Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump the dependencies group across 1 directory with 5 updates #218

Closed
wants to merge 1 commit into from
Closed

Bump the dependencies group across 1 directory with 5 updates #218

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 20, 2025
edited
Loading

Bumps the dependencies group with 5 updates in the / directory:

Package From To
authlib 1.3.2 1.4.0
zizmor 1.0.0 1.2.2
charset-normalizer 3.4.0 3.4.1
click 8.1.7 8.1.8
urllib3 2.2.3 2.3.0

Updates authlib from 1.3.2 to 1.4.0

Changelog

Sourced from authlib's changelog.

Version 1.4.0

Released on Dec 20, 2024

  • Fix id_token decoding when kid is null. :pr:659
  • Support for Python 3.13. :pr:682
  • Force login if the prompt parameter value is login. :pr:637
  • Support for httpx 0.28, :pr:695

Breaking changes:

  • Stop support for Python 3.8. :pr:682
Commits
  • eb34edf chore: release 1.4.0
  • bc55003 Merge pull request #695 from MeggyCal/master
  • 1d10ff3 Support httpx 0.28
  • 27fb1fd docs: remove starlette.config.Config from docs via #612
  • 5a0ca3c Updated notes on using a cache instance when initializing OAuth. (#693)
  • fbdbbd6 Merge pull request #691 from iSOLveIT/master
  • d36dc38 Fixed typos and grammatical errors in the flask_client docs.
  • 639ca66 doc: changelog for contributions since version 1.3.2
  • 858f7d9 Merge pull request #637 from frankie567/fix/oidc-guess-prompt
  • 1cba980 doc: improve RFC9068 examples in documentation
  • Additional commits viewable in compare view

Updates zizmor from 1.0.0 to 1.2.2

Release notes

Sourced from zizmor's releases.

v1.2.2

Bug Fixes 🐛🔗

Improvements 🌱🔗

  • Fetch failures when running zizmor org/repo are now more informative (#475)

v1.2.1

This is a small corrective release for some SARIF behavior that changed with v1.2.0.

Bug Fixes 🐛🔗

  • SARIF outputs now use relative paths again, but more correctly than before v1.2.0 (#469)

v1.2.0

This release comes with one new audit (bot-conditions), plus a handful of bugfixes and analysis improvements to existing audits.

One bugfix in this release is also a slight behavior change: zizmor now emits SARIF outputs with absolute paths. This should not affect most users, but may make it slightly harder to share SARIF outputs between machines without fully reproducing exact file paths. If this affects you, please let us know!

New Features 🌈🔗

  • New audit: bot-conditions detects spoofable uses of github.actor within dangerous triggers (#460)

Improvements 🌱🔗

  • The unpinned-uses audit no longer flags local reusable workflows or actions as unpinned/unhashed (#439)
  • The excessive-permissions audit has been refactored, and better captures both true positive and true negative cases (#441)
  • The SARIF output mode (--format=sarif) now always returns absolute paths in its location information, rather than attempting to infer a (sometimes incorrect) repository-relative path (#453)
  • zizmor now provides manylinux wheel builds for aarch64 (#457)

Bug Fixes 🐛🔗

  • The template-injection audit no longer considers github.event.pull_request.base.sha dangerous (#445)
  • The artipacked audit now correctly handles the strings 'true' and 'false' as their boolean counterparts (#448)
  • Expressions that span multiple source lines are now parsed correctly (#461)
  • Workflows that contain timeout-minutes: ${{ expr }} are now parsed correctly (#462)

v1.1.1

Fixed

  • Fixed a regression where workflows with calls to unpinned reusable workflows would fail to parse (#437)

v1.1.0

This release comes with one new audit (secrets-inherit), plus a slew of bugfixes and internal refactors that unblock future improvements!

Added🔗

... (truncated)

Changelog

Sourced from zizmor's changelog.

v1.2.2

Bug Fixes 🐛

  • The [excessive-permissions] audit is now more precise about both reusable workflows and reusable workflow calls (#473)

Improvements 🌱

  • Fetch failures when running zizmor org/repo are now more informative (#475)

v1.2.1

This is a small corrective release for some SARIF behavior that changed with v1.2.0.

Bug Fixes 🐛

  • SARIF outputs now use relative paths again, but more correctly than before v1.2.0 (#469)

v1.2.0

This release comes with one new audit ([bot-conditions]), plus a handful of bugfixes and analysis improvements to existing audits.

One bugfix in this release is also a slight behavior change: zizmor now emits SARIF outputs with absolute paths. This should not affect most users, but may make it slightly harder to share SARIF outputs between machines without fully reproducing exact file paths. If this affects you, please let us know!

New Features 🌈

  • New audit: [bot-conditions] detects spoofable uses of github.actor within dangerous triggers (#460)

Improvements 🌱

  • The [unpinned-uses] audit no longer flags local reusable workflows or actions as unpinned/unhashed (#439)
  • The [excessive-permissions] audit has been refactored, and better captures both true positive and true negative cases (#441)
  • The SARIF output mode (--format=sarif) now always returns absolute paths in its location information, rather than attempting to infer a (sometimes incorrect) repository-relative path (#453)
  • zizmor now provides manylinux wheel builds for aarch64 (#457)

Bug Fixes 🐛

... (truncated)

Commits

Updates charset-normalizer from 3.4.0 to 3.4.1

Release notes

Sourced from charset-normalizer's releases.

Version 3.4.1

🚀 We're still raising awareness around HTTP/2, and HTTP/3!

Did you know that Internet Explorer 11 shipped with an optional HTTP/2 support back in 2013? also libcurl did ship it in 2014[...] Using Requests today is the rough equivalent of using EOL Windows 8! We promptly invite Python developers to look at the first drop-in replacement for Requests, namely Niquests. Ship with native WebSocket, SSE, Happy Eyeballs, DNS over HTTPS, and so on[...] All of this while remaining compatible with all Requests prior plug-ins / add-ons.

It leverages charset-normalizer in a better way! Check it out, you will gain up to being 3X faster and get a real/respectable support with it.

3.4.1 (2024-12-24)

Changed

  • Project metadata are now stored using pyproject.toml instead of setup.cfg using setuptools as the build backend.
  • Enforce annotation delayed loading for a simpler and consistent types in the project.
  • Optional mypyc compilation upgraded to version 1.14 for Python >= 3.8

Added

  • pre-commit configuration.
  • noxfile.

Removed

  • build-requirements.txt as per using pyproject.toml native build configuration.
  • bin/integration.py and bin/serve.py in favor of downstream integration test (see noxfile).
  • setup.cfg in favor of pyproject.toml metadata configuration.
  • Unused utils.range_scan function.

Fixed

  • Converting content to Unicode bytes may insert utf_8 instead of preferred utf-8. (#572)
  • Deprecation warning "'count' is passed as positional argument" when converting to Unicode bytes on Python 3.13+
Changelog

Sourced from charset-normalizer's changelog.

3.4.1 (2024-12-24)

Changed

  • Project metadata are now stored using pyproject.toml instead of setup.cfg using setuptools as the build backend.
  • Enforce annotation delayed loading for a simpler and consistent types in the project.
  • Optional mypyc compilation upgraded to version 1.14 for Python >= 3.8

Added

  • pre-commit configuration.
  • noxfile.

Removed

  • build-requirements.txt as per using pyproject.toml native build configuration.
  • bin/integration.py and bin/serve.py in favor of downstream integration test (see noxfile).
  • setup.cfg in favor of pyproject.toml metadata configuration.
  • Unused utils.range_scan function.

Fixed

  • Converting content to Unicode bytes may insert utf_8 instead of preferred utf-8. (#572)
  • Deprecation warning "'count' is passed as positional argument" when converting to Unicode bytes on Python 3.13+
Commits
  • ffdf7f5 🔧 fix long description content-type inferred as rst instead of md
  • c7197b7 📝 fix changelog entries (#582)
  • c390e1f Merge pull request #581 from jawah/refresh-part-2
  • f9d6b8c 🔒 add CODEOWNERS
  • 7ce1ef1 🔧 use ubuntu-22.04 for cibuildwheel in continuous deployment workflow
  • deed205 🔧 update LICENSE copyright
  • f11f571 🔧 include noxfile in sdist
  • 1ec7c06 🔧 update changelog
  • 14b4649 🐛 output(...) replace declarative mark using non iana compliant encoding ...
  • 1b06bc0 Merge branch 'refresh-part-2' of github.com:jawah/charset_normalizer into ref...
  • Additional commits viewable in compare view

Updates click from 8.1.7 to 8.1.8

Release notes

Sourced from click's releases.

8.1.8

This is the Click 8.1.8 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.1.8/ Changes: https://click.palletsprojects.com/en/stable/changes/#version-8-1-8 Milestone https://github.com/pallets/click/milestones/23?closed=1

  • Fix an issue with type hints for click.open_file(). #2717
  • Fix issue where error message for invalid click.Path displays on multiple lines. #2697
  • Fixed issue that prevented a default value of "" from being displayed in the help for an option. #2500
  • The test runner handles stripping color consistently on Windows. #2705
  • Show correct value for flag default when using default_map. #2632
  • Fix click.echo(color=...) passing color to coloroma so it can be forced on Windows. #2606.
  • More robust bash version check, fixing problem on Windows with git-bash. #2638
  • Cache the help option generated by the help_option_names setting to respect its eagerness. #2811
  • Replace uses of os.system with subprocess.Popen. #1476
  • Exceptions generated during a command will use the context's color setting when being displayed. #2193
  • Error message when defining option with invalid name is more descriptive. #2452
  • Refactor code generating default --help option to deduplicate code. #2563
  • Test CLIRunner resets patched _compat.should_strip_ansi. #2732
Changelog

Sourced from click's changelog.

Version 8.1.8

Unreleased

  • Fix an issue with type hints for click.open_file(). :issue:2717
  • Fix issue where error message for invalid click.Path displays on multiple lines. :issue:2697
  • Fixed issue that prevented a default value of "" from being displayed in the help for an option. :issue:2500
  • The test runner handles stripping color consistently on Windows. :issue:2705
  • Show correct value for flag default when using default_map. :issue:2632
  • Fix click.echo(color=...) passing color to coloroma so it can be forced on Windows. :issue:2606.
Commits

Updates urllib3 from 2.2.3 to 2.3.0

Release notes

Sourced from urllib3's releases.

2.3.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support for 2023. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Features

  • Added HTTPResponse.shutdown() to stop any ongoing or future reads for a specific response. It calls shutdown(SHUT_RD) on the underlying socket. This feature was sponsored by LaunchDarkly. (urllib3/urllib3#2868)
  • Added support for JavaScript Promise Integration on Emscripten. This enables more efficient WebAssembly requests and streaming, and makes it possible to use in Node.js if you launch it as node --experimental-wasm-stack-switching. (urllib3/urllib3#3400)
  • Added the proxy_is_tunneling property to HTTPConnection and HTTPSConnection. (urllib3/urllib3#3285)
  • Added pickling support to NewConnectionError and NameResolutionError. (urllib3/urllib3#3480)

Bugfixes

  • Fixed an issue in debug logs where the HTTP version was rendering as "HTTP/11" instead of "HTTP/1.1". (urllib3/urllib3#3489)

Deprecations and Removals

Full Changelog: urllib3/urllib3@2.2.3...2.3.0

Changelog

Sourced from urllib3's changelog.

2.3.0 (2024-12-22)

Features

  • Added HTTPResponse.shutdown() to stop any ongoing or future reads for a specific response. It calls shutdown(SHUT_RD) on the underlying socket. This feature was sponsored by LaunchDarkly <https://opencollective.com/urllib3/contributions/815307>. ([#2868](https://github.com/urllib3/urllib3/issues/2868) <https://github.com/urllib3/urllib3/issues/2868>)
  • Added support for JavaScript Promise Integration on Emscripten. This enables more efficient WebAssembly requests and streaming, and makes it possible to use in Node.js if you launch it as node --experimental-wasm-stack-switching. ([#3400](https://github.com/urllib3/urllib3/issues/3400) <https://github.com/urllib3/urllib3/issues/3400>__)
  • Added the proxy_is_tunneling property to HTTPConnection and HTTPSConnection. ([#3285](https://github.com/urllib3/urllib3/issues/3285) <https://github.com/urllib3/urllib3/issues/3285>__)
  • Added pickling support to NewConnectionError and NameResolutionError. ([#3480](https://github.com/urllib3/urllib3/issues/3480) <https://github.com/urllib3/urllib3/issues/3480>__)

Bugfixes

  • Fixed an issue in debug logs where the HTTP version was rendering as "HTTP/11" instead of "HTTP/1.1". ([#3489](https://github.com/urllib3/urllib3/issues/3489) <https://github.com/urllib3/urllib3/issues/3489>__)

Deprecations and Removals

  • Removed support for Python 3.8. ([#3492](https://github.com/urllib3/urllib3/issues/3492) <https://github.com/urllib3/urllib3/issues/3492>__)
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jan 20, 2025
@dependabot dependabot bot mentioned this pull request Jan 20, 2025
Closed
@dependabot
Bump the dependencies group across 1 directory with 5 updates
576501c 
Bumps the dependencies group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [authlib](https://github.com/lepture/authlib) | `1.3.2` | `1.4.0` |
| [zizmor](https://github.com/woodruffw/zizmor) | `1.0.0` | `1.2.2` |
| [charset-normalizer](https://github.com/jawah/charset_normalizer) | `3.4.0` | `3.4.1` |
| [click](https://github.com/pallets/click) | `8.1.7` | `8.1.8` |
| [urllib3](https://github.com/urllib3/urllib3) | `2.2.3` | `2.3.0` |



Updates `authlib` from 1.3.2 to 1.4.0
- [Release notes](https://github.com/lepture/authlib/releases)
- [Changelog](https://github.com/lepture/authlib/blob/master/docs/changelog.rst)
- [Commits](lepture/authlib@v1.3.2...v1.4.0)

Updates `zizmor` from 1.0.0 to 1.2.2
- [Release notes](https://github.com/woodruffw/zizmor/releases)
- [Changelog](https://github.com/woodruffw/zizmor/blob/main/docs/release-notes.md)
- [Commits](woodruffw/zizmor@v1.0.0...v1.2.2)

Updates `charset-normalizer` from 3.4.0 to 3.4.1
- [Release notes](https://github.com/jawah/charset_normalizer/releases)
- [Changelog](https://github.com/jawah/charset_normalizer/blob/master/CHANGELOG.md)
- [Commits](jawah/charset_normalizer@3.4.0...3.4.1)

Updates `click` from 8.1.7 to 8.1.8
- [Release notes](https://github.com/pallets/click/releases)
- [Changelog](https://github.com/pallets/click/blob/main/CHANGES.rst)
- [Commits](pallets/click@8.1.7...8.1.8)

Updates `urllib3` from 2.2.3 to 2.3.0
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.2.3...2.3.0)

---
updated-dependencies:
- dependency-name: authlib
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: zizmor
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: charset-normalizer
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: click
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: urllib3
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/pip/dependencies-83cca39997 branch from 6e91c3a to 576501c Compare January 27, 2025 12:06
@dependabot Dependabot
Copy link
Contributor Author

dependabot bot commented on behalf of github Feb 3, 2025

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Feb 3, 2025
@dependabot dependabot bot deleted the dependabot/pip/dependencies-83cca39997 branch February 3, 2025 12:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file python Pull requests that update Python code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants