A Flask inspired, decorator based API wrapper for Python-Slack.

Overview


About

Tangerine is a lightweight Slackbot framework that abstracts away all the boilerplate code required to write bots, allowing you to focus on the problem at hand.

Installation

  1. To install tangerine, use pipenv (or pip, of course):

$ pipenv install slack-tangerine

  2. Create a new file with the following contents:

# mybot.py
from tangerine import Tangerine

# Placeholder; replace it with the bot token Slack issued for your app,
# and keep the real token out of version control.
tangerine = Tangerine("xoxb-1234567890-replace-this-with-token-from-slack")


@tangerine.listen_for('morning')
def morning(user, message):
    # Called with the user who spoke and the full message text;
    # the string returned is posted back as the reply.
    return f"mornin' @{user.username}"


if __name__ == '__main__':
    tangerine.run()

  3. Now run the bot, then say "morning" in Slack:

$ python mybot.py

Usage

To start your project, first import Tangerine by adding from tangerine import Tangerine to the top of your file.

Next, create an instance of Tangerine and give it your Slack token. The token can come from a YAML config file or be passed explicitly to the constructor. Treat it as a credential: a literal token in the source is fine for a quick local test, but never commit a real one; for anything that lives in a repository, load it from the config file (kept out of version control) or from the environment.

# Option 1: YAML config:
import os
from tangerine import Tangerine

path = os.path.dirname(os.path.abspath(__file__))
path_to_yaml = os.path.join(path, 'config.yaml')
tangerine = Tangerine.config_from_yaml(path_to_yaml)

# Option 2: Hardcoded slack token
from tangerine import Tangerine
tangerine = Tangerine("xoxb-1234567890-replace-this-with-token-from-slack")
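
The following is an added example, not Tangerine's own code, of getting the token into the constructor without writing it into mybot.py. The environment variable names SLACK_BOT_TOKEN and SLACK_BOT_TOKEN_FILE, the "xoxb-" prefix check and the file-permission check are this example's own choices; the only Tangerine calls it relies on are Tangerine(token) and tangerine.run() from above.

```python
"""Load the Slack bot token for a Tangerine bot without hard-coding it.

Added example, not Tangerine's own code. Assumptions: the token is supplied
either in the SLACK_BOT_TOKEN environment variable or in a file named by
SLACK_BOT_TOKEN_FILE (both names are this example's choice); a bot token
starts with "xoxb-", as the placeholder token on this page does.
"""
import os
import re
import stat
from pathlib import Path

# Only the prefix and a sane minimum length are checked; the rest of a
# Slack token is opaque and should not be parsed further.
_BOT_TOKEN_RE = re.compile(r"^xoxb-[A-Za-z0-9-]{10,}$")


class TokenError(RuntimeError):
    """Raised when no usable bot token can be found."""


def looks_like_bot_token(token: str) -> bool:
    """True if the string has the shape of a Slack bot (xoxb-) token."""
    return bool(_BOT_TOKEN_RE.match(token.strip()))


def redact(token: str) -> str:
    """Render a token for logs: prefix plus last four characters, never the whole thing."""
    return f"{token[:5]}...{token[-4:]}" if len(token) > 9 else "***"


def validate_token(token: str) -> str:
    """Return the stripped token, or raise without echoing it."""
    token = token.strip()
    if not looks_like_bot_token(token):
        raise TokenError(f"not a Slack bot token (starts with {token[:5]!r})")
    return token


def file_mode_is_private(mode: int) -> bool:
    """True if the permission bits grant nothing to group or others (e.g. 0o600)."""
    return (mode & 0o077) == 0


def read_token_file(path: Path) -> str:
    """Read a token from a file, refusing one that other local users can read."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if not file_mode_is_private(mode):
        raise TokenError(f"{path} has mode {mode:04o}; chmod 600 it first")
    return validate_token(path.read_text(encoding="utf-8"))


def load_slack_token(environ=None) -> str:
    """Resolve the token from the environment, then a file; fail closed otherwise."""
    env = os.environ if environ is None else environ
    if env.get("SLACK_BOT_TOKEN"):
        return validate_token(env["SLACK_BOT_TOKEN"])
    if env.get("SLACK_BOT_TOKEN_FILE"):
        return read_token_file(Path(env["SLACK_BOT_TOKEN_FILE"]))
    raise TokenError("set SLACK_BOT_TOKEN or SLACK_BOT_TOKEN_FILE")


if __name__ == "__main__":
    from tangerine import Tangerine  # only needed when actually running the bot

    token = load_slack_token()
    print("starting bot with token", redact(token))
    tangerine = Tangerine(token)
    tangerine.run()
```

The error messages deliberately show only the first five characters of whatever was supplied, so a misconfigured deployment does not leak the full secret into logs.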

Now it's time to write your response functions. Each one is wrapped with the listen_for decorator, which registers a pattern to watch the Slack conversation for and the Python function that should handle the message once it is said.

In the following example, the function is set up to listen for the word "cookies". Notice that the decorator passes two arguments to the function: first the user object, which holds information about the user who triggered the event (here, the Slack user who said "cookies"), and then message, a string containing the complete message text.

@tangerine.listen_for('cookies')
def cookies(user, message):
    # do something when someone says "cookies" here;
    # the string returned is posted back as the reply.
    return f"Did someone say cookies, @{user.username}?"
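
Because message is whatever the user typed, a handler that turns it into a command has to treat it as untrusted input. The following added example (written for this page, not taken from the Tangerine project) shows a "ping <host>" handler that checks its argument against an allowlist and builds an argument vector instead of a shell string; the ping command, the HOST_RE pattern and the usage text are the example's own assumptions, while the (user, message) signature and user.username are as shown above. It runs offline and stops short of actually invoking ping.

```python
"""A listen_for handler that treats the message text as untrusted input.

Added example, not code from the Tangerine project. The (user, message)
signature and user.username are what the page shows; the 'ping <host>'
command, the HOST_RE allowlist and the argv builder are this example's own
choices. Nothing here actually spawns a process: build_ping_argv only
returns the argument vector that subprocess.run would be handed.
"""
import re
import shlex
from typing import List, Optional

# Allowlist for the one argument: dot-separated labels of letters, digits and
# inner hyphens (dotted-quad IPv4 literals satisfy this too). Shell
# metacharacters, spaces and a leading '-' (option injection) cannot pass.
HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def parse_ping_target(message: str) -> Optional[str]:
    """Return the host named after 'ping', or None if the message is not a valid command."""
    words = message.split()
    if len(words) != 2 or words[0].lower() != "ping":
        return None
    host = words[1]
    if len(host) > 253 or not HOST_RE.match(host):
        return None
    return host


def unsafe_shell_command(message: str) -> str:
    """The injectable pattern: interpolating chat text into a shell string.

    Kept only to show what 'ping 10.0.0.1; rm -rf /' turns into; never run it.
    """
    host = message.split(maxsplit=1)[1] if " " in message else ""
    return f"ping -c 1 {host}"


def build_ping_argv(message: str) -> Optional[List[str]]:
    """Hardened version: validated host, argv list, no shell involved."""
    host = parse_ping_target(message)
    if host is None:
        return None
    return ["ping", "-c", "1", host]


def ping_handler(user, message: str) -> str:
    """Body for a handler registered with @tangerine.listen_for('ping') in mybot.py."""
    argv = build_ping_argv(message)
    if argv is None:
        return f"@{user.username}: usage is 'ping <hostname-or-ipv4>'"
    # In the real bot this is where subprocess.run(argv, capture_output=True,
    # timeout=5) would go; the example stops at the argument vector.
    return "would run: " + shlex.join(argv)


if __name__ == "__main__":
    class _User:  # stand-in for the user object Tangerine passes to handlers
        username = "alice"

    for text in ("ping example.org", "ping 10.0.0.1; rm -rf /", "ping $(id)", "ping -h"):
        print(repr(text), "->", ping_handler(_User(), text))
        print("  shell string would have been:", repr(unsafe_shell_command(text)))
```

The allowlist does double duty: besides keeping shell metacharacters out, it rejects a leading hyphen, so the host can never be parsed by ping as an option even though no shell is involved.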

Crontab

Sometimes you'll want Slack messages sent periodically rather than in direct response to a keyword. For this, Tangerine ships with a single-threaded Python implementation of cron.

Suppose we want to send a message to everyone in a channel every five minutes. Add the following to your mybot.py file:

@tangerine.cron('*/5 * * * *')
def some_task():
    # Runs on the cron schedule (standard five-field syntax: minute hour day month weekday).
    tangerine.speak("Hay Ride!", "#general")

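
To make the schedule format concrete, here is a small five-field cron matcher added as an illustration for this page; it is not Tangerine's scheduler and may differ from it in details such as day-of-week numbering or how day-of-month and day-of-week combine. It expands each field into the set of values it allows and then finds the next minute at which '*/5 * * * *' (or any other spec) fires.

```python
"""A five-field cron matcher, added to show how a spec like '*/5 * * * *'
is evaluated. This is an illustration for this page, not Tangerine's
scheduler (which may differ in details). Fields are minute, hour,
day-of-month, month, day-of-week (0 or 7 = Sunday); each field accepts
'*', 'n', 'a-b', '*/s', 'a-b/s' and comma-separated lists. As in Vixie
cron, when both day-of-month and day-of-week are restricted, a day matches
if either one does.
"""
from datetime import datetime, timedelta
from typing import FrozenSet, NamedTuple

_FIELD_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 7))


class CronSpec(NamedTuple):
    minute: FrozenSet[int]
    hour: FrozenSet[int]
    day: FrozenSet[int]
    month: FrozenSet[int]
    weekday: FrozenSet[int]        # normalised to 0..6, Sunday = 0
    day_restricted: bool           # day-of-month field was not '*'
    weekday_restricted: bool       # day-of-week field was not '*'


def _parse_field(text: str, lo: int, hi: int) -> FrozenSet[int]:
    """Expand one field into the set of integer values it allows."""
    values = set()
    for part in text.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"bad step in {text!r}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            first, last = part.split("-", 1)
            start, end = int(first), int(last)
        else:
            start = int(part)
            end = hi if step > 1 else start   # '5/10' means 5, 15, 25, ...
        if not lo <= start <= end <= hi:
            raise ValueError(f"{part!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return frozenset(values)


def parse_cron(spec: str) -> CronSpec:
    fields = spec.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day month weekday")
    minute, hour, day, month, weekday = (
        _parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, _FIELD_RANGES)
    )
    weekday = frozenset(0 if d == 7 else d for d in weekday)
    return CronSpec(minute, hour, day, month, weekday,
                    fields[2] != "*", fields[4] != "*")


def _day_matches(spec: CronSpec, when: datetime) -> bool:
    if when.month not in spec.month:
        return False
    cron_weekday = (when.weekday() + 1) % 7      # Python Monday=0 -> cron Sunday=0
    day_ok = when.day in spec.day
    weekday_ok = cron_weekday in spec.weekday
    if spec.day_restricted and spec.weekday_restricted:
        return day_ok or weekday_ok
    return day_ok and weekday_ok


def matches(spec: CronSpec, when: datetime) -> bool:
    """True if the spec fires in the minute containing `when`."""
    return (_day_matches(spec, when)
            and when.hour in spec.hour
            and when.minute in spec.minute)


def next_run(spec_text: str, after: datetime) -> datetime:
    """First minute strictly after `after` at which the spec fires."""
    spec = parse_cron(spec_text)
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    deadline = t + timedelta(days=366 * 5)       # '0 0 29 2 *' needs up to 4 years
    while t < deadline:
        if not _day_matches(spec, t):            # skip whole days that cannot fire
            t = (t + timedelta(days=1)).replace(hour=0, minute=0)
        elif t.hour not in spec.hour:            # skip whole hours that cannot fire
            t = (t + timedelta(hours=1)).replace(minute=0)
        elif t.minute in spec.minute:
            return t
        else:
            t += timedelta(minutes=1)
    raise ValueError(f"{spec_text!r} does not fire within five years")


def next_run_iso(spec_text: str, after_iso: str) -> str:
    """String-in, string-out wrapper around next_run (ISO 8601 to the minute)."""
    return next_run(spec_text, datetime.fromisoformat(after_iso)).isoformat(timespec="minutes")


def fires_at(spec_text: str, when_iso: str) -> bool:
    """String-in wrapper around matches."""
    return matches(parse_cron(spec_text), datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    now = datetime(2021, 5, 11, 12, 3)  # constructed sample time, a Tuesday
    print("every five minutes, next:", next_run("*/5 * * * *", now))
    print("weekdays at 09:00, next:", next_run("0 9 * * 1-5", now))
```

A scheduler built on this would sleep until next_run and then call the decorated function; the day and hour skips keep the search cheap even for a spec that fires once every few years.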
Comments
  • Bump jinja2 from 2.11.3 to 3.0.0

    Bumps jinja2 from 2.11.3 to 3.0.0.

    Release notes

    Sourced from jinja2's releases.

    3.0.0

    New major versions of all the core Pallets libraries, including Jinja 3.0, have been released! :tada:

    This represents a significant amount of work, and there are quite a few changes. Be sure to carefully read the changelog, and use tools such as pip-compile and Dependabot to pin your dependencies and control your updates.

    3.0.0rc2

    Fixes an issue with the deprecated Markup subclass, #1401.

    3.0.0rc1

    Changelog

    Sourced from jinja2's changelog.

    Version 3.0.0

    Released 2021-05-11

    • Drop support for Python 2.7 and 3.5.
    • Bump MarkupSafe dependency to >=1.1.
    • Bump Babel optional dependency to >=2.1.
    • Remove code that was marked deprecated.
    • Add type hinting. #1412
    • Use the PEP 451 API to load templates with loaders.PackageLoader. #1168
    • Fix a bug that caused imported macros to not have access to the current template's globals. #688
    • Add ability to ignore trim_blocks using +%}. #1036
    • Fix a bug that caused custom async-only filters to fail with constant input. #1279
    • Fix UndefinedError incorrectly being thrown on an undefined variable instead of Undefined being returned on NativeEnvironment on Python 3.10. #1335
    • Blocks can be marked as required. They must be overridden at some point, but not necessarily by the direct child. #1147
    • Deprecate the autoescape and with extensions, they are built-in to the compiler. #1203
    • The urlize filter recognizes mailto: links and takes extra_schemes (or env.policies["urlize.extra_schemes"]) to recognize other schemes. It tries to balance parentheses within a URL instead of ignoring trailing characters. The parsing in general has been updated to be more efficient and match more cases. URLs without a scheme are linked as https:// instead of http://. #522, #827, #1172, #1195
    • Filters that get attributes, such as map and groupby, can use a false or empty value as a default. #1331
    • Fix a bug that prevented variables set in blocks or loops from being accessed in custom context functions. #768
    • Fix a bug that caused scoped blocks from accessing special loop variables. #1088
    • Update the template globals when calling Environment.get_template(globals=...) even if the template was already loaded. #295
    • Do not raise an error for undefined filters in unexecuted if-statements and conditional expressions. #842
    • Add is filter and is test tests to test if a name is a registered filter or test. This allows checking if a filter is available in a template before using it. Test functions can be decorated with @pass_environment, @pass_eval_context, or @pass_context. #842, #1248
    • Support pgettext and npgettext (message contexts) in i18n extension. #441
    • The |indent filter's width argument can be a string to indent by. #1167
    • The parser understands hex, octal, and binary integer literals. #1170
    • Undefined.__contains__ (in) raises an UndefinedError instead of a TypeError. #1198
    • Undefined is iterable in an async environment. #1294
    • NativeEnvironment supports async mode. #1362
    • Template rendering only treats \n, \r\n and \r as line breaks. Other characters are left unchanged. #769, #952, #1313
    • |groupby filter takes an optional default argument. #1359
    • The function and filter decorators have been renamed and unified. The old names are deprecated. #1381
      • pass_context replaces contextfunction and contextfilter.
      • pass_eval_context replaces evalcontextfunction and evalcontextfilter.
      • pass_environment replaces environmentfunction and environmentfilter.
    • Async support no longer requires Jinja to patch itself. It must still be enabled with Environment(enable_async=True). #1390
    • Overriding Context.resolve is deprecated, override resolve_or_missing instead. #1380
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
    • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

    Additionally, you can set the following in your Dependabot dashboard:

    • Update frequency (including time of day and day of week)
    • Pull request limits (per update run and/or open at any time)
    • Out-of-range updates (receive only lockfile updates, if desired)
    • Security updates (receive only security updates, if desired)
    dependencies 
    opened by dependabot-preview[bot] 1
  • Bump pre-commit from 2.11.1 to 2.12.1

    Bumps pre-commit from 2.11.1 to 2.12.1.

    Release notes

    Sourced from pre-commit's releases.

    pre-commit v2.12.1

    Fixes

    pre-commit v2.12.0

    Features

    Fixes

    Changelog

    Sourced from pre-commit's changelog.

    2.12.1 - 2021-04-16

    Fixes

    2.12.0 - 2021-04-06

    Features

    Fixes

    Commits
    • 8fc6602 v2.12.1
    • 52ada7c Merge pull request #1881 from adamchainz/issue_1880_patch_naming
    • 4f2069e Include PID in patch filename
    • 559d8a7 Merge pull request #1877 from pre-commit/pre-commit-ci-update-config
    • 30649e7 [pre-commit.ci] pre-commit autoupdate
    • 8dede08 Merge pull request #1873 from pre-commit/all-repos_autofix_azure-pipelines-au...
    • 5deeb82 Update azure-pipelines template repositories
    • a1b462c v2.12.0
    • baadc2d Merge pull request #1868 from pre-commit/fix_archive_permissions
    • d5eda97 fix archive permissions for ruby tar.gz roots
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot-preview[bot] 1
  • Bump pre-commit from 2.11.1 to 2.12.0

    Bumps pre-commit from 2.11.1 to 2.12.0.

    Release notes

    Sourced from pre-commit's releases.

    pre-commit v2.12.0

    Features

    Fixes

    Changelog

    Sourced from pre-commit's changelog.

    2.12.0 - 2021-04-06

    Features

    Fixes

    Commits
    • a1b462c v2.12.0
    • baadc2d Merge pull request #1868 from pre-commit/fix_archive_permissions
    • d5eda97 fix archive permissions for ruby tar.gz roots
    • bd1658b Merge pull request #1866 from pre-commit/pre-commit-ci-update-config
    • 5827a93 [pre-commit.ci] pre-commit autoupdate
    • 008717f Merge pull request #1864 from pre-commit/batch_additional_headroom
    • fb590d4 give xargs batch file execution additional headroom
    • e431b2b Merge pull request #1854 from pre-commit/upgrade_ruby_build
    • 3bada74 upgrade ruby-build
    • 060b719 Merge pull request #1851 from pre-commit/pre-commit-ci-update-config
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot-preview[bot] 1
  • Bump twine from 1.13.0 to 3.4.0

    Bumps twine from 1.13.0 to 3.4.0.

    Changelog

    Sourced from twine's changelog.

    3.4.0 (2021-03-15)

    Features

    • Prefer importlib.metadata for entry point handling. (#728)
    • Rely on importlib_metadata 3.6 for nicer entry point processing. (#732)
    • Eliminated dependency on Setuptools/pkg_resources and replaced with packaging and importlib_metadata. (#736)

    3.3.0 (2020-12-23)

    Features

    • Print files to be uploaded using upload --verbose (#670)
    • Print configuration file location when using upload --verbose (#675)
    • Print source and values of credentials when using upload --verbose (#685)
    • Add support for Python 3.9 (#708)
    • Turn warnings into errors when using check --strict (#715)

    Bugfixes

    • Make password optional when using upload --client-cert (#678)
    • Support more Nexus versions with upload --skip-existing (#693)
    • Support Gitlab Enterprise with upload --skip-existing (#698)
    • Show a better error message for malformed files (#714)

    Improved Documentation

    • Adopt PSF code of conduct (#680)
    • Adopt towncrier for the changelog (#718)

    3.2.0 (2020-06-24)

    Features

    • Improve display of HTTP errors during upload (#666)
    • Print packages and signatures to be uploaded when using --verbose option (#652)
    • Use red text when printing errors on the command line (#649)
    • Require repository URL scheme to be http or https (#602)
    • Add type annotations, checked with mypy, with PEP 561 support for users of Twine's API (#231)

    Bugfixes

    ... (truncated)

    Commits

    dependencies 
    opened by dependabot-preview[bot] 1
  • Bump pre-commit from 1.15.2 to 2.11.0

    Bumps pre-commit from 1.15.2 to 2.11.0.

    Release notes

    Sourced from pre-commit's releases.

    pre-commit v2.11.0

    Features

    Fixes

    pre-commit v2.10.1

    Fixes

    pre-commit v2.10.0

    Features

    Fixes

    pre-commit v2.9.3

    Fixes

    • Fix crash on cygwin mismatch check outside of a git directory
    • Fix cleanup code on docker volumes for go

    ... (truncated)

    Changelog

    Sourced from pre-commit's changelog.

    2.11.0 - 2021-03-07

    Features

    Fixes

    2.10.1 - 2021-02-06

    Fixes

    2.10.0 - 2021-01-27

    Features

    Fixes

    • Fix execution in worktrees in subdirectories of bare repositories

    ... (truncated)

    Commits

    dependencies 
    opened by dependabot-preview[bot] 1
  • Bump pre-commit from 1.15.2 to 2.10.1

    Bumps pre-commit from 1.15.2 to 2.10.1.

    Release notes

    Sourced from pre-commit's releases.

    pre-commit v2.10.1

    Fixes

    pre-commit v2.10.0

    Features

    Fixes

    pre-commit v2.9.3

    Fixes

    pre-commit v2.9.2

    Fixes

    pre-commit v2.9.1

    Fixes

    ... (truncated)

    Changelog

    Sourced from pre-commit's changelog.

    2.10.1 - 2021-02-06

    Fixes

    2.10.0 - 2021-01-27

    Features

    Fixes

    2.9.3 - 2020-12-07

    Fixes

    2.9.2 - 2020-11-25

    Fixes

    • Fix default value for types_or so symlink and directory can be matched

    ... (truncated)

    Commits
    • 0047fa3 v2.10.1
    • 2dac92c Merge pull request #1789 from paulhfischer/recursive_golang
    • 833bbf7 add test for recursive submodules for golang
    • 34e0ff3 added recursive repository support for golang
    • e6caddb Merge pull request #1781 from pre-commit/pre-commit-ci-update-config
    • 5e7c6eb [pre-commit.ci] pre-commit autoupdate
    • c67ba85 v2.10.0
    • 588b6ed Merge pull request #1778 from pre-commit/bare_worktree
    • f75fc6b fix execution in worktrees in subdirectories of bare repositories
    • 7727f87 Merge pull request #1773 from pre-commit/pre-commit-ci-update-config
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot-preview[bot] 1
  • [Security] Bump bleach from 3.1.0 to 3.3.0

    Bumps bleach from 3.1.0 to 3.3.0. This update includes security fixes.

    Vulnerabilities fixed

    Sourced from The GitHub Security Advisory Database.

    Cross-site scripting in Bleach

    Impact

    A mutation XSS affects users calling bleach.clean with all of:

    • svg or math in the allowed tags
    • p or br in allowed tags
    • style in allowed tags
    • the keyword argument strip_comments=False

    Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.

    Patches

    Users are encouraged to upgrade to bleach v3.3.0 or greater.

    Note: bleach v3.3.0 introduces a breaking change to escape HTML comments by default.

    Workarounds

    • modify bleach.clean calls to at least one of:

    ... (truncated)

    Affected versions: < 3.3.0

    Sourced from The GitHub Security Advisory Database.

    Moderate severity vulnerability that affects bleach

    Impact

    bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS).

    Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).

    Patches

    3.1.4

    Workarounds

    • do not whitelist the style attribute in bleach.clean calls

    • limit input string length

    References

    ... (truncated)

    Affected versions: < 3.1.4


    Sourced from The GitHub Security Advisory Database.

    Moderate severity vulnerability that affects bleach

    Impact

    A mutation XSS affects users calling bleach.clean with all of:

    • the svg or math in the allowed/whitelisted tags
    • an RCDATA tag (see below) in the allowed/whitelisted tags
    • the keyword argument strip=False

    Patches

    Users are encouraged to upgrade to bleach v3.1.2 or greater.

    Workarounds

    • modify bleach.clean calls to use strip=True, or not whitelist math or svg tags and one or more of the following tags:
    script
    noscript
    style

    ... (truncated)

    Affected versions: < 3.1.2

    Sourced from The GitHub Security Advisory Database.

    Moderate severity vulnerability that affects bleach

    Impact

    A mutation XSS affects users calling bleach.clean with noscript and a raw tag (see below) in the allowed/whitelisted tags option.

    Patches

    v3.1.1

    Workarounds

    • modify bleach.clean calls to not whitelist noscript and one or more of the following raw tags:
    title
    textarea
    script
    style
    noembed
    noframes
    iframe

    ... (truncated)

    Affected versions: < 3.1.1


    Changelog

    Sourced from bleach's changelog.

    Version 3.3.0 (February 1st, 2021)

    Backwards incompatible changes

    • clean escapes HTML comments even when strip_comments=False

    Security fixes

    • Fix bug 1621692 / GHSA-m6xf-fq7q-8743. See the advisory for details.

    Features

    None

    Bug fixes

    None

    Version 3.2.3 (January 26th, 2021)

    Security fixes

    None

    Features

    None

    Bug fixes

    • fix clean and linkify raising ValueErrors for certain inputs. Thank you @Google-Autofuzz.

    Version 3.2.2 (January 20th, 2021)

    Security fixes

    None

    Features

    • Migrate CI to Github Actions. Thank you @hugovk.

    Bug fixes

    • fix linkify raising an IndexError on certain inputs. Thank you @Google-Autofuzz.

    Version 3.2.1 (September 18th, 2020)

    ... (truncated)

    Commits
    • 79b7a3c Merge pull request from GHSA-vv2x-vrpj-qqpq
    • 842fcb4 Update for v3.3.0 release
    • 1334134 sanitizer: escape HTML comments
    • c045a8b Merge pull request #581 from mozilla/nit-fixes
    • 491abb0 fix typo s/vnedoring/vendoring/
    • 10b1c5d vendor: add html5lib-1.1.dist-info/REQUESTED
    • cd838c3 Merge pull request #579 from mozilla/validate-convert-entity-code-points
    • 612b808 Update for v3.2.3 release
    • 6879f6a html5lib_shim: validate unicode points for convert_entity
    • 90cb80b Update for v3.2.2 release
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
    • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

    Additionally, you can set the following in your Dependabot dashboard:

    • Update frequency (including time of day and day of week)
    • Pull request limits (per update run and/or open at any time)
    • Out-of-range updates (receive only lockfile updates, if desired)
    • Security updates (receive only security updates, if desired)
    dependencies security 
    opened by dependabot-preview[bot] 1
  • [Security] Bump jinja2 from 2.10.1 to 2.11.3

    [Security] Bump jinja2 from 2.10.1 to 2.11.3

    Bumps jinja2 from 2.10.1 to 2.11.3.

    Release notes

    Sourced from jinja2's releases.

    2.11.3

    This contains a fix for a speed issue with the urlize filter. urlize is likely to be called on untrusted user input. For certain inputs some of the regular expressions used to parse the text could take a very long time due to backtracking. As part of the fix, the email matching became slightly stricter. The various speedups apply to urlize in general, not just the specific input cases.

    2.11.2

    2.11.1

    This fixes an issue in async environment when indexing the result of an attribute lookup, like {{ data.items[1:] }}.

    2.11.0

    This is the last version to support Python 2.7 and 3.5. The next version will be Jinja 3.0 and will support Python 3.6 and newer.

    2.10.3

    2.10.2

    Changelog

    Sourced from jinja2's changelog.

    Version 2.11.3

    Released 2021-01-31

    • Improve the speed of the urlize filter by reducing regex backtracking. Email matching requires a word character at the start of the domain part, and only word characters in the TLD. 1343

    Version 2.11.2

    Released 2020-04-13

    • Fix a bug that caused callable objects with __getattr__, like ~unittest.mock.Mock to be treated as a contextfunction. 1145
    • Update wordcount filter to trigger Undefined methods by wrapping the input in soft_str. 1160
    • Fix a hang when displaying tracebacks on Python 32-bit. 1162
    • Showing an undefined error for an object that raises AttributeError on access doesn't cause a recursion error. 1177
    • Revert changes to ~loaders.PackageLoader from 2.10 which removed the dependency on setuptools and pkg_resources, and added limited support for namespace packages. The changes caused issues when using Pytest. Due to the difficulty in supporting Python 2 and PEP 451 simultaneously, the changes are reverted until 3.0. 1182
    • Fix line numbers in error messages when newlines are stripped. 1178
    • The special namespace() assignment object in templates works in async environments. 1180
    • Fix whitespace being removed before tags in the middle of lines when lstrip_blocks is enabled. 1138
    • ~nativetypes.NativeEnvironment doesn't evaluate intermediate strings during rendering. This prevents early evaluation which could change the value of an expression. 1186

    Version 2.11.1

    Released 2020-01-30

    • Fix a bug that prevented looking up a key after an attribute ({{ data.items[1:] }}) in an async template. 1141

    Version 2.11.0

    Released 2020-01-27

    • Drop support for Python 2.6, 3.3, and 3.4. This will be the last version to support Python 2.7 and 3.5.
    • Added a new ChainableUndefined class to support getitem and getattr on an undefined object. 977
    • Allow {%+ syntax (with NOP behavior) when lstrip_blocks is disabled. 748
    • Added a default parameter for the map filter. 557
    • Exclude environment globals from meta.find_undeclared_variables. 931
    • Float literals can be written with scientific notation, like 2.56e-3. 912, 922
    • Int and float literals can be written with the '_' separator for legibility, like 12_345. 923
    • Fix a bug causing deadlocks in LRUCache.setdefault. 1000
    • The trim filter takes an optional string of characters to trim. 828
    • A new jinja2.ext.debug extension adds a {% debug %} tag to quickly dump the current context and available filters and tests. 174, 798, 983
    • Lexing templates with large amounts of whitespace is much faster. 857, 858
    • Parentheses around comparisons are preserved, so {{ 2 * (3 < 5) }} outputs "2" instead of "False". 755, 938
    • Add new boolean, false, true, integer and float tests. 824
    • The environment's finalize function is only applied to the output of expressions (constant or not), not static template data. 63
    • When providing multiple paths to FileSystemLoader, a template can have the same name as a directory. 821
    • Always return Undefined when omitting the else clause in a {{ 'foo' if bar }} expression, regardless of the environment's undefined class. Omitting the else clause is a valid shortcut and should not raise an error when using StrictUndefined. 710, 1079

    ... (truncated)

    Commits

    dependencies security 
    opened by dependabot-preview[bot] 1
  • Bump pre-commit from 1.15.2 to 2.10.0

    Bump pre-commit from 1.15.2 to 2.10.0

    Bumps pre-commit from 1.15.2 to 2.10.0.

    Release notes

    Sourced from pre-commit's releases.

    pre-commit v2.10.0

    Features

    Fixes

    pre-commit v2.9.3

    Fixes

    pre-commit v2.9.2

    Fixes

    pre-commit v2.9.1

    Fixes

    pre-commit v2.9.0

    ... (truncated)

    Changelog

    Sourced from pre-commit's changelog.

    2.10.0 - 2021-01-27

    Features

    Fixes

    2.9.3 - 2020-12-07

    Fixes

    2.9.2 - 2020-11-25

    Fixes

    2.9.1 - 2020-11-25

    Fixes

    • Improve error message for "hook goes missing"

    ... (truncated)

    Commits
    • c67ba85 v2.10.0
    • 588b6ed Merge pull request #1778 from pre-commit/bare_worktree
    • f75fc6b fix execution in worktrees in subdirectories of bare repositories
    • 7727f87 Merge pull request #1773 from pre-commit/pre-commit-ci-update-config
    • d258650 use comparison with sys.platform so mypy understands it
    • 74183d9 [pre-commit.ci] pre-commit autoupdate
    • dbd69af Merge pull request #1772 from pre-commit/caplog_moar
    • da369be Merge pull request #1771 from pre-commit/no_install_language_options
    • c7cbb1e replace fake_log_handler with caplog
    • 4f39946 produce a more useful error message when non-installable things use language_...
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot-preview[bot] 1
  • Bump pyyaml from 5.1 to 5.4

    Bump pyyaml from 5.1 to 5.4

    Bumps pyyaml from 5.1 to 5.4.

    Changelog

    Sourced from pyyaml's changelog.

    5.4 (2021-01-19)

    5.3.1 (2020-03-18)

    • yaml/pyyaml#386 -- Prevents arbitrary code execution during python/object/new constructor

    5.3 (2020-01-06)

    5.2 (2019-12-02)

    • Repair incompatibilities introduced with 5.1. The default Loader was changed, but several methods like add_constructor still used the old default
      yaml/pyyaml#279 -- A more flexible fix for custom tag constructors
      yaml/pyyaml#287 -- Change default loader for yaml.add_constructor
      yaml/pyyaml#305 -- Change default loader for add_implicit_resolver, add_path_resolver
    • Make FullLoader safer by removing python/object/apply from the default FullLoader yaml/pyyaml#347 -- Move constructor for object/apply to UnsafeConstructor
    • Fix bug introduced in 5.1 where quoting went wrong on systems with sys.maxunicode <= 0xffff yaml/pyyaml#276 -- Fix logic for quoting special characters
    • Other PRs: yaml/pyyaml#280 -- Update CHANGES for 5.1

    5.1.2 (2019-07-30)

    • Re-release of 5.1 with regenerated Cython sources to build properly for Python 3.8b2+

    ... (truncated)

    Commits
    • 58d0cb7 5.4 release
    • a60f7a1 Fix compatibility with Jython
    • ee98abd Run CI on PR base branch changes
    • ddf2033 constructor.timezone: _copy & deepcopy
    • fc914d5 Avoid repeatedly appending to yaml_implicit_resolvers
    • a001f27 Fix for CVE-2020-14343
    • fe15062 Add 3.9 to appveyor file for completeness sake
    • 1e1c7fb Add a newline character to end of pyproject.toml
    • 0b6b7d6 Start sentences and phrases for capital letters
    • c976915 Shell code improvements
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot-preview[bot] 1
  • Bump twine from 1.13.0 to 3.3.0

    Bump twine from 1.13.0 to 3.3.0

    Bumps twine from 1.13.0 to 3.3.0.

    Changelog

    Sourced from twine's changelog.

    3.3.0 (2020-12-23)

    Features

    • Print files to be uploaded using upload --verbose (#670)
    • Print configuration file location when using upload --verbose (#675)
    • Print source and values of credentials when using upload --verbose (#685)
    • Add support for Python 3.9 (#708)
    • Turn warnings into errors when using check --strict (#715)

    Bugfixes

    • Make password optional when using upload --client-cert (#678)
    • Support more Nexus versions with upload --skip-existing (#693)
    • Support Gitlab Enterprise with upload --skip-existing (#698)
    • Show a better error message for malformed files (#714)

    Improved Documentation

    • Adopt PSF code of conduct (#680)
    • Adopt towncrier for the changelog (#718)

    3.2.0 (2020-06-24)

    Features

    • Improve display of HTTP errors during upload (#666)
    • Print packages and signatures to be uploaded when using --verbose option (#652)
    • Use red text when printing errors on the command line (#649)
    • Require repository URL scheme to be http or https (#602)
    • Add type annotations, checked with mypy, with PEP 561 support for users of Twine's API (#231)

    Bugfixes

    • Update URL to .pypirc specification (#655)
    • Don't raise an exception when Python version can't be parsed from filename (#612)
    • Fix inaccurate retry message during upload (#611)
    • Clarify error messages for archive format (#601)

    3.1.1 (2019-11-27)

    Bugfixes

    Commits

    dependencies 
    opened by dependabot-preview[bot] 1
  • Bump twine from 3.4.1 to 3.4.2

    Bump twine from 3.4.1 to 3.4.2

    Bumps twine from 3.4.1 to 3.4.2.

    Changelog

    Sourced from twine's changelog.

    Twine 3.4.2 (2021-07-20)

    Bugfixes

    • Improve error message for unsupported metadata. (#755)
    • Improve error message for a missing config file. (#770)
    • Do not include md5_digest or blake2_256_digest if FIPS mode is enabled on the host. This removes those fields from the metadata before sending the metadata to the repository. (#776)

    Commits

    dependencies 
    opened by dependabot-preview[bot] 0
  • [Security] Bump urllib3 from 1.26.4 to 1.26.5

    [Security] Bump urllib3 from 1.26.4 to 1.26.5

    Bumps urllib3 from 1.26.4 to 1.26.5. This update includes a security fix.

    Vulnerabilities fixed

    Sourced from The GitHub Security Advisory Database.

    Catastrophic backtracking in URL authority parser when passed URL containing many @ characters

    Impact

    When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

    Patches

    The issue has been fixed in urllib3 v1.26.5.

    References

    For more information

    If you have any questions or comments about this advisory:

    Affected versions: < 1.26.5

    Release notes

    Sourced from urllib3's releases.

    1.26.5

    IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

    • Fixed deprecation warnings emitted in Python 3.10.
    • Updated vendored six library to 1.16.0.
    • Improved performance of URL parser when splitting the authority component.

    If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors

    Changelog

    Sourced from urllib3's changelog.

    1.26.5 (2021-05-26)

    • Fixed deprecation warnings emitted in Python 3.10.
    • Updated vendored six library to 1.16.0.
    • Improved performance of URL parser when splitting the authority component.

    Commits
    • d161647 Release 1.26.5
    • 2d4a3fe Improve performance of sub-authority splitting in URL
    • 2698537 Update vendored six to 1.16.0
    • 07bed79 Fix deprecation warnings for Python 3.10 ssl module
    • d725a9b Add Python 3.10 to GitHub Actions
    • 339ad34 Use pytest==6.2.4 on Python 3.10+
    • f271c9c Apply latest Black formatting
    • 1884878 [1.26] Properly proxy EOF on the SSLTransport test suite
    • See full diff in compare view

    dependencies security 
    opened by dependabot-preview[bot] 0
  • Bump pre-commit from 2.11.1 to 2.13.0

    Bump pre-commit from 2.11.1 to 2.13.0

    Bumps pre-commit from 2.11.1 to 2.13.0.

    Release notes

    Sourced from pre-commit's releases.

    pre-commit v2.13.0

    Features

    Fixes

    pre-commit v2.12.1

    Fixes

    pre-commit v2.12.0

    Features

    Fixes

    Changelog

    Sourced from pre-commit's changelog.

    2.13.0 - 2021-05-21

    Features

    Fixes

    2.12.1 - 2021-04-16

    Fixes

    2.12.0 - 2021-04-06

    Features

    Fixes

    Commits
    • 229a4e0 v2.13.0
    • a1f2d69 Merge pull request #1913 from jalessio/jamie/upgrade-ruby
    • 14afbc7 Update rbenv / ruby-build
    • 9f2f405 Merge pull request #1915 from pre-commit/reproducible-tar
    • c2108d6 make tarfile creation reproducible
    • 7266936 Merge pull request #1914 from pre-commit/pre-commit-ci-update-config
    • 7f65d27 [pre-commit.ci] pre-commit autoupdate
    • 147b047 Merge pull request #1911 from pre-commit/all-repos_autofix_more-inclusive-lan...
    • 3922263 Use more inclusive language
    • 2c28197 Merge pull request #1906 from pre-commit/pre-commit-ci-update-config
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot-preview[bot] 0
  • Bump jinja2 from 2.11.3 to 3.0.1

    Bumps jinja2 from 2.11.3 to 3.0.1.

    Release notes

    Sourced from jinja2's releases.

    3.0.1

    3.0.0

    New major versions of all the core Pallets libraries, including Jinja 3.0, have been released! :tada:

    This represents a significant amount of work, and there are quite a few changes. Be sure to carefully read the changelog, and use tools such as pip-compile and Dependabot to pin your dependencies and control your updates.

    3.0.0rc2

    Fixes an issue with the deprecated Markup subclass, #1401.

    3.0.0rc1

    Changelog

    Sourced from jinja2's changelog.

    Version 3.0.1

    Released 2021-05-18

    • Update MarkupSafe dependency to >= 2.0. 1418
    • Mark top-level names as exported so type checking understands imports in user projects. 1426
    • Fix some types that weren't available in Python 3.6.0. 1433
    • The deprecation warning for unneeded autoescape and with_ extensions shows more relevant context. 1429
    • Fixed calling deprecated jinja2.Markup without an argument. Use markupsafe.Markup instead. 1438
    • Calling sync render for an async template uses asyncio.run on Python >= 3.7. This fixes a deprecation that Python 3.10 introduces. 1443

    Version 3.0.0

    Released 2021-05-11

    • Drop support for Python 2.7 and 3.5.
    • Bump MarkupSafe dependency to >=1.1.
    • Bump Babel optional dependency to >=2.1.
    • Remove code that was marked deprecated.
    • Add type hinting. 1412
    • Use the PEP 451 API to load templates with loaders.PackageLoader. 1168
    • Fix a bug that caused imported macros to not have access to the current template's globals. 688
    • Add ability to ignore trim_blocks using +%}. 1036
    • Fix a bug that caused custom async-only filters to fail with constant input. 1279
    • Fix UndefinedError incorrectly being thrown on an undefined variable instead of Undefined being returned on NativeEnvironment on Python 3.10. 1335
    • Blocks can be marked as required. They must be overridden at some point, but not necessarily by the direct child. 1147
    • Deprecate the autoescape and with extensions, they are built-in to the compiler. 1203
    • The urlize filter recognizes mailto: links and takes extra_schemes (or env.policies["urlize.extra_schemes"]) to recognize other schemes. It tries to balance parentheses within a URL instead of ignoring trailing characters. The parsing in general has been updated to be more efficient and match more cases. URLs without a scheme are linked as https:// instead of http://. 522, 827, 1172, 1195
    • Filters that get attributes, such as map and groupby, can use a false or empty value as a default. 1331
    • Fix a bug that prevented variables set in blocks or loops from being accessed in custom context functions. 768
    • Fix a bug that caused scoped blocks from accessing special loop variables. 1088
    • Update the template globals when calling Environment.get_template(globals=...) even if the template was already loaded. 295
    • Do not raise an error for undefined filters in unexecuted if-statements and conditional expressions. 842
    • Add is filter and is test tests to test if a name is a registered filter or test. This allows checking if a filter is available in a template before using it. Test functions can be decorated with @pass_environment, @pass_eval_context, or @pass_context. 842, 1248
    • Support pgettext and npgettext (message contexts) in i18n extension. 441
    • The |indent filter's width argument can be a string to indent by. 1167
    • The parser understands hex, octal, and binary integer literals. 1170
    • Undefined.__contains__ (in) raises an UndefinedError instead of a TypeError. 1198
    • Undefined is iterable in an async environment. 1294
    • NativeEnvironment supports async mode. 1362
    • Template rendering only treats \n, \r\n and \r as line breaks. Other characters are left unchanged. 769, 952, 1313
    • |groupby filter takes an optional default argument. 1359
    • The function and filter decorators have been renamed and unified. The old names are deprecated. 1381
      • pass_context replaces contextfunction and contextfilter.
      • pass_eval_context replaces evalcontextfunction and evalcontextfilter
      • pass_environment replaces environmentfunction and environmentfilter.
    • Async support no longer requires Jinja to patch itself. It must still be enabled with Environment(enable_async=True). 1390
    • Overriding Context.resolve is deprecated, override resolve_or_missing instead. 1380

    Commits
    • 3b3e16f Merge pull request #1445 from pallets/release-3.0.1
    • 4d23bfb release version 3.0.1
    • 77674b9 Merge pull request #1444 from pallets/event-loop
    • 7d0b7ac use asyncio.run
    • 94a6423 Merge pull request #1442 from dannysepler/use-pathlib-in-places
    • 06c646d Use pathlib in some test places
    • 9f5db9a Merge pull request #1440 from pallets/deprecated-markup
    • f562a4f fix deprecated Markup subclass
    • fb564a8 Merge pull request #1436 from pallets/deprecated-extensions
    • b4d31e7 show context for deprecated extensions
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot-preview[bot] 0
  • Issues setting up environment

    Hi Nick! This looks like an awesome library and I am so excited to use it to update our current slackbot.

    I've followed instructions as suggested and am running into environmental/dependency issues getting the basic bot script to work. This is the error I'm getting:

    Traceback (most recent call last):
      File "<REDACTED>/bot.py", line 2, in <module>
        from tangerine import Tangerine
      File "<VENV_REDACTED>/lib/python3.7/site-packages/tangerine/__init__.py", line 10, in <module>
        from .bot import Tangerine
      File "<VENV_REDACTED>/lib/python3.7/site-packages/tangerine/bot.py", line 17, in <module>
        from slackclient import SlackClient
    ModuleNotFoundError: No module named 'slackclient'
    

    And here is my Pipfile:

    [[source]]
    name = "pypi"
    url = "https://pypi.org/simple"
    verify_ssl = true
    
    [dev-packages]
    
    [packages]
    slack-tangerine = "*"
    crontab = "*"
    jinja2 = "*"
    python-box = "*"
    pyyaml = "*"
    six = "*"
    slackclient = "2.9.3"
    
    [requires]
    python_version = "3.7"
    

    And it shows the Pipfile.lock reflects the slackclient.

            },
            "slack-tangerine": {
                "hashes": [
                    "sha256:92fa45aa2c2c75594212375a82a52e1ff8edc94b5dcb18b9d626efcc14367fce",
                    "sha256:b513504e26d21d6d0421d7edf0eb8417f6b57e6fb078b6cec0d0ca80558eb8a8"
                ],
                "index": "pypi",
                "version": "==5.1.0"
            },
            "slackclient": {
                "hashes": [
                    "sha256:07ec8fa76f6aa64852210ae235ff9e637ba78124e06c0b07a7eeea4abb955965",
                    "sha256:2d68d668c02f4038299897e5c4723ab85dd40a3548354924b24f333a435856f8"
                ],
                "index": "pypi",
                "version": "==2.9.3"
            },
    
    opened by mjahanshahi 2
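The Pipfile.lock fragment in the issue above records a pinned version and two sha256 digests per package. Those digests are the only thing that ties what `pipenv` installs to a specific artifact, so they are worth checking independently of the installer. The following is an added example (not part of the issue, of Tangerine, or of pipenv) that reads a Pipfile.lock, turns it into a requirements file pip can install with `--require-hashes`, and verifies a downloaded artifact against the lock. The sample lock embedded below is constructed: the two package entries and their digests are copied from the issue, while the surrounding `_meta`/`default`/`develop` layout is the standard Pipfile.lock structure assumed here. The "artifact" bytes in the usage at the bottom are likewise constructed and are not a real wheel.

```python
import hashlib
import json

# Constructed sample modelled on the Pipfile.lock fragment in the issue above.
# The outer "_meta"/"default"/"develop" layout is the standard Pipfile.lock
# structure (assumed); the package entries are copied from the fragment.
SAMPLE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "0" * 64}, "pipfile-spec": 6},
    "default": {
        "slack-tangerine": {
            "hashes": [
                "sha256:92fa45aa2c2c75594212375a82a52e1ff8edc94b5dcb18b9d626efcc14367fce",
                "sha256:b513504e26d21d6d0421d7edf0eb8417f6b57e6fb078b6cec0d0ca80558eb8a8",
            ],
            "index": "pypi",
            "version": "==5.1.0",
        },
        "slackclient": {
            "hashes": [
                "sha256:07ec8fa76f6aa64852210ae235ff9e637ba78124e06c0b07a7eeea4abb955965",
                "sha256:2d68d668c02f4038299897e5c4723ab85dd40a3548354924b24f333a435856f8",
            ],
            "index": "pypi",
            "version": "==2.9.3",
        },
    },
    "develop": {},
})


def pinned_packages(lock_text, section="default"):
    """Return {name: (version, [sha256 hex digests])} for one lock section.

    Only sha256 entries are accepted; anything else is treated as a corrupt
    or tampered lock rather than silently skipped.
    """
    lock = json.loads(lock_text)
    out = {}
    for name, spec in lock.get(section, {}).items():
        version = spec.get("version", "").lstrip("=")
        digests = []
        for entry in spec.get("hashes", []):
            algo, _, digest = entry.partition(":")
            if algo != "sha256" or len(digest) != 64:
                raise ValueError(f"unsupported hash entry for {name}: {entry}")
            digests.append(digest.lower())
        if not version or not digests:
            raise ValueError(f"{name} is not fully pinned in the lock")
        out[name] = (version, digests)
    return out


def to_hash_pinned_requirements(lock_text):
    """Render requirements.txt lines suitable for `pip install --require-hashes`.

    pip accepts several --hash options per line; an artifact matching any one
    of them is accepted, mirroring the multiple digests (sdist + wheel) in the lock.
    """
    lines = []
    for name, (version, digests) in sorted(pinned_packages(lock_text).items()):
        hashes = " ".join(f"--hash=sha256:{d}" for d in digests)
        lines.append(f"{name}=={version} {hashes}")
    return "\n".join(lines)


def artifact_matches_lock(lock_text, name, artifact_bytes):
    """True iff sha256(artifact_bytes) is one of the digests recorded for name."""
    _version, digests = pinned_packages(lock_text)[name]
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    return actual in digests


if __name__ == "__main__":
    print(to_hash_pinned_requirements(SAMPLE_LOCK))
    # Constructed stand-in for a downloaded wheel; it does not match the lock.
    print(artifact_matches_lock(SAMPLE_LOCK, "slackclient", b"not the real wheel"))
```

Feed the rendered lines to `pip install --require-hashes -r requirements.txt` and pip refuses any artifact whose digest is not listed, which closes the gap where a mirror or a compromised index serves a different file under the same version string.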
  • Upgrade to GitHub-native Dependabot

    Dependabot Preview will be shut down on August 3rd, 2021. In order to keep getting Dependabot updates, please merge this PR and migrate to GitHub-native Dependabot before then.

    Dependabot has been fully integrated into GitHub, so you no longer have to install and manage a separate app. This pull request migrates your configuration from Dependabot.com to a config file, using the new syntax. When merged, we'll swap out dependabot-preview (me) for a new dependabot app, and you'll be all set!

    With this change, you'll now use the Dependabot page in GitHub, rather than the Dependabot dashboard, to monitor your version updates, and you'll configure Dependabot through the new config file rather than a UI.

    If you've got any questions or feedback for us, please let us know by creating an issue in the dependabot/dependabot-core repository.

    Learn more about migrating to GitHub-native Dependabot

    Please note that regular @dependabot commands do not work on this pull request.

    dependencies 
    opened by dependabot-preview[bot] 1
Owner
Nick Ficano
Hi! I'm a Python developer living in New York City.