Chatbot construido com o framework Rasa para responder dúvidas referentes ao COVID-19.

Vinícius Souza

Last update: Jul 28, 2022

Overview

Racom Chatbot

Chatbot construido com o framework Rasa.

Como executar

Necessário instalar Docker e Docker Compose.

Para inicializar a aplicação, basta executar o comando abaixo na raiz do projeto:

docker-compose up

Cainais

Telegram: @racom_bot
Webchat: :4445

Portas utilizadas

localhost:3306: Racom Banco de dados (MySQL)
localhost:4040: Túnel de conexão (Ngrok)
localhost:4444: Racom API (Node.js)
localhost:4445: Webchat
localhost:5002: Rasa API
localhost:5005: Rasa Server
localhost:5055: Rasa Action Server

Observações

Ao executar a aplicação, o server do chatbot irá ser executado na porta :5005 e irá criar um túnel nessa porta para que o server possa ser acessado através da rede externa, em vez de somente local.
Quando Ngrok executa, ele gera uma URL aleatória. O arquivo /chatbot/main.py chamará o módulo /chatbot/support/set_telegram_config.py que irá extrair essa URL e atualizar o arquivo chatbot/credentials.yml em tempo de execução, definido a variável $TELEGRAM_URL com este valor. Com isso, o chatbot poderá ser utilizado no Telegram sem necessidade de outra configuração.
A penúltima etapa da execução é treinamento do modelo. O output do progresso de treinamento é incompatível com o terminal do Docker, por isso pode parecer que o build travou na mensagem Training NLU model... mas está sendo executado em segundo plano.

Estrutura

Aplicações

faq: Aplicação que utiliza o framework Scrapy para extrair os FAQs do site da Fiocruz e alimentar o banco de dados com as informações extraídas.
api: Aplicação em TypeScript e Node.js para integração do banco de dados com o chatbot
chatbot: Chatbot construído em Rasa para atendimento automatizado para auxílio de dúvidas sobre Coronavírus.

Diretórios

.
├── api - Diretório da API para comunicação com o banco de dados
├── chatbot - Diretório de instalação do Rasa
├── faq - Diretório para scrapping e alimentação do banco de dados com FAQs

Banco de dados

├── TFAQ - Armazena FAQs extraídos do site da Fiocruz
├── TCategory - Armazena categoria dos FAQs
├── TUnrecognizedMessage - Armazena mensagens não reconhecidas pelo chatbot

Diagramas

Documentação C4

Responsável

Vinícius Souza <[email protected]>

Comments

chore(deps): bump ujson from 4.1.0 to 5.2.0 in /chatbot
Bumps ujson from 4.1.0 to 5.2.0.

Release notes

Sourced from ujson's releases.

5.2.0

Added

Support parsing NaN, Infinity and -Infinity (#514) @Erotemic

Support dynamically linking against system double-conversion library (#508) @musicinmybrain

Add env var to control stripping debug info (#507) @musicinmybrain

Add JSONDecodeError (#498) @JustAnotherArchivist

Fixed

Fix buffer overflows (CVE-2021-45958) (#519) @JustAnotherArchivist

Upgrade Black to fix Click (#515) @hugovk

simplify exception handling on integer overflow (#510) @RouquinBlanc

Remove dead code that used to handle the separate int type in Python 2 (#509) @JustAnotherArchivist

Fix exceptions on encoding list or dict elements and non-overflow errors on int handling getting silenced (#505) @JustAnotherArchivist

5.1.0

Changed

Strip debugging symbols from Linux binaries (#493) @bwoodsend

5.0.0

Added

Use cibuildwheel to build wheels (#491) @bwoodsend

Removed

Drop support for soon-EOL Python 3.6 (#490) @hugovk

Fixed

Install Twine to upload to PyPI (#492) @hugovk

4.3.0

Added

Enable Windows on ARM64 target (#488) @nsait-linaro

4.2.0

Added

Add a default keyword argument to dumps (#470) @garenchan

Add support for Python 3.10 (#472) @hugovk

Build 32-bit wheels for Windows (#481) @hugovk

Build PyPy3 wheels for manylinux (#475) @hugovk

Build wheels for musl aarch64 (aka ARM) Linux (musllinux_1_1_aarch64) (#478) @bwoodsend

Build wheels for musl Linux (musllinux_1_1_x86_64) (#476) @bwoodsend

Changed

... (truncated)

Commits

f6860f1 Remove shebang

c0ff7b1 python -m pytest

362fed3 Clearer pytest command

82917c0 actions/checkout@v3

3c095f1 Widen tests to cover more possible buffer overflows

f4d2c87 Refactor buffer reservations to ensure sufficient space on all additions

1846e08 Add fuzz test to CI/CD.

5875168 Fix some more seg-faults on encoding.

1a39406 Remove the hidden JSON_NO_EXTRA_WHITESPACE compile knob.

20aa1a6 Add a fuzzing test to search for segfaults in encoding.

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python
opened by dependabot[bot] 1
chore(deps): bump tensorflow from 2.5.2 to 2.6.4 in /chatbot
Bumps tensorflow from 2.5.2 to 2.6.4.

Release notes

Sourced from tensorflow's releases.

TensorFlow 2.6.4

Release 2.6.4

This releases introduces several vulnerability fixes:

Fixes a code injection in saved_model_cli (CVE-2022-29216)

Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)

Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)

Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)

Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)

Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)

Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)

Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)

Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)

Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)

Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)

Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)

Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)

Fixes a segfault due to missing support for quantized types (CVE-2022-29205)

Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)

Fixes a missing validation which results in undefined behavior in QuantizedConv2D (CVE-2022-29201)

Fixes an integer overflow in SpaceToBatchND (CVE-2022-29203)

Fixes a segfault and OOB write due to incomplete validation in EditDistance (CVE-2022-29208)

Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29204)

Fixes a denial of service in tf.ragged.constant due to lack of validation (CVE-2022-29202)

Fixes a segfault when tf.histogram_fixed_width is called with NaN values (CVE-2022-29211)

Fixes a core dump when loading TFLite models with quantization (CVE-2022-29212)

Fixes crashes stemming from incomplete validation in signal ops (CVE-2022-29213)

Fixes a type confusion leading to CHECK-failure based denial of service (CVE-2022-29209)

Updates curl to 7.83.1 to handle (CVE-2022-22576, (CVE-2022-27774, (CVE-2022-27775, (CVE-2022-27776, (CVE-2022-27778, (CVE-2022-27779, (CVE-2022-27780, (CVE-2022-27781, (CVE-2022-27782 and (CVE-2022-30115

Updates zlib to 1.2.12 after 1.2.11 was pulled due to security issue

TensorFlow 2.6.3

Release 2.6.3

This releases introduces several vulnerability fixes:

Fixes a floating point division by 0 when executing convolution operators (CVE-2022-21725)

Fixes a heap OOB read in shape inference for ReverseSequence (CVE-2022-21728)

Fixes a heap OOB access in Dequantize (CVE-2022-21726)

Fixes an integer overflow in shape inference for Dequantize (CVE-2022-21727)

Fixes a heap OOB access in FractionalAvgPoolGrad (CVE-2022-21730)

Fixes an overflow and divide by zero in UnravelIndex (CVE-2022-21729)

Fixes a type confusion in shape inference for ConcatV2 (CVE-2022-21731)

Fixes an OOM in ThreadPoolHandle (CVE-2022-21732)

Fixes an OOM due to integer overflow in StringNGrams (CVE-2022-21733)

Fixes more issues caused by incomplete validation in boosted trees code (CVE-2021-41208)

Fixes an integer overflows in most sparse component-wise ops (CVE-2022-23567)

Fixes an integer overflows in AddManySparseToTensorsMap (CVE-2022-23568)

Fixes a number of CHECK-failures in MapStage (CVE-2022-21734)

... (truncated)

Changelog

Sourced from tensorflow's changelog.

Release 2.6.4

This releases introduces several vulnerability fixes:

Fixes a code injection in saved_model_cli (CVE-2022-29216)

Fixes a missing validation which causes TensorSummaryV2 to crash (CVE-2022-29193)

Fixes a missing validation which crashes QuantizeAndDequantizeV4Grad (CVE-2022-29192)

Fixes a missing validation which causes denial of service via DeleteSessionTensor (CVE-2022-29194)

Fixes a missing validation which causes denial of service via GetSessionTensor (CVE-2022-29191)

Fixes a missing validation which causes denial of service via StagePeek (CVE-2022-29195)

Fixes a missing validation which causes denial of service via UnsortedSegmentJoin (CVE-2022-29197)

Fixes a missing validation which causes denial of service via LoadAndRemapMatrix (CVE-2022-29199)

Fixes a missing validation which causes denial of service via SparseTensorToCSRSparseMatrix (CVE-2022-29198)

Fixes a missing validation which causes denial of service via LSTMBlockCell (CVE-2022-29200)

Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29196)

Fixes a CHECK failure in depthwise ops via overflows (CVE-2021-41197)

Fixes issues arising from undefined behavior stemming from users supplying invalid resource handles (CVE-2022-29207)

Fixes a segfault due to missing support for quantized types (CVE-2022-29205)

Fixes a missing validation which results in undefined behavior in SparseTensorDenseAdd (CVE-2022-29206)

Fixes a missing validation which results in undefined behavior in QuantizedConv2D (CVE-2022-29201)

Fixes an integer overflow in SpaceToBatchND (CVE-2022-29203)

Fixes a segfault and OOB write due to incomplete validation in EditDistance (CVE-2022-29208)

Fixes a missing validation which causes denial of service via Conv3DBackpropFilterV2 (CVE-2022-29204)

Fixes a denial of service in tf.ragged.constant due to lack of validation (CVE-2022-29202)

Fixes a segfault when tf.histogram_fixed_width is called with NaN values (CVE-2022-29211)

Fixes a core dump when loading TFLite models with quantization (CVE-2022-29212)

Fixes crashes stemming from incomplete validation in signal ops (CVE-2022-29213)

Fixes a type confusion leading to CHECK-failure based denial of service (CVE-2022-29209)

Updates curl to 7.83.1 to handle (CVE-2022-22576, (CVE-2022-27774, (CVE-2022-27775, (CVE-2022-27776, (CVE-2022-27778, (CVE-2022-27779, (CVE-2022-27780, (CVE-2022-27781, (CVE-2022-27782 and (CVE-2022-30115

Updates zlib to 1.2.12 after 1.2.11 was pulled due to security issue

Release 2.8.0

Major Features and Improvements

tf.lite:

Added TFLite builtin op support for the following TF ops:

tf.raw_ops.Bucketize op on CPU.

tf.where op for data types tf.int32/tf.uint32/tf.int8/tf.uint8/tf.int64.

tf.random.normal op for output data type tf.float32 on CPU.

tf.random.uniform op for output data type tf.float32 on CPU.

tf.random.categorical op for output data type tf.int64 on CPU.

tensorflow.experimental.tensorrt:

conversion_params is now deprecated inside TrtGraphConverterV2 in favor of direct arguments: max_workspace_size_bytes, precision_mode, minimum_segment_size, maximum_cached_engines, use_calibration and

... (truncated)

Commits

33ed2b1 Merge pull request #56102 from tensorflow/mihaimaruseac-patch-1

e1ec480 Fix build due to importlib-metadata/setuptools

63f211c Merge pull request #56033 from tensorflow-jenkins/relnotes-2.6.4-6677

22b8fe4 Update RELEASE.md

ec30684 Merge pull request #56070 from tensorflow/mm-cp-adafb45c781-on-r2.6

38774ed Merge pull request #56060 from yongtang:curl-7.83.1

9ef1604 Merge pull request #56036 from tensorflow-jenkins/version-numbers-2.6.4-9925

a6526a3 Update version numbers to 2.6.4

cb1a481 Update RELEASE.md

4da550f Insert release notes place-fill

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python
opened by dependabot[bot] 1
chore(deps): bump twisted from 21.7.0 to 22.2.0 in /faq
Bumps twisted from 21.7.0 to 22.2.0.

Release notes

Sourced from twisted's releases.

Twisted 22.2.0 (2022-03-01)

Bugfixes

twisted.internet.gireactor.PortableGIReactor.simulate and twisted.internet.gtk2reactor.PortableGtkReactor.simulate no longer raises TypeError when there are no delayed called. This was a regression introduced with the migration to Python 3 in which the builtin min function no longer accepts None as an argument. (#9660)

twisted.conch.ssh.transport.SSHTransportBase now disconnects the remote peer if the SSH version string is not sent in the first 4096 bytes. (#10284, CVE-2022-21716, GHSA-rv6r-3f5q-9rgx)

Improved Documentation

Add type annotations for twisted.web.http.Request.getHeader. (#10270)

Deprecations and Removals

Support for Python 3.6, which is EoL as of 2021-09-04, has been deprecated. (#10303)

Misc

#10216, #10299, #10300

Conch

Misc

- [#10298](https://github.com/twisted/twisted/issues/10298) Web No significant changes. Mail No significant changes.
</tr></table>

... (truncated)

Changelog

Sourced from twisted's changelog.

Twisted 22.2.0 (2022-03-01)

Bugfixes

twisted.internet.gireactor.PortableGIReactor.simulate and twisted.internet.gtk2reactor.PortableGtkReactor.simulate no longer raises TypeError when there are no delayed called. This was a regression introduced with the migration to Python 3 in which the builtin min function no longer accepts None as an argument. (#9660)

twisted.conch.ssh.transport.SSHTransportBase now disconnects the remote peer if the SSH version string is not sent in the first 4096 bytes. (#10284, CVE-2022-21716, GHSA-rv6r-3f5q-9rgx)

Improved Documentation

Add type annotations for twisted.web.http.Request.getHeader. (#10270)

Deprecations and Removals

Support for Python 3.6, which is EoL as of 2021-09-04, has been deprecated. (#10303)

Misc

#10216, #10299, #10300

Conch

Misc

- [#10298](https://github.com/twisted/twisted/issues/10298) Web No significant changes. Mail No significant changes.
</tr></table>

... (truncated)

Commits

89c395e Update the release date.

2b2af4d python -m incremental.update Twisted --newversion 22.2.0

5246003 Apply suggestions from code review from twm.

766bcd3 tox -e towncrier

7cbf195 python -m incremental.update Twisted --rc

98387b3 Merge pull request from GHSA-rv6r-3f5q-9rgx

a4523b4 Fix typo.

a6849d4 Merge pull request #1693 from twisted/10303-deprecate-py36

bce8e81 Merge branch 'trunk' into 10303-deprecate-py36

9045ef7 Merge pull request #1679 from doadin/patch-3

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python
opened by dependabot[bot] 1

chore(deps): bump scrapy from 2.5.1 to 2.6.0 in /faq

Bumps scrapy from 2.5.1 to 2.6.0.

Release notes

Sourced from scrapy's releases.

2.6.0

Security fixes for cookie handling (see details below)

Python 3.10 support

asyncio support is no longer considered experimental, and works out-of-the-box on Windows regardless of your Python version

Feed exports now support pathlib.Path output paths and per-feed item filtering and post-processing

See the full changelog

Security bug fixes

When a Request object with cookies defined gets a redirect response causing a new Request object to be scheduled, the cookies defined in the original Request object are no longer copied into the new Request object.

If you manually set the Cookie header on a Request object and the domain name of the redirect URL is not an exact match for the domain of the URL of the original Request object, your Cookie header is now dropped from the new Request object.

The old behavior could be exploited by an attacker to gain access to your cookies. Please, see the cjvr-mfj7-j4j8 security advisory for more information.

Note: It is still possible to enable the sharing of cookies between different domains with a shared domain suffix (e.g. example.com and any subdomain) by defining the shared domain suffix (e.g. example.com) as the cookie domain when defining your cookies. See the documentation of the Request class for more information.

When the domain of a cookie, either received in the Set-Cookie header of a response or defined in a Request object, is set to a public suffix <https://publicsuffix.org/>_, the cookie is now ignored unless the cookie domain is the same as the request domain.

The old behavior could be exploited by an attacker to inject cookies from a controlled domain into your cookiejar that could be sent to other domains not controlled by the attacker. Please, see the mfjm-vh54-3f96 security advisory for more information.

Changelog

Sourced from scrapy's changelog.

Scrapy 2.6.0 (2022-03-01)

Highlights:

:ref:Security fixes for cookie handling <2.6-security-fixes>
Python 3.10 support
:ref:asyncio support <using-asyncio> is no longer considered experimental, and works out-of-the-box on Windows regardless of your Python version
Feed exports now support :class:pathlib.Path output paths and per-feed :ref:item filtering <item-filter> and :ref:post-processing <post-processing>

.. _2.6-security-fixes:

Security bug fixes


-   When a :class:`~scrapy.http.Request` object with cookies defined gets a
    redirect response causing a new :class:`~scrapy.http.Request` object to be
    scheduled, the cookies defined in the original
    :class:`~scrapy.http.Request` object are no longer copied into the new
    :class:`~scrapy.http.Request` object.
If you manually set the ``Cookie`` header on a
:class:`~scrapy.http.Request` object and the domain name of the redirect
URL is not an exact match for the domain of the URL of the original
:class:`~scrapy.http.Request` object, your ``Cookie`` header is now dropped
from the new :class:`~scrapy.http.Request` object.
The old behavior could be exploited by an attacker to gain access to your
cookies. Please, see the cjvr-mfj7-j4j8 security advisory_ for more
information.
.. _cjvr-mfj7-j4j8 security advisory: https://github.com/scrapy/scrapy/security/advisories/GHSA-cjvr-mfj7-j4j8
.. note:: It is still possible to enable the sharing of cookies between
different domains with a shared domain suffix (e.g.
example.com and any subdomain) by defining the shared domain
suffix (e.g. example.com) as the cookie domain when defining
your cookies. See the documentation of the
:class:~scrapy.http.Request class for more information.


When the domain of a cookie, either received in the Set-Cookie header
of a response or defined in a :class:~scrapy.http.Request object, is set
to a public suffix &lt;https://publicsuffix.org/&gt;_, the cookie is now
</tr></table>

... (truncated)

Commits

6b63e7c Bump version: 2.5.0 → 2.6.0
e865c44 Merge pull request from GHSA-mfjm-vh54-3f96
8ce01b3 Merge pull request from GHSA-cjvr-mfj7-j4j8
aa0306a Cover 2.6.0 in the release notes (#5399)
08557e0 Pin old markupsafe when we pin old mitmproxy (#5427)
3b42ccf Add a link to Discord (#5422)
8840403 Merge pull request #5412 from Laerte/master
0b0eea3 Merge pull request #5419 from PendalF89/patch-2
187b5c8 Update the documentation link for robots.txt (#5415)
bbb693d Update downloader-middleware.rst
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python

opened by dependabot[bot] 1

chore(deps): bump twisted from 21.7.0 to 22.1.0 in /faq

Bumps twisted from 21.7.0 to 22.1.0.

Release notes

Sourced from twisted's releases.

Twisted 22.1.0 (2022-02-03)

Features

Python 3.10 is now a supported platform (#10224)

Type annotations have been added to the twisted.python.fakepwd module. (#10287)

Bugfixes

twisted.internet.defer.inlineCallbacks has an improved type annotation, to avoid typing errors when it is used on a function which returns a non-None result. (#10231)

twisted.internet.base.DelayedCall.__repr__ and twisted.internet.task.LoopingCall.__repr__ had the changes from #10155 reverted to accept non-function callables. (#10235)

Revert the removal of .whl building that was done as part of #10177. (#10236)

The type annotation of the host parameter to twisted.internet.interfaces.IReactorTCP.connectTCP has been corrected from bytes to str. (#10251)

Deprecated twisted.python.threading.ThreadPool.currentThread() in favor of threading.current_thread(). Switched twisted.python.threading.ThreadPool.currentThread() and twisted.python.threadable.getThreadID() to use `threading.current_thread()to avoid the deprecation warnings introduced forthreading.currentThread()`` in Python 3.10. (#10273)

Improved Documentation

twisted.internet.utils.runWithWarningsSupressed behavior of waiting on deferreds has been documented. (#10238)

Sync API docs templates with pydoctor 21.9.0 release, using new theming capabilities. (#10267)

Misc

#1681, #9944, #10198, #10218, #10219, #10228, #10229, #10234, #10239, #10240, #10245, #10246, #10248, #10250, #10255, #10277, #10288, #10292

Conch

Features
- twisted.conch.ssh now supports SSH extension negotiation (RFC 8308). ([#10266](https://github.com/twisted/twisted/issues/10266))
Bugfixes
twisted.conch now uses constant-time comparisons for MACs. (#8199)

twisted.conch.ssh.filetransfer.FileTransferServer will now return an ENOENT error status if an SFTP client tries to close an unrecognized file handle. (#10293)

SSHTransportBase.ssh_KEXINIT now uses the remote peer preferred MAC list for negotiation. In previous versions it was only using the local preferred MAC list. (#10241)

... (truncated)

Changelog

Sourced from twisted's changelog.

Twisted 22.1.0 (2022-02-03)

Features

Python 3.10 is now a supported platform (#10224)

Type annotations have been added to the twisted.python.fakepwd module. (#10287)

Bugfixes

twisted.internet.defer.inlineCallbacks has an improved type annotation, to avoid typing errors when it is used on a function which returns a non-None result. (#10231)

twisted.internet.base.DelayedCall.__repr__ and twisted.internet.task.LoopingCall.__repr__ had the changes from #10155 reverted to accept non-function callables. (#10235)

Revert the removal of .whl building that was done as part of #10177. (#10236)

The type annotation of the host parameter to twisted.internet.interfaces.IReactorTCP.connectTCP has been corrected from bytes to str. (#10251)

Deprecated twisted.python.threading.ThreadPool.currentThread() in favor of threading.current_thread(). Switched twisted.python.threading.ThreadPool.currentThread() and twisted.python.threadable.getThreadID() to use `threading.current_thread()to avoid the deprecation warnings introduced forthreading.currentThread()`` in Python 3.10. (#10273)

Improved Documentation

twisted.internet.utils.runWithWarningsSupressed behavior of waiting on deferreds has been documented. (#10238)

Sync API docs templates with pydoctor 21.9.0 release, using new theming capabilities. (#10267)

Misc

#1681, #9944, #10198, #10218, #10219, #10228, #10229, #10234, #10239, #10240, #10245, #10246, #10248, #10250, #10255, #10277, #10288, #10292

Conch

Bugfixes

SSHTransportBase.ssh_KEXINIT now uses the remote peer preferred MAC list for negotiation. In previous versions it was only using the local preferred MAC list. (#10241)

Features
- twisted.conch.ssh now supports SSH extension negotiation (RFC 8308). ([#10266](https://github.com/twisted/twisted/issues/10266))
Bugfixes
</tr></table>

... (truncated)

Commits

45d463c move conch bugfix.
d48e4d3 Manually update the release version and date inside the NEWS file. T
9ce5061 Update final release version.
9d9322b Update the release notes.
7e65fbe Bump copyright.
ddf72a9 tox -e towncrier
b33589f Update to 21.1.0.rc1
a033c84 Merge pull request #1685 from twisted/10293-conch-sftp-close-invalid-handle
9e9cce2 Copy the skip logic from FileTransferCloseTests
385e9f2 mention the name of the draft doc
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python

opened by dependabot[bot] 1

chore(deps): bump tensorflow from 2.5.2 to 2.5.3 in /chatbot

Bumps tensorflow from 2.5.2 to 2.5.3.

Release notes

Sourced from tensorflow's releases.

TensorFlow 2.5.3

Release 2.5.3

Note: This is the last release in the 2.5 series.

This releases introduces several vulnerability fixes:

Fixes a floating point division by 0 when executing convolution operators (CVE-2022-21725)

Fixes a heap OOB read in shape inference for ReverseSequence (CVE-2022-21728)

Fixes a heap OOB access in Dequantize (CVE-2022-21726)

Fixes an integer overflow in shape inference for Dequantize (CVE-2022-21727)

Fixes a heap OOB access in FractionalAvgPoolGrad (CVE-2022-21730)

Fixes an overflow and divide by zero in UnravelIndex (CVE-2022-21729)

Fixes a type confusion in shape inference for ConcatV2 (CVE-2022-21731)

Fixes an OOM in ThreadPoolHandle (CVE-2022-21732)

Fixes an OOM due to integer overflow in StringNGrams (CVE-2022-21733)

Fixes more issues caused by incomplete validation in boosted trees code (CVE-2021-41208)

Fixes an integer overflows in most sparse component-wise ops (CVE-2022-23567)

Fixes an integer overflows in AddManySparseToTensorsMap (CVE-2022-23568)

Fixes a number of CHECK-failures in MapStage (CVE-2022-21734)

Fixes a division by zero in FractionalMaxPool (CVE-2022-21735)

Fixes a number of CHECK-fails when building invalid/overflowing tensor shapes (CVE-2022-23569)

Fixes an undefined behavior in SparseTensorSliceDataset (CVE-2022-21736)

Fixes an assertion failure based denial of service via faulty bin count operations (CVE-2022-21737)

Fixes a reference binding to null pointer in QuantizedMaxPool (CVE-2022-21739)

Fixes an integer overflow leading to crash in SparseCountSparseOutput (CVE-2022-21738)

Fixes a heap overflow in SparseCountSparseOutput (CVE-2022-21740)

Fixes an FPE in BiasAndClamp in TFLite (CVE-2022-23557)

Fixes an FPE in depthwise convolutions in TFLite (CVE-2022-21741)

Fixes an integer overflow in TFLite array creation (CVE-2022-23558)

Fixes an integer overflow in TFLite (CVE-2022-23559)

Fixes a dangerous OOB write in TFLite (CVE-2022-23561)

Fixes a vulnerability leading to read and write outside of bounds in TFLite (CVE-2022-23560)

Fixes a set of vulnerabilities caused by using insecure temporary files (CVE-2022-23563)

Fixes an integer overflow in Range resulting in undefined behavior and OOM (CVE-2022-23562)

Fixes a vulnerability where missing validation causes tf.sparse.split to crash when axis is a tuple (CVE-2021-41206)

Fixes a CHECK-fail when decoding resource handles from proto (CVE-2022-23564)

Fixes a CHECK-fail with repeated AttrDef (CVE-2022-23565)

Fixes a heap OOB write in Grappler (CVE-2022-23566)

Fixes a CHECK-fail when decoding invalid tensors from proto (CVE-2022-23571)

Fixes an unitialized variable access in AssignOp (CVE-2022-23573)

Fixes an integer overflow in OpLevelCostEstimator::CalculateTensorSize (CVE-2022-23575)

Fixes an integer overflow in OpLevelCostEstimator::CalculateOutputSize (CVE-2022-23576)

Fixes a null dereference in GetInitOp (CVE-2022-23577)

Fixes a memory leak when a graph node is invalid (CVE-2022-23578)

Fixes an abort caused by allocating a vector that is too large (CVE-2022-23580)

Fixes multiple CHECK-failures during Grappler's IsSimplifiableReshape (CVE-2022-23581)

Fixes multiple CHECK-failures during Grappler's SafeToRemoveIdentity (CVE-2022-23579)

Fixes multiple CHECK-failures in TensorByteSize (CVE-2022-23582)

Fixes multiple CHECK-failures in binary ops due to type confusion (CVE-2022-23583)

... (truncated)

Changelog

Sourced from tensorflow's changelog.

Release 2.5.3

This releases introduces several vulnerability fixes:

Fixes a floating point division by 0 when executing convolution operators (CVE-2022-21725)

Fixes a heap OOB read in shape inference for ReverseSequence (CVE-2022-21728)

Fixes a heap OOB access in Dequantize (CVE-2022-21726)

Fixes an integer overflow in shape inference for Dequantize (CVE-2022-21727)

Fixes a heap OOB access in FractionalAvgPoolGrad (CVE-2022-21730)

Fixes an overflow and divide by zero in UnravelIndex (CVE-2022-21729)

Fixes a type confusion in shape inference for ConcatV2 (CVE-2022-21731)

Fixes an OOM in ThreadPoolHandle (CVE-2022-21732)

Fixes an OOM due to integer overflow in StringNGrams (CVE-2022-21733)

Fixes more issues caused by incomplete validation in boosted trees code (CVE-2021-41208)

Fixes an integer overflows in most sparse component-wise ops (CVE-2022-23567)

Fixes an integer overflows in AddManySparseToTensorsMap (CVE-2022-23568)

Fixes a number of CHECK-failures in MapStage (CVE-2022-21734)

Fixes a division by zero in FractionalMaxPool (CVE-2022-21735)

Fixes a number of CHECK-fails when building invalid/overflowing tensor shapes (CVE-2022-23569)

Fixes an undefined behavior in SparseTensorSliceDataset (CVE-2022-21736)

Fixes an assertion failure based denial of service via faulty bin count operations (CVE-2022-21737)

Fixes a reference binding to null pointer in QuantizedMaxPool (CVE-2022-21739)

Fixes an integer overflow leading to crash in SparseCountSparseOutput (CVE-2022-21738)

Fixes a heap overflow in SparseCountSparseOutput (CVE-2022-21740)

Fixes an FPE in BiasAndClamp in TFLite (CVE-2022-23557)

Fixes an FPE in depthwise convolutions in TFLite (CVE-2022-21741)

... (truncated)

Commits

959e9b2 Merge pull request #54213 from tensorflow/fix-sanity-on-r2.5
d05fcbc Fix sanity build
f2526a0 Merge pull request #54205 from tensorflow/disable-flaky-tests-on-r2.5
a5f94df Disable flaky test
7babe52 Merge pull request #54201 from tensorflow/cherrypick-510ae18200d0a4fad797c0bf...
0e5d378 Set Env Variable to override Setuptools new behavior
fdd4195 Merge pull request #54176 from tensorflow-jenkins/relnotes-2.5.3-6805
4083165 Update RELEASE.md
a2bb7f1 Merge pull request #54185 from tensorflow/cherrypick-d437dec4d549fc30f9b85c75...
5777ea3 Update third_party/icu/workspace.bzl
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python

opened by dependabot[bot] 1

chore(deps): bump ujson from 4.1.0 to 5.1.0 in /chatbot

Bumps ujson from 4.1.0 to 5.1.0.

Release notes

Sourced from ujson's releases.

5.1.0

Changed

Strip debugging symbols from Linux binaries (#493) @bwoodsend

5.0.0

Added

Use cibuildwheel to build wheels (#491) @bwoodsend

Removed

Drop support for soon-EOL Python 3.6 (#490) @hugovk

Fixed

Install Twine to upload to PyPI (#492) @hugovk

4.3.0

Added

Enable Windows on ARM64 target (#488) @nsait-linaro

4.2.0

Added

Add a default keyword argument to dumps (#470) @garenchan

Add support for Python 3.10 (#472) @hugovk

Build 32-bit wheels for Windows (#481) @hugovk

Build PyPy3 wheels for manylinux (#475) @hugovk

Build wheels for musl aarch64 (aka ARM) Linux (musllinux_1_1_aarch64) (#478) @bwoodsend

Build wheels for musl Linux (musllinux_1_1_x86_64) (#476) @bwoodsend

Changed

Use declarative setup metadata (#477) @hugovk

Wheel building updates (#473) @hugovk

Rename master to main (#471) @hugovk

Replace README.rst with Markdown (#479) @hugovk

Commits

682c660 Merge pull request #493 from bwoodsend/strip-binaries
c1d5b6d [pre-commit.ci] auto fixes from pre-commit.com hooks
b9275f7 Strip debugging symbols from Linux binaries.
e3ccc5a Merge pull request #492 from hugovk/deploy-twine
243d49b Install Twine to upload to PyPI
269621b Merge pull request #490 from hugovk/rm-3.6
cccde3f Drop support for EOL Python 3.6
b55049f Merge pull request #491 from bwoodsend/switch-to-ci-build-wheels
04286a6 Drop wheels for Python 3.6. (#490)
ab32d48 CI/CD: Ensure that sdists are uploaded last.
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python

opened by dependabot[bot] 1

chore(deps): bump pillow from 8.3.1 to 9.0.0 in /chatbot

Bumps pillow from 8.3.1 to 9.0.0.

Release notes

Sourced from pillow's releases.

9.0.0

https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html

Changes

Restrict builtins for ImageMath.eval() #5923 [@radarhere]

Ensure JpegImagePlugin stops at the end of a truncated file #5921 [@radarhere]

Fixed ImagePath.Path array handling #5920 [@radarhere]

Remove consecutive duplicate tiles that only differ by their offset #5919 [@radarhere]

Removed redundant part of condition #5915 [@radarhere]

Explicitly enable strip chopping for large uncompressed TIFFs #5517 [@kmilos]

Use the Windows method to get TCL functions on Cygwin #5807 [@DWesl]

Changed error type to allow for incremental WebP parsing #5404 [@radarhere]

Improved I;16 operations on big endian #5901 [@radarhere]

Ensure that BMP pixel data offset does not ignore palette #5899 [@radarhere]

Limit quantized palette to number of colors #5879 [@radarhere]

Use latin1 encoding to decode bytes #5870 [@radarhere]

Fixed palette index for zeroed color in FASTOCTREE quantize #5869 [@radarhere]

When saving RGBA to GIF, make use of first transparent palette entry #5859 [@radarhere]

Pass SAMPLEFORMAT to libtiff #5848 [@radarhere]

Added rounding when converting P and PA #5824 [@radarhere]

Improved putdata() documentation and data handling #5910 [@radarhere]

Exclude carriage return in PDF regex to help prevent ReDoS #5912 [@radarhere]

Image.NONE is only used for resampling and dithers #5908 [@radarhere]

Fixed freeing pointer in ImageDraw.Outline.transform #5909 [@radarhere]

Add Tidelift alignment action and badge #5763 [@aclark4life]

Replaced further direct invocations of setup.py #5906 [@radarhere]

Added ImageShow support for xdg-open #5897 [@m-shinder]

Fixed typo #5902 [@radarhere]

Switched from deprecated "setup.py install" to "pip install ." #5896 [@radarhere]

Support 16-bit grayscale ImageQt conversion #5856 [@cmbruns]

Fixed raising OSError in _safe_read when size is greater than SAFEBLOCK #5872 [@radarhere]

Convert subsequent GIF frames to RGB or RGBA #5857 [@radarhere]

WebP: Fix memory leak during decoding on failure #5798 [@ilai-deutel]

Do not prematurely return in ImageFile when saving to stdout #5665 [@infmagic2047]

Added support for top right and bottom right TGA orientations #5829 [@radarhere]

Corrected ICNS file length in header #5845 [@radarhere]

Block tile TIFF tags when saving #5839 [@radarhere]

Added line width argument to ImageDraw polygon #5694 [@radarhere]

Do not redeclare class each time when converting to NumPy #5844 [@radarhere]

Only prevent repeated polygon pixels when drawing with transparency #5835 [@radarhere]

Fix pushes_fd method signature #5833 [@hoodmane]

Add support for pickling TrueType fonts #5826 [@hugovk]

Only prefer command line tools SDK on macOS over default MacOSX SDK #5828 [@radarhere]

Fix compilation on 64-bit Termux #5793 [@landfillbaby]

Replace 'setup.py sdist' with '-m build --sdist' #5785 [@hugovk]

Use declarative package configuration #5784 [@hugovk]

Use title for display in ImageShow #5788 [@radarhere]

Fix for PyQt6 #5775 [@hugovk]

... (truncated)

Changelog

Sourced from pillow's changelog.

9.0.0 (2022-01-02)

Restrict builtins for ImageMath.eval(). CVE-2022-22817 #5923 [radarhere]

Ensure JpegImagePlugin stops at the end of a truncated file #5921 [radarhere]

Fixed ImagePath.Path array handling. CVE-2022-22815, CVE-2022-22816 #5920 [radarhere]

Remove consecutive duplicate tiles that only differ by their offset #5919 [radarhere]

Improved I;16 operations on big endian #5901 [radarhere]

Limit quantized palette to number of colors #5879 [radarhere]

Fixed palette index for zeroed color in FASTOCTREE quantize #5869 [radarhere]

When saving RGBA to GIF, make use of first transparent palette entry #5859 [radarhere]

Pass SAMPLEFORMAT to libtiff #5848 [radarhere]

Added rounding when converting P and PA #5824 [radarhere]

Improved putdata() documentation and data handling #5910 [radarhere]

Exclude carriage return in PDF regex to help prevent ReDoS #5912 [hugovk]

Fixed freeing pointer in ImageDraw.Outline.transform #5909 [radarhere]

Added ImageShow support for xdg-open #5897 [m-shinder, radarhere]

Support 16-bit grayscale ImageQt conversion #5856 [cmbruns, radarhere]

Convert subsequent GIF frames to RGB or RGBA #5857 [radarhere]

... (truncated)

Commits

82541b6 9.0.0 version bump
cae5ac4 Merge pull request #5924 from radarhere/cves
ed4cf78 CVEs TBD
d7f60d1 Merge pull request #5923 from radarhere/imagemath_eval
8531b01 Restrict builtins for ImageMath.eval
1efb1d9 Merge pull request #5922 from radarhere/releasenotes
f6c7871 Added release notes for #5919, #5920 and #5921
032d2dc Update CHANGES.rst [ci skip]
baae9ec Merge pull request #5921 from radarhere/jpeg_eoi
1059eb5 If appended EOI did not work, do not keep trying
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python

opened by dependabot[bot] 1

chore(deps): bump pillow from 8.3.1 to 8.3.2 in /chatbot

Bumps pillow from 8.3.1 to 8.3.2.

Release notes

Sourced from pillow's releases.

8.3.2

https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html

Security

CVE-2021-23437 Raise ValueError if color specifier is too long [hugovk, radarhere]

Fix 6-byte OOB read in FliDecode [wiredfool]

Python 3.10 wheels

Add support for Python 3.10 #5569, #5570 [hugovk, radarhere]

Fixed regressions

Ensure TIFF RowsPerStrip is multiple of 8 for JPEG compression #5588 [kmilos, radarhere]

Updates for ImagePalette channel order #5599 [radarhere]

Hide FriBiDi shim symbols to avoid conflict with real FriBiDi library #5651 [nulano]

Changelog

Sourced from pillow's changelog.

8.3.2 (2021-09-02)

CVE-2021-23437 Raise ValueError if color specifier is too long [hugovk, radarhere]

Fix 6-byte OOB read in FliDecode [wiredfool]

Add support for Python 3.10 #5569, #5570 [hugovk, radarhere]

Ensure TIFF RowsPerStrip is multiple of 8 for JPEG compression #5588 [kmilos, radarhere]

Updates for ImagePalette channel order #5599 [radarhere]

Hide FriBiDi shim symbols to avoid conflict with real FriBiDi library #5651 [nulano]

Commits

8013f13 8.3.2 version bump
23c7ca8 Update CHANGES.rst
8450366 Update release notes
a0afe89 Update test case
9e08eb8 Raise ValueError if color specifier is too long
bd5cf7d FLI tests for Oss-fuzz crash.
94a0cf1 Fix 6-byte OOB read in FliDecode
cece64f Add 8.3.2 (2021-09-02) [CI skip]
e422386 Add release notes for Pillow 8.3.2
08dcbb8 Pillow 8.3.2 supports Python 3.10 [ci skip]
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python

opened by dependabot[bot] 1

chore(deps): bump websockets from 8.1 to 9.1 in /chatbot

Bumps websockets from 8.1 to 9.1.

Changelog

Sourced from websockets's changelog.

9.1 ...

May 27, 2021

.. note::
**Version 9.1 fixes a security issue introduced in version 8.0.**
Version 8.0 was vulnerable to timing attacks on HTTP Basic Auth passwords.
9.0.2 .....

May 15, 2021

Restored compatibility of python -m websockets with Python < 3.9.

Restored compatibility with mypy.

9.0.1 .....

May 2, 2021

Fixed issues with the packaging of the 9.0 release.

9.0 ...

May 1, 2021

.. note::
**Version 9.0 moves or deprecates several APIs.**
Aliases provide backwards compatibility for all previously public APIs.


:class:~datastructures.Headers and
:exc:~datastructures.MultipleValuesError were moved from
websockets.http to :mod:websockets.datastructures. If you're using
them, you should adjust the import path.


The client, server, protocol, and auth modules were
moved from the websockets package to websockets.legacy
sub-package, as part of an upcoming refactoring. Despite the name,
they're still fully supported. The refactoring should be a transparent
upgrade for most uses when it's available. The legacy implementation
will be preserved according to the backwards-compatibility policy_.

... (truncated)

Commits

d0f3288 Bump version number.
547a26b Use constant-time comparison for passwords.
a14226a Bump version number.
8900c13 Add mypy to dictionary.
0713dbf Add test coverage.
b99c4fe Restore real imports for compatibility with mypy.
e44e085 Use relative imports everywhere, for consistency.
70fadbf Restore compatibility with Python < 3.9.
217ac2d Fix broken link.
fc176f4 Bump version number.
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python

opened by dependabot[bot] 1

chore(deps): bump tensorflow from 2.3.4 to 2.5.1 in /chatbot

Bumps tensorflow from 2.3.4 to 2.5.1.

Release notes

Sourced from tensorflow's releases.

TensorFlow 2.5.1

Release 2.5.1

This release introduces several vulnerability fixes:

Fixes a heap out of bounds access in sparse reduction operations (CVE-2021-37635)

Fixes a floating point exception in SparseDenseCwiseDiv (CVE-2021-37636)

Fixes a null pointer dereference in CompressElement (CVE-2021-37637)

Fixes a null pointer dereference in RaggedTensorToTensor (CVE-2021-37638)

Fixes a null pointer dereference and a heap OOB read arising from operations restoring tensors (CVE-2021-37639)

Fixes an integer division by 0 in sparse reshaping (CVE-2021-37640)

Fixes a division by 0 in ResourceScatterDiv (CVE-2021-37642)

Fixes a heap OOB in RaggedGather (CVE-2021-37641)

Fixes a std::abort raised from TensorListReserve (CVE-2021-37644)

Fixes a null pointer dereference in MatrixDiagPartOp (CVE-2021-37643)

Fixes an integer overflow due to conversion to unsigned (CVE-2021-37645)

Fixes a bad allocation error in StringNGrams caused by integer conversion (CVE-2021-37646)

Fixes a null pointer dereference in SparseTensorSliceDataset (CVE-2021-37647)

Fixes an incorrect validation of SaveV2 inputs (CVE-2021-37648)

Fixes a null pointer dereference in UncompressElement (CVE-2021-37649)

Fixes a segfault and a heap buffer overflow in {Experimental,}DatasetToTFRecord (CVE-2021-37650)

Fixes a heap buffer overflow in FractionalAvgPoolGrad (CVE-2021-37651)

Fixes a use after free in boosted trees creation (CVE-2021-37652)

Fixes a division by 0 in ResourceGather (CVE-2021-37653)

Fixes a heap OOB and a CHECK fail in ResourceGather (CVE-2021-37654)

Fixes a heap OOB in ResourceScatterUpdate (CVE-2021-37655)

Fixes an undefined behavior arising from reference binding to nullptr in RaggedTensorToSparse (CVE-2021-37656)

Fixes an undefined behavior arising from reference binding to nullptr in MatrixDiagV* ops (CVE-2021-37657)

Fixes an undefined behavior arising from reference binding to nullptr in MatrixSetDiagV* ops (CVE-2021-37658)

Fixes an undefined behavior arising from reference binding to nullptr and heap OOB in binary cwise ops (CVE-2021-37659)

Fixes a division by 0 in inplace operations (CVE-2021-37660)

Fixes a crash caused by integer conversion to unsigned (CVE-2021-37661)

Fixes an undefined behavior arising from reference binding to nullptr in boosted trees (CVE-2021-37662)

Fixes a heap OOB in boosted trees (CVE-2021-37664)

Fixes vulnerabilities arising from incomplete validation in QuantizeV2 (CVE-2021-37663)

Fixes vulnerabilities arising from incomplete validation in MKL requantization (CVE-2021-37665)

Fixes an undefined behavior arising from reference binding to nullptr in RaggedTensorToVariant (CVE-2021-37666)

Fixes an undefined behavior arising from reference binding to nullptr in unicode encoding (CVE-2021-37667)

Fixes an FPE in tf.raw_ops.UnravelIndex (CVE-2021-37668)

Fixes a crash in NMS ops caused by integer conversion to unsigned (CVE-2021-37669)

Fixes a heap OOB in UpperBound and LowerBound (CVE-2021-37670)

Fixes an undefined behavior arising from reference binding to nullptr in map operations (CVE-2021-37671)

Fixes a heap OOB in SdcaOptimizerV2 (CVE-2021-37672)

Fixes a CHECK-fail in MapStage (CVE-2021-37673)

Fixes a vulnerability arising from incomplete validation in MaxPoolGrad (CVE-2021-37674)

Fixes an undefined behavior arising from reference binding to nullptr in shape inference (CVE-2021-37676)

Fixes a division by 0 in most convolution operators (CVE-2021-37675)

Fixes vulnerabilities arising from missing validation in shape inference for Dequantize (CVE-2021-37677)

Fixes an arbitrary code execution due to YAML deserialization (CVE-2021-37678)

Fixes a heap OOB in nested tf.map_fn with RaggedTensors (CVE-2021-37679)

... (truncated)

Changelog

Sourced from tensorflow's changelog.

Release 2.5.1

This release introduces several vulnerability fixes:

Fixes a heap out of bounds access in sparse reduction operations (CVE-2021-37635)

Fixes a floating point exception in SparseDenseCwiseDiv (CVE-2021-37636)

Fixes a null pointer dereference in CompressElement (CVE-2021-37637)

Fixes a null pointer dereference in RaggedTensorToTensor (CVE-2021-37638)

Fixes a null pointer dereference and a heap OOB read arising from operations restoring tensors (CVE-2021-37639)

Fixes an integer division by 0 in sparse reshaping (CVE-2021-37640)

Fixes a division by 0 in ResourceScatterDiv (CVE-2021-37642)

Fixes a heap OOB in RaggedGather (CVE-2021-37641)

Fixes a std::abort raised from TensorListReserve (CVE-2021-37644)

Fixes a null pointer dereference in MatrixDiagPartOp (CVE-2021-37643)

Fixes an integer overflow due to conversion to unsigned (CVE-2021-37645)

Fixes a bad allocation error in StringNGrams caused by integer conversion (CVE-2021-37646)

Fixes a null pointer dereference in SparseTensorSliceDataset (CVE-2021-37647)

Fixes an incorrect validation of SaveV2 inputs (CVE-2021-37648)

Fixes a null pointer dereference in UncompressElement (CVE-2021-37649)

Fixes a segfault and a heap buffer overflow in {Experimental,}DatasetToTFRecord (CVE-2021-37650)

Fixes a heap buffer overflow in FractionalAvgPoolGrad (CVE-2021-37651)

Fixes a use after free in boosted trees creation (CVE-2021-37652)

Fixes a division by 0 in ResourceGather (CVE-2021-37653)

Fixes a heap OOB and a CHECK fail in ResourceGather (CVE-2021-37654)

Fixes a heap OOB in ResourceScatterUpdate (CVE-2021-37655)

Fixes an undefined behavior arising from reference binding to nullptr in RaggedTensorToSparse

... (truncated)

Commits

8222c1c Merge pull request #51381 from tensorflow/mm-fix-r2.5-build
d584260 Disable broken/flaky test
f6c6ce3 Merge pull request #51367 from tensorflow-jenkins/version-numbers-2.5.1-17468
3ca7812 Update version numbers to 2.5.1
4fdf683 Merge pull request #51361 from tensorflow/mm-update-relnotes-on-r2.5
05fc01a Put CVE numbers for fixes in parentheses
bee1dc4 Update release notes for the new patch release
47beb4c Merge pull request #50597 from kruglov-dmitry/v2.5.0-sync-abseil-cmake-bazel
6f39597 Merge pull request #49383 from ashahab/abin-load-segfault-r2.5
0539b34 Merge pull request #48979 from liufengdb/r2.5-cherrypick
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python

opened by dependabot[bot] 1

chore(deps): bump express from 4.17.1 to 4.17.3 in /webchat

Bumps express from 4.17.1 to 4.17.3.

Release notes

Sourced from express's releases.

4.17.3

deps: accepts@~1.3.8

deps: mime-types@~2.1.34

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

Fix handling of __proto__ keys

pref: remove unnecessary regexp for trust proxy

4.17.2

Fix handling of undefined in res.jsonp

Fix handling of undefined when "json escape" is enabled

Fix incorrect middleware execution with unanchored RegExps

Fix res.jsonp(obj, status) deprecation message

Fix typo in res.is JSDoc

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: type-is@~1.6.18

deps: [email protected]

deps: [email protected]

deps: [email protected]

Fix maxAge option to reject invalid values

deps: proxy-addr@~2.0.7

Use req.socket over deprecated req.connection

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

pref: ignore empty http tokens

deps: [email protected]

deps: [email protected]

deps: [email protected]

Changelog

Sourced from express's changelog.

4.17.3 / 2022-02-16

deps: accepts@~1.3.8

deps: mime-types@~2.1.34

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

Fix handling of __proto__ keys

pref: remove unnecessary regexp for trust proxy

4.17.2 / 2021-12-16

Fix handling of undefined in res.jsonp

Fix handling of undefined when "json escape" is enabled

Fix incorrect middleware execution with unanchored RegExps

Fix res.jsonp(obj, status) deprecation message

Fix typo in res.is JSDoc

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: type-is@~1.6.18

deps: [email protected]

deps: [email protected]

deps: [email protected]

Fix maxAge option to reject invalid values

deps: proxy-addr@~2.0.7

Use req.socket over deprecated req.connection

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

pref: ignore empty http tokens

deps: [email protected]

deps: [email protected]

deps: [email protected]

Commits

3d7fce5 4.17.3
f906371 build: update example dependencies
6381bc6 deps: [email protected]
a007863 deps: [email protected]
e98f584 Revert "build: use [email protected] for Node.js < 4"
a659137 tests: use strict mode
a39e409 tests: prevent leaking changes to NODE_ENV
82de4de examples: fix path traversal in downloads example
12310c5 build: use nyc for test coverage
884657d examples: remove bitwise syntax for includes check
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies javascript

opened by dependabot[bot] 0

chore(deps): bump express from 4.17.1 to 4.17.3 in /api

Bumps express from 4.17.1 to 4.17.3.

Release notes

Sourced from express's releases.

4.17.3

deps: accepts@~1.3.8

deps: mime-types@~2.1.34

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

Fix handling of __proto__ keys

pref: remove unnecessary regexp for trust proxy

4.17.2

Fix handling of undefined in res.jsonp

Fix handling of undefined when "json escape" is enabled

Fix incorrect middleware execution with unanchored RegExps

Fix res.jsonp(obj, status) deprecation message

Fix typo in res.is JSDoc

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: type-is@~1.6.18

deps: [email protected]

deps: [email protected]

deps: [email protected]

Fix maxAge option to reject invalid values

deps: proxy-addr@~2.0.7

Use req.socket over deprecated req.connection

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

pref: ignore empty http tokens

deps: [email protected]

deps: [email protected]

deps: [email protected]

Changelog

Sourced from express's changelog.

4.17.3 / 2022-02-16

deps: accepts@~1.3.8

deps: mime-types@~2.1.34

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

Fix handling of __proto__ keys

pref: remove unnecessary regexp for trust proxy

4.17.2 / 2021-12-16

Fix handling of undefined in res.jsonp

Fix handling of undefined when "json escape" is enabled

Fix incorrect middleware execution with unanchored RegExps

Fix res.jsonp(obj, status) deprecation message

Fix typo in res.is JSDoc

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: type-is@~1.6.18

deps: [email protected]

deps: [email protected]

deps: [email protected]

Fix maxAge option to reject invalid values

deps: proxy-addr@~2.0.7

Use req.socket over deprecated req.connection

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

pref: ignore empty http tokens

deps: [email protected]

deps: [email protected]

deps: [email protected]

Commits

3d7fce5 4.17.3
f906371 build: update example dependencies
6381bc6 deps: [email protected]
a007863 deps: [email protected]
e98f584 Revert "build: use [email protected] for Node.js < 4"
a659137 tests: use strict mode
a39e409 tests: prevent leaking changes to NODE_ENV
82de4de examples: fix path traversal in downloads example
12310c5 build: use nyc for test coverage
884657d examples: remove bitwise syntax for includes check
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies javascript

opened by dependabot[bot] 0

chore(deps): bump certifi from 2021.5.30 to 2022.12.7 in /chatbot

Bumps certifi from 2021.5.30 to 2022.12.7.

Commits

9e9e840 2022.12.07
b81bdb2 2022.09.24
939a28f 2022.09.14
aca828a 2022.06.15.2
de0eae1 Only use importlib.resources's new files() / Traversable API on Python ≥3.11 ...
b8eb5e9 2022.06.15.1
47fb7ab Fix deprecation warning on Python 3.11 (#199)
b0b48e0 fixes #198 -- update link in license
9d514b4 2022.06.15
4151e88 Add py.typed to MANIFEST.in to package in sdist (#196)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python

opened by dependabot[bot] 0

chore(deps): bump pillow from 9.0.1 to 9.3.0 in /chatbot

Bumps pillow from 9.0.1 to 9.3.0.

Release notes

Sourced from pillow's releases.

9.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/9.3.0.html

Changes

Initialize libtiff buffer when saving #6699 [@radarhere]

Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [@wiredfool]

Inline fname2char to fix memory leak #6329 [@nulano]

Fix memory leaks related to text features #6330 [@nulano]

Use double quotes for version check on old CPython on Windows #6695 [@hugovk]

GHA: replace deprecated set-output command with GITHUB_OUTPUT file #6697 [@nulano]

Remove backup implementation of Round for Windows platforms #6693 [@cgohlke]

Upload fribidi.dll to GitHub Actions #6532 [@nulano]

Fixed set_variation_by_name offset #6445 [@radarhere]

Windows build improvements #6562 [@nulano]

Fix malloc in _imagingft.c:font_setvaraxes #6690 [@cgohlke]

Only use ASCII characters in C source file #6691 [@cgohlke]

Release Python GIL when converting images using matrix operations #6418 [@hmaarrfk]

Added ExifTags enums #6630 [@radarhere]

Do not modify previous frame when calculating delta in PNG #6683 [@radarhere]

Added support for reading BMP images with RLE4 compression #6674 [@npjg]

Decode JPEG compressed BLP1 data in original mode #6678 [@radarhere]

pylint warnings #6659 [@marksmayo]

Added GPS TIFF tag info #6661 [@radarhere]

Added conversion between RGB/RGBA/RGBX and LAB #6647 [@radarhere]

Do not attempt normalization if mode is already normal #6644 [@radarhere]

Fixed seeking to an L frame in a GIF #6576 [@radarhere]

Consider all frames when selecting mode for PNG save_all #6610 [@radarhere]

Don't reassign crc on ChunkStream close #6627 [@radarhere]

Raise a warning if NumPy failed to raise an error during conversion #6594 [@radarhere]

Only read a maximum of 100 bytes at a time in IMT header #6623 [@radarhere]

Show all frames in ImageShow #6611 [@radarhere]

Allow FLI palette chunk to not be first #6626 [@radarhere]

If first GIF frame has transparency for RGB_ALWAYS loading strategy, use RGBA mode #6592 [@radarhere]

Round box position to integer when pasting embedded color #6517 [@radarhere]

Removed EXIF prefix when saving WebP #6582 [@radarhere]

Pad IM palette to 768 bytes when saving #6579 [@radarhere]

Added DDS BC6H reading #6449 [@ShadelessFox]

Added support for opening WhiteIsZero 16-bit integer TIFF images #6642 [@JayWiz]

Raise an error when allocating translucent color to RGB palette #6654 [@jsbueno]

Moved mode check outside of loops #6650 [@radarhere]

Added reading of TIFF child images #6569 [@radarhere]

Improved ImageOps palette handling #6596 [@PososikTeam]

Defer parsing of palette into colors #6567 [@radarhere]

Apply transparency to P images in ImageTk.PhotoImage #6559 [@radarhere]

Use rounding in ImageOps contain() and pad() #6522 [@bibinhashley]

Fixed GIF remapping to palette with duplicate entries #6548 [@radarhere]

Allow remap_palette() to return an image with less than 256 palette entries #6543 [@radarhere]

Corrected BMP and TGA palette size when saving #6500 [@radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

9.3.0 (2022-10-29)

Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [wiredfool]

Initialize libtiff buffer when saving #6699 [radarhere]

Inline fname2char to fix memory leak #6329 [nulano]

Fix memory leaks related to text features #6330 [nulano]

Use double quotes for version check on old CPython on Windows #6695 [hugovk]

Remove backup implementation of Round for Windows platforms #6693 [cgohlke]

Fixed set_variation_by_name offset #6445 [radarhere]

Fix malloc in _imagingft.c:font_setvaraxes #6690 [cgohlke]

Release Python GIL when converting images using matrix operations #6418 [hmaarrfk]

Added ExifTags enums #6630 [radarhere]

Do not modify previous frame when calculating delta in PNG #6683 [radarhere]

Added support for reading BMP images with RLE4 compression #6674 [npjg, radarhere]

Decode JPEG compressed BLP1 data in original mode #6678 [radarhere]

Added GPS TIFF tag info #6661 [radarhere]

Added conversion between RGB/RGBA/RGBX and LAB #6647 [radarhere]

Do not attempt normalization if mode is already normal #6644 [radarhere]

... (truncated)

Commits

d594f4c Update CHANGES.rst [ci skip]
909dc64 9.3.0 version bump
1a51ce7 Merge pull request #6699 from hugovk/security-libtiff_buffer
2444cdd Merge pull request #6700 from hugovk/security-samples_per_pixel-sec
744f455 Added release notes
0846bfa Add to release notes
799a6a0 Fix linting
00b25fd Hide UserWarning in logs
05b175e Tighter test case
13f2c5a Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python

opened by dependabot[bot] 0

chore(deps): bump tensorflow from 2.7.2 to 2.9.3 in /chatbot

Bumps tensorflow from 2.7.2 to 2.9.3.

Release notes

Sourced from tensorflow's releases.

TensorFlow 2.9.3

Release 2.9.3

This release introduces several vulnerability fixes:

Fixes an overflow in tf.keras.losses.poisson (CVE-2022-41887)

Fixes a heap OOB failure in ThreadUnsafeUnigramCandidateSampler caused by missing validation (CVE-2022-41880)

Fixes a segfault in ndarray_tensor_bridge (CVE-2022-41884)

Fixes an overflow in FusedResizeAndPadConv2D (CVE-2022-41885)

Fixes a overflow in ImageProjectiveTransformV2 (CVE-2022-41886)

Fixes an FPE in tf.image.generate_bounding_box_proposals on GPU (CVE-2022-41888)

Fixes a segfault in pywrap_tfe_src caused by invalid attributes (CVE-2022-41889)

Fixes a CHECK fail in BCast (CVE-2022-41890)

Fixes a segfault in TensorListConcat (CVE-2022-41891)

Fixes a CHECK_EQ fail in TensorListResize (CVE-2022-41893)

Fixes an overflow in CONV_3D_TRANSPOSE on TFLite (CVE-2022-41894)

Fixes a heap OOB in MirrorPadGrad (CVE-2022-41895)

Fixes a crash in Mfcc (CVE-2022-41896)

Fixes a heap OOB in FractionalMaxPoolGrad (CVE-2022-41897)

Fixes a CHECK fail in SparseFillEmptyRowsGrad (CVE-2022-41898)

Fixes a CHECK fail in SdcaOptimizer (CVE-2022-41899)

Fixes a heap OOB in FractionalAvgPool and FractionalMaxPool(CVE-2022-41900)

Fixes a CHECK_EQ in SparseMatrixNNZ (CVE-2022-41901)

Fixes an OOB write in grappler (CVE-2022-41902)

Fixes a overflow in ResizeNearestNeighborGrad (CVE-2022-41907)

Fixes a CHECK fail in PyFunc (CVE-2022-41908)

Fixes a segfault in CompositeTensorVariantToComponents (CVE-2022-41909)

Fixes a invalid char to bool conversion in printing a tensor (CVE-2022-41911)

Fixes a heap overflow in QuantizeAndDequantizeV2 (CVE-2022-41910)

Fixes a CHECK failure in SobolSample via missing validation (CVE-2022-35935)

Fixes a CHECK fail in TensorListScatter and TensorListScatterV2 in eager mode (CVE-2022-35935)

TensorFlow 2.9.2

Release 2.9.2

This releases introduces several vulnerability fixes:

Fixes a CHECK failure in tf.reshape caused by overflows (CVE-2022-35934)

Fixes a CHECK failure in SobolSample caused by missing validation (CVE-2022-35935)

Fixes an OOB read in Gather_nd op in TF Lite (CVE-2022-35937)

Fixes a CHECK failure in TensorListReserve caused by missing validation (CVE-2022-35960)

Fixes an OOB write in Scatter_nd op in TF Lite (CVE-2022-35939)

Fixes an integer overflow in RaggedRangeOp (CVE-2022-35940)

Fixes a CHECK failure in AvgPoolOp (CVE-2022-35941)

Fixes a CHECK failures in UnbatchGradOp (CVE-2022-35952)

Fixes a segfault TFLite converter on per-channel quantized transposed convolutions (CVE-2022-36027)

Fixes a CHECK failures in AvgPool3DGrad (CVE-2022-35959)

Fixes a CHECK failures in FractionalAvgPoolGrad (CVE-2022-35963)

Fixes a segfault in BlockLSTMGradV2 (CVE-2022-35964)

Fixes a segfault in LowerBound and UpperBound (CVE-2022-35965)

... (truncated)

Changelog

Sourced from tensorflow's changelog.

Release 2.9.3

This release introduces several vulnerability fixes:

Fixes an overflow in tf.keras.losses.poisson (CVE-2022-41887)

Fixes a heap OOB failure in ThreadUnsafeUnigramCandidateSampler caused by missing validation (CVE-2022-41880)

Fixes a segfault in ndarray_tensor_bridge (CVE-2022-41884)

Fixes an overflow in FusedResizeAndPadConv2D (CVE-2022-41885)

Fixes a overflow in ImageProjectiveTransformV2 (CVE-2022-41886)

Fixes an FPE in tf.image.generate_bounding_box_proposals on GPU (CVE-2022-41888)

Fixes a segfault in pywrap_tfe_src caused by invalid attributes (CVE-2022-41889)

Fixes a CHECK fail in BCast (CVE-2022-41890)

Fixes a segfault in TensorListConcat (CVE-2022-41891)

Fixes a CHECK_EQ fail in TensorListResize (CVE-2022-41893)

Fixes an overflow in CONV_3D_TRANSPOSE on TFLite (CVE-2022-41894)

Fixes a heap OOB in MirrorPadGrad (CVE-2022-41895)

Fixes a crash in Mfcc (CVE-2022-41896)

Fixes a heap OOB in FractionalMaxPoolGrad (CVE-2022-41897)

Fixes a CHECK fail in SparseFillEmptyRowsGrad (CVE-2022-41898)

Fixes a CHECK fail in SdcaOptimizer (CVE-2022-41899)

Fixes a heap OOB in FractionalAvgPool and FractionalMaxPool(CVE-2022-41900)

Fixes a CHECK_EQ in SparseMatrixNNZ (CVE-2022-41901)

Fixes an OOB write in grappler (CVE-2022-41902)

Fixes a overflow in ResizeNearestNeighborGrad (CVE-2022-41907)

Fixes a CHECK fail in PyFunc (CVE-2022-41908)

Fixes a segfault in CompositeTensorVariantToComponents (CVE-2022-41909)

Fixes a invalid char to bool conversion in printing a tensor (CVE-2022-41911)

Fixes a heap overflow in QuantizeAndDequantizeV2 (CVE-2022-41910)

Fixes a CHECK failure in SobolSample via missing validation (CVE-2022-35935)

Fixes a CHECK fail in TensorListScatter and TensorListScatterV2 in eager mode (CVE-2022-35935)

Release 2.8.4

This release introduces several vulnerability fixes:

Fixes a heap OOB failure in ThreadUnsafeUnigramCandidateSampler caused by missing validation (CVE-2022-41880)

Fixes a segfault in ndarray_tensor_bridge (CVE-2022-41884)

Fixes an overflow in FusedResizeAndPadConv2D (CVE-2022-41885)

Fixes a overflow in ImageProjectiveTransformV2 (CVE-2022-41886)

Fixes an FPE in tf.image.generate_bounding_box_proposals on GPU (CVE-2022-41888)

Fixes a segfault in pywrap_tfe_src caused by invalid attributes (CVE-2022-41889)

Fixes a CHECK fail in BCast (CVE-2022-41890)

Fixes a segfault in TensorListConcat (CVE-2022-41891)

Fixes a CHECK_EQ fail in TensorListResize (CVE-2022-41893)

Fixes an overflow in CONV_3D_TRANSPOSE on TFLite (CVE-2022-41894)

Fixes a heap OOB in MirrorPadGrad (CVE-2022-41895)

Fixes a crash in Mfcc (CVE-2022-41896)

Fixes a heap OOB in FractionalMaxPoolGrad (CVE-2022-41897)

Fixes a CHECK fail in SparseFillEmptyRowsGrad (CVE-2022-41898)

Fixes a CHECK fail in SdcaOptimizer (CVE-2022-41899)

... (truncated)

Commits

a5ed5f3 Merge pull request #58584 from tensorflow/vinila21-patch-2
258f9a1 Update py_func.cc
cd27cfb Merge pull request #58580 from tensorflow-jenkins/version-numbers-2.9.3-24474
3e75385 Update version numbers to 2.9.3
bc72c39 Merge pull request #58482 from tensorflow-jenkins/relnotes-2.9.3-25695
3506c90 Update RELEASE.md
8dcb48e Update RELEASE.md
4f34ec8 Merge pull request #58576 from pak-laura/c2.99f03a9d3bafe902c1e6beb105b2f2417...
6fc67e4 Replace CHECK with returning an InternalError on failing to create python tuple
5dbe90a Merge pull request #58570 from tensorflow/r2.9-7b174a0f2e4
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python

opened by dependabot[bot] 0

chore(deps): bump minimatch from 3.0.4 to 3.1.2 in /api

Bumps minimatch from 3.0.4 to 3.1.2.

Commits

699c459 3.1.2
2f2b5ff fix: trim pattern
25d7c0d 3.1.1
55dda29 fix: treat nocase:true as always having magic
5e1fb8d 3.1.0
f8145c5 Add 'allowWindowsEscape' option
570e8b1 add publishConfig for v3 publishes
5b7cd33 3.0.6
20b4b56 [fix] revert all breaking syntax changes
2ff0388 document, expose, and test 'partial:true' option
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language