Sourced from scrapy's releases.

2.6.1

Fixes a regression introduced in 2.6.0 that would unset the request method when following redirects.

2.6.0

• Security fixes for cookie handling (see details below)
• Python 3.10 support
• asyncio support is no longer considered experimental, and works out-of-the-box on Windows regardless of your Python version
• Feed exports now support pathlib.Path output paths and per-feed item filtering and post-processing

See the full changelog

Security bug fixes

• When a Request object with cookies defined gets a redirect response causing a new Request object to be scheduled, the cookies defined in the original Request object are no longer copied into the new Request object.

  If you manually set the Cookie header on a Request object and the domain name of the redirect URL is not an exact match for the domain of the URL of the original Request object, your Cookie header is now dropped from the new Request object.

  The old behavior could be exploited by an attacker to gain access to your cookies. Please, see the cjvr-mfj7-j4j8 security advisory for more information.

  Note: It is still possible to enable the sharing of cookies between different domains with a shared domain suffix (e.g. example.com and any subdomain) by defining the shared domain suffix (e.g. example.com) as the cookie domain when defining your cookies. See the documentation of the Request class for more information.

• When the domain of a cookie, either received in the Set-Cookie header of a response or defined in a Request object, is set to a public suffix <https://publicsuffix.org/>_, the cookie is now ignored unless the cookie domain is the same as the request domain.

  The old behavior could be exploited by an attacker to inject cookies from a controlled domain into your cookiejar that could be sent to other domains not controlled by the attacker. Please, see the mfjm-vh54-3f96 security advisory for more information.

2.5.1

Security bug fix:

If you use HttpAuthMiddleware (i.e. the http_user and http_pass spider attributes) for HTTP authentication, any request exposes your credentials to the request target.

To prevent unintended exposure of authentication credentials to unintended domains, you must now additionally set a new, additional spider attribute, http_auth_domain, and point it to the specific domain to which the authentication credentials must be sent.

If the http_auth_domain spider attribute is not set, the domain of the first request will be considered the HTTP authentication target, and authentication credentials will only be sent in requests targeting that domain.

If you need to send the same HTTP authentication credentials to multiple domains, you can use w3lib.http.basic_auth_header instead to set the value of the Authorization header of your requests.

If you really want your spider to send the same HTTP authentication credentials to any domain, set the http_auth_domain spider attribute to None.

Finally, if you are a user of scrapy-splash, know that this version of Scrapy breaks compatibility with scrapy-splash 0.7.2 and earlier. You will need to upgrade scrapy-splash to a greater version for it to continue to work.

2.5.0

• Official Python 3.9 support
• Experimental HTTP/2 support
• New get_retry_request() function to retry requests from spider callbacks
• New headers_received signal that allows stopping downloads early
• New Response.protocol attribute

See the full changelog

... (truncated)

Sourced from scrapy's changelog.

Scrapy 2.6.1 (2022-03-01)

Fixes a regression introduced in 2.6.0 that would unset the request method when following redirects.

.. _release-2.6.0:

Scrapy 2.6.0 (2022-03-01)

Highlights:

• :ref:Security fixes for cookie handling <2.6-security-fixes>

• Python 3.10 support

• :ref:asyncio support <using-asyncio> is no longer considered experimental, and works out-of-the-box on Windows regardless of your Python version

• Feed exports now support :class:pathlib.Path output paths and per-feed :ref:item filtering <item-filter> and :ref:post-processing <post-processing>

.. _2.6-security-fixes:

Security bug fixes

-   When a :class:`~scrapy.http.Request` object with cookies defined gets a
    redirect response causing a new :class:`~scrapy.http.Request` object to be
    scheduled, the cookies defined in the original
    :class:`~scrapy.http.Request` object are no longer copied into the new
    :class:`~scrapy.http.Request` object.
If you manually set the ``Cookie`` header on a
:class:`~scrapy.http.Request` object and the domain name of the redirect
URL is not an exact match for the domain of the URL of the original
:class:`~scrapy.http.Request` object, your ``Cookie`` header is now dropped
from the new :class:`~scrapy.http.Request` object.
The old behavior could be exploited by an attacker to gain access to your
cookies. Please, see the cjvr-mfj7-j4j8 security advisory_ for more
information.
.. _cjvr-mfj7-j4j8 security advisory: https://github.com/scrapy/scrapy/security/advisories/GHSA-cjvr-mfj7-j4j8
.. note:: It is still possible to enable the sharing of cookies between

</tr></table>

... (truncated)

• 23537a0 Bump version: 2.6.0 → 2.6.1
• fab3e90 Cover 2.6.1 in the release notes
• d60636d Fix redirect handling regression
• 84853c4 bandit: allow-list B324 for the time being
• 6b63e7c Bump version: 2.5.0 → 2.6.0
• e865c44 Merge pull request from GHSA-mfjm-vh54-3f96
• 8ce01b3 Merge pull request from GHSA-cjvr-mfj7-j4j8
• aa0306a Cover 2.6.0 in the release notes (#5399)
• 08557e0 Pin old markupsafe when we pin old mitmproxy (#5427)
• 3b42ccf Add a link to Discord (#5422)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from lxml's changelog.

4.6.5 (2021-12-12)

Bugs fixed

• A vulnerability (GHSL-2021-1038) in the HTML cleaner allowed sneaking script content through SVG images.

• A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed sneaking script content through CSS imports and other crafted constructs.

4.6.4 (2021-11-01)

Features added

• GH#317: A new property system_url was added to DTD entities. Patch by Thirdegree.

• GH#314: The STATIC_* variables in setup.py can now be passed via env vars. Patch by Isaac Jurado.

4.6.3 (2021-03-21)

Bugs fixed

• A vulnerability (CVE-2021-28957) was discovered in the HTML Cleaner by Kevin Chung, which allowed JavaScript to pass through. The cleaner now removes the HTML5 formaction attribute.

4.6.2 (2020-11-26)

Bugs fixed

• A vulnerability (CVE-2020-27783) was discovered in the HTML Cleaner by Yaniv Nizry, which allowed JavaScript to pass through. The cleaner now removes more sneaky "style" content.

4.6.1 (2020-10-18)

... (truncated)

• a9611ba Fix a test in Py2.
• a3eacbc Prepare release of 4.6.5.
• b7ea687 Update changelog.
• 69a7473 Cleaner: cover some more cases where scripts could sneak through in specially...
• 54d2985 Fix condition in test decorator.
• 4b220b5 Use the non-depcrecated TextTestResult instead of _TextTestResult (GH-333)
• d85c6de Exclude a test when using the macOS system libraries because it fails with li...
• cd4bec9 Add macOS-M1 as wheel build platform.
• fd0d471 Install automake and libtool in macOS build to be able to install the latest ...
• f233023 Cleaner: Remove SVG image data URLs since they can embed script content.
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from scrapy's releases.

1.8.1

Security bug fix:

If you use HttpAuthMiddleware (i.e. the http_user and http_pass spider attributes) for HTTP authentication, any request exposes your credentials to the request target.

To prevent unintended exposure of authentication credentials to unintended domains, you must now additionally set a new, additional spider attribute, http_auth_domain, and point it to the specific domain to which the authentication credentials must be sent.

If the http_auth_domain spider attribute is not set, the domain of the first request will be considered the HTTP authentication target, and authentication credentials will only be sent in requests targeting that domain.

If you need to send the same HTTP authentication credentials to multiple domains, you can use w3lib.http.basic_auth_header instead to set the value of the Authorization header of your requests.

If you really want your spider to send the same HTTP authentication credentials to any domain, set the http_auth_domain spider attribute to None.

Finally, if you are a user of scrapy-splash, know that this version of Scrapy breaks compatibility with scrapy-splash 0.7.2 and earlier. You will need to upgrade scrapy-splash to a greater version for it to continue to work.

Sourced from scrapy's changelog.

Scrapy 1.8.1 (2021-10-05)

• Security bug fix:

  If you use :class:~scrapy.downloadermiddlewares.httpauth.HttpAuthMiddleware (i.e. the http_user and http_pass spider attributes) for HTTP authentication, any request exposes your credentials to the request target.

  To prevent unintended exposure of authentication credentials to unintended domains, you must now additionally set a new, additional spider attribute, http_auth_domain, and point it to the specific domain to which the authentication credentials must be sent.

  If the http_auth_domain spider attribute is not set, the domain of the first request will be considered the HTTP authentication target, and authentication credentials will only be sent in requests targeting that domain.

  If you need to send the same HTTP authentication credentials to multiple domains, you can use :func:w3lib.http.basic_auth_header instead to set the value of the Authorization header of your requests.

  If you really want your spider to send the same HTTP authentication credentials to any domain, set the http_auth_domain spider attribute to None.

  Finally, if you are a user of scrapy-splash_, know that this version of Scrapy breaks compatibility with scrapy-splash 0.7.2 and earlier. You will need to upgrade scrapy-splash to a greater version for it to continue to work.

.. _scrapy-splash: https://github.com/scrapy-plugins/scrapy-splash

.. _release-1.8.0:

• 283e90e Bump version: 1.8.0 → 1.8.1
• 99ac4db Cover 1.8.1 in the release notes
• 1635134 Small documentation fixes.
• b01d69a Add http_auth_domain to HttpAuthMiddleware.
• 4183925 Travis CI → GitHub Actions
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from lxml's changelog.

4.6.3 (2021-03-21)

Bugs fixed

• A vulnerability (CVE-2021-28957) was discovered in the HTML Cleaner by Kevin Chung, which allowed JavaScript to pass through. The cleaner now removes the HTML5 formaction attribute.

4.6.2 (2020-11-26)

Bugs fixed

• A vulnerability (CVE-2020-27783) was discovered in the HTML Cleaner by Yaniv Nizry, which allowed JavaScript to pass through. The cleaner now removes more sneaky "style" content.

4.6.1 (2020-10-18)

Bugs fixed

• A vulnerability was discovered in the HTML Cleaner by Yaniv Nizry, which allowed JavaScript to pass through. The cleaner now removes more sneaky "style" content.

4.6.0 (2020-10-17)

Features added

• GH#310: lxml.html.InputGetter supports __len__() to count the number of input fields. Patch by Aidan Woolley.

• lxml.html.InputGetter has a new .items() method to ease processing all input fields.

• lxml.html.InputGetter.keys() now returns the field names in document order.

• GH-309: The API documentation is now generated using sphinx-apidoc. Patch by Chris Mayo.

Bugs fixed

... (truncated)

• a5f9cb5 Prepare release of lxml 4.6.3.
• 2d01a1b Add HTML-5 "formaction" attribute to "defs.link_attrs" (GH-316)
• e986a9c Fix reference in docs.
• 4cb5736 Work around Py2's lack of "re.ASCII".
• c30106f Prepare release of 4.6.2.
• a105ab8 Prevent combinations of <math/svg> and <style> to sneak JavaScript through th...
• c053dc1 Add a recipe for a look-ahead generator to allow modifications during tree it...
• b083124 lxml actually works in Py3.9.
• 0f80590 lxml actually works in Py3.9.
• fd8893c Add a doc note that the .find() methods are usually faster than one might exp...
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from lxml's changelog.

4.6.2 (2020-11-26)

Bugs fixed

• A vulnerability (CVE-2020-27783) was discovered in the HTML Cleaner by Yaniv Nizry, which allowed JavaScript to pass through. The cleaner now removes more sneaky "style" content.

4.6.1 (2020-10-18)

Bugs fixed

• A vulnerability was discovered in the HTML Cleaner by Yaniv Nizry, which allowed JavaScript to pass through. The cleaner now removes more sneaky "style" content.

4.6.0 (2020-10-17)

Features added

• GH#310: lxml.html.InputGetter supports __len__() to count the number of input fields. Patch by Aidan Woolley.

• lxml.html.InputGetter has a new .items() method to ease processing all input fields.

• lxml.html.InputGetter.keys() now returns the field names in document order.

• GH-309: The API documentation is now generated using sphinx-apidoc. Patch by Chris Mayo.

Bugs fixed

• LP#1869455: C14N 2.0 serialisation failed for unprefixed attributes when a default namespace was defined.

• TreeBuilder.close() raised AssertionError in some error cases where it should have raised XMLSyntaxError. It now raises a combined exception to keep up backwards compatibility, while switching to XMLSyntaxError as an interface.

• 4cb5736 Work around Py2's lack of "re.ASCII".
• c30106f Prepare release of 4.6.2.
• a105ab8 Prevent combinations of <math/svg> and <style> to sneak JavaScript through th...
• c053dc1 Add a recipe for a look-ahead generator to allow modifications during tree it...
• b083124 lxml actually works in Py3.9.
• 0f80590 lxml actually works in Py3.9.
• fd8893c Add a doc note that the .find() methods are usually faster than one might exp...
• eb6df27 Update release version on homepage.
• 69b5c9b Automate the build artefact downloading from github and appveyor.
• 61432a8 Prepare release of lxml 4.6.1.
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from uvicorn's releases.

Version 0.11.7

0.11.7

• SECURITY FIX: Prevent sending invalid HTTP header names and values.
• SECURITY FIX: Ensure path value is escaped before logging to the console.

Version 0.11.6

• Fix overriding the root logger.

Version 0.11.5

• Revert "Watch all files, not just .py" due to unexpected side effects.
• Revert "Pass through gunicorn timeout config." due to unexpected side effects.

Version 0.11.4

• Use watchgod, if installed, for watching code changes.
• Reload application when any files in watched directories change, not just .py files.

Sourced from uvicorn's changelog.

0.11.7

• SECURITY FIX: Prevent sending invalid HTTP header names and values.
• SECURITY FIX: Ensure path value is escaped before logging to the console.

0.11.6

• Fix overriding the root logger.

0.11.5

• Revert "Watch all files, not just .py" due to unexpected side effects.
• Revert "Pass through gunicorn timeout config." due to unexpected side effects.

0.11.4

• Use watchgod, if installed, for watching code changes.
• Watch all files, not just .py.
• Pass through gunicorn timeout config.

0.11.3

• Update dependencies.

• 178bee6 Version 0.11.7 (#726)
• a796e1d Corrected --proxy-headers client ip/host when using a unix socket (#636)
• 895807f Quote path component before logging (#724)
• 789e2f1 Disallow invalid header characters (#725)
• 81f2136 Brings back windows testing to CI (#685)
• f623916 Release version 0.11.6 (#705)
• 6757386 Removing iocp mentions from documentation (#692)
• 77468df Add --app-dir option for running uvicorn from any location (#619)
• 9b92925 Document default backlog setting (#682)
• 2dcbb13 Fix typo. (#676)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from twisted's changelog.

Twisted 19.7.0 (2019-07-28)

Features

• The callable argument to twisted.internet.task.deferLater() is no longer required. (#9577)
• Twisted's minimum Cryptography requirement is now 2.5. (#9592)
• twisted.internet.utils.getProcessOutputAndValue now accepts stdinBytes to write to the child process's standard input. (#9607)
• Add new twisted.logger.capturedLogs context manager for capturing observed log events in tests. (#9617)
• twisted.internet.base.PluggableResolverMixin, which implements the pluggable resolver interfaces for easier re-use in other reactors, has been factored out of ReactorBase. (#9632)
• The PyPI page for Twisted has been enhanced to include more information and useful links. (#9648)

Bugfixes

• twisted.internet.endpoints is now importable on Windows when pywin32 is not installed. (#6032)
• twisted.conch.ssh now generates correct keys when using hmac-sha2-512 with SHA1 based KEX algorithms. (#8258)
• twisted.internet.iocpreactor.abstract.FileHandle no longer duplicates/looses outgoing data when .write() is called in rapid succession with large payloads (#9446)
• twisted.application.backoffPolicy will not fail on connection attempts > 1750 with default settings. (#9476)
• Trial on Python 3 will now properly re-raise ImportErrors that occur during the import of a module, rather than saying the module doesn't exist. (#9628)
• twisted.internet.process does not fail on import when the process has more than 1024 file descriptors opened. (#9636)
• Add the stackLevel keyword argument to twisted.logger.STDLibLogObserver._findCaller to fix an incompatibility with Python 3.8. (#9668)

Improved Documentation

• Fix the incorrect docstring for twisted.python.components.Componentized.addComponent which stated that the function returned a list of interfaces, even though the function doesn't actually do so. (#9637)

Deprecations and Removals

• twisted.test.proto_helpers has moved to twisted.internet.testing. twisted.test.proto_helpers has been deprecated. (#6435)
• twisted.protocols.mice, deprecated since Twisted 16.0, has been removed. (#9602)
• twisted.conch.insults.client and twisted.conch.insults.colors, deprecated since Twisted 10.1, have been removed. (#9603)
• The version attribute of Twisted submodules that were previously packaged separately, deprecated since Twisted 16.0, has been removed. (#9604)
• Python 3.4 is no longer supported. (#9613)
• twisted.python.compat.OrderedDict, an alias for collections.OrderedDict and deprecated since Twisted 15.5, has been removed. (#9639)

Misc

• #9217, #9445, #9454, #9605, #9614, #9615, #9619, #9625, #9633, #9640, #9674

Conch

... (truncated)

• f2ff3f9 Fix something Incremental missed
• 04d865d Towncrier for 19.7.0
• 0f3e8cd Incremental to 19.7.0
• 4d61c62 Move some miscategorised newsfragments
• 7d88fca Revert "towncrier for 19.7.0rc1"
• 17084ea towncrier for 19.7.0rc1
• 6e8cb44 incremental to 19.7.0
• ab6156f Merge pull request #1143 from twisted/9628-trial3-importerror
• e0b696f Merge branch 'trunk' into 9628-trial3-importerror
• 5b203b2 Merge ryban:8258-ryban-hmac-sha2-512-fix: Fix SSH not generating correct keys...
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from werkzeug's releases.

0.15.3

• Blog: https://palletsprojects.com/blog/werkzeug-0-15-3-released/
• Changes: https://werkzeug.palletsprojects.com/en/0.15.x/changes/#version-0-15-3

0.15.2

• Blog: https://palletsprojects.com/blog/werkzeug-0-15-2-released/
• Changes: https://werkzeug.palletsprojects.com/en/0.15.x/changes/#version-0-15-2

0.15.1

• Blog: https://palletsprojects.com/blog/werkzeug-0-15-1-released/
• Changes: https://werkzeug.palletsprojects.com/en/0.15.x/changes/

0.15.0

• Blog: https://palletsprojects.com/blog/werkzeug-0-15-0-released/
• Changes: https://werkzeug.palletsprojects.com/en/0.15.x/changes/

Sourced from werkzeug's changelog.

Version 0.15.3

Released 2019-05-14

• Properly handle multi-line header folding in development server in Python 2.7. (:issue:1080)
• Restore the response argument to :exc:~exceptions.Unauthorized. (:pr:1527)
• :exc:~exceptions.Unauthorized doesn't add the WWW-Authenticate header if www_authenticate is not given. (:issue:1516)
• The default URL converter correctly encodes bytes to string rather than representing them with b''. (:issue:1502)
• Fix the filename format string in :class:~middleware.profiler.ProfilerMiddleware to correctly handle float values. (:issue:1511)
• Update :class:~middleware.lint.LintMiddleware to work on Python 3. (:issue:1510)
• The debugger detects cycles in chained exceptions and does not time out in that case. (:issue:1536)
• When running the development server in Docker, the debugger security pin is now unique per container.

Version 0.15.2

Released 2019-04-02

• Rule code generation uses a filename that coverage will ignore. The previous value, "generated", was causing coverage to fail. (:issue:1487)
• The test client removes the cookie header if there are no persisted cookies. This fixes an issue introduced in 0.15.0 where the cookies from the original request were used for redirects, causing functions such as logout to fail. (:issue:1491)
• The test client copies the environ before passing it to the app, to prevent in-place modifications from affecting redirect requests. (:issue:1498)
• The "werkzeug" logger only adds a handler if there is no handler configured for its level in the logging chain. This avoids double logging if other code configures logging first. (:issue:1492)

Version 0.15.1

Released 2019-03-21

• :exc:~exceptions.Unauthorized takes description as the first

... (truncated)

• 9b1123a release version 0.15.3
• 00bc43b unique debugger pin in Docker containers
• 2cbdf2b Merge pull request #1542 from asottile/exceptions_arent_always_hashable
• 0e669f6 Fix unhashable exception types
• bdc17e4 Merge pull request #1540 from pallets/break-tb-cycle
• 44e38c2 break cycle in chained exceptions
• 777500b Merge pull request #1518 from NiklasMM/fix/1510_lint-middleware-python3-compa...
• e00c7c2 Make LintMiddleware Python 3 compatible and add tests
• d590cc7 Merge pull request #1539 from pallets/profiler-format
• 0388fc9 update filename_format for ProfilerMiddleware.
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

• 9e9e840 2022.12.07
• b81bdb2 2022.09.24
• 939a28f 2022.09.14
• aca828a 2022.06.15.2
• de0eae1 Only use importlib.resources's new files() / Traversable API on Python ≥3.11 ...
• b8eb5e9 2022.06.15.1
• 47fb7ab Fix deprecation warning on Python 3.11 (#199)
• b0b48e0 fixes #198 -- update link in license
• 9d514b4 2022.06.15
• 4151e88 Add py.typed to MANIFEST.in to package in sdist (#196)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from scrapy's releases.

2.6.2

Fixes a security issue around HTTP proxy usage, and addresses a few regressions introduced in Scrapy 2.6.0.

See the changelog.

2.6.1

Fixes a regression introduced in 2.6.0 that would unset the request method when following redirects.

2.6.0

• Security fixes for cookie handling (see details below)
• Python 3.10 support
• asyncio support is no longer considered experimental, and works out-of-the-box on Windows regardless of your Python version
• Feed exports now support pathlib.Path output paths and per-feed item filtering and post-processing

See the full changelog

Security bug fixes

• When a Request object with cookies defined gets a redirect response causing a new Request object to be scheduled, the cookies defined in the original Request object are no longer copied into the new Request object.

  If you manually set the Cookie header on a Request object and the domain name of the redirect URL is not an exact match for the domain of the URL of the original Request object, your Cookie header is now dropped from the new Request object.

  The old behavior could be exploited by an attacker to gain access to your cookies. Please, see the cjvr-mfj7-j4j8 security advisory for more information.

  Note: It is still possible to enable the sharing of cookies between different domains with a shared domain suffix (e.g. example.com and any subdomain) by defining the shared domain suffix (e.g. example.com) as the cookie domain when defining your cookies. See the documentation of the Request class for more information.

• When the domain of a cookie, either received in the Set-Cookie header of a response or defined in a Request object, is set to a public suffix <https://publicsuffix.org/>_, the cookie is now ignored unless the cookie domain is the same as the request domain.

  The old behavior could be exploited by an attacker to inject cookies from a controlled domain into your cookiejar that could be sent to other domains not controlled by the attacker. Please, see the mfjm-vh54-3f96 security advisory for more information.

2.5.1

Security bug fix:

If you use HttpAuthMiddleware (i.e. the http_user and http_pass spider attributes) for HTTP authentication, any request exposes your credentials to the request target.

To prevent unintended exposure of authentication credentials to unintended domains, you must now additionally set a new, additional spider attribute, http_auth_domain, and point it to the specific domain to which the authentication credentials must be sent.

If the http_auth_domain spider attribute is not set, the domain of the first request will be considered the HTTP authentication target, and authentication credentials will only be sent in requests targeting that domain.

If you need to send the same HTTP authentication credentials to multiple domains, you can use w3lib.http.basic_auth_header instead to set the value of the Authorization header of your requests.

If you really want your spider to send the same HTTP authentication credentials to any domain, set the http_auth_domain spider attribute to None.

Finally, if you are a user of scrapy-splash, know that this version of Scrapy breaks compatibility with scrapy-splash 0.7.2 and earlier. You will need to upgrade scrapy-splash to a greater version for it to continue to work.

2.5.0

• Official Python 3.9 support
• Experimental HTTP/2 support
• New get_retry_request() function to retry requests from spider callbacks

... (truncated)

Sourced from scrapy's changelog.

Scrapy 2.6.2 (2022-07-25)

Security bug fix:

• When :class:~scrapy.downloadermiddlewares.httpproxy.HttpProxyMiddleware processes a request with :reqmeta:proxy metadata, and that :reqmeta:proxy metadata includes proxy credentials, :class:~scrapy.downloadermiddlewares.httpproxy.HttpProxyMiddleware sets the Proxy-Authentication header, but only if that header is not already set.

  There are third-party proxy-rotation downloader middlewares that set different :reqmeta:proxy metadata every time they process a request.

  Because of request retries and redirects, the same request can be processed by downloader middlewares more than once, including both :class:~scrapy.downloadermiddlewares.httpproxy.HttpProxyMiddleware and any third-party proxy-rotation downloader middleware.

  These third-party proxy-rotation downloader middlewares could change the :reqmeta:proxy metadata of a request to a new value, but fail to remove the Proxy-Authentication header from the previous value of the :reqmeta:proxy metadata, causing the credentials of one proxy to be sent to a different proxy.

  To prevent the unintended leaking of proxy credentials, the behavior of :class:~scrapy.downloadermiddlewares.httpproxy.HttpProxyMiddleware is now as follows when processing a request:

  • If the request being processed defines :reqmeta:proxy metadata that includes credentials, the Proxy-Authorization header is always updated to feature those credentials.

  • If the request being processed defines :reqmeta:proxy metadata without credentials, the Proxy-Authorization header is removed unless it was originally defined for the same proxy URL.

    To remove proxy credentials while keeping the same proxy URL, remove the Proxy-Authorization header.

  • If the request has no :reqmeta:proxy metadata, or that metadata is a falsy value (e.g. None), the Proxy-Authorization header is removed.

    It is no longer possible to set a proxy URL through the :reqmeta:proxy metadata but set the credentials through the Proxy-Authorization header. Set proxy credentials through the :reqmeta:proxy metadata instead.

... (truncated)

• aecbccb Bump version: 2.6.1 → 2.6.2
• af7dd16 Merge pull request from GHSA-9x8m-2xpf-crp3
• 4205609 Fixed intersphinx references
• e3e69d1 Pin documentation requirements (#5536)
• 54bfb96 Cover #5525 in the 2.6.2 release notes (#5535)
• 4ef7182 If TWISTED_REACTOR is None, reuse any pre-installed reactor (#5528)
• 1c1cd5d Update the 2.6.2 release notes
• 84c29a2 Unset the release date of still-unreleased 2.6.2 (#5503)
• b9b9422 Merge pull request #5482 from alexpdev/parse_help_msg
• 915c288 edit
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from lxml's changelog.

4.9.1 (2022-07-01)

Bugs fixed

• A crash was resolved when using iterwalk() (or canonicalize()) after parsing certain incorrect input. Note that iterwalk() can crash on valid input parsed with the same parser after failing to parse the incorrect input.

4.9.0 (2022-06-01)

Bugs fixed

• GH#341: The mixin inheritance order in lxml.html was corrected. Patch by xmo-odoo.

Other changes

• Built with Cython 0.29.30 to adapt to changes in Python 3.11 and 3.12.

• Wheels include zlib 1.2.12, libxml2 2.9.14 and libxslt 1.1.35 (libxml2 2.9.12+ and libxslt 1.1.34 on Windows).

• GH#343: Windows-AArch64 build support in Visual Studio. Patch by Steve Dower.

4.8.0 (2022-02-17)

Features added

• GH#337: Path-like objects are now supported throughout the API instead of just strings. Patch by Henning Janssen.

• The ElementMaker now supports QName values as tags, which always override the default namespace of the factory.

Bugs fixed

• GH#338: In lxml.objectify, the XSI float annotation "nan" and "inf" were spelled in lower case, whereas XML Schema datatypes define them as "NaN" and "INF" respectively.

... (truncated)

• d01872c Prevent parse failure in new test from leaking into later test runs.
• d65e632 Prepare release of lxml 4.9.1.
• 86368e9 Fix a crash when incorrect parser input occurs together with usages of iterwa...
• 50c2764 Delete unused Travis CI config and reference in docs (GH-345)
• 8f0bf2d Try to speed up the musllinux AArch64 build by splitting the different CPytho...
• b9f7074 Remove debug print from test.
• b224e0f Try to install 'xz' in wheel builds, if available, since it's now needed to e...
• 897ebfa Update macOS deployment target version from 10.14 to 10.15 since 10.14 starts...
• 853c9e9 Prepare release of 4.9.0.
• d3f77e6 Add a test for https://bugs.launchpad.net/lxml/+bug/1965070 leaving out the a...
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from twisted's releases.

Twisted 22.4.0 (2022-04-11)

Features

• twisted.python.failure.Failure tracebacks now capture module information, improving compatibility with the Raven Sentry client. (#7796)
• twisted.python.failure.Failure objects are now compatible with dis.distb, improving compatibility with post-mortem debuggers. (#9599)

Bugfixes

• twisted.internet.interfaces.IReactorSSL.listenSSL now has correct type annotations. (#10274)
• twisted.internet.test.test_glibbase.GlibReactorBaseTests now passes. (#10317)

Conch

Features

- twisted.conch.ssh now supports using RSA keys with SHA-2 signatures (RFC 8332) when acting as a server.  The rsa-sha2-512 and rsa-sha2-256 public key signature algorithms are automatically preferred over ssh-rsa if the client advertises support for them; the actual public keys do not need to change. ([#9765](https://github.com/twisted/twisted/issues/9765))
- twisted.conch.ssh now has an alternative Ed25519 implementation using PyNaCl, in order to support platforms that lack OpenSSL >= 1.1.1b.  The new "conch_nacl" extra has the necessary dependency. ([#10208](https://github.com/twisted/twisted/issues/10208))
Misc

-  ([#10313](https://github.com/twisted/twisted/issues/10313))
Web
Features
</code></pre>
<ul>
<li>Twisted is now compatible with h2 4.x.x. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/10182">#10182</a>)</li>
</ul>
<p>Bugfixes</p>
<pre><code>

twisted.web.http had several several defects in HTTP request parsing that could permit HTTP request smuggling. It now disallows signed Content-Length headers, forbids illegal characters in chunked extensions, forbids a 0x prefix to chunk lengths, and only strips spaces and horizontal tab characters from header values. These changes address CVE-2022-24801 and GHSA-c2jg-hw38-jrqq. (#10323)

Mail
&lt;/tr&gt;&lt;/table&gt;
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/twisted/twisted/blob/trunk/NEWS.rst">twisted's changelog</a>.</em></p>
<blockquote>
<h1>Twisted 22.4.0 (2022-04-11)</h1>
<h2>Features</h2>
<ul>
<li>twisted.python.failure.Failure tracebacks now capture module information, improving compatibility with the Raven Sentry client. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/7796">#7796</a>)</li>
<li>twisted.python.failure.Failure objects are now compatible with dis.distb, improving compatibility with post-mortem debuggers. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/9599">#9599</a>)</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>twisted.internet.interfaces.IReactorSSL.listenSSL now has correct type annotations. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/10274">#10274</a>)</li>
<li>twisted.internet.test.test_glibbase.GlibReactorBaseTests now passes. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/10317">#10317</a>)</li>
</ul>
<h2>Conch</h2>
<p>Features</p>
<pre><code>

twisted.conch.ssh now supports using RSA keys with SHA-2 signatures (RFC 8332) when acting as a server.  The rsa-sha2-512 and rsa-sha2-256 public key signature algorithms are automatically preferred over ssh-rsa if the client advertises support for them; the actual public keys do not need to change. (#9765)
twisted.conch.ssh now has an alternative Ed25519 implementation using PyNaCl, in order to support platforms that lack OpenSSL &gt;= 1.1.1b.  The new &quot;conch_nacl&quot; extra has the necessary dependency. (#10208)

Misc


(#10313)

Web
Features

• Twisted is now compatible with h2 4.x.x. (#10182)

Bugfixes

- twisted.web.http had several several defects in HTTP request parsing that could permit HTTP request smuggling. It now disallows signed Content-Length headers, forbids illegal characters in chunked extensions, forbids a ``0x`` prefix to chunk lengths, and only strips spaces and horizontal tab characters from header values. These changes address CVE-2022-24801 and GHSA-c2jg-hw38-jrqq. ([#10323](https://github.com/twisted/twisted/issues/10323))
Mail
</tr></table>

... (truncated)

• ed86633 Mark as misc.
• c894617 Update format for release notes item.
• 5c5c046 Revert coverage reporting changes.
• 682f2c3 Manual fix the news.
• dd98e9c python -m incremental.update Twisted --newversion 22.4.0
• 3eabae5 Fix coverage reporting as codecov v1 was removed.
• a265267 Update after review.
• efac92c tox -e towncrier
• 5ece2d4 python -m incremental.update Twisted --rc
• 592217e Merge pull request from GHSA-c2jg-hw38-jrqq
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from pydantic's releases.

v1.6.2 (2021-05-11)

Security fix: Fix date and datetime parsing so passing either 'infinity' or float('inf') (or their negative values) does not cause an infinite loop, see security advisory CVE-2021-29510.

Sourced from pydantic's changelog.

v1.6.2 (2021-05-11)

• Security fix: Fix date and datetime parsing so passing either 'infinity' or float('inf') (or their negative values) does not cause an infinite loop, See security advisory CVE-2021-29510

• acf7783 tweak history
• 829528c comment out broken tests
• cf9a417 hack tests into passing
• b37a922 fix formatting
• ac360c5 prepare for release
• bdde15b Merge pull request from GHSA-5jqp-qgf6-3pvh
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from py's changelog.

1.10.0 (2020-12-12)

• Fix a regular expression DoS vulnerability in the py.path.svnwc SVN blame functionality (CVE-2020-29651)
• Update vendored apipkg: 1.4 => 1.5
• Update vendored iniconfig: 1.0.0 => 1.1.1

• e5ff378 Update CHANGELOG for 1.10.0
• 94cf44f Update vendored libs
• 5e8ded5 testing: comment out an assert which fails on Python 3.9 for now
• afdffcc Rename HOWTORELEASE.rst to RELEASING.rst
• 2de53a6 Merge pull request #266 from nicoddemus/gh-actions
• fa1b32e Merge pull request #264 from hugovk/patch-2
• 887d6b8 Skip test_samefile_symlink on pypy3 on Windows
• e94e670 Fix test_comments() in test_source
• fef9a32 Adapt test
• 4a694b0 Add GitHub Actions badge to README
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.