Skip to content

build(deps): bump the pip group across 1 directory with 9 updates #69

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dependabot wants to merge 1 commit into
base: main
Choose a base branch
from
Open

build(deps): bump the pip group across 1 directory with 9 updates #69

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github May 8, 2025

Bumps the pip group with 9 updates in the / directory:

Package From To
django 4.2.13 4.2.21
pillow 9.5.0 10.3.0
wagtail 6.1.2 6.1.3
black 23.12.1 24.3.0
certifi 2024.6.2 2024.7.4
cryptography 42.0.7 44.0.1
djangorestframework 3.15.1 3.15.2
urllib3 2.2.1 2.2.2
virtualenv 20.26.2 20.26.6

Updates django from 4.2.13 to 4.2.21

Commits
  • 87175d2 [4.2.x] Bumped version for 4.2.21 release.
  • 9cd8028 [4.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().
  • ca31ca0 [4.2.x] Changed packing recommendation to use pyproject.toml in reusable apps...
  • f4bd564 [4.2.x] Adjusted GitHub Action workflow to test Python versions based off pyp...
  • 3456eee [4.2.x] Fixed #35980 -- Updated setuptools to normalize package names in buil...
  • afe52d8 [4.2.x] Migrated setuptools configuration to pyproject.toml.
  • 35c34ed [4.2.x] Removed obsolete rpm-related install code.
  • 93973d4 [4.2.x] Added upcoming security release to release notes.
  • b3df753 [4.2.x] Refs #36341 -- Added release note for 4.2.21 for fix in wordwrap temp...
  • e61e3da [4.2.x] Fixed #36341 -- Preserved whitespaces in wordwrap template filter.
  • Additional commits viewable in compare view

Updates pillow from 9.5.0 to 10.3.0

Release notes

Sourced from pillow's releases.

10.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html

Deprecations

  • Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() #7927 [@​hugovk]
  • Deprecate ImageCms constants and versions() function #7702 [@​nulano]

Changes

... (truncated)

Changelog

Sourced from pillow's changelog.

10.3.0 (2024-04-01)

  • CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [radarhere, hugovk]

  • Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() #7927 [radarhere, hugovk]

  • Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [radarhere]

  • Add --report argument to __main__.py to omit supported formats #7818 [nulano, radarhere, hugovk]

  • Added RGB to I;16, I;16L, I;16B and I;16N conversion #7918, #7920 [radarhere]

  • Fix editable installation with custom build backend and configuration options #7658 [nulano, radarhere]

  • Fix putdata() for I;16N on big-endian #7209 [Yay295, hugovk, radarhere]

  • Determine MPO size from markers, not EXIF data #7884 [radarhere]

  • Improved conversion from RGB to RGBa, LA and La #7888 [radarhere]

  • Support FITS images with GZIP_1 compression #7894 [radarhere]

  • Use I;16 mode for 9-bit JPEG 2000 images #7900 [scaramallion, radarhere]

  • Raise ValueError if kmeans is negative #7891 [radarhere]

  • Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [radarhere]

  • Raise ValueError for negative values when loading P1-P3 PPM images #7882 [radarhere]

  • Added reading of JPEG2000 palettes #7870 [radarhere]

  • Added alpha_quality argument when saving WebP images #7872 [radarhere]

... (truncated)

Commits
  • 5c89d88 10.3.0 version bump
  • 63cbfcf Update CHANGES.rst [ci skip]
  • 2776126 Merge pull request #7928 from python-pillow/lcms
  • aeb51cb Merge branch 'main' into lcms
  • 5beb0b6 Update CHANGES.rst [ci skip]
  • cac6ffa Merge pull request #7927 from python-pillow/imagemath
  • f5eeeac Name as 'options' in lambda_eval and unsafe_eval, but '_dict' in deprecated eval
  • facf3af Added release notes
  • 2a93aba Use strncpy to avoid buffer overflow
  • a670597 Update CHANGES.rst [ci skip]
  • Additional commits viewable in compare view

Updates wagtail from 6.1.2 to 6.1.3

Release notes

Sourced from wagtail's releases.

6.1.3

  • Fix: CVE-2024-39317: Regular expression denial-of-service via search query parsing (Jake Howard)
  • Fix: Allow renditions of .ico images (Julie Rymer)
  • Fix: Handle choice groups as dictionaries in active filters (Sébastien Corbin)
  • Fix: Fix image preview when Willow optimizers are enabled (Alex Tomkins)
  • Fix: Fix dynamic image serve view with certain backends (Sébastien Corbin)
Changelog

Sourced from wagtail's changelog.

6.1.3 (11.07.2024)


 * Fix: CVE-2024-39317: Regular expression denial-of-service via search query parsing (Jake Howard)
 * Fix: Allow renditions of `.ico` images (Julie Rymer)
 * Fix: Handle choice groups as dictionaries in active filters (Sébastien Corbin)
 * Fix: Fix image preview when Willow optimizers are enabled (Alex Tomkins)
 * Fix: Fix dynamic image serve view with certain backends (Sébastien Corbin)
Commits
  • 7af87e0 Fix test syntax for Python<=3.11
  • d30104e Fetch new translations from Transifex
  • 2fce5db Version bump to 6.1.3
  • d4bb265 Add release notes / fill in release date for 6.1.3
  • 73d928e Add release notes for 6.0.6
  • bbebc50 Add release notes for 5.2.6
  • b783c09 Require word boundaries before search query filters (CVE-2024-39317)
  • 1071aa6 Fix #11716: Failure in Dynamic Image ServeView
  • 747d70e Fix image preview when Willow optimizers are enabled (#12047)
  • 98a29a0 Handle choice groups in active filters and support dictionaries as choices (#...
  • Additional commits viewable in compare view

Updates black from 23.12.1 to 24.3.0

Release notes

Sourced from black's releases.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

  • Don't move comments along with delimiters, which could cause crashes (#4248)
  • Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
  • Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

  • Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

  • Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

  • Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

  • Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
  • Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
  • Checking for newline before adding one on docstring that is almost at the line limit (#4185)
  • Remove redundant parentheses in case statement if guards (#4214).

Configuration

... (truncated)

Changelog

Sourced from black's changelog.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

  • Don't move comments along with delimiters, which could cause crashes (#4248)
  • Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
  • Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

  • Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

  • Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

  • Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

  • Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
  • Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
  • Checking for newline before adding one on docstring that is almost at the line limit (#4185)
  • Remove redundant parentheses in case statement if guards (#4214).

... (truncated)

Commits

Updates certifi from 2024.6.2 to 2024.7.4

Commits

Updates cryptography from 42.0.7 to 44.0.1

Changelog

Sourced from cryptography's changelog.

44.0.1 - 2025-02-11


* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.1.
* We now build ``armv7l`` ``manylinux`` wheels and publish them to PyPI.
* We now build ``manylinux_2_34`` wheels and publish them to PyPI.

.. _v44-0-0:


44.0.0 - 2024-11-27

  • BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.9.
  • Deprecated Python 3.7 support. Python 3.7 is no longer supported by the Python core team. Support for Python 3.7 will be removed in a future cryptography release.
  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.0.
  • macOS wheels are now built against the macOS 10.13 SDK. Users on older versions of macOS should upgrade, or they will need to build cryptography themselves.
  • Enforce the :rfc:5280 requirement that extended key usage extensions must not be empty.
  • Added support for timestamp extraction to the :class:~cryptography.fernet.MultiFernet class.
  • Relax the Authority Key Identifier requirements on root CA certificates during X.509 verification to allow fields permitted by :rfc:5280 but forbidden by the CA/Browser BRs.
  • Added support for :class:~cryptography.hazmat.primitives.kdf.argon2.Argon2id when using OpenSSL 3.2.0+.
  • Added support for the :class:~cryptography.x509.Admissions certificate extension.
  • Added basic support for PKCS7 decryption (including S/MIME 3.2) via :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der, :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem, and :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime.

.. _v43-0-3:

43.0.3 - 2024-10-18


* Fixed release metadata for ``cryptography-vectors``

.. _v43-0-2:


43.0.2 - 2024-10-18

  • Fixed compilation when using LibreSSL 4.0.0.

.. _v43-0-1:

... (truncated)

Commits

Updates djangorestframework from 3.15.1 to 3.15.2

Release notes

Sourced from djangorestframework's releases.

3.15.2

What's Changed

New Contributors

Full Changelog: encode/django-rest-framework@3.15.1...3.15.2

Commits
  • c7a7eae Version 3.15.2 (#9439)
  • 3b41f01 Fix potential XSS vulnerability in break_long_headers template filter (#9435)
  • fe92f0d Add __hash__ method for permissions.OperandHolder class (#9417)
  • fbdab09 docs: Correct some evaluation results and a httpie option in Tutorial1 (#9421)
  • 36d5c0e tests: Check urlpatterns after cleanups (#9400)
  • 9d4ed05 Don't use Windows line endings
  • b34bde4 Fix typo in setup.cfg setting
  • ab681f2 Update requirements in docs
  • 2237724 bump pygments (security hygiene)
  • d58b8da Update deprecation hints
  • Additional commits viewable in compare view

Updates urllib3 from 2.2.1 to 2.2.2

Release notes

Sourced from urllib3's releases.

2.2.2

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support for 2023. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

  • Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.
  • Allowed passing negative integers as amt to read methods of http.client.HTTPResponse as an alternative to None. (#3122)
  • Fixed return types representing copying actions to use typing.Self. (#3363)

Full Changelog: urllib3/urllib3@2.2.1...2.2.2

Changelog

Sourced from urllib3's changelog.

2.2.2 (2024-06-17)

  • Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.
  • Allowed passing negative integers as amt to read methods of http.client.HTTPResponse as an alternative to None. ([#3122](https://github.com/urllib3/urllib3/issues/3122) <https://github.com/urllib3/urllib3/issues/3122>__)
  • Fixed return types representing copying actions to use typing.Self. ([#3363](https://github.com/urllib3/urllib3/issues/3363) <https://github.com/urllib3/urllib3/issues/3363>__)
Commits

Updates virtualenv from 20.26.2 to 20.26.6

Release notes

Sourced from virtualenv's releases.

20.26.6

What's Changed

New Contributors

Full Changelog: pypa/virtualenv@20.26.5...20.26.6

20.26.5

What's Changed

Full Changelog: pypa/virtualenv@20.26.4...20.26.5

20.26.4

What's Changed

New Contributors

Full Changelog: pypa/virtualenv@20.26.3...20.26.4

20.26.3

What's Changed

Full Changelog: pypa/virtualenv@20.26.2...20.26.3

Changelog

Sourced from virtualenv's changelog.

v20.26.6 (2024-09-27)

Bugfixes - 20.26.6

- Properly quote string placeholders in activation script templates to mitigate
  potential command injection - by :user:`y5c4l3`. (:issue:`2768`)

v20.26.5 (2024-09-17)


Bugfixes - 20.26.5

  • Upgrade embedded wheels: setuptools to 75.1.0 from 74.1.2 - by :user:gaborbernat. (:issue:2765)

v20.26.4 (2024-09-07)

Bugfixes - 20.26.4

- no longer create `()` output in console during activation of a virtualenv by .bat file. (:issue:`2728`)
- Upgrade embedded wheels:

    

  • wheel to 0.44.0 from 0.43.0
    • 

  • pip to 24.2 from 24.1
    • 

  • setuptools to 74.1.2 from 70.1.0 (:issue:2760)
    • 



v20.26.3 (2024-06-21)


Bugfixes - 20.26.3

  • Upgrade embedded wheels:

    • setuptools to 70.1.0 from 69.5.1
    • pip to 24.1 from 24.0 (:issue:2741)
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump the pip group across 1 directory with 9 updates
f406c75 
Bumps the pip group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [django](https://github.com/django/django) | `4.2.13` | `4.2.21` |
| [pillow](https://github.com/python-pillow/Pillow) | `9.5.0` | `10.3.0` |
| [wagtail](https://github.com/wagtail/wagtail) | `6.1.2` | `6.1.3` |
| [black](https://github.com/psf/black) | `23.12.1` | `24.3.0` |
| [certifi](https://github.com/certifi/python-certifi) | `2024.6.2` | `2024.7.4` |
| [cryptography](https://github.com/pyca/cryptography) | `42.0.7` | `44.0.1` |
| [djangorestframework](https://github.com/encode/django-rest-framework) | `3.15.1` | `3.15.2` |
| [urllib3](https://github.com/urllib3/urllib3) | `2.2.1` | `2.2.2` |
| [virtualenv](https://github.com/pypa/virtualenv) | `20.26.2` | `20.26.6` |



Updates `django` from 4.2.13 to 4.2.21
- [Commits](django/django@4.2.13...4.2.21)

Updates `pillow` from 9.5.0 to 10.3.0
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@9.5.0...10.3.0)

Updates `wagtail` from 6.1.2 to 6.1.3
- [Release notes](https://github.com/wagtail/wagtail/releases)
- [Changelog](https://github.com/wagtail/wagtail/blob/main/CHANGELOG.txt)
- [Commits](wagtail/wagtail@v6.1.2...v6.1.3)

Updates `black` from 23.12.1 to 24.3.0
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](psf/black@23.12.1...24.3.0)

Updates `certifi` from 2024.6.2 to 2024.7.4
- [Commits](certifi/python-certifi@2024.06.02...2024.07.04)

Updates `cryptography` from 42.0.7 to 44.0.1
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@42.0.7...44.0.1)

Updates `djangorestframework` from 3.15.1 to 3.15.2
- [Release notes](https://github.com/encode/django-rest-framework/releases)
- [Commits](encode/django-rest-framework@3.15.1...3.15.2)

Updates `urllib3` from 2.2.1 to 2.2.2
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.2.1...2.2.2)

Updates `virtualenv` from 20.26.2 to 20.26.6
- [Release notes](https://github.com/pypa/virtualenv/releases)
- [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst)
- [Commits](pypa/virtualenv@20.26.2...20.26.6)

---
updated-dependencies:
- dependency-name: django
  dependency-version: 4.2.21
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pillow
  dependency-version: 10.3.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: wagtail
  dependency-version: 6.1.3
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: black
  dependency-version: 24.3.0
  dependency-type: direct:development
  dependency-group: pip
- dependency-name: certifi
  dependency-version: 2024.7.4
  dependency-type: indirect
  dependency-group: pip
- dependency-name: cryptography
  dependency-version: 44.0.1
  dependency-type: indirect
  dependency-group: pip
- dependency-name: djangorestframework
  dependency-version: 3.15.2
  dependency-type: indirect
  dependency-group: pip
- dependency-name: urllib3
  dependency-version: 2.2.2
  dependency-type: indirect
  dependency-group: pip
- dependency-name: virtualenv
  dependency-version: 20.26.6
  dependency-type: indirect
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies python Pull requests that update python code labels May 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant