
chore(deps): update dependency astropy to v5.3.3 [security] #1417

Open
wants to merge 1 commit into base: main

Conversation

renovate[bot]

@renovate renovate bot commented Jan 14, 2025

This PR contains the following updates:

Package: astropy
Change: ==5.1 -> ==5.3.3

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-41334

Summary

RCE due to improper input validation in TransformGraph().to_dot_graph function

Details

Due to improper input validation, a malicious user can provide a command or a script file as the value of the savelayout argument, which will be placed as the first value in a list of arguments passed to subprocess.Popen.
https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539
Although an error will be raised, the command or script will be executed successfully.

PoC

$ cat /tmp/script

#!/bin/bash
echo astrorce > /tmp/poc.txt
$ python3
Python 3.9.2 (default, Feb 28 2021, 17:03:44) 
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from astropy.coordinates.transformations import TransformGraph
>>> tg = TransformGraph()
>>> tg.to_dot_graph(savefn="/tmp/1.txt", savelayout="/tmp/script")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/u32i/.local/lib/python3.9/site-packages/astropy/coordinates/transformations.py", line 584, in to_dot_graph
    stdout, stderr = proc.communicate(dotgraph)
  File "/usr/lib/python3.9/subprocess.py", line 1134, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib/python3.9/subprocess.py", line 1961, in _communicate
    input_view = memoryview(self._input)
TypeError: memoryview: a bytes-like object is required, not 'str'
>>> 
$ cat /tmp/poc.txt
astrorce

Impact

Code execution on the user's machine.


Release Notes

astropy/astropy (astropy)

v5.3.3

Compare Source


Bug Fixes

astropy.coordinates
^^^^^^^^^^^^^^^^^^^

  • TransformGraph.to_dot_graph() now throws an exception for invalid savelayout.

astropy.cosmology
^^^^^^^^^^^^^^^^^

  • The exponent of w0wzCDM functions in inv_efunc has been corrected to 3, from -3. [#​15224]

astropy.modeling
^^^^^^^^^^^^^^^^

  • Astropy modeling can filter non-finite data values using the filter_non_finite
    keyword argument in a fitter call. Now when filter_non_finite is True,
    non-finite weights will also be filtered to prevent crashes in LevMarLSQFitter. [#​15215]

astropy.units
^^^^^^^^^^^^^

  • Fixed astropy.units.Quantity's implementation of numpy.nanmedian(),
    where for Numpy >= 1.25 an exception was raised for some array shapes and axis
    combinations. [#​15228]

Other Changes and Additions

  • v5.3.x will not support NumPy 2.0 or later. [#​15234]

v5.3.2

Compare Source


Bug Fixes

astropy.coordinates
^^^^^^^^^^^^^^^^^^^

  • Fixed import when called with Python -OO flag. [#​15037]

astropy.nddata
^^^^^^^^^^^^^^

  • Fix for collapse operations on NDData without masks or units. [#​15082]

astropy.units
^^^^^^^^^^^^^

  • Modified the implementation of np.power() for instances of Quantity to
    allow any array as the second operand if all its elements have the same value. [#​15101]

v5.3.1

Compare Source


Bug Fixes

astropy.cosmology
^^^^^^^^^^^^^^^^^

  • The exponent in w0wzCDM.de_density_scale has been corrected to 3, from -3. [#​14991]

astropy.io.fits
^^^^^^^^^^^^^^^

  • Fix crash when a PrimaryHDU has a GROUPS keyword with a non-boolean value (i.e.
    not a random-groups HDU). [#​14998]

  • Fixed a bug that caused Cutout2D to not work correctly with CompImageHDU.section [#​14999]

  • Fixed a bug that caused compressed images with TFORM missing the optional '1' prefix to not be readable. [#​15001]

astropy.nddata
^^^^^^^^^^^^^^

  • Restore bitmask propagation behavior in NDData.mask, plus a fix
    for arithmetic between masked and unmasked NDData objects. [#​14995]

astropy.table
^^^^^^^^^^^^^

  • Fix a bug where table indexes were not using a stable sort order. This was causing the
    order of rows within groups to not match the original table order when an indexed table
    was grouped. [#​14907]

astropy.units
^^^^^^^^^^^^^

  • In VOunits, "pix", "au", "a", and "ct" are removed from the list of deprecated units. [#​14885]

v5.3

Compare Source


Bug Fixes

astropy.io.misc
^^^^^^^^^^^^^^^

  • Updated astropy.io.misc.yaml so that dump() with a numpy object array, or load() with YAML representing a numpy object array, both raise TypeError. This prevents problems like a segmentation fault. [#​15373]

astropy.io.votable
^^^^^^^^^^^^^^^^^^

  • Fixed a bug in convert_to_writable_filelike where GzipFile was not
    closed properly. [#​15359]

astropy.units
^^^^^^^^^^^^^

  • In VOUnit, the spaces around the slash were removed in the formatting of
    fractions, and fractional powers now also use the "**" operator. [#​15282]

  • We now ensure that the unit u.cgs.cm is just an alias of u.si.cm,
    instead of a redefinition. This ensures that u.Unit("cm") / u.cm
    will reliably cancel to dimensionless (instead of some "cm / cm"). [#​15368]

astropy.utils
^^^^^^^^^^^^^

  • For Masked, np.ptp and the .ptp() method now properly account for
    the mask, ensuring the result is identical to subtracting the maximum and
    minimum (with the same arguments). [#​15380]

Other Changes and Additions

  • Compatibility with Python 3.12. [#​14784]

  • Replaced the URL of IETF_LEAP_SECOND_URL because the original is now
    defunct and IETF now defers to IANA for such look-up. [#​15421]

v5.2.2

Compare Source


Bug Fixes

astropy.io.ascii
^^^^^^^^^^^^^^^^

  • CDS and MRT tables with units that contain multiple divisions, such as
    km/s/Mpc, now parse correctly as being equal to km/(s.Mpc). [#​14369]

astropy.io.fits
^^^^^^^^^^^^^^^

  • Fix FITSDiff when table contains a VLA column with the Q type. [#​14539]

astropy.table
^^^^^^^^^^^^^

  • Fix a bug when creating a QTable when a Quantity input column is present and the
    units argument modifies the unit of that column. This now works as expected where
    previously this caused an exception. [#​14357]

astropy.units
^^^^^^^^^^^^^

  • CDS units with multiple divisions, such as km/s/Mpc now parse
    correctly as being equal to km/(s.Mpc). [#​14369]

astropy.wcs
^^^^^^^^^^^

  • Fixed a bug that caused subclasses of BaseHighLevelWCS and HighLevelWCSMixin to
    not work correctly under certain conditions if they did not have world_n_dim
    and pixel_n_dim defined on them. [#​14495]

v5.2.1

Compare Source


Bug Fixes

astropy.coordinates
^^^^^^^^^^^^^^^^^^^

  • Fix to ITRS frame earth_location attribute to give the correct result for
    a topocentric frame. [#​14180]

astropy.cosmology
^^^^^^^^^^^^^^^^^

  • Bounds are no longer passed to the scipy minimizer for methods Brent and
    Golden. The scipy minimizer never used the bounds but silently accepted them.
    In scipy v1.11.0.dev0+ an error is raised, so we now pass None as the bounds
    to the minimizer. Users should not be affected by this change. [#​14232]

astropy.io.fits
^^^^^^^^^^^^^^^

  • Tables with multidimensional variable length array can now be properly read
    and written. [#​13417]

astropy.units
^^^^^^^^^^^^^

  • Modified the behavior of numpy.histogram(),
    numpy.histogram_bin_edges(), numpy.histogram2d(), and
    numpy.histogramdd() so that the range argument must be a compatible
    instance of astropy.units.Quantity if the other arguments are instances of
    astropy.units.Quantity. [#​14213]

astropy.visualization
^^^^^^^^^^^^^^^^^^^^^

  • Improved the performance of drawing WCSAxes grids by skipping some unnecessary
    computations. [#​14164]

  • Fixed WCSAxes sometimes triggering a NumPy RuntimeWarning when determining the
    coordinate range of the axes. [#​14211]

Other Changes and Additions

  • Fix compatibility with Numpy 1.24. [#​14193]

v5.2

Compare Source



v5.1.1

Compare Source


API Changes

astropy.wcs
^^^^^^^^^^^

  • The pixel argument to astropy.visualization.wcsaxes.ticklabels.TickLabels.add
    no longer does anything, is deprecated, and will be removed in a future
    astropy version. It has been replaced by a new required data argument, which
    should be used to specify the data coordinates of the tick label being added.

    This change has been made because it is (in general) not possible to correctly
    calculate pixel coordinates before Matplotlib is drawing a figure. [#​12630]

Bug Fixes

astropy.coordinates
^^^^^^^^^^^^^^^^^^^

  • Fixed a bug that prevented SkyOffsetFrame instances to be pickled by adding
    a custom __reduce__ method to the class (see issue #​9249). [#​13305]

  • Fixed the check for invalid Latitude values for float32 values.
    Latitude now accepts the float32 value of pi/2, which was rejected
    before because a comparison was made using the slightly smaller float64 representation.
    See issue #​13708. [#​13745]

astropy.io.ascii
^^^^^^^^^^^^^^^^

  • Fixed confusing chained exception messages of read() function when it fails. [#​13170]

  • When writing out an astropy.table.Table to HTML format, the
    formats keyword argument to the astropy.table.Table.write method
    will now be applied. [#​13453]

astropy.io.fits
^^^^^^^^^^^^^^^

  • heapsize is now checked for VLA tables. An error is thrown if the P format is used
    but the heap size is bigger than what can be indexed with a 32-bit signed int. [#​13429]

  • Fix parsing of ascii TFORM when precision is missing. [#​13520]

  • A compressed image HDU created from the header of a PRIMARY HDU, now correctly updates
    'XTENSION' and 'SIMPLE' keywords. [#​13557]

  • Empty variable-length arrays are now properly handled when pathological combinations of
    heapoffset and heapsize are encountered. [#​13621]

  • PCOUNT and GCOUNT keywords are now removed from an uncompressed Primary header,
    for compliance with fitsverify behavior. [#​13753]

astropy.modeling
^^^^^^^^^^^^^^^^

  • Bugfix for using MagUnit units on model parameters. [#​13158]

  • Fix bug in using non-linear fitters to fit 0-degree polynomials using weights. [#​13628]

astropy.table
^^^^^^^^^^^^^

  • Fix a problem where accessing one field of a structured column returned a Column
    with the same info as the original column. This resulted in unintuitive behavior
    in general and an exception if the format for the column was set. [#​13269]

  • Tables with columns with structured data can now be properly stacked and joined. [#​13306]

  • Update jQuery to 3.6.0, to pick up security fixes. [#​13438]

  • Fix a Python 3.11 compatibility issue. Ensure that when removing a table column
    that the pprint_include_names or pprint_exclude_names attributes get
    updated correctly. [#​13639]

  • When using add_columns with same indexes in indexes option or without
    specifying the option, the order of the new columns will now be kept. [#​13783]

  • Fix a bug when printing or getting the representation of a multidimensional
    table column that has a zero dimension. [#​13838]

  • Ensure that mixin columns and their info are not shared between tables
    even when their underlying data is shared with copy=False. [#​13842]

astropy.time
^^^^^^^^^^^^

  • Fix Time.insert() on times which have their out_subfmt set. [#​12732]

  • Prevent Time() from being initialized with an invalid precision
    leading to incorrect results when representing the time as a string. [#​13068]

  • Fix a bug in Time where a date string like "2022-08-01.123" was being parsed
    as an ISO-format time "2022-08-01 00:00:00.123". The fractional part at the
    end of the string was being taken as seconds. Now this raises an exception
    because the string is not in ISO format. [#​13731]

astropy.units
^^^^^^^^^^^^^

  • Significantly improved the performance of parsing composite units with the FITS
    format, by ensuring the detailed_exception argument is properly passed on
    and thus used. [#​12699]

  • Ensure that np.concatenate on quantities can take a dtype argument (added in numpy 1.20). [#​13323]

  • Ensure that the units of any initial argument to reductions such as
    np.add.reduce (which underlies np.sum) are properly taken into account. [#​13340]

astropy.utils
^^^^^^^^^^^^^

  • Ensure that np.concatenate on masked data can take a dtype argument (added in numpy 1.20). [#​13323]

  • Fix error when suppressing download progress bar while using non-default
    sys.stdout stream. [#​13352]

  • Ensure str and repr work properly for Masked versions of
    structured subarrays. [#​13404]

  • If an attribute is created using deprecated_attribute() with the
    alternative argument then getting or setting the value of the deprecated
    attribute now accesses its replacement. [#​13824]

astropy.visualization
^^^^^^^^^^^^^^^^^^^^^

  • Fixed calling .tight_layout() on a WCSAxes. [#​12418]

astropy.wcs
^^^^^^^^^^^

  • WCS.pixel_to_world now creates an EarthLocation object using MJD-AVG
    if present before falling back to the old behaviour of using MJD-OBS. [#​12598]

  • The locations of WCSAxes ticks and tick-labels are now correctly calculated
    when the DPI of a figure changes between a WCSAxes being created and the figure
    being drawn, or when a rasterized artist is added to the WCSAxes. [#​12630]

  • Fix a bug where SlicedLowLevelWCS.world_to_pixel_values would break when
    the result of the transform is dependent on the coordinate of a sliced out
    pixel. [#​13579]

  • Updated bundled WCSLIB version to 7.12. This update includes bug fixes to
    wcssub() in how it handles temporal axes with -TAB and fixes handling
    of status returns from linp2x() and linx2p() relating to distortion
    functions, in particular affecting TPV distortions (see #​13509). For a full
    list of changes see http://www.atnf.csiro.au/people/mcalabre/WCS/CHANGES or
    astropy/cextern/wcslib/CHANGES (https://github.com/astropy/astropy/blob/24e8730c63902d035cb9110eae2a9ebec12d8905/cextern/wcslib/CHANGES). [#​13635]

  • Fixed WCS validation not working properly if HDUList is needed
    for multi-extension FITS file. [#​13668]


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
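The advisory above shows why the PoC works: the caller-supplied savelayout string reaches subprocess.Popen as argv[0] before any validation, so the script runs even though a TypeError is raised afterwards. The block below is an added example, not astropy's code and not part of the Renovate comment; it shows the shape of fix the 5.3.3 changelog entry describes, with an exact-match allowlist checked before any subprocess call. The function names, the allowlist contents and the use of the Graphviz -Tdot flag are assumptions made for this illustration.

```python
import shutil
import subprocess

# Graphviz layout engines a to_dot_graph()-style helper may run (assumed
# allowlist). Exact match only: no paths, so no caller-supplied script.
ALLOWED_LAYOUTS = frozenset({"dot", "neato", "fdp", "sfdp", "twopi", "circo"})


def is_allowed_layout(savelayout):
    """True only for "plain" (write raw DOT) or an exact allowlist member."""
    return isinstance(savelayout, str) and (
        savelayout == "plain" or savelayout in ALLOWED_LAYOUTS
    )


def validate_savelayout(savelayout):
    """Return savelayout if allowed, else raise ValueError before any Popen."""
    if not is_allowed_layout(savelayout):
        raise ValueError(
            f"savelayout must be 'plain' or one of {sorted(ALLOWED_LAYOUTS)}, "
            f"got {savelayout!r}"
        )
    return savelayout


def render_dot_graph(dotgraph, savefn=None, savelayout="plain"):
    """Return dotgraph as bytes, laid out by an allowlisted engine if asked.

    Validation runs first, so the subprocess only ever sees an allowlisted
    name resolved via PATH; the input is bytes, unlike the PoC traceback.
    """
    layout = validate_savelayout(savelayout)  # rejects "/tmp/script" here
    if layout == "plain":
        data = dotgraph.encode("utf-8")
    else:
        exe = shutil.which(layout)
        if exe is None:
            raise FileNotFoundError(f"layout engine {layout!r} not installed")
        proc = subprocess.run(  # argv list, no shell, fixed flags
            [exe, "-Tdot"], input=dotgraph.encode("utf-8"),
            capture_output=True, check=True,
        )
        data = proc.stdout
    if savefn is not None:
        with open(savefn, "wb") as fh:
            fh.write(data)
    return data
```

The "plain" path needs no Graphviz install; the engine path only runs a binary found on PATH under an allowlisted name, which is the property the original code lacked.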
