Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/8e/7a/b047f6f80fdb02c0cca1d3761d71e9800bcf6d4874b71c9e6548ec59e156/Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 9bb4c1c0913bb8a6a7f8166f5abfea8c43e46ec3

CVE-2022-22817

Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/8e/7a/b047f6f80fdb02c0cca1d3761d71e9800bcf6d4874b71c9e6548ec59e156/Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• :x: Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9bb4c1c0913bb8a6a7f8166f5abfea8c43e46ec3

Found in base branch: main

Vulnerability Details

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used,

Publish Date: 2022-01-10

URL: CVE-2022-22817

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22817

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-24303

Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/8e/7a/b047f6f80fdb02c0cca1d3761d71e9800bcf6d4874b71c9e6548ec59e156/Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• :x: Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9bb4c1c0913bb8a6a7f8166f5abfea8c43e46ec3

Found in base branch: main

Vulnerability Details

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.

Publish Date: 2022-03-28

URL: CVE-2022-24303

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-9j59-75qj-795w

Release Date: 2022-03-28

Fix Resolution: Pillow - 9.0.1

Step up your Open Source Security Game with Mend here

CVE-2021-23437

Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/8e/7a/b047f6f80fdb02c0cca1d3761d71e9800bcf6d4874b71c9e6548ec59e156/Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• :x: Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9bb4c1c0913bb8a6a7f8166f5abfea8c43e46ec3

Found in base branch: main

Vulnerability Details

The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.

Publish Date: 2021-09-03

URL: CVE-2021-23437

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html

Release Date: 2021-09-03

Fix Resolution: Pillow - 8.3.2

Step up your Open Source Security Game with Mend here

WS-2022-0097

Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/8e/7a/b047f6f80fdb02c0cca1d3761d71e9800bcf6d4874b71c9e6548ec59e156/Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• :x: Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9bb4c1c0913bb8a6a7f8166f5abfea8c43e46ec3

Found in base branch: main

Vulnerability Details

JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder.

If the EOF marker is not detected as such however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file.

Publish Date: 2022-03-11

URL: WS-2022-0097

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-4fx9-vc88-q2xc

Release Date: 2022-03-11

Fix Resolution: Pillow - 9.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-22815

Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/8e/7a/b047f6f80fdb02c0cca1d3761d71e9800bcf6d4874b71c9e6548ec59e156/Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• :x: Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9bb4c1c0913bb8a6a7f8166f5abfea8c43e46ec3

Found in base branch: main

Vulnerability Details

path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.

Publish Date: 2022-01-10

URL: CVE-2022-22815

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22815

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-22816

Vulnerable Library - Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/8e/7a/b047f6f80fdb02c0cca1d3761d71e9800bcf6d4874b71c9e6548ec59e156/Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• :x: Pillow-8.3.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 9bb4c1c0913bb8a6a7f8166f5abfea8c43e46ec3

Found in base branch: main

Vulnerability Details

path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.

Publish Date: 2022-01-10

URL: CVE-2022-22816

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22816

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

Step up your Open Source Security Game with Mend here

Sourced from selenium's releases.

Selenium 4.4.0

Changelog

For each component's detailed changelog, please check:

• Ruby
• Python
• JavaScript
• Java
• DotNet
• IEDriverServer

Commits in this release

• 3e70fc51c3c - [py] Bumping to 4.3.0 :: Diego Molina
• 209d778c892 - [javascript] Bumping to 4.3.0 :: Diego Molina
• 55714150419 - [grid] Fixing env var name to stream VNC :: Diego Molina
• 3b3a3edf36a - [dotnet] remove obsolete TouchActions class :: titusfortner
• 2fbfc62f565 - [dotnet] remove obsolete commands :: titusfortner
• 7949433994c - [JS] Updated jsdoc for move action (#10816) :: praveendvd
• 78f2b1ef68c - [grid] Updating JS deps :: Diego Molina
• 00fce383436 - [JS] Update rules_nodejs to 5.5.1 :: harsha509
• 334a10350fe - [web] add index to webpages (#10640) :: Titus Fortner
• cc79de69690 - [java] Putting all valid IEOptions only in se:ieOptions :: Diego Molina
• 7a13e937a5f - [java] Fixing - put all valid IEOptions only in se:ieOptions :: Diego Molina
• de0a144b923 - Use which() to get Firefox path on Mac OS (#10818) :: Bogdan Condurache
• 4ad053312fd - #10810 pick the right target using given window handle (#10811) :: Andrei Solntsev
• 2d0c733ac47 - Fix RuboCop configuration :: Alex Rodionov
• 8645cafd33e - Bump bazel-contrib/rules_jvm to v0.4.0 (#10829) :: Boni García
• ed7d29eb07a - [grid] Saving Selenium logs in Dynamic Grid :: Diego Molina
• ae46fd8eb45 - [java] Adding more exceptions to spotbugs :: Diego Molina
• 632849cb88d - [JS] kill chromium service on quit (#10796) :: Ravi Sawlani
• 0c2b60532ee - [java] Removing filter for lint, not needed in browser tests :: Diego Molina
• daa04231c49 - [java] Removing makeW3CSafe from NewSession CommandPayload :: Diego Molina
• 943081bd8f6 - [dotnet] Add Virtual Authenticator support (#10772) :: Puja Jagani
• 5532a8d5c0d - [py] Remove assertion for python version check (#10815) :: jsfehler
• cd3af6e5fa3 - correctly checks the driver supports DevTools (#10819) :: elgatov
• 54b8568c665 - [grid] Updating JS deps :: Diego Molina
• 71cccff7446 - Correctly generate test suites and all targets for java selenium tests :: Simon Mavi Stewart
• b9252637d65 - Repin browsers and drivers :: Simon Mavi Stewart
• 8487998201c - Run buildifier :: Simon Mavi Stewart
• f2b65eb4a00 - [build] Bump rules_python to 0.10 :: AutomatedTester
• 0a2a4a93ea0 - [java] Add status endpoint :: Puja Jagani
• 8e24d937238 - [java] Formatting changes in test classes :: Puja Jagani
• a6b161a159c - [atoms] Add shadow dom visible text tests :: AutomatedTester
• 09e296c30b5 - Cleanup docstrings, fix broken formatting (#10838) :: jsfehler
• fb4df665ab8 - [java] Add ability to decorate child classes of WebDriver (#10737) :: Valery Yatsynovich
• ca2f0f955de - [build] Bump bazel to 5.2 :: AutomatedTester

... (truncated)

• e5c75ed Bumping version in bindings to 4.4.0
• 2d36450 [java] Amending changelog for 4.4.0
• 0d38875 [py] build(setup.py): Add project_urls for PyPI (#10880)
• f91fec5 [java] Throwing when a user sets w3c: false in ChromeOptions
• ad02160 [java] Revert - Add status endpoint
• b1c2700 upgdate changelogs for 4.4.0
• 5b62f2f [rb] virtual auth credentials command arguments in wrong order
• 2af04d4 [java] update warning for setting w3c: false (#10448)
• d830a13 [dotnet] mark UseSpecCompliantProtocol obsolete and throw error when false (#...
• a52bfcd [py] throw error when setting w3c to False #10908
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Sourced from pillow's releases.

9.4.0

https://pillow.readthedocs.io/en/stable/releasenotes/9.4.0.html

Changes

• Updated copyright year #6845 [@​radarhere]
• Fixed null pointer dereference crash with malformed font #6846 [@​radarhere]
• Return from ImagingFill early if image has a zero dimension #6842 [@​radarhere]
• Reversed deprecations for Image constants, except for duplicate Resampling attributes #6830 [@​radarhere]
• Improve exception traceback readability #6836 [@​hugovk]
• Fix version mismatch #6841 [@​smb123w64gb]
• Do not attempt to read IFD1 if absent #6840 [@​radarhere]
• Fixed writing int as ASCII tag #6800 [@​radarhere]
• If available, use wl-paste or xclip for grabclipboard() on Linux #6783 [@​radarhere]
• Added signed option when saving JPEG2000 images #6709 [@​radarhere]
• Patch OpenJPEG to include ARM64 fix #6718 [@​radarhere]
• Added support for I;16 modes in putdata() #6825 [@​radarhere]
• Added conversion from RGBa to RGB #6708 [@​radarhere]
• Added DDS support for uncompressed L and LA images #6820 [@​radarhere]
• Added LightSource tag values to ExifTags #6749 [@​radarhere]
• Updated libtiff shared library name #6826 [@​radarhere]
• Fixed PyAccess after changing ICO size #6821 [@​radarhere]
• Do not use EXIF from info when saving PNG images #6819 [@​radarhere]
• Fixed saving EXIF data to MPO #6817 [@​radarhere]
• Added Exif hide_offsets() #6762 [@​radarhere]
• Only compare to previous frame when checking for duplicate GIF frames while saving #6787 [@​radarhere]
• Always initialize all plugins in registered_extensions() #6811 [@​radarhere]
• Initialize unsigned char variables #6818 [@​radarhere]
• Updated deprecated NumPy alias #6814 [@​radarhere]
• Ignore non-opaque WebP background when saving as GIF #6792 [@​radarhere]
• Only set tile in ImageFile setstate #6793 [@​radarhere]
• Fixed BytesWarnings #6816 [@​radarhere]
• When reading BLP, do not trust JPEG decoder to determine image is CMYK #6767 [@​radarhere]
• Updated xz to 5.4.0 #6802 [@​radarhere]
• Added IFD enum to ExifTags #6748 [@​radarhere]
• Fixed bug combining GIF frame durations #6779 [@​radarhere]
• Remove unnecessary Pipfile #6790 [@​hugovk]
• Support saving JPEG comments #6774 [@​smason]
• Add support for PyPy3.9, drop PyPy3.7 #6782 [@​hugovk]
• [pre-commit.ci] pre-commit autoupdate #6780 [@​pre-commit-ci]
• Use compile_python_fuzzer #6775 [@​radarhere]
• Remove specific number of jobs from comment #6772 [@​radarhere]
• Fix WebP dealloc method definitions #6763 [@​Yay295]
• Added getxmp() to WebPImagePlugin #6758 [@​radarhere]
• Use stdlib for setuptools on Cygwin #6760 [@​radarhere]
• Added "exact" option when saving WebP #6747 [@​ashafaei]
• Use fractional coordinates when drawing text #6722 [@​radarhere]
• Fixed writing int as BYTE tag #6740 [@​radarhere]
• Remove Tidelift alignment action and badge #6739 [@​aclark4life]

... (truncated)

Sourced from pillow's changelog.

9.4.0 (2023-01-02)

• Fixed null pointer dereference crash with malformed font #6846 [wiredfool, radarhere]

• Return from ImagingFill early if image has a zero dimension #6842 [radarhere]

• Reversed deprecations for Image constants, except for duplicate Resampling attributes #6830 [radarhere]

• Improve exception traceback readability #6836 [hugovk, radarhere]

• Do not attempt to read IFD1 if absent #6840 [radarhere]

• Fixed writing int as ASCII tag #6800 [radarhere]

• If available, use wl-paste or xclip for grabclipboard() on Linux #6783 [radarhere]

• Added signed option when saving JPEG2000 images #6709 [radarhere]

• Patch OpenJPEG to include ARM64 fix #6718 [radarhere]

• Added support for I;16 modes in putdata() #6825 [radarhere]

• Added conversion from RGBa to RGB #6708 [radarhere]

• Added DDS support for uncompressed L and LA images #6820 [radarhere, REDxEYE]

• Added LightSource tag values to ExifTags #6749 [radarhere]

• Fixed PyAccess after changing ICO size #6821 [radarhere]

• Do not use EXIF from info when saving PNG images #6819 [radarhere]

• Fixed saving EXIF data to MPO #6817 [radarhere]

... (truncated)

• a5bbab1 9.4.0 version bump
• cdd3d8e Merge pull request #6851 from radarhere/size
• 38a93a0 Merge pull request #6850 from radarhere/releasenotes
• d4d981d Updated size parameter descriptions
• e908afe Updated security descriptions
• 0efda91 Merge pull request #6845 from radarhere/copyright
• 35b4c43 Added release notes for #6846
• a632b7a Added release notes for #6842
• 009bbe2 Update CHANGES.rst [ci skip]
• c4cc487 Merge pull request #6846 from radarhere/font_crash
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Sourced from selenium's releases.

Selenium 4.7.0

Changelog

For each component's detailed changelog, please check:

• Ruby
• Python
• JavaScript
• Java
• DotNet
• IEDriverServer

Commits in this release

• 0a5b49d16f - [java] update changelog and bump version to 4.7 :: titusfortner
• 8d170a99d4 - [rb] update changes and bump version to 4.7 :: titusfortner
• 8d92d981a5 - [py] update changes and bump version to 4.7 :: titusfortner
• 68b46096da - [js] update changes and bump version to 4.7 :: titusfortner
• 1f5fe6da92 - [dotnet] update readme and bump version to 4.7 :: titusfortner
• 7ee8add26b - [cpp] bump IE Driver version to 4.7 :: titusfortner
• 4b4e01dddf - update selenium manager binaries for 4.7 release :: titusfortner
• 7a79429d15 - [js] update ways error messages are handled for selenium manager :: titusfortner
• c23b95b9ff - [dotnet] split up frameworks on CI :: titusfortner
• 993e6b2f97 - [py] fix linter issue :: titusfortner
• 416d183251 - [ci] run language tests from typical language tags :: titusfortner
• 409b057bdf - [py]: 🚀 Improve performance (#11310) :: Fenil Mehta
• 8b6dbb38e0 - [py]: Propagate stderr to exceptions when selenium manager fails (#11329) :: Simon K
• 3584dad5b5 - [Build] setup multiple python interpreters defaulting to 3.8 :: AutomatedTester
• cccbe85920 - [Build] Bump rules_python to 0.15 :: AutomatedTester
• 8cd4954c7a - [rb] fix failing specs :: titusfortner
• 285dacec9c - [dotnet][cdp] add support for Chrome 108 and remove support for Chrome 105 :: titusfortner
• 922f5d31af - [js][cdp] add support for Chrome 108 and remove support for Chrome 105 :: titusfortner
• e8c0102941 - [rb][cdp] add support for Chrome 108 and remove support for Chrome 105 :: titusfortner
• c315feef9d - [py][cdp] add support for Chrome 108 and remove support for Chrome 105 :: titusfortner
• 8d5c10ff62 - [java][cdp] add support for Chrome 108 and remove support for Chrome 105 :: titusfortner
• 69fac46fe0 - [cdp] add support for Chrome 108 and remove support for Chrome 105 :: titusfortner
• 3d1b8c6267 - [dotnet] run tests on Windows CI :: titusfortner
• a8f4184e3c - [rb] make sure command execution errors get rescued :: titusfortner
• 769cd05fb4 - [rb] fix reset_driver! implementation :: titusfortner
• 37498f8bd1 - [java] toggle selenium manager output by exit value instead of content :: titusfortner
• 18fc6346f7 - [rb] toggle Selenium Manager execution output on exit code :: titusfortner
• ec2430e52b - [java] minor test updates :: titusfortner
• b4d6c4e59a - [cpp] update to visual studio 2022 :: titusfortner
• 9480f0d514 - [dotnet][cdp] implement get targets better :: titusfortner
• aa5dfd697f - [dotnet] add guards and fix tests :: titusfortner
• b3c3903c9f - [dotnet] add test attributes to guard for platforms and targets :: titusfortner
• 8fb8fd791a - [dotnet] toggle Selenium Manager execution output on exit code :: titusfortner
• d2838e1291 - [dotnet] update everything required for .NET 6 :: titusfortner
• 471e245d7c - ci: fix GitHub_Actions set-output is deprecated (#11265) :: Christian Clauss

... (truncated)

• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

How often will the code scanning analysis run?

By default, code scanning will trigger a scan with the CodeQL engine on the following events:

• On every pull request — to flag up potential security problems for you to investigate before merging a PR.
• On every push to your default branch and other protected branches — this keeps the analysis results on your repository’s Security tab up to date.
• Once a week at a fixed time — to make sure you benefit from the latest updated security analysis even when no code was committed or PRs were opened.

What will this cost?

Nothing! The CodeQL engine will run inside GitHub Actions, making use of your unlimited free compute minutes for public repositories.

What types of problems does CodeQL find?

The CodeQL engine that powers GitHub code scanning is the exact same engine that powers LGTM.com. The exact set of rules has been tweaked slightly, but you should see almost exactly the same types of alerts as you were used to on LGTM.com: we’ve enabled the security-and-quality query suite for you.

How do I upgrade my CodeQL engine?

No need! New versions of the CodeQL analysis are constantly deployed on GitHub.com; your repository will automatically benefit from the most recently released version.

The analysis doesn’t seem to be working

If you get an error in GitHub Actions that indicates that CodeQL wasn’t able to analyze your code, please follow the instructions here to debug the analysis.

How do I disable LGTM.com?

If you have LGTM’s automatic pull request analysis enabled, then you can follow these steps to disable the LGTM pull request analysis. You don’t actually need to remove your repository from LGTM.com; it will automatically be removed in the next few months as part of the deprecation of LGTM.com (more info here).

Which source code hosting platforms does code scanning support?

GitHub code scanning is deeply integrated within GitHub itself. If you’d like to scan source code that is hosted elsewhere, we suggest that you create a mirror of that code on GitHub.

How do I know this PR is legitimate?

This PR is filed by the official LGTM.com GitHub App, in line with the deprecation timeline that was announced on the official GitHub Blog. The proposed GitHub Action workflow uses the official open source GitHub CodeQL Action. If you have any other questions or concerns, please join the discussion here in the official GitHub community!

I have another question / how do I get in touch?

Please join the discussion here to ask further questions and send us suggestions!

Sourced from selenium's releases.

Selenium 4.6.0

Changelog

For each component's detailed changelog, please check:

• Ruby
• Python
• JavaScript
• Java
• DotNet
• IEDriverServer

Commits in this release

• dbf63cff9dd - [dotnet] forgot to delete CDP v103 directory :: titusfortner
• e219c447714 - Update list of java modules to upload to maven :: Simon Mavi Stewart
• 316f9738a8e - isPromise() thenable fix (#11048) :: Chris Stringer
• 3167e93110f - [py]: new tox recipe for isort in non diff only mode (#11005) :: Simon K
• c686e6875c3 - [py]: Recipe for black; configure flake8 to work in tandem :: symonk
• b5b495da3ce - [py]: format python tests with black :: symonk
• fe9444df1b2 - [py]: consolidate and document linting changes; enable linting in gh actions :: symonk
• eaa7ecceb6b - [py]: tidy exceptions.py code :: symonk
• 9e0316636f0 - [py]: Run flake8 last as other linters fix most of its issues automatically :: symonk
• f4a891523b3 - [py]: use f-strings in some tests :: symonk
• 1c2f1cbd69b - [py]: Lint webdriver/safari/ in preparation for consolidating the driver API :: symonk
• 4d8fc6ba596 - [py]: Document firefox service= arg. closes #11067 :: symonk
• 31144ffdc4c - [py]: Additional types and tidying safari service :: symonk
• 084ffc83001 - [py]: Revert removal of default executable global for safari :: symonk
• 58c3c5c887a - [py]: Adding a start/stop interface for typing :: symonk
• c09027bc5c6 - [py]: convert service_url to fstrings :: symonk
• ca217d29ec9 - [py]: Exit 1 in ci when linter is failing :: symonk
• ba04acdf9ea - [py]: Base Service tidy up :: symonk
• 6b4281bd4bc - [py]: More internal refactoring of the base Service class :: symonk
• e2add163783 - [py]: Apply black on the rest of the code base :: symonk
• c59a267a0c4 - [py]: bugfix iterating stdout twice instead of stderr :: symonk
• 49efb1c3873 - [py]: remove no_focus_so_name unused argument :: symonk
• a8026c18431 - [py]: bugfix _get_firefox_start_cmd referencing invalid os._name :: symonk
• e1a2b532da2 - [py]: Tidy some webelement.py and simplify branched logic :: symonk
• c22de96c687 - [java] Avoid throwing errors once NetworkInterceptor is closed :: Puja Jagani
• a5423d92d58 - [py]: Remove invalid argument calls to _extract_and_check until removed :: symonk
• fcb83491a87 - [py]: Remove invalid argument calls to _extract_and_check until removed :: symonk
• 7ead8b87577 - [py]: Fix typing.Union t ypes for log_path :: symonk
• 1d2ea0488e3 - [py]: Additional types; remove unused permissions.py :: symonk
• 5fba3a2b2d2 - [py]: Remove RemoteDriverServerException :: symonk
• 4199d70eb19 - [java] Avoiding hiding "internal" package so that selenium-api exports it :: Puja Jagani
• 1fa4ca61d7e - [py]: Remove comments from tox.ini :: symonk
• 3a788a383b4 - [py]: docs and type hints for chrome.service :: symonk
• 7c7e2ecba28 - [py]: docs, type hints and clean up for ChromiumService :: symonk

... (truncated)

• 79f1c02 Bumping versions to 4.6.0 and updating changelogs
• 4ce2649 [dotnet] add Selenium Manager support for Unix
• 7be7e2e [dotnet] fix the framework conditionals for Selenium Manager
• 73f9351 Running ./go copyright:update
• 06e639e Including Rust in ./go copyright:update task
• b0db1ee [dotnet] add Selenium Manager support for linux & mac
• ba1821d Fix platform list in #scroll_by guard
• 7bb31fc mark Selenium Manager implementations as beta
• 718f4f2 [rb] update guards for tests on Windows
• 878ce7e Ensure all ruby_test targets have access to :remote
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Sourced from pillow's releases.

9.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/9.3.0.html

Changes

• Initialize libtiff buffer when saving #6699 [@​radarhere]
• Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [@​wiredfool]
• Inline fname2char to fix memory leak #6329 [@​nulano]
• Fix memory leaks related to text features #6330 [@​nulano]
• Use double quotes for version check on old CPython on Windows #6695 [@​hugovk]
• GHA: replace deprecated set-output command with GITHUB_OUTPUT file #6697 [@​nulano]
• Remove backup implementation of Round for Windows platforms #6693 [@​cgohlke]
• Upload fribidi.dll to GitHub Actions #6532 [@​nulano]
• Fixed set_variation_by_name offset #6445 [@​radarhere]
• Windows build improvements #6562 [@​nulano]
• Fix malloc in _imagingft.c:font_setvaraxes #6690 [@​cgohlke]
• Only use ASCII characters in C source file #6691 [@​cgohlke]
• Release Python GIL when converting images using matrix operations #6418 [@​hmaarrfk]
• Added ExifTags enums #6630 [@​radarhere]
• Do not modify previous frame when calculating delta in PNG #6683 [@​radarhere]
• Added support for reading BMP images with RLE4 compression #6674 [@​npjg]
• Decode JPEG compressed BLP1 data in original mode #6678 [@​radarhere]
• pylint warnings #6659 [@​marksmayo]
• Added GPS TIFF tag info #6661 [@​radarhere]
• Added conversion between RGB/RGBA/RGBX and LAB #6647 [@​radarhere]
• Do not attempt normalization if mode is already normal #6644 [@​radarhere]
• Fixed seeking to an L frame in a GIF #6576 [@​radarhere]
• Consider all frames when selecting mode for PNG save_all #6610 [@​radarhere]
• Don't reassign crc on ChunkStream close #6627 [@​radarhere]
• Raise a warning if NumPy failed to raise an error during conversion #6594 [@​radarhere]
• Only read a maximum of 100 bytes at a time in IMT header #6623 [@​radarhere]
• Show all frames in ImageShow #6611 [@​radarhere]
• Allow FLI palette chunk to not be first #6626 [@​radarhere]
• If first GIF frame has transparency for RGB_ALWAYS loading strategy, use RGBA mode #6592 [@​radarhere]
• Round box position to integer when pasting embedded color #6517 [@​radarhere]
• Removed EXIF prefix when saving WebP #6582 [@​radarhere]
• Pad IM palette to 768 bytes when saving #6579 [@​radarhere]
• Added DDS BC6H reading #6449 [@​ShadelessFox]
• Added support for opening WhiteIsZero 16-bit integer TIFF images #6642 [@​JayWiz]
• Raise an error when allocating translucent color to RGB palette #6654 [@​jsbueno]
• Moved mode check outside of loops #6650 [@​radarhere]
• Added reading of TIFF child images #6569 [@​radarhere]
• Improved ImageOps palette handling #6596 [@​PososikTeam]
• Defer parsing of palette into colors #6567 [@​radarhere]
• Apply transparency to P images in ImageTk.PhotoImage #6559 [@​radarhere]
• Use rounding in ImageOps contain() and pad() #6522 [@​bibinhashley]
• Fixed GIF remapping to palette with duplicate entries #6548 [@​radarhere]
• Allow remap_palette() to return an image with less than 256 palette entries #6543 [@​radarhere]
• Corrected BMP and TGA palette size when saving #6500 [@​radarhere]

... (truncated)

Sourced from pillow's changelog.

9.3.0 (2022-10-29)

• Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [wiredfool]

• Initialize libtiff buffer when saving #6699 [radarhere]

• Inline fname2char to fix memory leak #6329 [nulano]

• Fix memory leaks related to text features #6330 [nulano]

• Use double quotes for version check on old CPython on Windows #6695 [hugovk]

• Remove backup implementation of Round for Windows platforms #6693 [cgohlke]

• Fixed set_variation_by_name offset #6445 [radarhere]

• Fix malloc in _imagingft.c:font_setvaraxes #6690 [cgohlke]

• Release Python GIL when converting images using matrix operations #6418 [hmaarrfk]

• Added ExifTags enums #6630 [radarhere]

• Do not modify previous frame when calculating delta in PNG #6683 [radarhere]

• Added support for reading BMP images with RLE4 compression #6674 [npjg, radarhere]

• Decode JPEG compressed BLP1 data in original mode #6678 [radarhere]

• Added GPS TIFF tag info #6661 [radarhere]

• Added conversion between RGB/RGBA/RGBX and LAB #6647 [radarhere]

• Do not attempt normalization if mode is already normal #6644 [radarhere]

... (truncated)

• d594f4c Update CHANGES.rst [ci skip]
• 909dc64 9.3.0 version bump
• 1a51ce7 Merge pull request #6699 from hugovk/security-libtiff_buffer
• 2444cdd Merge pull request #6700 from hugovk/security-samples_per_pixel-sec
• 744f455 Added release notes
• 0846bfa Add to release notes
• 799a6a0 Fix linting
• 00b25fd Hide UserWarning in logs
• 05b175e Tighter test case
• 13f2c5a Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Sourced from selenium's releases.

Selenium 4.5.0

Changelog

For each component's detailed changelog, please check:

• Ruby
• Python
• JavaScript
• Java
• DotNet
• IEDriverServer

Commits in this release

• feed290ab3 - [js] missing end quote in bazel file :: titusfortner
• fe167b119a - [java] update changelog and bump version to 4.5 :: titusfortner
• 14516208b0 - [dotnet] update changelog and bump version to 4.5 :: titusfortner
• 10ad14e20e - [iedriver] bump versions to 4.5 :: titusfortner
• 5057e02848 - [js] update changelog and bump version to 4.5 :: titusfortner
• 77166342b7 - [py] update changelog and bump versions to 4.5 :: titusfortner
• 26dc816c5c - [rb] update changelog and bump version to 4.5 :: titusfortner
• 50c5d6ff23 - [rb] add cdp v106 remove v103 :: titusfortner
• 3170a497f8 - [dotnet] add cdp v106 remove v103 :: titusfortner
• a2b161a5c5 - [py] add cdp v106 remove v103 :: titusfortner
• 1ffd09357a - [js] add cdp v106 remove v103 :: titusfortner
• 2a05eb120b - [java] add cdp v106 remove v103 :: titusfortner
• 697c717a28 - [cdp] add definition files for v106 and remove v103 :: titusfortner
• 9c8215e84e - [java] Enable BiDi session test :: Puja Jagani
• f7b97cbe12 - [java] Allow origin of [::1] for geckodriver for IPv6 only systems :: Puja Jagani
• 3e7c6e1a95 - Ensure that the decorators do not leak out of the support package :: Simon Mavi Stewart
• 96c4ecd714 - [java] allow origins for geckodriver of localhost and 127.0.0.1 :: titusfortner
• af12e439d8 - [JS] bump rules_nodejs to 5.6.0 :: Sriharsha
• a3b11f7fb8 - [dotnet] update changelog for 4.5 :: titusfortner
• 5d1779925c - [rb] update changelog for 4.5 :: titusfortner
• 42850a7fab - [rb] add BiDi support for Chrome in preparation for Chrome v106 :: titusfortner
• 58f5833ba0 - [rb] match other bindings by defaulting debugger_address and accept_insecure_certs to true for Firefox :: titusfortner
• 04e1dfc1fd - [rb] run dev tools tests on Firefox :: titusfortner
• e51e2a99ab - [rb] support initializing Server with args and log_level :: titusfortner
• b44aee0478 - [rb] use options instead of capabilities :: titusfortner
• 77c4bf303e - [rb] don't use opts as hash in tests :: titusfortner
• cb8872cd72 - Remove spelling mistake from the method name (#11051) :: Vikas Goel
• 760305b6a6 - [py]: add type hints for method parameters (#11053) :: Kim Hyeonseok
• df0f92db7f - [iedriver] update changelog :: titusfortner
• 42284b08ab - [java] update changelog :: titusfortner
• 8aeb1e1290 - Run fluxbox as window manager for jobs using Xvfb (#11025) :: Henrik Skupin
• ff372929fa - Fixed some typos (#11035) :: Shishu Raj Pandey
• dc53093baf - [py] fix flake8 failure :: titusfortner
• 3fcc413878 - [java] remove non-applicable xml test :: titusfortner
• 31190f8edd - [java] fix aliases for windows 7 and vista platform name :: titusfortner

... (truncated)

• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)