Sourced from requests's releases.

v2.32.2

2.32.2 (2024-05-21)

Deprecations

- To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

- Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

PYCON US 2024 EDITION

Security

- Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

Improvements

- verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
- Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

- Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
- Fixed deserialization bug in JSONDecodeError. (#6629)
- Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

... (truncated)
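
The audit that the 2.32.2 deprecation note asks for, sketched as an added example (not code from Requests or the linked PR): it parses Python source and reports direct HTTPAdapter subclasses that still override get_connection or _get_connection. The function name audit_adapters and the SAMPLE source are constructed for illustration; indirect subclasses and aliased imports are not covered.

```python
import ast
# Hook names taken from the 2.32.2 deprecation note above.
DEPRECATED_HOOKS = {"get_connection", "_get_connection"}
NEW_HOOK = "get_connection_with_tls_context"

def _base_name(node):
    """Rightmost identifier of a base-class expression (Name or dotted Attribute)."""
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None

def audit_adapters(source, filename="<constructed>"):
    """Flag direct HTTPAdapter subclasses that still override a deprecated hook."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.ClassDef):
            continue
        if "HTTPAdapter" not in {_base_name(b) for b in node.bases}:
            continue
        # Map each method defined directly on the class to its line number.
        methods = {m.name: m.lineno for m in node.body
                   if isinstance(m, (ast.FunctionDef, ast.AsyncFunctionDef))}
        overridden = sorted(DEPRECATED_HOOKS.intersection(methods))
        if overridden:
            findings.append({"class": node.name,
                             "line": methods[overridden[0]],
                             "deprecated": overridden,
                             "migrated": NEW_HOOK in methods})
    return sorted(findings, key=lambda f: f["line"])

# Constructed sample input: adapters in three migration states.
SAMPLE = '''
from requests.adapters import HTTPAdapter
import requests
class PinnedAdapter(HTTPAdapter):
    def get_connection(self, *args, **kwargs):
        return super().get_connection(*args, **kwargs)
class MigratedAdapter(requests.adapters.HTTPAdapter):
    def get_connection_with_tls_context(self, *args, **kwargs):
        return super().get_connection_with_tls_context(*args, **kwargs)
class HalfMigrated(HTTPAdapter):
    def _get_connection(self, *args, **kwargs):
        return super()._get_connection(*args, **kwargs)
    def get_connection_with_tls_context(self, *args, **kwargs):
        return super().get_connection_with_tls_context(*args, **kwargs)
'''
if __name__ == "__main__":
    for finding in audit_adapters(SAMPLE):
        print(finding)
```

A finding with migrated set to False is the case to review first: that adapter overrides only a deprecated hook and has not adopted get_connection_with_tls_context.
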

Sourced from requests's changelog.

2.32.2 (2024-05-21)

Deprecations

- To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

- Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

- Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

Improvements

- verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
- Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

- Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
- Fixed deserialization bug in JSONDecodeError. (#6629)
- Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations

... (truncated)

- 88dce9d v2.32.2
- c98e4d1 Merge pull request #6710 from nateprewitt/api_rename
- 92075b3 Add deprecation warning
- aa1461b Move _get_connection to get_connection_with_tls_context
- 970e8ce v2.32.1
- d6ebc4a v2.32.0
- 9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
- 0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
- 555b870 Allow character detection dependencies to be optional in post-packaging steps
- d6dded3 Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test

- c48da13 http2: fix TestServerContinuationFlood flakes
- 762b58d http2: fix tipos in comment
- ba87210 http2: close connections when receiving too many headers
- ebc8168 all: fix some typos
- 3678185 http2: make TestCanonicalHeaderCacheGrowth faster
- 448c44f http2: remove clientTester
- c7877ac http2: convert the remaining clientTester tests to testClientConn
- d8870b0 http2: use synthetic time in TestIdleConnTimeout
- d73acff http2: only set up deadline when Server.IdleTimeout is positive
- 89f602b http2: validate client/outgoing trailers

Sourced from idna's releases.

v3.7

What's Changed

- Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: https://github.com/kjd/idna/compare/v3.6...v3.7

Sourced from idna's changelog.

3.7 (2024-04-11)
++++++++++++++++

- Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

3.6 (2023-11-25)
++++++++++++++++

- Fix regression to include tests in source distribution.

3.5 (2023-11-24)
++++++++++++++++

- Update to Unicode 15.1.0
- String codec name is now "idna2008" as overriding the system codec "idna" was not working.
- Fix typing error for codec encoding
- "setup.cfg" has been added for this release due to some downstream lack of adherence to PEP 517. Should be removed in a future release so please prepare accordingly.
- Removed reliance on a symlink for the "idna-data" tool to comport with PEP 517 and the Python Packaging User Guide for sdist archives.
- Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions to this release.

- 1d365e1 Release v3.7
- c1b3154 Merge pull request #172 from kjd/optimize-contextj
- 0394ec7 Merge branch 'master' into optimize-contextj
- cd58a23 Merge pull request #152 from elliotwutingfeng/dev
- 5beb28b More efficient resolution of joiner contexts
- 1b12148 Update ossf/scorecard-action to v2.3.1
- d516b87 Update Github actions/checkout to v4
- c095c75 Merge branch 'master' into dev
- 60a0a4c Fix typo in GitHub Actions workflow key
- 5918a0e Merge branch 'master' into dev

Sourced from jinja2's releases.

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/
Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

- The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

Sourced from jinja2's changelog.

Version 3.1.4

Released 2024-05-05

- The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. :ghsa:h75v-3vvj-5mfj

- dd4a8b5 release version 3.1.4
- 0668239 Merge pull request from GHSA-h75v-3vvj-5mfj
- d655030 disallow invalid characters in keys to xmlattr filter
- a7863ba add ghsa links
- b5c98e7 start version 3.1.4
- da3a9f0 update project files (#1968)
- 0ee5eb4 satisfy formatter, linter, and strict mypy
- 20477c6 update project files (#5457)
- e491223 update pyyaml dev dependency
- 36f9885 fix pr link