alpine |
| prospector (source) | ==1.5.3.1 -> ==1.6.0 |
| psycopg2-binary (source, changelog) | ==2.9.2 -> ==2.9.3 |
| requests (source, changelog) | ==2.26.0 -> ==2.27.1 |
| sphinx (source) | ==4.3.1 -> ==4.4.0 |
| sqlalchemy (changelog) | ==1.4.28 -> ==1.4.29 |

Release Notes

django/django

v3.2.11

Compare Source

zloirock/core-js

v3.20.3

Compare Source

  • Detects and replaces broken third-party Function#bind polyfills, uses only native Function#bind in the internals
  • structuredClone should throw an error if no arguments passed
  • Changed the structure of notes in __core-js_shared__

v3.20.2

Compare Source

v3.20.1

Compare Source

  • Fixed the order of calling reactions of already fulfilled / rejected promises in Promise.prototype.then, #​1026
  • Fixed possible memory leak in specific promise chains
  • Fixed some missed dependencies of entries
  • Added Deno 1.18 compat data mapping

jazzband/django-axes

v5.31.0

Compare Source

  • Adjust version specifiers for newer Python and other package versions. Set package minimum Python version to 3.7. Relax django-ipware version requirements to allow newer versions. [aleksihakli]

v5.30.0

Compare Source

  • Fix package build error in 5.29.0 to allow publishing. [aleksihakli]

vuejs/eslint-plugin-vue

v8.3.0

Compare Source

🐛 Bug Fixes

️ Updates

Full Changelog: https://github.com/vuejs/eslint-plugin-vue/compare/v8.2.0...v8.3.0

nodejs/node

v12.22.9

Compare Source

This is a security release.

Notable changes

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.

Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

More details will be available at CVE-2021-44531 after publication.

Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)

Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.

Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

More details will be available at CVE-2021-44532 after publication.

Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)

Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.

Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.

More details will be available at CVE-2021-44533 after publication.

Prototype pollution via console.table properties (Low)(CVE-2022-21824)

Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype.

Versions of Node.js with the fix for this use a null prototype for the object these properties are being assigned to.

More details will be available at CVE-2022-21824 after publication.

Thanks to Patrik Oldsberg (rugvip) for reporting this vulnerability.

Commits

v12.22.8

Compare Source

Notable Changes

This release contains a c-ares update to fix a regression introduced in Node.js 12.22.5 resolving CNAME records containing underscores #​39780.

Root certificates have been updated to those from Mozilla's Network Security Services 3.71 #​40281.

Commits

PyCQA/prospector

v1.6.0

Compare Source

  • #​478 Fixed incompatible version specification of pylint-plugin-utils. This now requires pylint-django of at least 2.5.

Note: This release drops support for Python 3.6.1

psf/requests

v2.27.1

Compare Source

Bugfixes

  • Fixed parsing issue that resulted in the auth component being dropped from proxy URLs. (#​6028)

v2.27.0

Compare Source

Improvements

  • Officially added support for Python 3.10. (#​5928)

  • Added a requests.exceptions.JSONDecodeError to unify JSON exceptions between Python 2 and 3. This gets raised in the response.json() method, and is backwards compatible as it inherits from previously thrown exceptions. Can be caught from requests.exceptions.RequestException as well. (#​5856)

  • Improved error text for misnamed InvalidSchema and MissingSchema exceptions. This is a temporary fix until exceptions can be renamed (Schema->Scheme). (#​6017)

  • Improved proxy parsing for proxy URLs missing a scheme. This will address recent changes to urlparse in Python 3.9+. (#​5917)

Bugfixes

  • Fixed defect in extract_zipped_paths which could result in an infinite loop for some paths. (#​5851)

  • Fixed handling for AttributeError when calculating length of files obtained by Tarfile.extractfile(). (#​5239)

  • Fixed urllib3 exception leak, wrapping urllib3.exceptions.InvalidHeader with requests.exceptions.InvalidHeader. (#​5914)

  • Fixed bug where two Host headers were sent for chunked requests. (#​5391)

  • Fixed regression in Requests 2.26.0 where Proxy-Authorization was incorrectly stripped from all requests sent with Session.send. (#​5924)

  • Fixed performance regression in 2.26.0 for hosts with a large number of proxies available in the environment. (#​5924)

  • Fixed idna exception leak, wrapping UnicodeError with requests.exceptions.InvalidURL for URLs with a leading dot (.) in the domain. (#​5414)

Deprecations

  • Requests support for Python 2.7 and 3.6 will be ending in 2022. While we don't have exact dates, Requests 2.27.x is likely to be the last release series providing support.

sphinx-doc/sphinx

v4.4.0

Compare Source

Dependencies

Features added

  • #​9075: autodoc: Add a config variable :confval:autodoc_typehints_format to suppress the leading module names of typehints of function signatures (ex. io.StringIO -> StringIO)
  • #​9831: Autosummary now documents only the members specified in a module's __all__ attribute if :confval:autosummary_ignore_module_all is set to False. The default behaviour is unchanged. Autogen also now supports this behavior with the --respect-module-all switch.
  • #​9555: autosummary: Improve error messages on failure to load target object
  • #​9800: extlinks: Emit warning if a hardcoded link is replaceable by an extlink, suggesting a replacement.
  • #​9961: html: Support nested HTML elements in other HTML builders
  • #​10013: html: Allow to change the loading method of JS via loading_method parameter for :meth:Sphinx.add_js_file()
  • #​9551: html search: "Hide Search Matches" link removes "highlight" parameter from URL
  • #​9815: html theme: Wrap sidebar components in div to allow customizing their layout via CSS
  • #​9827: i18n: Sort items in glossary by translated terms
  • #​9899: py domain: Allows to specify cross-reference specifier (. and ~) as :type: option
  • #​9894: linkcheck: add option linkcheck_exclude_documents to disable link checking in matched documents.
  • #​9793: sphinx-build: Allow to use the parallel build feature on macOS and Python3.8+
  • #​10055: sphinx-build: Create directories when -w option given
  • #​9993: std domain: Allow to refer an inline target (ex. _`target name`) via :rst:role:ref role
  • #​9981: std domain: Strip value part of the option directive from general index
  • #​9391: texinfo: improve variable in samp role
  • #​9578: texinfo: Add :confval:texinfo_cross_references to disable cross references for readability with standalone readers
  • #​9822 (and #​9062), add new Intersphinx role :rst:role:external for explicit lookup in the external projects, without resolving to the local project.

Bugs fixed

  • #​9866: autodoc: doccomment for the imported class was ignored
  • #​9883: autodoc: doccomment for the alias to mocked object was ignored
  • #​9908: autodoc: debug message is shown on building document using NewTypes with Python 3.10
  • #​9968: autodoc: instance variables are not shown if init method has position-only-arguments
  • #​9194: autodoc: types under the "typing" module are not hyperlinked
  • #​10009: autodoc: Crashes if target object raises an error on getting docstring
  • #​10058: autosummary: Imported members are not shown when autodoc_class_signature = 'separated'
  • #​9947: i18n: topic directive having a bullet list can't be translatable
  • #​9878: mathjax: MathJax configuration is placed after loading MathJax itself
  • #​9932: napoleon: empty "returns" section is generated even if no description
  • #​9857: Generated RFC links use outdated base url
  • #​9909: HTML, prevent line-wrapping in literal text.
  • #​10061: html theme: Configuration values added by themes cannot be overridden from conf.py
  • #​10073: imgconverter: Unnecessary availability check is called for "data" URIs
  • #​9925: LaTeX: prohibit also with 'xelatex' line splitting at dashes of inline and parsed literals
  • #​9944: LaTeX: extra vertical whitespace for some nested declarations
  • #​9940: LaTeX: Multi-function declaration in Python domain has cramped vertical spacing in latexpdf output
  • #​10015: py domain: types under the "typing" module are not hyperlinked defined at info-field-list
  • #​9390: texinfo: Do not emit labels inside footnotes
  • #​9413: xml: Invalid XML was generated when cross referencing python objects
  • #​9979: Error level messages were displayed as warning messages
  • #​10057: Failed to scan documents if the project is placed onto the root directory
  • #​9636: code-block: :dedent: without argument did strip newlines

v4.3.2

Compare Source

Bugs fixed

  • #​9917: C and C++, parse fundamental types no matter the order of simple type specifiers.

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This MR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this MR, click this checkbox.

This MR has been generated by Renovate Bot.

Edited by Delta10 Bot
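
The Node.js 12.22.9 notes above (CVE-2021-44532) concern the string form of SANs, and code that reads that string itself has to cope with escaped entries after this update. As an added example (not part of this MR and not Node.js source), here is a parser for the `subjectaltname` string of a peer certificate that handles both plain entries and the quoted JSON-string-literal form the Node.js documentation describes for ambiguous values. The function names, the hostname pattern and the sample string are assumptions constructed for illustration.

```javascript
// Added example (not Node.js source). Parses the string form of a
// certificate's subject alternative names. An entry is `TYPE:value`, or
// `TYPE:"..."` (a JSON string literal) when the value would be ambiguous.
function parseSubjectAltName(san) {
  const entries = [];
  let i = 0;
  while (i < san.length) {
    const colon = san.indexOf(':', i);
    if (colon === -1) throw new Error(`malformed SAN entry at offset ${i}`);
    const type = san.slice(i, colon);
    let value, end;
    if (san[colon + 1] === '"') {
      // Quoted value: scan to the closing quote, stepping over escapes.
      let j = colon + 2;
      while (j < san.length && san[j] !== '"') j += san[j] === '\\' ? 2 : 1;
      if (j >= san.length) throw new Error('unterminated quoted SAN value');
      end = j + 1;
      value = JSON.parse(san.slice(colon + 1, end));
    } else {
      // Unquoted value: runs to the next ", " separator or end of string.
      end = san.indexOf(', ', colon + 1);
      if (end === -1) end = san.length;
      value = san.slice(colon + 1, end);
    }
    entries.push({ type, value });
    if (end < san.length && !san.startsWith(', ', end)) {
      throw new Error(`expected ", " at offset ${end}`);
    }
    i = end + 2;
  }
  return entries;
}

// Hostname-shaped DNS names only; anything else is reported, not trusted.
const DNS_NAME = /^(\*\.)?([a-z0-9-]+\.)*[a-z0-9-]+$/i;
function dnsNames(san) {
  const accepted = [], rejected = [];
  for (const { type, value } of parseSubjectAltName(san)) {
    if (type !== 'DNS') continue;
    (DNS_NAME.test(value) ? accepted : rejected).push(value);
  }
  return { accepted, rejected };
}

// Constructed sample, not taken from a real certificate.
const SAMPLE = 'DNS:a.example.com, DNS:"b.example.com\\u002c DNS:c.example.com", IP Address:192.0.2.1';
console.log(dnsNames(SAMPLE));
```

Code that splits the string on `", "` and strips a `DNS:` prefix should be replaced by a parser of this kind, and any DNS value landing in `rejected` is worth logging rather than matching against a hostname.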
