fix(deps): update all non-major dependencies (!68) · Merge requests · Information Services / DevOps / Identity and Access Management / University Card management / Card Client

This MR contains the following updates:

Package	Type	Update	Change
Lucas-C/pre-commit-hooks-safety	repository	minor	`v1.3.3` -> `v1.4.2`
progress	dependencies	patch	`1.6` -> `1.6.1`
psf/black	repository	minor	`23.3.0` -> `23.12.1`
pycqa/flake8	repository	minor	`7.1.0` -> `7.3.0`
registry.gitlab.developers.cam.ac.uk/uis/devops/infra/dockerimages/python	final	minor	`3.11-slim` -> `3.13-slim`
requests (source, changelog)	dependencies	minor	`~2.26.0` -> `~2.32.0`
tobix/pywine	image	minor	`3.11` -> `3.13`
uis/devops/continuous-delivery/ci-templates	repository	minor	`v7.6.2` -> `v7.14.1`

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.

Release Notes

Lucas-C/pre-commit-hooks-safety (Lucas-C/pre-commit-hooks-safety)

`v1.4.2`: Allowing --disable-optional-telemetry-data

Compare Source

Fixed

Allowed --disable-optional-telemetry-data to be specified instead of --disable-optional-telemetry

`v1.4.1`: More robust requirements path check & using safety<=2.3.5

Compare Source

Added

Add more robust requirements path check - cf. MR #55

Fixed

Added constraint safety<=2.3.5 in setup.py in order to be able to still use the check command. A future-proof solution could be to create a new python-safety-dependencies-scan hook, cf. issue #52

`v1.4.0`

Compare Source

Added

support for Poetry 2.0.0 - cf. MR #55

psf/black (psf/black)

`v23.12.1`

Compare Source

Packaging

Fixed a bug that included dependencies from the d extra by default (#4108)

`v23.12.0`

Compare Source

Highlights

It's almost 2024, which means it's time for a new edition of Black's stable style! Together with this release, we'll put out an alpha release 24.1a1 showcasing the draft 2024 stable style, which we'll finalize in the January release. Please try it out and share your feedback.

This release (23.12.0) will still produce the 2023 style. Most but not all of the changes in --preview mode will be in the 2024 stable style.

Stable style

Fix bug where # fmt: off automatically dedents when used with the --line-ranges option, even when it is not within the specified line range. (#4084)
Fix feature detection for parenthesized context managers (#4104)

Preview style

Prefer more equal signs before a break when splitting chained assignments (#4010)
Standalone form feed characters at the module level are no longer removed (#4021)
Additional cases of immediately nested tuples, lists, and dictionaries are now indented less (#4012)
Allow empty lines at the beginning of all blocks, except immediately before a docstring (#4060)
Fix crash in preview mode when using a short --line-length (#4086)
Keep suites consisting of only an ellipsis on their own lines if they are not functions or class definitions (#4066) (#4103)

Configuration

--line-ranges now skips Black's internal stability check in --safe mode. This avoids a crash on rare inputs that have many unformatted same-content lines. (#4034)

Packaging

Upgrade to mypy 1.7.1 (#4049) (#4069)
Faster compiled wheels are now available for CPython 3.12 (#4070)

Integrations

Enable 3.12 CI (#4035)
Build docker images in parallel (#4054)
Build docker images with 3.12 (#4055)

`v23.11.0`

Compare Source

Highlights

Support formatting ranges of lines with the new --line-ranges command-line option (#4020)

Stable style

Fix crash on formatting bytes strings that look like docstrings (#4003)
Fix crash when whitespace followed a backslash before newline in a docstring (#4008)
Fix standalone comments inside complex blocks crashing Black (#4016)
Fix crash on formatting code like await (a ** b) (#3994)
No longer treat leading f-strings as docstrings. This matches Python's behaviour and fixes a crash (#4019)

Preview style

Multiline dicts and lists that are the sole argument to a function are now indented less (#3964)
Multiline unpacked dicts and lists as the sole argument to a function are now also indented less (#3992)
In f-string debug expressions, quote types that are visible in the final string are now preserved (#4005)
Fix a bug where long case blocks were not split into multiple lines. Also enable general trailing comma rules on case blocks (#4024)
Keep requiring two empty lines between module-level docstring and first function or class definition (#4028)
Add support for single-line format skip with other comments on the same line (#3959)

Configuration

Consistently apply force exclusion logic before resolving symlinks (#4015)
Fix a bug in the matching of absolute path names in --include (#3976)

Performance

Fix mypyc builds on arm64 on macOS (#4017)

Integrations

Black's pre-commit integration will now run only on git hooks appropriate for a code formatter (#3940)

`v23.10.1`

Compare Source

Highlights

Maintenance release to get a fix out for GitHub Action edge case (#3957)

Preview style

Fix merging implicit multiline strings that have inline comments (#3956)
Allow empty first line after block open before a comment or compound statement (#3967)

Packaging

Change Dockerfile to hatch + compile black (#3965)

Integrations

The summary output for GitHub workflows is now suppressible using the summary parameter. (#3958)
Fix the action failing when Black check doesn't pass (#3957)

Documentation

It is known Windows documentation CI is broken https://github.com/psf/black/issues/3968

`v23.10.0`

Compare Source

Stable style

Fix comments getting removed from inside parenthesized strings (#3909)

Preview style

Fix long lines with power operators getting split before the line length (#3942)
Long type hints are now wrapped in parentheses and properly indented when split across multiple lines (#3899)
Magic trailing commas are now respected in return types. (#3916)
Require one empty line after module-level docstrings. (#3932)
Treat raw triple-quoted strings as docstrings (#3947)

Configuration

Fix cache versioning logic when BLACK_CACHE_DIR is set (#3937)

Parser

Fix bug where attributes named type were not accepted inside match statements (#3950)
Add support for PEP 695 type aliases containing lambdas and other unusual expressions (#3949)

Output

Black no longer attempts to provide special errors for attempting to format Python 2 code (#3933)
Black will more consistently print stacktraces on internal errors in verbose mode (#3938)

Integrations

The action output displayed in the job summary is now wrapped in Markdown (#3914)

`v23.9.1`

Compare Source

Due to various issues, the previous release (23.9.0) did not include compiled mypyc wheels, which make Black significantly faster. These issues have now been fixed, and this release should come with compiled wheels once again.

There will be no wheels for Python 3.12 due to a bug in mypyc. We will provide 3.12 wheels in a future release as soon as the mypyc bug is fixed.

Packaging

Upgrade to mypy 1.5.1 (#3864)

Performance

Store raw tuples instead of NamedTuples in Black's cache, improving performance and decreasing the size of the cache (#3877)

`v23.9.0`

Compare Source

Preview style

More concise formatting for dummy implementations (#3796)
In stub files, add a blank line between a statement with a body (e.g an if sys.version_info > (3, x):) and a function definition on the same level (#3862)
Fix a bug whereby spaces were removed from walrus operators within subscript(#3823)

Configuration

Black now applies exclusion and ignore logic before resolving symlinks (#3846)

Performance

Avoid importing IPython if notebook cells do not contain magics (#3782)
Improve caching by comparing file hashes as fallback for mtime and size (#3821)

Blackd

Fix an issue in blackd with single character input (#3558)

Integrations

Black now has an official pre-commit mirror. Swapping https://github.com/psf/black to https://github.com/psf/black-pre-commit-mirror in your .pre-commit-config.yaml will make Black about 2x faster (#3828)
The .black.env folder specified by ENV_PATH will now be removed on the completion of the GitHub Action (#3759)

`v23.7.0`

Compare Source

Highlights

Runtime support for Python 3.7 has been removed. Formatting 3.7 code will still be supported until further notice (#3765)

Stable style

Fix a bug where an illegal trailing comma was added to return type annotations using PEP 604 unions (#3735)
Fix several bugs and crashes where comments in stub files were removed or mishandled under some circumstances (#3745)
Fix a crash with multi-line magic comments like type: ignore within parentheses (#3740)
Fix error in AST validation when Black removes trailing whitespace in a type comment (#3773)

Preview style

Implicitly concatenated strings used as function args are no longer wrapped inside parentheses (#3640)
Remove blank lines between a class definition and its docstring (#3692)

Configuration

The --workers argument to Black can now be specified via the BLACK_NUM_WORKERS environment variable (#3743)
.pytest_cache, .ruff_cache and .vscode are now excluded by default (#3691)
Fix Black not honouring pyproject.toml settings when running --stdin-filename and the pyproject.toml found isn't in the current working directory (#3719)
Black will now error if exclude and extend-exclude have invalid data types in pyproject.toml, instead of silently doing the wrong thing (#3764)

Packaging

Upgrade mypyc from 0.991 to 1.3 (#3697)
Remove patching of Click that mitigated errors on Python 3.6 with LANG=C (#3768)

Parser

Add support for the new PEP 695 syntax in Python 3.12 (#3703)

Performance

Speed up Black significantly when the cache is full (#3751)
Avoid importing IPython in a case where we wouldn't need it (#3748)

Output

Use aware UTC datetimes internally, avoids deprecation warning on Python 3.12 (#3728)
Change verbose logging to exactly mirror Black's logic for source discovery (#3749)

Blackd

The blackd argument parser now shows the default values for options in their help text (#3712)

Integrations

Black is now tested with PYTHONWARNDEFAULTENCODING = 1 (#3763)
Update GitHub Action to display black output in the job summary (#3688)

Documentation

Add a CITATION.cff file to the root of the repository, containing metadata on how to cite this software (#3723)
Update the classes and exceptions documentation in Developer reference to match the latest code base (#3755)

pycqa/flake8 (pycqa/flake8)

The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

Added support for Python 3.14.
Dropped support for Python 3.8 following its end of support.

`v2.32.4`

Compare Source

Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS.
Dropped support for pypy 3.9 following its end of support.

`v2.32.3`

Compare Source

Bugfixes

Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)
Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

`v2.32.2`

Compare Source

Deprecations

To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

A minimal (2-line) example has been provided in the linked MR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

`v2.32.1`

Compare Source

Bugfixes

Add missing test certs to the sdist distributed on PyPI.

`v2.32.0`

Compare Source

Security

Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

Improvements

verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
Fixed deserialization bug in JSONDecodeError. (#6629)
Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations

Requests has officially added support for CPython 3.12 (#6503)
Requests has officially added support for PyPy 3.9 and 3.10 (#6641)
Requests has officially dropped support for CPython 3.7 (#6642)
Requests has officially dropped support for PyPy 3.7 and 3.8 (#6641)

Documentation

Various typo fixes and doc improvements.

Packaging

Requests has started adopting some modern packaging practices. The source files for the projects (formerly requests) is now located in src/requests in the Requests sdist. (#6506)
Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system using hatchling. This should not impact the average user, but extremely old versions of packaging utilities may have issues with the new packaging format.

`v2.31.0`

Compare Source

Security

Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.

When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.

In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.

Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.

Full details can be read in our Github Security Advisory and CVE-2023-32681.

`v2.30.0`

Compare Source

Dependencies

⚠️ Added support for urllib3 2.0. ⚠️

This may contain minor breaking changes so we advise careful testing and reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html prior to upgrading.

Users who wish to stay on urllib3 1.x can pin to urllib3<2.

`v2.29.0`

Compare Source

Improvements

Requests now defers chunked requests to the urllib3 implementation to improve standardization. (#6226)
Requests relaxes header component requirements to support bytes/str subclasses. (#6356)

`v2.28.2`

Compare Source

Dependencies

Requests now supports charset_normalizer 3.x. (#6261)

Bugfixes

Updated MissingSchema exception to suggest https scheme rather than http. (#6188)

`v2.28.1`

Compare Source

Improvements

Speed optimization in iter_content with transition to yield from. (#6170)

Dependencies

Added support for chardet 5.0.0 (#6179)
Added support for charset-normalizer 2.1.0 (#6169)

`v2.28.0`

Compare Source

Deprecations

⚠️ Requests has officially dropped support for Python 2.7. ⚠️ (#6091)
Requests has officially dropped support for Python 3.6 (including pypy3.6). (#6091)

Improvements

Wrap JSON parsing issues in Request's JSONDecodeError for payloads without an encoding to make json() API consistent. (#6097)
Parse header components consistently, raising an InvalidHeader error in all invalid cases. (#6154)
Added provisional 3.11 support with current beta build. (#6155)
Requests got a makeover and we decided to paint it black. (#6095)

Bugfixes

Fixed bug where setting CURL_CA_BUNDLE to an empty string would disable cert verification. All Requests 2.x versions before 2.28.0 are affected. (#6074)
Fixed urllib3 exception leak, wrapping urllib3.exceptions.SSLError with requests.exceptions.SSLError for content and iter_content. (#6057)
Fixed issue where invalid Windows registry entries caused proxy resolution to raise an exception rather than ignoring the entry. (#6149)
Fixed issue where entire payload could be included in the error message for JSONDecodeError. (#6036)

`v2.27.1`

Compare Source

Bugfixes

Fixed parsing issue that resulted in the auth component being dropped from proxy URLs. (#6028)

`v2.27.0`

Compare Source

Improvements

Officially added support for Python 3.10. (#5928)
Added a requests.exceptions.JSONDecodeError to unify JSON exceptions between Python 2 and 3. This gets raised in the response.json() method, and is backwards compatible as it inherits from previously thrown exceptions. Can be caught from requests.exceptions.RequestException as well. (#5856)
Improved error text for misnamed InvalidSchema and MissingSchema exceptions. This is a temporary fix until exceptions can be renamed (Schema->Scheme). (#6017)
Improved proxy parsing for proxy URLs missing a scheme. This will address recent changes to urlparse in Python 3.9+. (#5917)

Bugfixes

Fixed defect in extract_zipped_paths which could result in an infinite loop for some paths. (#5851)
Fixed handling for AttributeError when calculating length of files obtained by Tarfile.extractfile(). (#5239)
Fixed urllib3 exception leak, wrapping urllib3.exceptions.InvalidHeader with requests.exceptions.InvalidHeader. (#5914)
Fixed bug where two Host headers were sent for chunked requests. (#5391)
Fixed regression in Requests 2.26.0 where Proxy-Authorization was incorrectly stripped from all requests sent with Session.send. (#5924)
Fixed performance regression in 2.26.0 for hosts with a large number of proxies available in the environment. (#5924)
Fixed idna exception leak, wrapping UnicodeError with requests.exceptions.InvalidURL for URLs with a leading dot (.) in the domain. (#5414)

Deprecations

Requests support for Python 2.7 and 3.6 will be ending in 2022. While we don't have exact dates, Requests 2.27.x is likely to be the last release series providing support.

uis/devops/continuous-delivery/ci-templates (uis/devops/continuous-delivery/ci-templates)