This PR contains the following updates:
==1.1.0 -> ==1.3.1
==0.14.3 -> ==0.17.3
==3.1.2 -> ==3.1.4
==3.4.1 -> ==3.6
==1.4.43 -> ==2.0.30
==2.2.2 -> ==3.0.3
v3 -> v4
==22.1.0 -> ==23.2.1
==3.8.3 -> ==3.9.5
==1.8.1 -> ==1.13.1
==3.5.2 -> ==3.8.1
==1.7.7 -> ==2.3.1
==4.0.1 -> ==4.1.3
==4.11.1 -> ==4.12.3
==22.10.0 -> ==24.4.2
==5.0.1 -> ==6.1.0
==6.5.0 -> ==7.5.3
==1.3.0 -> ==2.1.1
==1.10.0 -> ==2.23.2
==0.86.0 -> ==0.111.0
==0.9.0 -> ==1.0.0
==3.8.0 -> ==3.14.0
==5.0.4 -> ==7.0.0
==20.1.0 -> ==22.0.0
11.5.0 -> 11.9.0
==0.23.0 -> ==0.27.0
==5.10.1 -> ==5.13.2
==2.1.2 -> ==2.2.0
==4.9.1 -> ==5.2.2
==0.5.2 -> ==0.8.1
==2.1.1 -> ==2.2.4
==3.8.1 -> ==3.10.3
==1.0.5 -> ==1.1.1
==5.9.1 -> ==7.0.0
==4.21.9 -> ==5.27.0
==1.10.1 -> ==1.15.0
==7.2.0 -> ==8.2.2
==0.20.1 -> ==0.23.7
==4.0.0 -> ==5.0.0
==3.3 -> ==3.4
==3.0.2 -> ==3.6.1
==0.0.5 -> ==0.0.9
==4.3.4 -> ==5.0.4
==2.28.1 -> ==2.32.3
==1.10.1 -> ==2.4.0
==0.19.0 -> ==0.30.1
Release Notes
lepture/authlib (Authlib)
v1.3.1: Version 1.3.1
Prevent OctKey to import ssh and PEM strings.

v1.3.0: Version 1.3.0
Bug fixes
Breaking changes

v1.2.1: Version 1.2.1
ClientSecretJWT.sign method, via #552
authorize_redirect for Starlette v0.26.0, via #533
has_client_secret method and documentation, via #513
request_invalid and token_revoked remaining occurrences and documentation. #514
grant_types and response_types default values, via #509

v1.2.0: Version 1.2.0
request.body to ResourceProtector, #485.
flask.g instead of _app_ctx_stack, #482.
headers parameter back to ClientSecretJWT, #457.
realm parameter in OAuth 1 clients, #339.
default_timeout for requests OAuth2Session and AssertionSession.
jwk.loads and jwk.dumps
pgjones/hypercorn (Hypercorn)
v0.17.3

v0.17.2

v0.17.1

v0.17.0
ProxyFixMiddleware.
is accepted.

v0.16.0
the HTTP/2 rapid reset attack.
proxy.
manage memory leaks in apps.
flushing.
headers on first response byte, erroring if start_response is not called, and switching wsgi.errors to stdout.
race conditions.

v0.15.0
found.
failures.
memory leak issues.
is being used.
systems that don't support multiprocessing.

v0.14.4
unmaintained toml library.
client-only code).
0.22 is not supported).
machines.
pallets/jinja (Jinja2)
v3.1.4
Released 2024-05-05
xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. :ghsa:h75v-3vvj-5mfj

v3.1.3
Released 2024-01-10
empty. :pr:1858
xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
{% trans %} blocks more helpful. :pr:1918
Python-Markdown/markdown (Markdown)
v3.6

Changed
Refactor TOC Sanitation
striptags is provided to convert headings to plain text. Unlike the markupsafe implementation, HTML entities are not unescaped.
name, rich html, and unescaped raw data-toc-label are saved to toc_tokens, allowing users to access the full rich text content of the headings directly from toc_tokens.
data-toc-label is sanitized separate from heading content before being written to name. This fixes a bug which allowed markup through in certain circumstances. To access the raw unsanitized data, retrieve the value from token['data-toc-label'] directly.
html.unescape call is made just prior to calling slugify so that slugify only operates on Unicode characters. Note that html.unescape is not run on name, html, or data-toc-label.
get_name and stashedHTML2text defined in the toc extension are both deprecated. Instead, third party extensions should use some combination of the new functions run_postprocessors, render_inner_html and striptags.

Fixed
scripts/*.py in the generated source tarballs (#1430).
^) and square brackets (]) but explicitly exclude backslashes (\) from abbreviations (#1444).
attr_list, fenced_code), quoted attribute values are now allowed to contain curly braces (}) (#1414).

v3.5.2

Fixed
convertFile - it accepts only bytes-based buffers. Also remove legacy checks from Python 2 (#1400)
AdmonitionProcessor.content_indent unset (#1404)
InlineProcessor with AtomicString (#1406).
codehilite with an empty code tag (#1405).

v3.5.1

Fixed
trigger quadratic line counting behavior (#1392).

v3.5

v3.4.4

v3.4.3

v3.4.2
actions/checkout (actions/checkout)
v4
Tinche/aiofiles (aiofiles)
v23.2.1: 23.2.1
os.statvfs conditionally to fix importing on non-UNIX systems. #171 #172

v23.2.0: 23.2.0
#166 #168
aiofiles.tempfile.NamedTemporaryFile now accepts a delete_on_close argument, just like the stdlib version.
aiofiles.tempfile.NamedTemporaryFile no longer exposes a delete attribute, just like the stdlib version.
aiofiles.os.statvfs and aiofiles.os.path.ismount. #162
#169

v23.1.0
aio-libs/aiohttp (aiohttp)
v3.9.5

Bug fixes

Fixed "Unclosed client session" when initialization of :py:class:~aiohttp.ClientSession fails -- by :user:NewGlad.
Related issues and pull requests on GitHub: :issue:8253.

Fixed regression (from :pr:8280) with adding Content-Disposition to the form-data part after appending to writer -- by :user:Dreamsorcerer/:user:Olegt0rr.
Related issues and pull requests on GitHub: :issue:8332.

Added default Content-Disposition in multipart/form-data responses to avoid broken form-data responses -- by :user:Dreamsorcerer.
Related issues and pull requests on GitHub: :issue:8335.

v3.9.4

Bug fixes

The asynchronous internals now set the underlying causes when assigning exceptions to the future objects -- by :user:webknjaz.
Related issues and pull requests on GitHub: :issue:8089.

Treated values of Accept-Encoding header as case-insensitive when checking for gzip files -- by :user:steverep.
Related issues and pull requests on GitHub: :issue:8104.

Improved the DNS resolution performance on cache hit -- by :user:bdraco.
This is achieved by avoiding an :mod:asyncio task creation in this case.
Related issues and pull requests on GitHub: :issue:8163.

Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append, :meth:aiohttp.MultipartWriter.append_json and :meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny
Related issues and pull requests on GitHub: :issue:7741.

Ensure websocket transport is closed when client does not close it -- by :user:bdraco.
The transport could remain open if the client did not close it. This change ensures the transport is closed when the client does not close it.
Related issues and pull requests on GitHub: :issue:8200.

Leave websocket transport open if receive times out or is cancelled -- by :user:bdraco.
This restores the behavior prior to the change in #7978.
Related issues and pull requests on GitHub: :issue:8251.

Fixed content not being read when an upgrade request was not supported with the pure Python implementation. -- by :user:bdraco.
Related issues and pull requests on GitHub: :issue:8252.

Fixed a race condition with incoming connections during server shutdown -- by :user:Dreamsorcerer.
Related issues and pull requests on GitHub: :issue:8271.

Fixed multipart/form-data compliance with :rfc:7578 -- by :user:Dreamsorcerer.
Related issues and pull requests on GitHub: :issue:8280.

Fixed blocking I/O in the event loop while processing files in a POST request -- by :user:bdraco.
Related issues and pull requests on GitHub: :issue:8283.

Escaped filenames in static view -- by :user:bdraco.
Related issues and pull requests on GitHub: :issue:8317.

Fixed the pure python parser to mark a connection as closing when a response has no length -- by :user:Dreamsorcerer.
Related issues and pull requests on GitHub: :issue:8320.

Features

Upgraded llhttp to 9.2.1, and started rejecting obsolete line folding in Python parser to match -- by :user:Dreamsorcerer.
Related issues and pull requests on GitHub: :issue:8146, :issue:8292.

Deprecations (removal in next major release)

Deprecated content_transfer_encoding parameter in :py:meth:FormData.add_field() <aiohttp.FormData.add_field> -- by :user:Dreamsorcerer.
Related issues and pull requests on GitHub: :issue:8280.

Improved documentation

Added a note about canceling tasks to avoid delaying server shutdown -- by :user:Dreamsorcerer.
Related issues and pull requests on GitHub: :issue:8267.

Contributor-facing changes

The pull request template is now asking the contributors to answer a question about the long-term maintenance challenges they envision as a result of merging their patches -- by :user:webknjaz.
Related issues and pull requests on GitHub: :issue:8099.

Updated CI and documentation to use NPM clean install and upgrade node to version 18 -- by :user:steverep.
Related issues and pull requests on GitHub: :issue:8116.

A pytest fixture hello_txt was introduced to aid static file serving tests in :file:test_web_sendfile_functional.py. It dynamically provisions hello.txt file variants shared across the tests in the module. -- by :user:steverep
Related issues and pull requests on GitHub: :issue:8136.

Packaging updates and notes for downstreams

Added an internal pytest marker for tests which should be skipped by packagers (use -m 'not internal' to disable them) -- by :user:Dreamsorcerer.
Related issues and pull requests on GitHub: :issue:8299.

v3.9.3

Bug fixes

Fixed backwards compatibility breakage (in 3.9.2) of ssl parameter when set outside of ClientSession (e.g. directly in TCPConnector) -- by :user:Dreamsorcerer.
Related issues and pull requests on GitHub: :issue:8097, :issue:8098.

Miscellaneous internal changes

Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.
Related issues and pull requests on GitHub: :issue:3957.

v3.9.2

Bug fixes

Fixed server-side websocket connection leak.
Related issues and pull requests on GitHub: :issue:7978.

Fixed web.FileResponse doing blocking I/O in the event loop.
Related issues and pull requests on GitHub: :issue:8012.

Fixed double compress when compression enabled and compressed file exists in server file responses.
Related issues and pull requests on GitHub: :issue:8014.

Added runtime type check for ClientSession timeout parameter.
Related issues and pull requests on GitHub: :issue:8021.

Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.
Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
Invalid header field names containing question mark or slash are now rejected.
Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.
Related issues and pull requests on GitHub: :issue:8074.

Improved validation of paths for static resources requests to the server -- by :user:bdraco.
Related issues and pull requests on GitHub: :issue:8079.

Features

Added support for passing :py:data:True to ssl parameter in ClientSession while deprecating :py:data:None -- by :user:xiangyan99.
Related issues and pull requests on GitHub: :issue:7698.

Breaking changes

Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.
Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
Invalid header field names containing question mark or slash are now rejected.
Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.
Related issues and pull requests on GitHub: :issue:8074.

Improved documentation

Fixed examples of fallback_charset_resolver function in the :doc:client_advanced document. -- by :user:henry0312.
Related issues and pull requests on GitHub: :issue:7995.

The Sphinx setup was updated to avoid showing the empty changelog draft section in the tagged release documentation builds on Read The Docs -- by :user:webknjaz.
Related issues and pull requests on GitHub: :issue:8067.

Packaging updates and notes for downstreams

The changelog categorization was made clearer. The contributors can now mark their fragment files more accurately -- by :user:webknjaz.
The new category tags are:

Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate. View repository job log here.