Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build(deps): bump the pip group across 1 directory with 8 updates #37

Closed
wants to merge 1 commit into from
Closed

build(deps): bump the pip group across 1 directory with 8 updates #37

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 21, 2024

Bumps the pip group with 8 updates in the /tests/integration_tests directory:

Package From To
black 22.10.0 24.3.0
grpcio 1.50.0 1.53.2
aiohttp 3.8.3 3.9.4
certifi 2022.12.7 2023.7.22
idna 3.4 3.7
pycryptodome 3.15.0 3.19.1
requests 2.28.1 2.32.0
urllib3 1.26.12 1.26.18

Updates black from 22.10.0 to 24.3.0

Release notes

Sourced from black's releases.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

  • Don't move comments along with delimiters, which could cause crashes (#4248)
  • Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
  • Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

  • Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

  • Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

  • Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

  • Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
  • Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
  • Checking for newline before adding one on docstring that is almost at the line limit (#4185)
  • Remove redundant parentheses in case statement if guards (#4214).

Configuration

... (truncated)

Changelog

Sourced from black's changelog.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

  • Don't move comments along with delimiters, which could cause crashes (#4248)
  • Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
  • Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

  • Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

  • Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

  • Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

  • Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
  • Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
  • Checking for newline before adding one on docstring that is almost at the line limit (#4185)
  • Remove redundant parentheses in case statement if guards (#4214).

... (truncated)

Commits

Updates grpcio from 1.50.0 to 1.53.2

Release notes

Sourced from grpcio's releases.

Release v1.53.2

This is release gRPC Core 1.53.2 (glockenspiel).

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes.

Core

Release v1.53.1

This is release gRPC Core 1.53.1 (glockenspiel).

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes.

Release v1.53.0

This is release 1.53.0 (glockenspiel) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • xDS: fix crash when removing the last endpoint from the last locality in weighted_target. (#32592)
  • filter stack: pass peer name up via recv_initial_metadata batch. (#31933)
  • [EventEngine] Add advice against blocking work in callbacks. (#32397)
  • [http2] Dont drop connections on metadata limit exceeded. (#32309)
  • xDS: reject aggregate cluster with empty cluster list. (#32238)
  • Fix Python epoll1 Fork Support. (#32196)
  • server: introduce ServerMetricRecorder API and move per-call reporting from a C++ interceptor to a C-core filter. (#32106)
  • [EventEngine] Add invalid handle types to the public API. (#32202)
  • [EventEngine] Refactoring the EventEngine Test Suite: Part 1. (#32127)
  • xDS: fix WeightedClusters total weight handling. (#32134)

C++

  • Update minimum MSVC version to 2019. (#32615)
  • Use CMake variables for paths in pkg-config files. (#31671)

... (truncated)

Commits
  • afb307f [v1.53.x][Interop] Backport Python image update (#33864)
  • 7a9373b [Backport] [dependency] Restrict cython to less than 3.X (#33770)
  • fdb64a6 [v1.53][Build] Update Phusion baseimage (#33767) (#33836)
  • cdf4186 [PSM Interop] Legacy tests: fix xDS test client build (v1.53.x backport) (#33...
  • ce5b93a [PSM Interop] Legacy test builds always pull the driver from master (v1.53.x ...
  • b24b6ea [release] Bump release version to 1.53.2 (#33709)
  • 1e86ca5 [backport][iomgr][EventEngine] Improve server handling of file descriptor exh...
  • aff3066 [PSM interop] Don't fail url_map target if sub-target already failed (v1.53.x...
  • 539d75c [PSM interop] Don't fail target if sub-target already failed (#33222) (v1.53....
  • 3e79c88 [Release] Bump version to 1.53.1 (on v1.53.x branch) (#33047)
  • Additional commits viewable in compare view

Updates aiohttp from 3.8.3 to 3.9.4

Release notes

Sourced from aiohttp's releases.

3.9.4

Bug fixes

  • The asynchronous internals now set the underlying causes when assigning exceptions to the future objects -- by :user:webknjaz.

    Related issues and pull requests on GitHub: #8089.

  • Treated values of Accept-Encoding header as case-insensitive when checking for gzip files -- by :user:steverep.

    Related issues and pull requests on GitHub: #8104.

  • Improved the DNS resolution performance on cache hit -- by :user:bdraco.

    This is achieved by avoiding an :mod:asyncio task creation in this case.

    Related issues and pull requests on GitHub: #8163.

  • Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append, :meth:aiohttp.MultipartWriter.append_json and :meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny

    Related issues and pull requests on GitHub: #7741.

  • Ensure websocket transport is closed when client does not close it -- by :user:bdraco.

    The transport could remain open if the client did not close it. This change ensures the transport is closed when the client does not close it.

... (truncated)

Changelog

Sourced from aiohttp's changelog.

3.9.4 (2024-04-11)

Bug fixes

  • The asynchronous internals now set the underlying causes when assigning exceptions to the future objects -- by :user:webknjaz.

    Related issues and pull requests on GitHub: :issue:8089.

  • Treated values of Accept-Encoding header as case-insensitive when checking for gzip files -- by :user:steverep.

    Related issues and pull requests on GitHub: :issue:8104.

  • Improved the DNS resolution performance on cache hit -- by :user:bdraco.

    This is achieved by avoiding an :mod:asyncio task creation in this case.

    Related issues and pull requests on GitHub: :issue:8163.

  • Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append, :meth:aiohttp.MultipartWriter.append_json and :meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny

    Related issues and pull requests on GitHub: :issue:7741.

  • Ensure websocket transport is closed when client does not close it -- by :user:bdraco.

    The transport could remain open if the client did not close it. This change ensures the transport is closed when the client does not close it.

... (truncated)

Commits

Updates certifi from 2022.12.7 to 2023.7.22

Commits

Updates idna from 3.4 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

  • Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

  • Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

3.6 (2023-11-25) ++++++++++++++++

  • Fix regression to include tests in source distribution.

3.5 (2023-11-24) ++++++++++++++++

  • Update to Unicode 15.1.0
  • String codec name is now "idna2008" as overriding the system codec "idna" was not working.
  • Fix typing error for codec encoding
  • "setup.cfg" has been added for this release due to some downstream lack of adherence to PEP 517. Should be removed in a future release so please prepare accordingly.
  • Removed reliance on a symlink for the "idna-data" tool to comport with PEP 517 and the Python Packaging User Guide for sdist archives.
  • Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions to this release.

Commits
  • 1d365e1 Release v3.7
  • c1b3154 Merge pull request #172 from kjd/optimize-contextj
  • 0394ec7 Merge branch 'master' into optimize-contextj
  • cd58a23 Merge pull request #152 from elliotwutingfeng/dev
  • 5beb28b More efficient resolution of joiner contexts
  • 1b12148 Update ossf/scorecard-action to v2.3.1
  • d516b87 Update Github actions/checkout to v4
  • c095c75 Merge branch 'master' into dev
  • 60a0a4c Fix typo in GitHub Actions workflow key
  • 5918a0e Merge branch 'master' into dev
  • Additional commits viewable in compare view

Updates pycryptodome from 3.15.0 to 3.19.1

Release notes

Sourced from pycryptodome's releases.

v3.19.1 - Zeil

Resolved issues

  • Fixed a side-channel leakage with OAEP decryption that could be exploited to carry out a Manger attack. Thanks to Hubert Kario.

v3.19.1 - Zeil (pycryptodomex)

Resolved issues

  • Fixed a side-channel leakage with OAEP decryption that could be exploited to carry out a Manger attack. Thanks to Hubert Kario.

v3.19.0 - Ulm

New features

  • The update() methods of TupleHash128 and TupleHash256 objects can now hash multiple items (byte strings) at once. Thanks to Sylvain Pelissier.
  • Added support for ECDH, with Crypto.Protocol.DH.

Resolved issues

  • GH#754: due to a bug in cffi, do not use it on Windows with Python 3.12+.

v3.19.0 - Ulm (pycryptodomex)

New features

  • The update() methods of TupleHash128 and TupleHash256 objects can now hash multiple items (byte strings) at once. Thanks to Sylvain Pelissier.
  • Added support for ECDH, with Crypto.Protocol.DH.

Resolved issues

  • GH#754: due to a bug in cffi, do not use it on Windows with Python 3.12+.

v3.18.0 - Trier

New features

  • Added support for DER BOOLEAN encodings.

  • The library now compiles on Windows ARM64. Thanks to Niyas Sait.

    Resolved issues

  • GH#722: nonce attribute was not correctly set for XChaCha20_Poly1305 ciphers. Thanks to Liam Haber.
  • GH#728: Workaround for a possible x86 emulator bug in Windows for ARM64.
  • GH#739: OID encoding for arc 2 didn't accept children larger than 39. Thanks to James.
  • Correctly check that the scalar matches the point when importing an ECC private key.

... (truncated)

Changelog

Sourced from pycryptodome's changelog.

3.19.1 (28 December 2023) ++++++++++++++++++++++++++

Resolved issues

  • Fixed a side-channel leakage with OAEP decryption that could be exploited to carry out a Manger attack (CVE-2023-52323). Thanks to Hubert Kario.

3.19.0 (16 September 2023) ++++++++++++++++++++++++++

New features

  • The update() methods of TupleHash128 and TupleHash256 objects can now hash multiple items (byte strings) at once. Thanks to Sylvain Pelissier.
  • Added support for ECDH, with Crypto.Protocol.DH.

Resolved issues

  • GH#754: due to a bug in cffi, do not use it on Windows with Python 3.12+.

3.18.0 (18 May 2023) ++++++++++++++++++++++++++

New features

  • Added support for DER BOOLEAN encodings.
  • The library now compiles on Windows ARM64. Thanks to Niyas Sait.

Resolved issues

  • GH#722: nonce attribute was not correctly set for XChaCha20_Poly1305 ciphers. Thanks to Liam Haber.
  • GH#728: Workaround for a possible x86 emulator bug in Windows for ARM64.
  • GH#739: OID encoding for arc 2 didn't accept children larger than 39. Thanks to James.
  • Correctly check that the scalar matches the point when importing an ECC private key.

3.17.0 (29 January 2023) ++++++++++++++++++++++++++

New features

  • Added support for the Counter Mode KDF defined in SP 800-108 Rev 1.
  • Reduce the minimum tag length for the EAX cipher to 2 bytes.
  • An RSA object has 4 new properties for the CRT coefficients: dp, dq, invq and invq (invp is the same value as the existing u).

Resolved issues

... (truncated)

Commits
  • ef270ab Update wheels action
  • 3278edd Update changelog and version
  • 10e8216 Update PSS verify signature code example.
  • 4ec4b85 Bump version
  • 0deea1b Use constant-time (faster) padding decoding also for OAEP
  • 519e7ae Avoid changing signature of RSA._decrypt() method if possible
  • 1aa9dca Update changelog and bump version
  • afb5e27 Fix side-channel leakage in RSA decryption
  • ee91c67 Update CMAC.py
  • 43a466d Fix small "passes" typo.
  • Additional commits viewable in compare view

Updates requests from 2.28.1 to 2.32.0

Release notes

Sourced from requests's releases.

v2.32.0

2.32.0 (2024-05-20)

🐍 PYCON US 2024 EDITION 🐍

Security

  • Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

  • verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
  • Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

  • Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
  • Fixed deserialization bug in JSONDecodeError. (#6629)
  • Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations

  • Requests has officially added support for CPython 3.12 (#6503)
  • Requests has officially added support for PyPy 3.9 and 3.10 (#6641)
  • Requests has officially dropped support for CPython 3.7 (#6642)
  • Requests has officially dropped support for PyPy 3.7 and 3.8 (#6641)

Documentation

  • Various typo fixes and doc improvements.

Packaging

  • Requests has started adopting some modern packaging practices. The source files for the projects (formerly requests) is now located in src/requests in the Requests sdist. (#6506)
  • Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system using hatchling. This should not impact the average user, but extremely old versions of packaging utilities may have issues with the new packaging format.

New Contributors

... (truncated)

Changelog

Sourced from requests's changelog.

2.32.0 (2024-05-20)

Security

  • Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

  • verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
  • Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

  • Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
  • Fixed deserialization bug in JSONDecodeError. (#6629)
  • Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations

  • Requests has officially added support for CPython 3.12 (#6503)
  • Requests has officially added support for PyPy 3.9 and 3.10 (#6641)
  • Requests has officially dropped support for CPython 3.7 (#6642)
  • Requests has officially dropped support for PyPy 3.7 and 3.8 (#6641)

Documentation

  • Various typo fixes and doc improvements.

Packaging

  • Requests has started adopting some modern packaging practices. The source files for the projects (formerly requests) is now located in src/requests in the Requests sdist. (#6506)
  • Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system using hatchling. This should not impact the average user, but extremely old versions of packaging utilities may have issues with the new packaging format.

2.31.0 (2023-05-22)

Security

... (truncated)

Commits
  • d6ebc4a v2.32.0
  • 9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
  • 0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
  • 555b870 Allow character detection dependencies to be optional in post-packaging steps
  • d6dded3 Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test
  • bf24b7d Use an invalid URI that will not cause httpbin to throw 500
  • 2d5f547 Pin 3.8 and 3.9 runners back to macos-13 (#6688)
  • f1bb07d Merge pull request #6687 from psf/dependabot/github_actions/github/codeql-act...
  • 60047ad Bump github/codeql-action from 3.24.0 to 3.25.0
  • 31ebb81 Merge pull request #6682 from frenzymadness/pytest8
  • Additional commits viewable in compare view

Updates urllib3 from 1.26.12 to 1.26.18

Release notes

Sourced from urllib3's releases.

1.26.18

  • Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (GHSA-g4mx-q9vg-27p4)

1.26.17

  • Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (GHSA-v845-jxx5-vc9f)

1.26.16

  • Fixed thread-safety issue where accessing a PoolManager with many distinct origins would cause connection pools to be closed while requests are in progress (#2954)

1.26.15

1.26.14

  • Fixed parsing of port 0 (zero) returning None, instead of 0 (#2850)
  • Removed deprecated HTTPResponse.getheaders() calls in urllib3.contrib module.

1.26.13

  • Deprecated the HTTPResponse.getheaders() and HTTPResponse.getheader() methods.
  • Fixed an issue where parsing a URL with leading zeroes in the port would be rejected even when the port number after removing the zeroes was valid.
  • Fixed a deprecation warning when using cryptography v39.0.0.
  • Removed the <4 in the Requires-Python packaging metadata field.
Changelog

Sourced from urllib3's changelog.

1.26.18 (2023-10-17)

  • Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.

1.26.17 (2023-10-02)

  • Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. ([#3139](https://github.com/urllib3/urllib3/issues/3139) <https://github.com/urllib3/urllib3/pull/3139>_)

1.26.16 (2023-05-23)

  • Fixed thread-safety issue where accessing a PoolManager with many distinct origins would cause connection pools to be closed while requests are in progress ([#2954](https://github.com/urllib3/urllib3/issues/2954) <https://github.com/urllib3/urllib3/pull/2954>_)

1.26.15 (2023-03-10)

  • Fix socket timeout value when HTTPConnection is reused ([#2645](https://github.com/urllib3/urllib3/issues/2645) <https://github.com/urllib3/urllib3/issues/2645>__)
  • Remove "!" character from the unreserved characters in IPv6 Zone ID parsing ([#2899](https://github.com/urllib3/urllib3/issues/2899) <https://github.com/urllib3/urllib3/issues/2899>__)
  • Fix IDNA handling of '\x80' byte ([#2901](https://github.com/urllib3/urllib3/issues/2901) <https://github.com/urllib3/urllib3/issues/2901>__)

1.26.14 (2023-01-11)

  • Fixed parsing of port 0 (zero) returning None, instead of 0. ([#2850](https://github.com/urllib3/urllib3/issues/2850) <https://github.com/urllib3/urllib3/issues/2850>__)
  • Removed deprecated getheaders() calls in contrib module. Fixed the type hint of PoolKey.key_retries by adding bool to the union. ([#2865](https://github.com/urllib3/urllib3/issues/2865) <https://github.com/urllib3/urllib3/issues/2865>__)

1.26.13 (2022-11-23)

  • Deprecated the HTTPResponse.getheaders() and HTTPResponse.getheader() methods.
  • Fixed an issue where parsing a URL with leading zeroes in the port would be rejected even when the port number after removing the zeroes was valid.
  • Fixed a deprecation warning when using cryptography v39.0.0.
  • Removed the <4 in the Requires-Python packaging metadata field.
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
---
1830bee 
updated-dependencies:
- dependency-name: black
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: grpcio
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: aiohttp
  dependency-type: indirect
  dependency-group: pip
- dependency-name: certifi
  dependency-type: indirect
  dependency-group: pip
- dependency-name: idna
  dependency-type: indirect
  dependency-group: pip
- dependency-name: pycryptodome
  dependency-type: indirect
  dependency-group: pip
- dependency-name: requests
  dependency-type: indirect
  dependency-group: pip
- dependency-name: urllib3
  dependency-type: indirect
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels May 21, 2024
@dependabot dependabot bot mentioned this pull request May 21, 2024
Closed
@socket-security Socket Security
Copy link

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/cors@2.8.5 None 0 20 kB dougwilson
npm/create-hash@1.2.0 None +2 19 kB cwmma
npm/create-hmac@1.1.7 None 0 5.81 kB cwmma
npm/cross-spawn@6.0.5 environment, filesystem, shell +3 30.1 kB satazor
npm/debug@4.3.2 environment 0 41.3 kB qix
npm/define-properties@1.1.4 None +1 19.7 kB ljharb
npm/diff@5.0.0 None 0 369 kB kpdecker
npm/encoding@0.1.13 None +1 356 kB andris
npm/env-paths@2.2.1 None 0 10.2 kB sindresorhus
npm/err-code@2.0.3 None 0 12.3 kB achingbrain
npm/escape-html@1.0.3 None 0 3.66 kB dougwilson
npm/escape-string-regexp@1.0.5 None 0 2.69 kB jbnicolai
npm/ethers@4.0.49 network Transitive: filesystem, shell +3 3.11 MB ricmoo
npm/events@3.3.0 None 0 82.8 kB goto-bus-stop
npm/express@4.18.2 environment, filesystem, network Transitive: eval +23 827 kB dougwilson
npm/faker@5.5.3 None 0 10.1 MB marak
npm/fast-json-stable-stringify@2.1.0 None 0 17 kB esp
npm/find-up@2.1.0 Transitive: filesystem +5 23.9 kB sindresorhus
npm/find-yarn-workspace-root@2.0.0 filesystem 0 16.7 kB bmishkin
npm/follow-redirects@1.15.0 network 0 27.4 kB rubenverborgh
npm/foreach@2.0.6 None 0 8.73 kB manuelstofer
npm/fs-extra@7.0.1 filesystem +1 141 kB ryanzim
npm/fsevents@2.3.2 None 0 156 kB pipobscure
npm/get-caller-file@2.0.5 None 0 4.72 kB stefanpenner
npm/get-intrinsic@1.1.3 eval +1 62.3 kB ljharb
npm/glob-parent@5.1.2 None 0 12.1 kB phated
npm/glob@7.2.0 filesystem Transitive: environment +3 74.9 kB isaacs
npm/google-protobuf@3.21.2 None 0 820 kB dibenede
npm/graceful-fs@4.2.8 environment, filesystem 0 31.6 kB isaacs
npm/graphql-tag@2.12.6 Transitive: environment +1 2.29 MB apollo-bot
npm/has-symbols@1.0.3 None 0 20.6 kB ljharb
npm/has@1.0.3 None +1 27.9 kB ljharb
npm/hash.js@1.1.7 None 0 41.7 kB indutny
npm/he@1.2.0 None 0 124 kB mathias
npm/http-errors@2.0.0 Transitive: environment, eval +2 58 kB dougwilson
npm/iconv-lite@0.4.24 None 0 336 kB ashtuchkin
npm/ieee754@1.2.1 None 0 6.8 kB feross
npm/inherits@2.0.4 None 0 3.96 kB isaacs
npm/is-buffer@2.0.5 None 0 4.59 kB feross
npm/is-extglob@2.1.1 None 0 6.22 kB jonschlinkert
npm/is-glob@4.0.3 None 0 13.6 kB phated
npm/is-plain-obj@2.1.0 None 0 3.69 kB sindresorhus
npm/is-typedarray@1.0.0 None 0 4.41 kB hughsk
npm/isomorphic-ws@4.0.1 None 0 3.89 kB heineiuo
npm/js-sha3@0.5.7 None 0 81.8 kB emn178
npm/js-yaml@4.1.0 Transitive: environment, filesystem +1 576 kB vitaly
npm/json-pointer@0.6.2 None 0 100 kB manuelstofer
npm/keccak@3.0.1 None +1 1.55 MB fanatid
npm/leveldown@6.1.0 None 0 5.64 MB vweevers
npm/lodash@4.17.21 None 0 1.41 MB bnjmnt4n
npm/log-symbols@4.1.0 None +2 14.8 kB sindresorhus
npm/loglevel@1.7.1 None 0 136 kB pimterry
npm/lower-case@1.1.4 None 0 4.78 kB blakeembrey
npm/lru-cache@6.0.0 None +1 30.4 kB isaacs
npm/micromatch@4.0.4 None 0 61.5 kB danez
npm/mime-db@1.52.0 None 0 206 kB dougwilson
npm/mime-types@2.1.35 None 0 18.3 kB dougwilson
npm/mimic-fn@3.1.0 None 0 8.24 kB sindresorhus
npm/minimalistic-assert@1.0.1 None 0 1.55 kB cwmma
npm/minimatch@3.0.4 None +3 56 kB isaacs
npm/minimist@1.2.7 None 0 50.7 kB ljharb
npm/mocha@9.2.2 environment, eval, filesystem Transitive: shell +22 4.25 MB juergba
npm/multiaddr@8.1.2 Transitive: network +8 205 kB vascosantos
npm/multibase@3.1.2 None +1 43.3 kB hugomrdias
npm/multiformats@9.4.8 None 0 434 kB mikeal
npm/multihashes@3.1.2 None +2 102 kB hugomrdias
npm/nanoid@3.1.29 None 0 25.8 kB ai
npm/napi-macros@2.0.0 None 0 16.2 kB mafintosh
npm/native-abort-controller@0.0.3 None +1 72.4 kB achingbrain
npm/no-case@2.3.2 None 0 30.8 kB blakeembrey
npm/node-fetch@2.6.7 network +1 202 kB endless
npm/node-gyp-build@4.3.0 environment, filesystem 0 12.7 kB vweevers
npm/normalize-path@3.0.0 None 0 9.22 kB jonschlinkert
npm/object-assign@4.1.1 None 0 5.49 kB sindresorhus
npm/object-keys@1.1.1 None 0 26.5 kB ljharb
npm/on-finished@2.4.1 unsafe +1 19.9 kB dougwilson
npm/once@1.4.0 None +1 7.01 kB isaacs
npm/onetime@5.1.2 None +1 10.6 kB sindresorhus
npm/os-tmpdir@1.0.2 None 0 3.06 kB sindresorhus
npm/p-limit@3.1.0 None +1 13.8 kB sindresorhus
npm/parseurl@1.3.3 None 0 10.3 kB dougwilson
npm/pascal-case@2.0.1 None +1 7.15 kB blakeembrey
npm/patch-package@6.4.7 environment, filesystem Transitive: eval, shell +8 632 kB ds300
npm/path-is-absolute@1.0.1 None 0 3.62 kB sindresorhus
npm/path-key@2.0.1 None 0 3.02 kB sindresorhus
npm/pbkdf2@3.1.2 None 0 13.8 kB cwmma
npm/picomatch@2.3.0 None 0 89 kB jonschlinkert
npm/pouchdb@7.2.2 filesystem, network, unsafe 0 3.63 MB daleharvey
npm/protobufjs@6.11.3 filesystem, network +10 3.53 MB google-wombot
npm/qs@6.10.3 None +1 231 kB ljharb
npm/queue-microtask@1.2.3 None 0 8.37 kB feross
npm/randombytes@2.1.0 None 0 6.36 kB cwmma
npm/raw-body@2.5.1 network, unsafe 0 25.4 kB dougwilson
npm/readable-stream@3.6.0 environment 0 122 kB matteo.collina
npm/readdirp@3.6.0 filesystem 0 20.5 kB paulmillr
npm/require-from-string@2.0.2 unsafe 0 3.42 kB floatdrop
npm/reselect-tree@1.3.7 None 0 27.8 kB haltman
npm/rimraf@2.7.1 filesystem 0 15.5 kB isaacs
npm/ripemd160@2.0.2 None +1 15.9 kB dcousens
npm/rxjs@6.6.7 None 0 5.13 MB blesh
npm/safer-buffer@2.1.2 None 0 42.3 kB chalker
npm/secp256k1@4.0.2 None +1 2.66 MB fanatid
npm/seedrandom@3.0.5 None 0 374 kB davidbau
npm/serialize-javascript@6.0.0 None 0 16.8 kB okuryu
npm/setimmediate@1.0.4 None 0 13.9 kB domenic
npm/setprototypeof@1.2.0 None 0 4.03 kB wesleytodd
npm/sha.js@2.4.11 None 0 31.1 kB dcousens
npm/stream-to-it@0.2.4 None +1 16 kB alanshaw
npm/string-width@4.2.3 None 0 5.16 kB sindresorhus
npm/strip-ansi@6.0.1 None 0 4.03 kB sindresorhus
npm/strip-json-comments@3.1.1 None 0 6.96 kB sindresorhus
npm/supports-color@5.5.0 environment +1 9.76 kB sindresorhus
npm/tmp@0.0.33 filesystem 0 26 kB raszi
npm/toidentifier@1.0.1 None 0 4.68 kB dougwilson
npm/truffle@5.5.8 filesystem, network, shell, unsafe +5 148 MB eggplantzzz
npm/tslib@2.4.0 None 0 50 kB typescript-bot
npm/tweetnacl-util@0.15.1 None 0 8.14 kB dchest
npm/tweetnacl@1.0.3 None 0 175 kB dchest
npm/type-is@1.6.18 None 0 18.5 kB dougwilson
npm/universalify@0.1.2 None 0 4.71 kB ryanzim
npm/unorm@1.6.0 None 0 151 kB walling
npm/unpipe@1.0.0 None 0 4.31 kB dougwilson
npm/upper-case-first@1.1.2 None 0 4.01 kB blakeembrey
npm/upper-case@1.1.3 None 0 4.64 kB blakeembrey
npm/utf-8-validate@5.0.7 None 0 400 kB lpinca
npm/utf8@3.0.0 None 0 11.2 kB mathias
npm/uuid@8.3.2 None 0 116 kB ctavan
npm/vary@1.1.2 None 0 8.75 kB dougwilson
npm/web-encoding@1.1.5 None 0 1.36 MB gozala
npm/web3-eth-abi@1.5.3 None 0 49.3 kB spacesailor
npm/web3-utils@1.5.3 None 0 164 kB spacesailor
npm/web3@1.5.3 None 0 5.78 MB spacesailor
npm/websocket@1.0.34 network 0 154 kB theturtle32
npm/which@1.3.1 environment Transitive: filesystem +1 20.4 kB isaacs
npm/workerpool@6.2.0 None 0 330 kB josdejong
npm/ws@7.5.7 network 0 122 kB lpinca
npm/yargs-parser@20.2.4 environment, filesystem 0 120 kB oss-bot
npm/yargs-unparser@2.0.0 None 0 13.9 kB oss-bot
npm/yargs@17.2.1 environment, filesystem +5 385 kB oss-bot

🚮 Removed packages: npm/101@1.6.3, npm/@apollo/client@3.4.16, npm/@apollographql/graphql-upload-8-fork@8.1.3, npm/@aragon/contract-helpers-test@0.0.3, npm/@ardatan/aggregate-error@0.0.6, npm/@babel/code-frame@7.15.8, npm/@babel/compat-data@7.15.0, npm/@babel/core@7.15.8, npm/@babel/generator@7.15.8, npm/@babel/helper-annotate-as-pure@7.15.4, npm/@babel/helper-compilation-targets@7.15.4, npm/@babel/helper-create-class-features-plugin@7.15.4, npm/@babel/helper-define-polyfill-provider@0.2.3, npm/@babel/helper-function-name@7.15.4, npm/@babel/helper-module-imports@7.15.4, npm/@babel/helper-module-transforms@7.15.8, npm/@babel/helper-plugin-utils@7.14.5, npm/@babel/helper-replace-supers@7.15.4, npm/@babel/helper-skip-transparent-expression-wrappers@7.15.4, npm/@babel/helper-split-export-declaration@7.15.4, npm/@babel/helper-validator-identifier@7.15.7, npm/@babel/parser@7.15.8, npm/@babel/plugin-proposal-class-properties@7.14.5, npm/@babel/plugin-proposal-object-rest-spread@7.15.6, npm/@babel/plugin-syntax-class-properties@7.12.13, npm/@babel/plugin-syntax-flow@7.14.5, npm/@babel/plugin-syntax-jsx@7.14.5, npm/@babel/plugin-syntax-object-rest-spread@7.8.3, npm/@babel/plugin-transform-arrow-functions@7.14.5, npm/@babel/plugin-transform-block-scoped-functions@7.14.5, npm/@babel/plugin-transform-block-scoping@7.15.3, npm/@babel/plugin-transform-classes@7.15.4, npm/@babel/plugin-transform-computed-properties@7.14.5, npm/@babel/plugin-transform-destructuring@7.14.7, npm/@babel/plugin-transform-flow-strip-types@7.14.5, npm/@babel/plugin-transform-for-of@7.15.4, npm/@babel/plugin-transform-function-name@7.14.5, npm/@babel/plugin-transform-literals@7.14.5, npm/@babel/plugin-transform-member-expression-literals@7.14.5, npm/@babel/plugin-transform-modules-commonjs@7.15.4, npm/@babel/plugin-transform-object-super@7.14.5, npm/@babel/plugin-transform-parameters@7.15.4, npm/@babel/plugin-transform-property-literals@7.14.5, npm/@babel/plugin-transform-react-display-name@7.15.1, npm/@babel/plugin-transform-react-jsx@7.14.9, npm/@babel/plugin-transform-runtime@7.15.8, npm/@babel/plugin-transform-shorthand-properties@7.14.5, npm/@babel/plugin-transform-spread@7.15.8, npm/@babel/plugin-transform-template-literals@7.14.5, npm/@babel/traverse@7.15.4, npm/@babel/types@7.15.6, npm/@ensdomains/address-encoder@0.1.9, npm/@ensdomains/ens@0.4.3, npm/@ensdomains/ensjs@2.0.1, npm/@ethereumjs/common@2.5.0, npm/@ethereumjs/tx@3.3.2, npm/@ethersproject/abi@5.0.7, npm/@ethersproject/abstract-provider@5.4.1, npm/@ethersproject/abstract-signer@5.4.1, npm/@ethersproject/address@5.4.0, npm/@ethersproject/base64@5.4.0, npm/@ethersproject/basex@5.4.0, npm/@ethersproject/bignumber@5.4.2, npm/@ethersproject/bytes@5.4.0, npm/@ethersproject/constants@5.4.0, npm/@ethersproject/hash@5.4.0, npm/@ethersproject/hdnode@5.4.0, npm/@ethersproject/json-wallets@5.4.0, npm/@ethersproject/keccak256@5.4.0, npm/@ethersproject/logger@5.4.1, npm/@ethersproject/networks@5.4.2, npm/@ethersproject/pbkdf2@5.4.0, npm/@ethersproject/properties@5.4.1, npm/@ethersproject/random@5.4.0, npm/@ethersproject/rlp@5.4.0, npm/@ethersproject/sha2@5.4.0, npm/@ethersproject/signing-key@5.4.0, npm/@ethersproject/strings@5.4.0, npm/@ethersproject/transactions@5.4.0, npm/@ethersproject/web@5.4.0, npm/@ethersproject/wordlists@5.4.0, npm/@graphql-tools/batch-delegate@6.2.6, npm/@graphql-tools/code-file-loader@6.3.1, npm/@graphql-tools/git-loader@6.2.6, npm/@graphql-tools/github-loader@6.2.5, npm/@graphql-tools/graphql-file-loader@6.2.7, npm/@graphql-tools/graphql-tag-pluck@6.5.1, npm/@graphql-tools/import@6.5.4, npm/@graphql-tools/json-file-loader@6.2.6, npm/@graphql-tools/links@6.2.5, npm/@graphql-tools/load-files@6.5.1, npm/@graphql-tools/load@6.2.8, npm/@graphql-tools/module-loader@6.2.7, npm/@graphql-tools/relay-operation-optimizer@6.4.0, npm/@graphql-tools/resolvers-composition@6.4.0, npm/@graphql-tools/stitch@6.2.4, npm/@graphql-tools/url-loader@6.10.1, npm/@gulp-sourcemaps/map-sources@1.0.0, npm/@nodelib/fs.stat@2.0.5, npm/@nomiclabs/buidler-ganache@1.3.3, npm/@nomiclabs/buidler-truffle5@1.3.4, npm/@nomiclabs/buidler-web3@1.3.4, npm/@nomiclabs/buidler@1.999.0, npm/@solidity-parser/parser@0.5.2, npm/@truffle/blockchain-utils@0.0.25, npm/@truffle/contract-schema@3.4.3, npm/@truffle/contract-sources@0.1.12, npm/@truffle/contract@4.3.38, npm/@truffle/expect@0.0.18, npm/@truffle/hdwallet-provider@1.7.0, npm/@truffle/provisioner@0.2.33, npm/@truffle/resolver@7.0.32, npm/@trufflesuite/chromafi@2.2.2, npm/@trufflesuite/eth-json-rpc-middleware@4.4.2-1, npm/@types/bn.js@4.11.6, npm/abab@1.0.4, npm/acorn-globals@1.0.9, npm/acorn@5.7.4, npm/align-text@0.1.4, npm/apollo-cache-control@0.15.0, npm/apollo-graphql@0.9.7, npm/apollo-link@1.2.14, npm/apollo-tracing@0.16.0, npm/apollo-utilities@1.3.4, npm/argsarray@0.0.1, npm/arr-diff@4.0.0, npm/arr-flatten@1.1.0, npm/array-unique@0.3.2, npm/array.prototype.map@1.0.4, npm/array.prototype.reduce@1.0.4, npm/assert-args@1.2.1, npm/assert-plus@1.0.0, npm/async@2.6.3, npm/babel-code-frame@6.26.0, npm/babel-core@6.26.3, npm/babel-generator@6.26.1, npm/babel-helper-builder-binary-assignment-operator-visitor@6.24.1, npm/babel-helper-call-delegate@6.24.1, npm/babel-helper-define-map@6.26.0, npm/babel-helper-optimise-call-expression@6.24.1, npm/babel-helper-regex@6.26.0, npm/babel-helper-remap-async-to-generator@6.24.1, npm/babel-helper-replace-supers@6.24.1, npm/babel-plugin-check-es2015-constants@6.22.0, npm/babel-plugin-syntax-async-functions@6.13.0, npm/babel-plugin-syntax-exponentiation-operator@6.13.0, npm/babel-plugin-syntax-trailing-function-commas@7.0.0-beta.0, npm/babel-plugin-transform-async-to-generator@6.24.1, npm/babel-plugin-transform-es2015-arrow-functions@6.22.0, npm/babel-plugin-transform-es2015-block-scoped-functions@6.22.0, npm/babel-plugin-transform-es2015-block-scoping@6.26.0, npm/babel-plugin-transform-es2015-classes@6.24.1, npm/babel-plugin-transform-es2015-computed-properties@6.24.1, npm/babel-plugin-transform-es2015-destructuring@6.23.0, npm/babel-plugin-transform-es2015-duplicate-keys@6.24.1, npm/babel-plugin-transform-es2015-for-of@6.23.0, npm/babel-plugin-transform-es2015-function-name@6.24.1, npm/babel-plugin-transform-es2015-literals@6.22.0, npm/babel-plugin-transform-es2015-modules-amd@6.24.1, npm/babel-plugin-transform-es2015-modules-commonjs@6.26.2, npm/babel-plugin-transform-es2015-modules-systemjs@6.24.1, npm/babel-plugin-transform-es2015-modules-umd@6.24.1, npm/babel-plugin-transform-es2015-object-super@6.24.1, npm/babel-plugin-transform-es2015-parameters@6.24.1, npm/babel-plugin-transform-es2015-shorthand-properties@6.24.1, npm/babel-plugin-transform-es2015-spread@6.22.0, npm/babel-plugin-transform-es2015-sticky-regex@6.24.1, npm/babel-plugin-transform-es2015-template-literals@6.22.0, npm/babel-plugin-transform-es2015-typeof-symbol@6.23.0, npm/babel-plugin-transform-es2015-unicode-regex@6.24.1, npm/babel-plugin-transform-exponentiation-operator@6.24.1, npm/babel-plugin-transform-regenerator@6.26.0, npm/babel-preset-env@1.7.0, npm/babel-runtime@6.26.0, npm/babel-template@6.26.0, npm/babel-traverse@6.26.0, npm/babel-types@6.26.0, npm/babelify@7.3.0, npm/babylon@6.18.0, npm/bindings@1.5.0, npm/bluebird@3.7.2, npm/boolbase@1.0.0, npm/browserify-aes@1.2.0, npm/browserify-rsa@4.1.0, npm/browserslist@4.17.4, npm/buffer-from@1.1.1, npm/bytewise-core@1.2.3, npm/bytewise@1.1.0, npm/cachedown@1.0.0, npm/call-bind@1.0.2, npm/camelcase@6.3.0, npm/caniuse-lite@1.0.30001265, npm/chai@4.3.4, npm/cheerio@1.0.0-rc.10, npm/circular-json@0.5.9, npm/cli-spinners@2.6.1, npm/clone-response@1.0.2, npm/clone-stats@0.0.1, npm/clone@1.0.4, npm/color-logger@0.0.3, npm/component-emitter@1.3.0, npm/concat-stream@1.5.1, npm/concurrently@6.3.0, npm/console-control-strings@1.1.0, npm/convert-source-map@1.8.0, npm/core-js-pure@3.18.3

View full report↗︎

@socket-security Socket Security
Copy link

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSource
Install scripts npm/protobufjs@6.11.3
  • Install script: postinstall
  • Source: node scripts/postinstall
Install scripts npm/tiny-secp256k1@1.1.6
  • Install script: install
  • Source: npm run build || echo "secp256k1 bindings compilation fail. Pure JS implementation will be used."
Install scripts npm/iso-constants@0.1.2
  • Install script: install
  • Source: node build.js > index.browser.js
Install scripts npm/ursa-optional@0.10.2
  • Install script: install
  • Source: node rebuild.js
Install scripts npm/truffle@5.5.8
  • Install script: postinstall
  • Source: node ./scripts/postinstall.js

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/protobufjs@6.11.3
  • @SocketSecurity ignore npm/tiny-secp256k1@1.1.6
  • @SocketSecurity ignore npm/iso-constants@0.1.2
  • @SocketSecurity ignore npm/ursa-optional@0.10.2
  • @SocketSecurity ignore npm/truffle@5.5.8

@dependabot Dependabot
Copy link
Contributor Author

dependabot bot commented on behalf of github Jun 18, 2024

Superseded by #45.

@dependabot dependabot bot closed this Jun 18, 2024
@dependabot dependabot bot deleted the dependabot/pip/tests/integration_tests/pip-147478578d branch June 18, 2024 00:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file python Pull requests that update Python code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants