Bump the pip group across 1 directory with 11 updates

[dependabot]

Bumps the pip group with 10 updates in the /api directory:

Package	From	To
certifi	2020.11.8	2023.7.22
django-ses	1.0.3	3.5.0
django	2.2.24	3.2.25
gunicorn	20.0.4	22.0.0
jinja2	2.11.3	3.1.4
protobuf	3.14.0	3.18.3
pyjwt	1.7.1	2.4.0
requests	2.24.0	2.32.2
sentry-sdk	0.19.4	1.14.0
sqlparse	0.4.1	0.5.0

Updates certifi from 2020.11.8 to 2023.7.22

Commits

• 8fb96ed 2023.07.22
• afe7722 Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)
• 2038739 Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)
• 44df761 Hash pin Actions and enable dependabot (#228)
• 8b3d7ba 2023.05.07
• 53da240 ci: Add Python 3.12-dev to the testing (#224)
• c2fc3b1 Create a Security Policy (#222)
• c211ef4 Set up permissions to github workflows (#218)
• 2087de5 Don't let deprecation warning fail CI (#219)
• e0b9fc5 remove paragraphs about 1024-bit roots from README
• Additional commits viewable in compare view

Updates django-ses from 1.0.3 to 3.5.0

Release notes

Sourced from django-ses's releases.

v3.5.0

Fix a security issue for certificates, see diff:

django-ses/django-ses@v3.4.1...v3.5.0

In particular b71b5f413293a13997b6e6314086cb9c22629795

v3.4.1

Fix #278 via #279

v3.4.0

Breaking change for AWS_SES_RETURN_PATH setting merged in #276

See django-ses/django-ses#276 for example

v3.3.0

• #269
• #268
• #266
• #265

v3.2.2

• #264

v3.2.1

• #263
• #260

v3.2.0

• #259
• #256

v3.1.2

#255 , #254, #252, #246

django-ses/django-ses@v3.1.0...v3.1.2

v3.1.0

#250 Add support for temporary AWS credentials using session token.

v3.0.1

#242

v3.0.0

Major version!

#238 - use poetry to build #239 - use cryptography instead of cumbersome-to-install m2crypto #240 - update changelog

... (truncated)

Changelog

Sourced from django-ses's changelog.

Change Log

For a list of releases, see: https://github.com/django-ses/django-ses/releases/

Upcoming (dev)

The following changes are not yet released, but are code complete:

Pulls and Issues:

• None

Features:

• None

Changes:

• None

Deprecations:

• None

Fixes:

• None

Current

4.1.0

Adds support for AWS Session Profile with a new setting.

This is a minor bump due to the new setting, it also changes the way the connection is initialized, see here.

Pulls:

• django-ses/django-ses#323

Issues:

• django-ses/django-ses#322

Past

4.0.0

Drops support for Django 2 and python 3.7

Pulls:

• django-ses/django-ses#318
• django-ses/django-ses#321

... (truncated)

Commits

• 2388f4b Update version in pyproject
• 3d62706 Remove remove this
• e37c28a Fix tests.
• 4765cae Add CVE details.
• b71b5f4 Restrict amazonaws allowed certificate URLs.
• c01fd52 Changelog, bump patch
• 1aa96d6 Fix FeedbackForwardingEmailAddress (#279)
• 8295661 Bump minor
• 3c48361 Bump sqlparse from 0.4.3 to 0.4.4 (#277)
• 5d1c76a Update pypi path.
• Additional commits viewable in compare view

Updates django from 2.2.24 to 3.2.25

Commits

• c98eca3 [3.2.x] Bumped version for 3.2.25 release.
• 072963e [3.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words().
• 2ad2676 [3.2.x] Added release date for 3.2.25.
• fc41af6 [3.2.x] Fixed #35172 -- Fixed intcomma for string floats.
• b9170b4 [3.2.x] Added CVE-2024-24680 to security archive.
• e5350a9 [3.2.x] Post release version bump.
• f5c8808 [3.2.x] Bumped version for 3.2.24 release.
• c1171ff [3.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template ...
• 9dc3456 [3.2.x] Added stub release notes 3.2.24.
• 90eae45 [3.2.x] Fixed documented alias of smart_text().
• Additional commits viewable in compare view

Updates gunicorn from 20.0.4 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

fix CVE-2024-1135

1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
2. Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle .
</tr></table> 

... (truncated)

Commits

• f63d59e bump to 22.0
• 4ac81e0 Merge pull request #3175 from e-kwsm/typo
• 401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
• 0243ec3 fix(deps): exclude eventlet 0.36.0
• 628a0bc chore: fix typos
• 88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
• deae2fc CI: back off the agressive timeout
• f470382 docs: promise 3.12 compat
• 5e30bfa add changelog to project.urls (updated for PEP621)
• 481c3f9 remove setup.cfg - overridden by pyproject.toml
• Additional commits viewable in compare view

Updates jinja2 from 2.11.3 to 3.1.4

Release notes

Sourced from jinja2's releases.

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

• The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

3.1.3

This is a fix release for the 3.1.x feature branch.

• Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.
• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-3
• Milestone: https://github.com/pallets/jinja/milestone/15?closed=1

3.1.2

This is a fix release for the 3.1.0 feature release.

• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-2
• Milestone: https://github.com/pallets/jinja/milestone/13?closed=1

3.1.1

• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-1
• Milestone: https://github.com/pallets/jinja/milestone/12?closed=1

3.1.0

This is a feature release, which includes new features and removes previously deprecated features. The 3.1.x branch is now the supported bugfix branch, the 3.0.x branch has become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. We also encourage upgrading to MarkupSafe 2.1.1, the latest version at this time.

• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-0
• Milestone: https://github.com/pallets/jinja/milestone/8?closed=1
• MarkupSafe changes: https://markupsafe.palletsprojects.com/en/2.1.x/changes/#version-2-1-1

3.0.3

• Changes: https://jinja.palletsprojects.com/en/3.0.x/changes/#version-3-0-3

3.0.2

• Changes: https://jinja.palletsprojects.com/en/3.0.x/changes/#version-3-0-2

3.0.1

• Changes: https://jinja.palletsprojects.com/en/3.0.x/changes/#version-3-0-1

3.0.0

New major versions of all the core Pallets libraries, including Jinja 3.0, have been released! 🎉

• Read the announcement on our blog: https://palletsprojects.com/blog/flask-2-0-released/
• Read the full list of changes: https://jinja.palletsprojects.com/changes/#version-3-0-0
• Retweet the announcement on Twitter: https://twitter.com/PalletsTeam/status/1392266507296514048
• Follow our blog, Twitter, or GitHub to see future announcements.

This represents a significant amount of work, and there are quite a few changes. Be sure to carefully read the changelog, and use tools such as pip-compile and Dependabot to pin your dependencies and control your updates.

... (truncated)

Changelog

Sourced from jinja2's changelog.

Version 3.1.4

Released 2024-05-05

• The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. :ghsa:h75v-3vvj-5mfj

Version 3.1.3

Released 2024-01-10

• Fix compiler error when checking if required blocks in parent templates are empty. :pr:1858
• xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
• Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. :pr:1918

Version 3.1.2

Released 2022-04-28

• Add parameters to Environment.overlay to match __init__. :issue:1645
• Handle race condition in FileSystemBytecodeCache. :issue:1654

Version 3.1.1

Released 2022-03-25

• The template filename on Windows uses the primary path separator. :issue:1637

Version 3.1.0

Released 2022-03-24

• Drop support for Python 3.6. :pr:1534
• Remove previously deprecated code. :pr:1544

... (truncated)

Commits

• dd4a8b5 release version 3.1.4
• 0668239 Merge pull request from GHSA-h75v-3vvj-5mfj
• d655030 disallow invalid characters in keys to xmlattr filter
• a7863ba add ghsa links
• b5c98e7 start version 3.1.4
• da3a9f0 update project files (#1968)
• 0ee5eb4 satisfy formatter, linter, and strict mypy
• 20477c6 update project files (#5457)
• e491223 update pyyaml dev dependency
• 36f9885 fix pr link
• Additional commits viewable in compare view

Updates protobuf from 3.14.0 to 3.18.3

Release notes

Sourced from protobuf's releases.

Protocol Buffers v3.18.3

C++

• Reduce memory consumption of MessageSet parsing
• This release addresses a Security Advisory for C++ and Python users

Protocol Buffers v3.18.2

Java

• Improve performance characteristics of UnknownFieldSet parsing (#9371)

Protocol Buffers v3.18.1

Python

• Update setup.py to reflect that we now require at least Python 3.5 (#8989)
• Performance fix for DynamicMessage: force GetRaw() to be inlined (#9023)

Ruby

• Update ruby_generator.cc to allow proto2 imports in proto3 (#9003)

Protocol Buffers v3.18.0

C++

• Fix warnings raised by clang 11 (#8664)
• Make StringPiece constructible from std::string_view (#8707)
• Add missing capability attributes for LLVM 12 (#8714)
• Stop using std::iterator (deprecated in C++17). (#8741)
• Move field_access_listener from libprotobuf-lite to libprotobuf (#8775)
• Fix #7047 Safely handle setlocale (#8735)
• Remove deprecated version of SetTotalBytesLimit() (#8794)
• Support arena allocation of google::protobuf::AnyMetadata (#8758)
• Fix undefined symbol error around SharedCtor() (#8827)
• Fix default value of enum(int) in json_util with proto2 (#8835)
• Better Smaller ByteSizeLong
• Introduce event filters for inject_field_listener_events
• Reduce memory usage of DescriptorPool
• For lazy fields copy serialized form when allowed.
• Re-introduce the InlinedStringField class
• v2 access listener
• Reduce padding in the proto's ExtensionRegistry map.
• GetExtension performance optimizations
• Make tracker a static variable rather than call static functions
• Support extensions in field access listener
• Annotate MergeFrom for field access listener
• Fix incomplete types for field access listener
• Add map_entry/new_map_entry to SpecificField in MessageDifferencer. They record the map items which are different in MessageDifferencer's reporter.
• Reduce binary size due to fieldless proto messages
• TextFormat: ParseInfoTree supports getting field end location in addition to start.
• Fix repeated enum extension size in field listener
• Enable Any Text Expansion for Descriptors::DebugString()
• Switch from int{8,16,32,64} to int{8,16,32,64}_t

... (truncated)

Commits

• a902b39 No-op whitespace change
• ae62acd Updating version.json and repo version numbers to: 18.3
• f43ac49 Merge pull request #10542 from deannagarcia/3.18.x
• 9efdf55 Add missing includes
• d1635e1 Apply patch
• 5b37c91 Update version.json with "lts": true (#10534)
• c39d622 Merge pull request #10529 from protocolbuffers/deannagarcia-patch-5
• f77d3b6 Update version.json
• 8178b06 Merge pull request #10503 from deannagarcia/3.18.x
• 24ca839 Add version file
• Additional commits viewable in compare view

Updates pyjwt from 1.7.1 to 2.4.0

Release notes

Sourced from pyjwt's releases.

2.4.0

Security

• [CVE-2022-29217] Prevent key confusion through non-blocklisted public key formats. GHSA-ffqj-6fqr-9h24

What's Changed

• Add support for Python 3.10 by @​hugovk in jpadilla/pyjwt#699
• Don't use implicit optionals by @​rekyungmin in jpadilla/pyjwt#705
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#708
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#710
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#711
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#712
• documentation fix: show correct scope for decode_complete() by @​sseering in jpadilla/pyjwt#661
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#716
• Explicit check the key for ECAlgorithm by @​estin in jpadilla/pyjwt#713
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#720
• api_jwk: Add PyJWKSet.getitem by @​woodruffw in jpadilla/pyjwt#725
• Update usage.rst by @​guneybilen in jpadilla/pyjwt#727
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#728
• fix: Update copyright information by @​kkirsche in jpadilla/pyjwt#729
• Docs: mention performance reasons for reusing RSAPrivateKey when encoding by @​dmahr1 in jpadilla/pyjwt#734
• Fixed typo in usage.rst by @​israelabraham in jpadilla/pyjwt#738
• Add detached payload support for JWS encoding and decoding by @​fviard in jpadilla/pyjwt#723
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#740
• Raise DeprecationWarning for jwt.decode(verify=...) by @​akx in jpadilla/pyjwt#742
• Don't mutate options dictionary in .decode_complete() by @​akx in jpadilla/pyjwt#743
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#748
• Replace various string interpolations with f-strings by @​akx in jpadilla/pyjwt#744
• Update CHANGELOG.rst by @​hipertracker in jpadilla/pyjwt#751

New Contributors

• @​hugovk made their first contribution in jpadilla/pyjwt#699
• @​rekyungmin made their first contribution in jpadilla/pyjwt#705
• @​sseering made their first contribution in jpadilla/pyjwt#661
• @​estin made their first contribution in jpadilla/pyjwt#713
• @​woodruffw made their first contribution in jpadilla/pyjwt#725
• @​guneybilen made their first contribution in jpadilla/pyjwt#727
• @​dmahr1 made their first contribution in jpadilla/pyjwt#734
• @​israelabraham made their first contribution in jpadilla/pyjwt#738
• @​fviard made their first contribution in jpadilla/pyjwt#723
• @​akx made their first contribution in jpadilla/pyjwt#742
• @​hipertracker made their first contribution in jpadilla/pyjwt#751

Full Changelog: jpadilla/pyjwt@2.3.0...2.4.0

2.3.0

What's Changed

• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#700
• Add exception chaining by @​ehdgua01 in jpadilla/pyjwt#702
• Revert "Remove arbitrary kwargs." by @​auvipy in jpadilla/pyjwt#701

... (truncated)

Changelog

Sourced from pyjwt's changelog.

v2.4.0 <https://github.com/jpadilla/pyjwt/compare/2.3.0...2.4.0>__

Security

- [CVE-2022-29217] Prevent key confusion through non-blocklisted public key formats. https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24
Changed

- Explicit check the key for ECAlgorithm by @estin in https://github.com/jpadilla/pyjwt/pull/713
- Raise DeprecationWarning for jwt.decode(verify=...) by @akx in https://github.com/jpadilla/pyjwt/pull/742
Fixed

- Don't use implicit optionals by @rekyungmin in https://github.com/jpadilla/pyjwt/pull/705
- documentation fix: show correct scope for decode_complete() by @sseering in https://github.com/jpadilla/pyjwt/pull/661
- fix: Update copyright information by @kkirsche in https://github.com/jpadilla/pyjwt/pull/729
- Don't mutate options dictionary in .decode_complete() by @akx in https://github.com/jpadilla/pyjwt/pull/743

Added


Add support for Python 3.10 by @hugovk in https://github.com/jpadilla/pyjwt/pull/699
api_jwk: Add PyJWKSet.getitem by @woodruffw in https://github.com/jpadilla/pyjwt/pull/725
Update usage.rst by @guneybilen in https://github.com/jpadilla/pyjwt/pull/727
Docs: mention performance reasons for reusing RSAPrivateKey when encoding by @dmahr1 in https://github.com/jpadilla/pyjwt/pull/734
Fixed typo in usage.rst by @israelabraham in https://github.com/jpadilla/pyjwt/pull/738
Add detached payload support for JWS encoding and decoding by @fviard in https://github.com/jpadilla/pyjwt/pull/723
Replace various string interpolations with f-strings by @akx in https://github.com/jpadilla/pyjwt/pull/744
Update CHANGELOG.rst by @hipertracker in https://github.com/jpadilla/pyjwt/pull/751

v2.3.0 <https://github.com/jpadilla/pyjwt/compare/2.2.0...2.3.0>__
Fixed

- Revert "Remove arbitrary kwargs." `[#701](https://github.com/jpadilla/pyjwt/issues/701) <https://github.com/jpadilla/pyjwt/pull/701>`__

Added


Add exception chaining [#702](https://github.com/jpadilla/pyjwt/issues/702) <https://github.com/jpadilla/pyjwt/pull/702>__

v2.2.0 <https://github.com/jpadilla/pyjwt/compare/2.1.0...2.2.0>__
</tr></table>

</code></pre>

</blockquote>

<p>... (truncated)</p>

</details>

<details>

<summary>Commits</summary>
<ul>

<li><a href="https://github.com/jpadilla/pyjwt/commit/83ff831a4d11190e3a0bed781da43f8d84352653&quot;&gt;&lt;code&gt;83ff831&lt;/code&gt;&lt;/a> chore: update changelog</li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/4c1ce8fd9019dd312ff257b5141cdb6d897379d9&quot;&gt;&lt;code&gt;4c1ce8f&lt;/code&gt;&lt;/a> chore: update changelog</li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/96f3f0275745c5a455c019a0d3476a054980e8ea&quot;&gt;&lt;code&gt;96f3f02&lt;/code&gt;&lt;/a> fix: failing advisory test</li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc&quot;&gt;&lt;code&gt;9c52867&lt;/code&gt;&lt;/a> Merge pull request from GHSA-ffqj-6fqr-9h24</li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/24b29adfebcb4f057a3cef5aaf35653bc0c1c8cc&quot;&gt;&lt;code&gt;24b29ad&lt;/code&gt;&lt;/a> Update CHANGELOG.rst (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/751&quot;&gt;#751&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/31f5acb8fb3ec6cdfe2b1b0a4a8f329b5f3ca67f&quot;&gt;&lt;code&gt;31f5acb&lt;/code&gt;&lt;/a> Replace various string interpolations with f-strings (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/744&quot;&gt;#744&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/5581a31c21de70444c1162bcfa29f7e0fc86edda&quot;&gt;&lt;code&gt;5581a31&lt;/code&gt;&lt;/a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/748&quot;&gt;#748&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/3d4d82248f1120c87f1f4e0e8793eaa1d54843a6&quot;&gt;&lt;code&gt;3d4d822&lt;/code&gt;&lt;/a> Don't mutate options dictionary in .decode_complete() (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/743&quot;&gt;#743&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/1f1fe15bb41846c602b3e106176b2c692b93a613&quot;&gt;&lt;code&gt;1f1fe15&lt;/code&gt;&lt;/a> Add a deprecation warning when jwt.decode() is called with the legacy verify=...</li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/35fa28e59d99b99c6a780d2a029a74d6bbba8b1e&quot;&gt;&lt;code&gt;35fa28e&lt;/code&gt;&lt;/a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/740&quot;&gt;#740&lt;/a&gt;)&lt;/li>

<li>Additional commits viewable in <a href="https://github.com/jpadilla/pyjwt/compare/1.7.1...2.4.0&quot;&gt;compare view</a></li>

</ul>

</details>
<br />


Updates requests from 2.24.0 to 2.32.2

Release notes
Sourced from requests's releases.

v2.32.2
2.32.2 (2024-05-21)
Deprecations


To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed _get_connection to
a new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of Requests>=2.32.0.
A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)


v2.32.1
2.32.1 (2024-05-20)
Bugfixes

Add missing test certs to the sdist distributed on PyPI.

v2.32.0
2.32.0 (2024-05-20)
🐍 PYCON US 2024 EDITION 🐍
Security

Fixed an issue where setting verify=False on the first request from a
Session will cause subsequent requests to the same origin to also ignore
cert verification, regardless of the value of verify.
(https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

Improvements

verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)
Requests now supports optional use of character detection
(chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)

Bugfixes

Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (#6589)
Fixed deserialization bug in JSONDecodeError. (#6629)
Fixed bug where an extra leading / (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)



... (truncated)


Changelog
Sourced from requests's changelog.

2.32.2 (2024-05-21)
Deprecations


To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed _get_connection to
a new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of Requests>=2.32.0.
A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)


2.32.1 (2024-05-20)
Bugfixes

Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)
Security

Fixed an issue where setting verify=False on the first request from a
Session will cause subsequent requests to the same origin to also ignore
cert verification, regardless of the value of verify.
(https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

Improvements

verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)
Requests now supports optional use of character detection
(chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)

Bugfixes

Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (#6589)
Fixed deserialization bug in JSONDecodeError. (#6629)
Fixed bug where an extra leading / (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations


... (truncated)


Commits

88dce9d v2.32.2
c98e4d1 Merge pull request #6710 from nateprewitt/api_rename
92075b3 Add deprecation warning
aa1461b Move _get_connection to get_connection_with_tls_context
970e8ce v2.32.1
d6ebc4a v2.32.0
9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
555b870 Allow character detection dependencies to be optional in post-packaging steps
d6dded3 Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test
Additional commits viewable in compare view




Updates sentry-sdk from 0.19.4 to 1.14.0

Release notes
Sourced from sentry-sdk's releases.

1.14.0
Various fixes & improvements


Add before_send_transaction (#1840) by @​antonpirker
Adds a hook (similar to before_send) that is called for all transaction events (performance releated data).
Usage:
  import sentry_sdk
def strip_sensitive_data(event, hint):
# modify event here (or return None if you want to drop the event entirely)
return event
sentry_sdk.init(
# ...
before_send_transaction=strip_sensitive_data,
)

See also: https://docs.sentry.io/platforms/python/configuration/filtering/#using-platformidentifier-namebefore-send-transaction-


Django: Always remove values of Django session related cookies. (#1842) by @​antonpirker


Profiling: Enable profiling for ASGI frameworks (#1824) by @​Zylphrex


Profiling: Better gevent support (#1822) by @​Zylphrex


Profiling: Add profile context to transaction (#1860) by @​Zylphrex


Profiling: Use co_qualname in python 3.11 (#1831) by @​Zylphrex


OpenTelemetry: fix Use dict for sentry-trace context instead of tuple (#1847) by @​AbhiPrasad


OpenTelemetry: fix extra dependency (#1825) by @​bernardotorres


OpenTelemetry: fix NoOpSpan updates scope (#1834) by @​Zylphrex


OpenTelemetry: Make sure to noop when there is no DSN (#1852) by @​antonpirker


FastAPI: Fix middleware being patched multiple times (#1841) by @​JohnnyDeuss


Starlette: Avoid import of pkg_resource with Starlette integration (#1836) by @​mgu


Removed code coverage target (#1862) by @​antonpirker


1.13.0
Various fixes & improvements


Add Starlite integration (#1748) by @​gazorby
Adding support for the Starlite framework. Unhandled errors are captured. Performance spans for Starlite middleware are also captured. Thanks @​gazorby for the great work!
Usage:
from starlite import Starlite, get
import sentry_sdk





... (truncated)


Changelog
Sourced from sentry-sdk's changelog.

1.14.0
Various fixes & improvements


Add before_send_transaction (#1840) by @​antonpirker
Adds a hook (similar to before_send) that is called for all transaction events (performance releated data).
Usage:
  import sentry_sdk
def strip_sensitive_data(event, hint):
# modify event here (or return None if you want to drop the event entirely)
return event
sentry_sdk.init(
# ...
before_send_transaction=strip_sensitive_data,
)

See also: https://docs.sentry.io/platforms/python/configuration/filtering/#using-platformidentifier-namebefore-send-transaction-


Django: Always remove values of Django session related cookies. (#1842) by @​antonpirker


Profiling: Enable profiling for ASGI frameworks (#1824) by @​Zylphrex


Profiling: Better gevent support (#1822) by @​Zylphrex


Profiling: Add profile context to transaction (#1860) by @​Zylphrex


Profiling: Use co_qualname in python 3.11 (#1831) by @​Zylphrex


OpenTelemetry: fix Use dict for sentry-trace context instead of tuple (#1847) by @​AbhiPrasad


OpenTelemetry: fix extra dependency (#1825) by @​bernardotorres


OpenTelemetry: fix NoOpSpan updates scope (#1834) by @​Zylphrex


OpenTelemetry: Make sure to noop when there is no DSN (#1852) by @​antonpirker


FastAPI: Fix middleware being patched multiple times (#1841) by @​JohnnyDeuss


Starlette: Avoid import of pkg_resource with Starlette integration (#1836) by @​mgu


Removed code coverage target (#1862) by @​antonpirker


1.13.0
Various fixes & improvements


Add Starlite integration (#1748) by @​gazorby
Adding support for the Starlite framework. Unhandled errors are captured. Performance spans for Starlite middleware are also captured. Thanks @​gazorby for the great work!
Usage:
from starlite import Starlite, get





... (truncated)


Commits

8c4a19a Updated changelog
f095df7 release: 1.14.0
d27808f Removed code coverage target (#1862)
cd2f51b feat(profiling): Add profile context to transaction (#1860)
d515233 Always remove Django session related cookies. (#1842)
032ea57 Make sure to noop when there is no DSN (#1852)
086e385 feat(profiling): Use co_qualname in python 3.11 (