
Update dependency quart to ^0.20.0 [SECURITY] #107

Status: Open. Wants to merge 1 commit into base branch main.
Conversation

renovate[bot] (Contributor)

@renovate renovate bot commented Oct 25, 2024

This PR contains the following updates:

Package           | Change
------------------|----------------------
quart (changelog) | ^0.18.4 -> ^0.20.0

GitHub Vulnerability Alerts

CVE-2024-49767

Applications using Werkzeug to parse multipart/form-data requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the Request.max_form_memory_size setting.

The Request.max_content_length setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.
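As an added example that is not part of this PR nor of Werkzeug's or Quart's code: a constructed minimal multipart/form-data reader that applies the three limits the advisory names while it parses, keeping a running total of non-file field bytes so that several fields that each fit under max_form_memory_size cannot together exceed it. Function and parameter names are assumptions chosen for illustration; in a real deployment these limits are set on the framework's request/config objects rather than hand-rolled.

```python
from __future__ import annotations
import re

class RequestEntityTooLarge(Exception):
    """Raised when a configured limit is exceeded (maps to HTTP 413)."""

def parse_multipart(body: bytes, boundary: bytes, *,
                    max_content_length: int | None = None,
                    max_form_memory_size: int | None = None,
                    max_form_parts: int | None = None) -> dict:
    """Constructed illustration (not Werkzeug's or Quart's parser).

    Returns {"fields": {name: bytes}, "files": {name: size}}.
    max_content_length   bounds the whole body.
    max_form_memory_size bounds bytes of NON-file fields kept in memory,
                         accumulated across fields, not checked per field.
    max_form_parts       bounds the number of parts.
    """
    if max_content_length is not None and len(body) > max_content_length:
        raise RequestEntityTooLarge("body exceeds max_content_length")
    chunks = body.split(b"--" + boundary)
    # chunks[0] is the preamble; the closing delimiter leaves a chunk starting "--"
    parts = [c for c in chunks[1:] if not c.startswith(b"--")]
    if max_form_parts is not None and len(parts) > max_form_parts:
        raise RequestEntityTooLarge("part count exceeds max_form_parts")
    fields, files, in_memory = {}, {}, 0
    for raw in parts:
        head, _, data = raw.lstrip(b"\r\n").partition(b"\r\n\r\n")
        data = data.removesuffix(b"\r\n")
        m = re.search(rb'name="([^"]*)"', head)
        name = m.group(1).decode() if m else ""
        if b"filename=" in head:
            files[name] = len(data)   # file parts are streamed, not kept in memory
            continue
        in_memory += len(data)        # the running total is what must be checked
        if max_form_memory_size is not None and in_memory > max_form_memory_size:
            raise RequestEntityTooLarge("form fields exceed max_form_memory_size")
        fields[name] = data
    return {"fields": fields, "files": files}

def build_body(boundary: bytes, parts: list[tuple[str, bytes, str | None]]) -> bytes:
    """Build a constructed multipart/form-data body for exercising the limits."""
    out = b""
    for name, data, filename in parts:
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename:
            disp += f'; filename="{filename}"'
        out += b"--" + boundary + b"\r\n" + disp.encode() + b"\r\n\r\n" + data + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"
```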


Release Notes

pallets/quart (quart)

v0.20.0

Released 2024-12-23

  • Drop support for Python 3.8.
  • Fix deprecated asyncio.iscoroutinefunction for Python 3.14.
  • Allow AsyncIterable to be passed to Response.
  • Support max_form_parts and max_form_memory_size.

v0.19.9

Released 2024-11-14

  • Fix missing PROVIDE_AUTOMATIC_OPTIONS config for compatibility with
    Flask 3.1.

v0.19.8

Released 2024-10-25

  • Fix missing check that caused the previous fix to raise an error.

v0.19.7

Released 2024-10-25

  • Fix how max_form_memory_size is applied when parsing large non-file fields.
    GHSA-q34m-jh98-gwm2

v0.19.6

Released 2024-05-19

  • Use ContentRange in the right way.
  • Hold a strong reference to background tasks.
  • Avoid ResourceWarning in DataBody.__aiter__.

v0.19.5

Released 2024-04-01

  • Address DeprecationWarning from datetime.utcnow().
  • Ensure request files are closed.
  • Fix development server restarting when commands are passed.
  • Restore teardown_websocket methods.
  • Correct the config_class type.
  • Allow kwargs to be passed to the test client (matches Flask API).

v0.19.4

Released 2023-11-19

  • Fix program not closing on Ctrl+C in Windows.
  • Fix the typing for AfterWebsocket functions.
  • Improve the typing of the ensure_async method.
  • Add a shutdown event to the app.

v0.19.3

Released 2023-10-04

  • Update the default config to better match Flask.

v0.19.2

Released 2023-10-01

  • Restore the app after_/before_websocket methods.
  • Correctly set the cli group in Quart.

v0.19.1

Released 2023-09-30

  • Remove QUART_ENV and env usage.

v0.19.0

Released 2023-09-30

  • Remove Flask-Patch. It has been replaced with the Quart-Flask-Patch extension.
  • Remove references to first request, as per Flask.
  • Await the background tasks before calling the after serving functions.
  • Don't copy the app context into the background task.
  • Allow background tasks a grace period to complete during shutdown.
  • Base Quart on Flask, utilising Flask code where possible. This introduces a
    dependency on Flask.
  • Fix trailing slash issue in URL concatenation for empty path.
  • Use only CR in SSE documentation.
  • Fix typing for websocket to accept auth data.
  • Ensure subdomains apply to nested blueprints.
  • Ensure make_response errors if the value is incorrect.
  • Fix propagated exception handling.
  • Ensure exceptions propagate before logging.
  • Cope with scope extension value being None.
  • Ensure the conditional 304 response is empty.
  • Handle empty path in URL concatenation.
  • Corrected typing hint for abort method.
  • Fix root_path usage.
  • Fix Werkzeug deprecation warnings.
  • Add .svg to Jinja's autoescaping.
  • Improve the WebsocketResponse error, by including the response.
  • Add a file mode parameter to the config.from_file method.
  • Show the subdomain or host in the routes command output.
  • Upgrade to Blinker 1.6.
  • Require Werkzeug 3.0.0 and Flask 3.0.0.
  • Use tomllib rather than toml.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/pypi-quart-vulnerability branch from 4fcec59 to 67fbcb5 on December 27, 2024 21:45
@renovate renovate bot changed the title from "Update dependency quart to ^0.19.0 [SECURITY]" to "Update dependency quart to ^0.20.0 [SECURITY]" on Dec 27, 2024