From 13261607a9217dc506f90f2620f2112a6c9a0f74 Mon Sep 17 00:00:00 2001 From: Matthew Hughes Date: Wed, 4 Dec 2024 21:42:54 +0000 Subject: [PATCH 1/6] Ignore security issue with `mkdocs-material` This requires handling upstream (see linked issue), trying to bump this dependency errored with: Because mkdocs-material (9.5.32) depends on mkdocs (>=1.6,<2.0) and portray (1.8.0) depends on mkdocs (>=1.3.0,<1.4.0), mkdocs-material (9.5.32) is incompatible with portray (1.8.0). And because no versions of portray match >1.8.0, mkdocs-material (9.5.32) is incompatible with portray (>=1.8.0). So, because isort depends on both portray (>=1.8.0) and mkdocs-material (9.5.32), version solving failed. --- scripts/lint.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scripts/lint.sh b/scripts/lint.sh index c85e7a63..3d938a9a 100755 --- a/scripts/lint.sh +++ b/scripts/lint.sh @@ -7,5 +7,7 @@ poetry run black --target-version py38 --check . poetry run isort --profile hug --check --diff isort/ tests/ poetry run isort --profile hug --check --diff example_*/ poetry run flake8 isort/ tests/ -poetry run safety check -i 51457 -i 59587 # https://github.com/tiangolo/typer/discussions/674 + # 51457: https://github.com/tiangolo/typer/discussions/674 + # 72715: https://github.com/timothycrosley/portray/issues/95 +poetry run safety check -i 72715 -i 51457 -i 59587 poetry run bandit -r isort/ -x isort/_vendored From fa5a9fe8ce40e2adc838477c07e7f44e8fff498f Mon Sep 17 00:00:00 2001 
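Review bot: in the new `poetry run safety check -i 72715 -i 51457 -i 59587` line, `59587` is now the only ignored advisory without a comment saying what it is and why it is accepted; add a `# 59587: <link>` line next to the two that were added for 51457 and 72715. The 72715 comment would also be more useful if it named the package it covers (`mkdocs-material`, held back by `portray`'s `mkdocs <1.4` pin per the commit message) and the condition for dropping the ignore, since an ignore list inside `scripts/lint.sh` has no expiry and is easy to leave in place after the upstream fix lands. Minor: the two added comment lines carry a leading space while every other line in the script starts at column one.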
From: Matthew Hughes Date: Wed, 4 Dec 2024 21:13:45 +0000 Subject: [PATCH 2/6] Bump some dependencies for security fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bump `jinja` -> Vulnerability found in jinja2 version 3.1.3 Vulnerability ID: 71591 Affected spec: <3.1.4 ADVISORY: Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute... CVE-2024-34064 For more information, please visit https://data.safetycli.com/v/71591/f17 Bump `anyio` -> Vulnerability found in anyio version 4.1.0 Vulnerability ID: 71199 Affected spec: <4.4.0 ADVISORY: Anyio version 4.4.0 addresses a thread race condition in `_eventloop.get_asynclib()` that caused crashes when multiple event loops... PVE-2024-71199 For more information, please visit https://data.safetycli.com/v/71199/f17 Bump `bandit` -> Vulnerability found in bandit version 1.7.6 Vulnerability ID: 64484 Affected spec: <1.7.7 ADVISORY: Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing... PVE-2024-64484 For more information, please visit https://data.safetycli.com/v/64484/f17 Bump `certifi` -> Vulnerability found in certifi version 2023.11.17 Vulnerability ID: 72083 Affected spec: >=2021.05.30,<2024.07.04 ADVISORY: Certifi affected versions recognized root certificates from GLOBALTRUST. Certifi patch removes these root certificates from the root... CVE-2024-39689 For more information, please visit https://data.safetycli.com/v/72083/f17 Bump `idna` -> Vulnerability found in idna version 3.6 Vulnerability ID: 67895 Affected spec: <3.7 ADVISORY: Affected versions of Idna are vulnerable to Denial Of Service via the idna.encode(), where a specially crafted argument could... 
CVE-2024-3651 For more information, please visit https://data.safetycli.com/v/67895/f17 Bump `requests` -> Vulnerability found in requests version 2.31.0 Vulnerability ID: 71064 Affected spec: <2.32.2 ADVISORY: Affected versions of Requests, when making requests through a Requests `Session`, if the first request is made with `verify=False` to... CVE-2024-35195 For more information, please visit https://data.safetycli.com/v/71064/f17 Bump `setuptools` -> Vulnerability found in requests version 2.31.0 Vulnerability ID: 71064 Affected spec: <2.32.2 ADVISORY: Affected versions of Requests, when making requests through a Requests `Session`, if the first request is made with `verify=False` to... CVE-2024-35195 For more information, please visit https://data.safetycli.com/v/71064/f17 Bump `tornado` -> Vulnerability found in tornado version 6.4 Vulnerability ID: 71957 Affected spec: <=6.4.0 ADVISORY: When Tornado receives a request with two Transfer-Encoding: chunked headers, it ignores them both. This enables request smuggling when... PVE-2024-71957 For more information, please visit https://data.safetycli.com/v/71957/f17 -> Vulnerability found in tornado version 6.4 Vulnerability ID: 71956 Affected spec: <6.4.1 ADVISORY: Tornado’s curl_httpclient.CurlAsyncHTTPClient class is vulnerable to CRLF (carriage return/line feed) injection in the request... PVE-2024-71956 For more information, please visit https://data.safetycli.com/v/71956/f17 Bump `urllib3` -> Vulnerability found in urllib3 version 2.1.0 Vulnerability ID: 71608 Affected spec: >=2.0.0a1,<=2.2.1 ADVISORY: Urllib3's ProxyManager ensures that the Proxy-Authorization header is correctly directed only to configured proxies. However, when... CVE-2024-37891 For more information, please visit https://data.safetycli.com/v/71608/f17 Bump `zipp` -> Vulnerability found in zipp version 3.17.0 Vulnerability ID: 72132 Affected spec: <3.19.1 ADVISORY: A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library. 
The vulnerability is triggered when processing a... CVE-2024-5569 For more information, please visit https://data.safetycli.com/v/72132/f17 Bump `virutalenv` -> Vulnerability found in virtualenv version 20.25.0 Vulnerability ID: 73456 Affected spec: <20.26.6 ADVISORY: Affected versions of the virtualenv package are vulnerable to command injection. This vulnerability could allow an attacker to execute arbitrary commands by exploiting improperly quoted string placeholders in activation scripts. The vulnerable functions include various shell activation scripts where placeholders like __VIRTUAL_ENV__ are used. The exploitability depends on the ability to control the input to these placeholders. Users are advised to update to the version where a quoting mechanism has been implemented to mitigate this... PVE-2024-73456 For more information, please visit https://data.safetycli.com/v/73456/f17 --- poetry.lock | 108 +++++++++++++++++++++++++------------------------ pyproject.toml | 2 +- 2 files changed, 56 insertions(+), 54 deletions(-) diff --git a/poetry.lock b/poetry.lock index 19901f4f..ad2d0e69 100644 --- a/poetry.lock +++ b/poetry.lock 
@@ -16,19 +16,20 @@ typing-extensions = {version = ">=4.0.0", markers = "python_version < \"3.9\""} [[package]] name = "anyio" -version = "4.1.0" +version = "4.4.0" description = "High level compatibility layer for multiple asynchronous event loop implementations" optional = false python-versions = ">=3.8" files = [ - {file = "anyio-4.1.0-py3-none-any.whl", hash = "sha256:56a415fbc462291813a94528a779597226619c8e78af7de0507333f700011e5f"}, - {file = "anyio-4.1.0.tar.gz", hash = "sha256:5a0bec7085176715be77df87fc66d6c9d70626bd752fcc85f57cdbee5b3760da"}, + {file = "anyio-4.4.0-py3-none-any.whl", hash = "sha256:c1b2d8f46a8a812513012e1107cb0e68c17159a7a594208005a57dc776e1bdc7"}, + {file = "anyio-4.4.0.tar.gz", hash = "sha256:5aadc6a1bbb7cdb0bede386cac5e2940f5e2ff3aa20277e991cf028e0585ce94"}, ] [package.dependencies] exceptiongroup = {version = ">=1.0.2", markers = "python_version < \"3.11\""} idna = ">=2.8" sniffio = ">=1.1" +typing-extensions = {version = ">=4.1", markers = "python_version < \"3.11\""} [package.extras] doc = ["Sphinx (>=7)", "packaging", "sphinx-autodoc-typehints (>=1.2.0)", "sphinx-rtd-theme"] 
@@ -114,24 +115,24 @@ files = [ [[package]] name = "bandit" -version = "1.7.6" +version = "1.7.7" description = "Security oriented static analyser for python code." optional = false python-versions = ">=3.8" files = [ - {file = "bandit-1.7.6-py3-none-any.whl", hash = "sha256:36da17c67fc87579a5d20c323c8d0b1643a890a2b93f00b3d1229966624694ff"}, - {file = "bandit-1.7.6.tar.gz", hash = "sha256:72ce7bc9741374d96fb2f1c9a8960829885f1243ffde743de70a19cee353e8f3"}, + {file = "bandit-1.7.7-py3-none-any.whl", hash = "sha256:17e60786a7ea3c9ec84569fd5aee09936d116cb0cb43151023258340dbffb7ed"}, + {file = "bandit-1.7.7.tar.gz", hash = "sha256:527906bec6088cb499aae31bc962864b4e77569e9d529ee51df3a93b4b8ab28a"}, ] [package.dependencies] colorama = {version = ">=0.3.9", markers = "platform_system == \"Windows\""} -GitPython = ">=3.1.30" PyYAML = ">=5.3.1" rich = "*" stevedore = ">=1.20.0" [package.extras] -test = ["beautifulsoup4 (>=4.8.0)", "coverage (>=4.5.4)", "fixtures (>=3.0.0)", "flake8 (>=4.0.0)", "pylint (==1.9.4)", "stestr (>=2.5.0)", "testscenarios (>=0.5.0)", "testtools (>=2.3.0)", "tomli (>=1.1.0)"] +baseline = ["GitPython (>=3.1.30)"] +test = ["beautifulsoup4 (>=4.8.0)", "coverage (>=4.5.4)", "fixtures (>=3.0.0)", "flake8 (>=4.0.0)", "pylint (==1.9.4)", "stestr (>=2.5.0)", "testscenarios (>=0.5.0)", "testtools (>=2.3.0)"] toml = ["tomli (>=1.1.0)"] yaml = ["PyYAML"] 
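Review bot: the bandit 1.7.6 -> 1.7.7 hunk drops `GitPython = ">=3.1.30"` from `[package.dependencies]` and reintroduces it only under the new `baseline = ["GitPython (>=3.1.30)"]` extra, so GitPython is no longer installed by default. The CI invocation in `scripts/lint.sh` (`poetry run bandit -r isort/ -x isort/_vendored`) does not use baseline mode, so this is fine for the lint job, but it is worth a line in the commit message so anyone running bandit's baseline comparison locally knows to install `bandit[baseline]`.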
@@ -204,13 +205,13 @@ files = [ [[package]] name = "certifi" -version = "2023.11.17" +version = "2024.7.4" description = "Python package for providing Mozilla's CA Bundle." optional = false python-versions = ">=3.6" files = [ - {file = "certifi-2023.11.17-py3-none-any.whl", hash = "sha256:e036ab49d5b79556f99cfc2d9320b34cfbe5be05c5871b51de9329f0603b0474"}, - {file = "certifi-2023.11.17.tar.gz", hash = "sha256:9b469f3a900bf28dc19b8cfbf8019bf47f7fdd1a65a1d4ffb98fc14166beb4d1"}, + {file = "certifi-2024.7.4-py3-none-any.whl", hash = "sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90"}, + {file = "certifi-2024.7.4.tar.gz", hash = "sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b"}, ] [[package]] @@ -840,13 +841,13 @@ license = ["ukkonen"] [[package]] name = "idna" -version = "3.6" +version = "3.7" description = "Internationalized Domain Names in Applications (IDNA)" optional = false python-versions = ">=3.5" files = [ - {file = "idna-3.6-py3-none-any.whl", hash = "sha256:c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f"}, - {file = "idna-3.6.tar.gz", hash = "sha256:9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca"}, + {file = "idna-3.7-py3-none-any.whl", hash = "sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0"}, + {file = "idna-3.7.tar.gz", hash = "sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc"}, ] [[package]] 
@@ -939,13 +940,13 @@ testing = ["Django", "attrs", "colorama", "docopt", "pytest (<7.0.0)"] [[package]] name = "jinja2" -version = "3.1.3" +version = "3.1.4" description = "A very fast and expressive template engine." optional = false python-versions = ">=3.7" files = [ - {file = "Jinja2-3.1.3-py3-none-any.whl", hash = "sha256:7d6d50dd97d52cbc355597bd845fabfbac3f551e1f99619e39a35ce8c370b5fa"}, - {file = "Jinja2-3.1.3.tar.gz", hash = "sha256:ac8bd6544d4bb2c9792bf3a159e80bba8fda7f07e81bc3aed565432d5925ba90"}, + {file = "jinja2-3.1.4-py3-none-any.whl", hash = "sha256:bc5dd2abb727a5319567b7a813e6a2e7318c39f4f487cfe6c89c6f9c7d25197d"}, + {file = "jinja2-3.1.4.tar.gz", hash = "sha256:4a3aee7acbbe7303aede8e9648d13b8bf88a429282aa6122a993f0ac800cb369"}, ] [package.dependencies] @@ -2016,6 +2017,7 @@ files = [ {file = "PyYAML-6.0.1-cp311-cp311-win_amd64.whl", hash = "sha256:bf07ee2fef7014951eeb99f56f39c9bb4af143d8aa3c21b1677805985307da34"}, {file = "PyYAML-6.0.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28"}, {file = "PyYAML-6.0.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9"}, + {file = "PyYAML-6.0.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a08c6f0fe150303c1c6b71ebcd7213c2858041a7e01975da3a99aed1e7a378ef"}, {file = "PyYAML-6.0.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0"}, {file = "PyYAML-6.0.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4"}, {file = "PyYAML-6.0.1-cp312-cp312-win32.whl", hash = "sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54"}, 
@@ -2066,13 +2068,13 @@ pyyaml = "*" [[package]] name = "requests" -version = "2.31.0" +version = "2.32.2" description = "Python HTTP for Humans." optional = false -python-versions = ">=3.7" +python-versions = ">=3.8" files = [ - {file = "requests-2.31.0-py3-none-any.whl", hash = "sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f"}, - {file = "requests-2.31.0.tar.gz", hash = "sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1"}, + {file = "requests-2.32.2-py3-none-any.whl", hash = "sha256:fc06670dd0ed212426dfeb94fc1b983d917c4f9847c863f313c9dfaaffb7c23c"}, + {file = "requests-2.32.2.tar.gz", hash = "sha256:dd951ff5ecf3e3b3aa26b40703ba77495dab41da839ae72ef3c8e5d8e2433289"}, ] [package.dependencies] 
@@ -2233,19 +2235,18 @@ gitlab = ["python-gitlab (>=1.3.0)"] [[package]] name = "setuptools" -version = "69.0.2" +version = "70.0.0" description = "Easily download, build, install, upgrade, and uninstall Python packages" optional = false python-versions = ">=3.8" files = [ - {file = "setuptools-69.0.2-py3-none-any.whl", hash = "sha256:1e8fdff6797d3865f37397be788a4e3cba233608e9b509382a2777d25ebde7f2"}, - {file = "setuptools-69.0.2.tar.gz", hash = "sha256:735896e78a4742605974de002ac60562d286fa8051a7e2299445e8e8fbb01aa6"}, + {file = "setuptools-70.0.0-py3-none-any.whl", hash = "sha256:54faa7f2e8d2d11bcd2c07bed282eef1046b5c080d1c32add737d7b5817b1ad4"}, + {file = "setuptools-70.0.0.tar.gz", hash = "sha256:f211a66637b8fa059bb28183da127d4e86396c991a942b028c6650d4319c3fd0"}, ] [package.extras] -docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "rst.linker (>=1.9)", "sphinx (<7.2.5)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier"] -testing = ["build[virtualenv]", "filelock (>=3.4.0)", "flake8-2020", "ini2toml[lite] (>=0.9)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "pip (>=19.1)", "pytest (>=6)", "pytest-black (>=0.3.7)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-mypy (>=0.9.1)", "pytest-perf", "pytest-ruff", "pytest-timeout", "pytest-xdist", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"] -testing-integration = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "packaging (>=23.1)", "pytest", "pytest-enabler", "pytest-xdist", "tomli", "virtualenv (>=13.0.0)", "wheel"] +docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "pyproject-hooks (!=1.1)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", 
"sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier"] +testing = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "importlib-metadata", "ini2toml[lite] (>=0.14)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "mypy (==1.9)", "packaging (>=23.2)", "pip (>=19.1)", "pyproject-hooks (!=1.1)", "pytest (>=6,!=8.1.1)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-home (>=0.5)", "pytest-mypy", "pytest-perf", "pytest-ruff (>=0.2.1)", "pytest-subprocess", "pytest-timeout", "pytest-xdist (>=3)", "tomli", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"] [[package]] name = "six" 
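Review bot: the setuptools 69.0.2 -> 70.0.0 hunk has no matching advisory in the commit message: the `Bump \`setuptools\`` paragraph repeats the requests entry verbatim (requests 2.31.0, Vulnerability ID 71064, CVE-2024-35195), which is a copy-paste slip. Please replace it with the actual safety finding that motivated the setuptools bump so the lockfile change is traceable to its advisory like the others in this patch.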
@@ -2395,22 +2396,22 @@ files = [ [[package]] name = "tornado" -version = "6.4" +version = "6.4.1" description = "Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed." optional = false -python-versions = ">= 3.8" +python-versions = ">=3.8" files = [ - {file = "tornado-6.4-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:02ccefc7d8211e5a7f9e8bc3f9e5b0ad6262ba2fbb683a6443ecc804e5224ce0"}, - {file = "tornado-6.4-cp38-abi3-macosx_10_9_x86_64.whl", hash = "sha256:27787de946a9cffd63ce5814c33f734c627a87072ec7eed71f7fc4417bb16263"}, - {file = "tornado-6.4-cp38-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f7894c581ecdcf91666a0912f18ce5e757213999e183ebfc2c3fdbf4d5bd764e"}, - {file = "tornado-6.4-cp38-abi3-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e43bc2e5370a6a8e413e1e1cd0c91bedc5bd62a74a532371042a18ef19e10579"}, - {file = "tornado-6.4-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f0251554cdd50b4b44362f73ad5ba7126fc5b2c2895cc62b14a1c2d7ea32f212"}, - {file = "tornado-6.4-cp38-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:fd03192e287fbd0899dd8f81c6fb9cbbc69194d2074b38f384cb6fa72b80e9c2"}, - {file = "tornado-6.4-cp38-abi3-musllinux_1_1_i686.whl", hash = "sha256:88b84956273fbd73420e6d4b8d5ccbe913c65d31351b4c004ae362eba06e1f78"}, - {file = "tornado-6.4-cp38-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:71ddfc23a0e03ef2df1c1397d859868d158c8276a0603b96cf86892bff58149f"}, - {file = "tornado-6.4-cp38-abi3-win32.whl", hash = "sha256:6f8a6c77900f5ae93d8b4ae1196472d0ccc2775cc1dfdc9e7727889145c45052"}, - {file = "tornado-6.4-cp38-abi3-win_amd64.whl", hash = "sha256:10aeaa8006333433da48dec9fe417877f8bcc21f48dda8d661ae79da357b2a63"}, - {file = "tornado-6.4.tar.gz", hash = "sha256:72291fa6e6bc84e626589f1c29d90a5a6d593ef5ae68052ee2ef000dfd273dee"}, + {file = 
"tornado-6.4.1-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:163b0aafc8e23d8cdc3c9dfb24c5368af84a81e3364745ccb4427669bf84aec8"}, + {file = "tornado-6.4.1-cp38-abi3-macosx_10_9_x86_64.whl", hash = "sha256:6d5ce3437e18a2b66fbadb183c1d3364fb03f2be71299e7d10dbeeb69f4b2a14"}, + {file = "tornado-6.4.1-cp38-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e2e20b9113cd7293f164dc46fffb13535266e713cdb87bd2d15ddb336e96cfc4"}, + {file = "tornado-6.4.1-cp38-abi3-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8ae50a504a740365267b2a8d1a90c9fbc86b780a39170feca9bcc1787ff80842"}, + {file = "tornado-6.4.1-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:613bf4ddf5c7a95509218b149b555621497a6cc0d46ac341b30bd9ec19eac7f3"}, + {file = "tornado-6.4.1-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:25486eb223babe3eed4b8aecbac33b37e3dd6d776bc730ca14e1bf93888b979f"}, + {file = "tornado-6.4.1-cp38-abi3-musllinux_1_2_i686.whl", hash = "sha256:454db8a7ecfcf2ff6042dde58404164d969b6f5d58b926da15e6b23817950fc4"}, + {file = "tornado-6.4.1-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:a02a08cc7a9314b006f653ce40483b9b3c12cda222d6a46d4ac63bb6c9057698"}, + {file = "tornado-6.4.1-cp38-abi3-win32.whl", hash = "sha256:d9a566c40b89757c9aa8e6f032bcdb8ca8795d7c1a9762910c722b1635c9de4d"}, + {file = "tornado-6.4.1-cp38-abi3-win_amd64.whl", hash = "sha256:b24b8982ed444378d7f21d563f4180a2de31ced9d8d84443907a0a64da2072e7"}, + {file = "tornado-6.4.1.tar.gz", hash = "sha256:92d3ab53183d8c50f8204a51e6f91d18a15d5ef261e84d452800d4ff6fc504e9"}, ] [[package]] 
@@ -2521,29 +2522,30 @@ typing-extensions = ">=3.7.4" [[package]] name = "urllib3" -version = "2.1.0" +version = "2.2.2" description = "HTTP library with thread-safe connection pooling, file post, and more." optional = false python-versions = ">=3.8" files = [ - {file = "urllib3-2.1.0-py3-none-any.whl", hash = "sha256:55901e917a5896a349ff771be919f8bd99aff50b79fe58fec595eb37bbc56bb3"}, - {file = "urllib3-2.1.0.tar.gz", hash = "sha256:df7aa8afb0148fa78488e7899b2c59b5f4ffcfa82e6c54ccb9dd37c1d7b52d54"}, + {file = "urllib3-2.2.2-py3-none-any.whl", hash = "sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472"}, + {file = "urllib3-2.2.2.tar.gz", hash = "sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168"}, ] [package.extras] brotli = ["brotli (>=1.0.9)", "brotlicffi (>=0.8.0)"] +h2 = ["h2 (>=4,<5)"] socks = ["pysocks (>=1.5.6,!=1.5.7,<2.0)"] zstd = ["zstandard (>=0.18.0)"] [[package]] name = "virtualenv" -version = "20.25.0" +version = "20.26.6" description = "Virtual Python Environment builder" optional = false python-versions = ">=3.7" files = [ - {file = "virtualenv-20.25.0-py3-none-any.whl", hash = "sha256:4238949c5ffe6876362d9c0180fc6c3a824a7b12b80604eeb8085f2ed7460de3"}, - {file = "virtualenv-20.25.0.tar.gz", hash = "sha256:bf51c0d9c7dd63ea8e44086fa1e4fb1093a31e963b86959257378aef020e1f1b"}, + {file = "virtualenv-20.26.6-py3-none-any.whl", hash = "sha256:7345cc5b25405607a624d8418154577459c3e0277f5466dd79c49d5e492995f2"}, + {file = "virtualenv-20.26.6.tar.gz", hash = "sha256:280aede09a2a5c317e409a00102e7077c6432c5a38f0ef938e643805a7ad2c48"}, ] [package.dependencies] 
@@ -2552,7 +2554,7 @@ filelock = ">=3.12.2,<4" platformdirs = ">=3.9.1,<5" [package.extras] -docs = ["furo (>=2023.7.26)", "proselint (>=0.13)", "sphinx (>=7.1.2)", "sphinx-argparse (>=0.4)", "sphinxcontrib-towncrier (>=0.2.1a0)", "towncrier (>=23.6)"] +docs = ["furo (>=2023.7.26)", "proselint (>=0.13)", "sphinx (>=7.1.2,!=7.3)", "sphinx-argparse (>=0.4)", "sphinxcontrib-towncrier (>=0.2.1a0)", "towncrier (>=23.6)"] test = ["covdefaults (>=2.3)", "coverage (>=7.2.7)", "coverage-enable-subprocess (>=1)", "flaky (>=3.7)", "packaging (>=23.1)", "pytest (>=7.4)", "pytest-env (>=0.8.2)", "pytest-freezer (>=0.4.8)", "pytest-mock (>=3.11.1)", "pytest-randomly (>=3.12)", "pytest-timeout (>=2.1)", "setuptools (>=68)", "time-machine (>=2.10)"] [[package]] 
@@ -2646,18 +2648,18 @@ files = [ [[package]] name = "zipp" -version = "3.17.0" +version = "3.19.1" description = "Backport of pathlib-compatible object wrapper for zip files" optional = false python-versions = ">=3.8" files = [ - {file = "zipp-3.17.0-py3-none-any.whl", hash = "sha256:0e923e726174922dce09c53c59ad483ff7bbb8e572e00c7f7c46b88556409f31"}, - {file = "zipp-3.17.0.tar.gz", hash = "sha256:84e64a1c28cf7e91ed2078bb8cc8c259cb19b76942096c8d7b84947690cabaf0"}, + {file = "zipp-3.19.1-py3-none-any.whl", hash = "sha256:2828e64edb5386ea6a52e7ba7cdb17bb30a73a858f5eb6eb93d8d36f5ea26091"}, + {file = "zipp-3.19.1.tar.gz", hash = "sha256:35427f6d5594f4acf82d25541438348c26736fa9b3afa2754bcd63cdb99d8e8f"}, ] [package.extras] -docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (<7.2.5)", "sphinx (>=3.5)", "sphinx-lint"] -testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "pytest (>=6)", "pytest-black (>=0.3.7)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-ignore-flaky", "pytest-mypy (>=0.9.1)", "pytest-ruff"] +doc = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-lint"] +test = ["big-O", "jaraco.functools", "jaraco.itertools", "jaraco.test", "more-itertools", "pytest (>=6,!=8.1.*)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-ignore-flaky", "pytest-mypy", "pytest-ruff (>=0.2.1)"] [extras] colors = ["colorama"] @@ -2666,4 +2668,4 @@ plugins = [] [metadata] lock-version = "2.0" python-versions = ">=3.8.0" -content-hash = "dcdd2152c62b8850f32727259106f0328370694549991626c315e02aaba73770" +content-hash = "955ebec91f42b0681a42ee192b60dab58a9cca8df4f51e7a2b8c72049d00fd82" diff --git a/pyproject.toml b/pyproject.toml index f4d3ecda..550447ca 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -48,7 +48,7 @@ colors = ["colorama"] plugins = ["setuptools"] [tool.poetry.dev-dependencies] -bandit = ">=1.6" +bandit = ">=1.7.7" black = ">=22.6.0" colorama = ">=0.4.6" coverage = {version = ">=6.5.0", extras = ["toml"]} From 5b74abaf27d43fd4502fd1993e0991c7f347045d Mon Sep 17 00:00:00 2001 From: Matthew Hughes Date: Wed, 4 Dec 2024 21:23:57 +0000 Subject: [PATCH 3/6] Update `black` -> Vulnerability found in black version 23.11.0 Vulnerability ID: 66742 Affected spec: <24.3.0 ADVISORY: Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the... CVE-2024-21503 For more information, please visit https://data.safetycli.com/v/66742/f17 Also re-run `black` to pick up any changes from the new version and update some unit test that relied on how black formats. --- isort/__init__.py | 1 + isort/api.py | 6 +-- isort/deprecated/finders.py | 1 + isort/exceptions.py | 1 + isort/hooks.py | 1 + isort/identify.py | 1 + isort/io.py | 1 + isort/main.py | 1 + isort/parse.py | 7 +-- isort/place.py | 1 + isort/profiles.py | 1 + isort/sections.py | 1 + isort/settings.py | 9 ++-- isort/wrap.py | 6 +-- isort/wrap_modes.py | 1 + poetry.lock | 46 ++++++++++--------- pyproject.toml | 2 +- scripts/lint.sh | 2 +- tests/integration/test_literal.py | 1 + .../integration/test_projects_using_isort.py | 1 + tests/integration/test_ticketed_features.py | 1 + tests/unit/conftest.py | 1 + tests/unit/profiles/test_black.py | 12 ++--- tests/unit/profiles/test_wemake.py | 1 + tests/unit/test_action_comments.py | 1 + tests/unit/test_api.py | 1 + tests/unit/test_importable.py | 1 + tests/unit/test_isort.py | 1 + tests/unit/test_place.py | 1 + tests/unit/test_regressions.py | 1 + tests/unit/test_ticketed_features.py | 1 + 31 files changed, 70 insertions(+), 43 deletions(-) diff --git a/isort/__init__.py b/isort/__init__.py index e0754da4..ba2bef89 100644 --- a/isort/__init__.py +++ b/isort/__init__.py 
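Review bot: the only constraint raised in `pyproject.toml` is `bandit = ">=1.7.7"`; every other package in this patch (jinja2, anyio, certifi, idna, requests, setuptools, tornado, urllib3, zipp, virtualenv) is moved only in `poetry.lock`. That is correct for transitive dependencies, but any of them that is also a direct entry in `pyproject.toml` should get its floor raised too; otherwise a later `poetry lock` is free to resolve back below the fixed version and the fix survives only as long as `safety check` in CI keeps catching it.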
@@ -1,4 +1,5 @@ """Defines the public isort interface""" + __all__ = ( "Config", "ImportKey", diff --git a/isort/api.py b/isort/api.py index 2c89d373..3a304c1c 100644 --- a/isort/api.py +++ b/isort/api.py @@ -442,9 +442,9 @@ def sort_file( file_input=source_file.stream.read(), file_output=output_stream.read(), file_path=actual_file_path, - output=None - if show_diff is True - else cast(TextIO, show_diff), + output=( + None if show_diff is True else cast(TextIO, show_diff) + ), color_output=config.color_output, ) if show_diff or ( diff --git a/isort/deprecated/finders.py b/isort/deprecated/finders.py index eac650e2..45c85e71 100644 --- a/isort/deprecated/finders.py +++ b/isort/deprecated/finders.py @@ -1,4 +1,5 @@ """Finders try to find right section for passed module name""" + import importlib.machinery import inspect import os diff --git a/isort/exceptions.py b/isort/exceptions.py index 6be82406..41ec51f8 100644 --- a/isort/exceptions.py +++ b/isort/exceptions.py @@ -1,4 +1,5 @@ """All isort specific exception classes should be defined here""" + from functools import partial from pathlib import Path from typing import Any, Dict, List, Type, Union diff --git a/isort/hooks.py b/isort/hooks.py index bb566108..b248d354 100644 --- a/isort/hooks.py +++ b/isort/hooks.py @@ -3,6 +3,7 @@ usage: exit_code = git_hook(strict=True|False, modify=True|False) """ + import os import subprocess # nosec - Needed for hook from pathlib import Path diff --git a/isort/identify.py b/isort/identify.py index 8223e256..b1964b41 100644 --- a/isort/identify.py +++ b/isort/identify.py @@ -1,6 +1,7 @@ """Fast stream based import identification. Eventually this will likely replace parse.py """ + from functools import partial from pathlib import Path from typing import Iterator, NamedTuple, Optional, TextIO, Tuple diff --git a/isort/io.py b/isort/io.py index 94698917..35a73683 100644 --- a/isort/io.py +++ b/isort/io.py 
@@ -1,4 +1,5 @@ """Defines any IO utilities used by isort""" + import dataclasses import re import tokenize diff --git a/isort/main.py b/isort/main.py index 7dd85e05..07b177ce 100644 --- a/isort/main.py +++ b/isort/main.py @@ -1,4 +1,5 @@ """Tool for sorting imports alphabetically, and automatically separated into sections.""" + import argparse import functools import json diff --git a/isort/parse.py b/isort/parse.py index 2c3c41ef..c7641a02 100644 --- a/isort/parse.py +++ b/isort/parse.py @@ -1,4 +1,5 @@ """Defines parsing functions used by isort for parsing import definitions""" + import re from collections import OrderedDict, defaultdict from functools import partial @@ -475,9 +476,9 @@ def file_contents(contents: str, config: Config = DEFAULT_CONFIG) -> ParsedConte import_from, {} ) existing_comment = nested_from_comments.get(just_imports[0], "") - nested_from_comments[ - just_imports[0] - ] = f"{existing_comment}{'; ' if existing_comment else ''}{'; '.join(comments)}" + nested_from_comments[just_imports[0]] = ( + f"{existing_comment}{'; ' if existing_comment else ''}{'; '.join(comments)}" + ) comments = [] if comments and attach_comments_to is None: diff --git a/isort/place.py b/isort/place.py index 8a972f50..b3a25366 100644 --- a/isort/place.py +++ b/isort/place.py @@ -1,4 +1,5 @@ """Contains all logic related to placing an import within a certain section.""" + import importlib from fnmatch import fnmatch from functools import lru_cache diff --git a/isort/profiles.py b/isort/profiles.py index fe2aac49..0dd0bd9c 100644 --- a/isort/profiles.py +++ b/isort/profiles.py @@ -1,4 +1,5 @@ """Common profiles are defined here to be easily used within a project using --profile {name}""" + from typing import Any, Dict black = { diff --git a/isort/sections.py b/isort/sections.py index f59db692..eda2d79e 100644 --- a/isort/sections.py +++ b/isort/sections.py @@ -1,4 +1,5 @@ """Defines all sections isort uses by default""" + from typing import Tuple FUTURE: str = "FUTURE" 
diff --git a/isort/settings.py b/isort/settings.py index a3658fff..0a7211c6 100644 --- a/isort/settings.py +++ b/isort/settings.py @@ -2,6 +2,7 @@ Defines how the default settings for isort should be loaded """ + import configparser import fnmatch import os @@ -761,9 +762,11 @@ def _as_list(value: str) -> List[str]: def _abspaths(cwd: str, values: Iterable[str]) -> Set[str]: paths = { - os.path.join(cwd, value) - if not value.startswith(os.path.sep) and value.endswith(os.path.sep) - else value + ( + os.path.join(cwd, value) + if not value.startswith(os.path.sep) and value.endswith(os.path.sep) + else value + ) for value in values } return paths diff --git a/isort/wrap.py b/isort/wrap.py index 119531ad..9eced44b 100644 --- a/isort/wrap.py +++ b/isort/wrap.py @@ -92,9 +92,9 @@ def line(content: str, line_separator: str, config: Config = DEFAULT_CONFIG) -> ) else "" ) - line_parts[ - -1 - ] = f"{line_parts[-1].strip()}{_comma_maybe}{config.comment_prefix}{comment}" + line_parts[-1] = ( + f"{line_parts[-1].strip()}{_comma_maybe}{config.comment_prefix}{comment}" + ) next_line = [] while (len(content) + 2) > ( config.wrap_length or config.line_length diff --git a/isort/wrap_modes.py b/isort/wrap_modes.py index b4ffd0ac..e7909ea2 100644 --- a/isort/wrap_modes.py +++ b/isort/wrap_modes.py @@ -1,4 +1,5 @@ """Defines all wrap modes that can be used when outputting formatted imports""" + import enum from inspect import signature from typing import Any, Callable, Dict, List diff --git a/poetry.lock b/poetry.lock index ad2d0e69..77fdc27d 100644 --- a/poetry.lock +++ b/poetry.lock 
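Review bot: the hunks in `isort/__init__.py`, `deprecated/finders.py`, `exceptions.py`, `hooks.py`, `identify.py`, `io.py`, `main.py`, `parse.py`, `place.py`, `profiles.py`, `sections.py`, `settings.py`, `wrap.py` and `wrap_modes.py` are purely black 24.3.0 style output (a blank line after each module docstring, and conditional expressions wrapped in parentheses in `api.py`, `parse.py`, `settings.py` and `wrap.py`) with no behavioural change, so they would be easier to review as their own "re-run black" commit separate from the dependency bump. Also, in the `hooks.py` hunk the `import subprocess  # nosec - Needed for hook` line keeps its inline marker after the reformat; worth confirming the suppression still applies now that bandit was bumped to 1.7.7 earlier in this series.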
@@ -152,29 +152,33 @@ chardet = ">=3.0.2" [[package]] name = "black" -version = "23.11.0" +version = "24.3.0" description = "The uncompromising code formatter." optional = false python-versions = ">=3.8" files = [ - {file = "black-23.11.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:dbea0bb8575c6b6303cc65017b46351dc5953eea5c0a59d7b7e3a2d2f433a911"}, - {file = "black-23.11.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:412f56bab20ac85927f3a959230331de5614aecda1ede14b373083f62ec24e6f"}, - {file = "black-23.11.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d136ef5b418c81660ad847efe0e55c58c8208b77a57a28a503a5f345ccf01394"}, - {file = "black-23.11.0-cp310-cp310-win_amd64.whl", hash = "sha256:6c1cac07e64433f646a9a838cdc00c9768b3c362805afc3fce341af0e6a9ae9f"}, - {file = "black-23.11.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:cf57719e581cfd48c4efe28543fea3d139c6b6f1238b3f0102a9c73992cbb479"}, - {file = "black-23.11.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:698c1e0d5c43354ec5d6f4d914d0d553a9ada56c85415700b81dc90125aac244"}, - {file = "black-23.11.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:760415ccc20f9e8747084169110ef75d545f3b0932ee21368f63ac0fee86b221"}, - {file = "black-23.11.0-cp311-cp311-win_amd64.whl", hash = "sha256:58e5f4d08a205b11800332920e285bd25e1a75c54953e05502052738fe16b3b5"}, - {file = "black-23.11.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:45aa1d4675964946e53ab81aeec7a37613c1cb71647b5394779e6efb79d6d187"}, - {file = "black-23.11.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:4c44b7211a3a0570cc097e81135faa5f261264f4dfaa22bd5ee2875a4e773bd6"}, - {file = "black-23.11.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2a9acad1451632021ee0d146c8765782a0c3846e0e0ea46659d7c4f89d9b212b"}, - {file = "black-23.11.0-cp38-cp38-win_amd64.whl", hash = "sha256:fc7f6a44d52747e65a02558e1d807c82df1d66ffa80a601862040a43ec2e3142"}, - {file = 
"black-23.11.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:7f622b6822f02bfaf2a5cd31fdb7cd86fcf33dab6ced5185c35f5db98260b055"}, - {file = "black-23.11.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:250d7e60f323fcfc8ea6c800d5eba12f7967400eb6c2d21ae85ad31c204fb1f4"}, - {file = "black-23.11.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5133f5507007ba08d8b7b263c7aa0f931af5ba88a29beacc4b2dc23fcefe9c06"}, - {file = "black-23.11.0-cp39-cp39-win_amd64.whl", hash = "sha256:421f3e44aa67138ab1b9bfbc22ee3780b22fa5b291e4db8ab7eee95200726b07"}, - {file = "black-23.11.0-py3-none-any.whl", hash = "sha256:54caaa703227c6e0c87b76326d0862184729a69b73d3b7305b6288e1d830067e"}, - {file = "black-23.11.0.tar.gz", hash = "sha256:4c68855825ff432d197229846f971bc4d6666ce90492e5b02013bcaca4d9ab05"}, + {file = "black-24.3.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:7d5e026f8da0322b5662fa7a8e752b3fa2dac1c1cbc213c3d7ff9bdd0ab12395"}, + {file = "black-24.3.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9f50ea1132e2189d8dff0115ab75b65590a3e97de1e143795adb4ce317934995"}, + {file = "black-24.3.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e2af80566f43c85f5797365077fb64a393861a3730bd110971ab7a0c94e873e7"}, + {file = "black-24.3.0-cp310-cp310-win_amd64.whl", hash = "sha256:4be5bb28e090456adfc1255e03967fb67ca846a03be7aadf6249096100ee32d0"}, + {file = "black-24.3.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:4f1373a7808a8f135b774039f61d59e4be7eb56b2513d3d2f02a8b9365b8a8a9"}, + {file = "black-24.3.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:aadf7a02d947936ee418777e0247ea114f78aff0d0959461057cae8a04f20597"}, + {file = "black-24.3.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:65c02e4ea2ae09d16314d30912a58ada9a5c4fdfedf9512d23326128ac08ac3d"}, + {file = "black-24.3.0-cp311-cp311-win_amd64.whl", hash = "sha256:bf21b7b230718a5f08bd32d5e4f1db7fc8788345c8aea1d155fc17852b3410f5"}, 
+ {file = "black-24.3.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:2818cf72dfd5d289e48f37ccfa08b460bf469e67fb7c4abb07edc2e9f16fb63f"}, + {file = "black-24.3.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:4acf672def7eb1725f41f38bf6bf425c8237248bb0804faa3965c036f7672d11"}, + {file = "black-24.3.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c7ed6668cbbfcd231fa0dc1b137d3e40c04c7f786e626b405c62bcd5db5857e4"}, + {file = "black-24.3.0-cp312-cp312-win_amd64.whl", hash = "sha256:56f52cfbd3dabe2798d76dbdd299faa046a901041faf2cf33288bc4e6dae57b5"}, + {file = "black-24.3.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:79dcf34b33e38ed1b17434693763301d7ccbd1c5860674a8f871bd15139e7837"}, + {file = "black-24.3.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:e19cb1c6365fd6dc38a6eae2dcb691d7d83935c10215aef8e6c38edee3f77abd"}, + {file = "black-24.3.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:65b76c275e4c1c5ce6e9870911384bff5ca31ab63d19c76811cb1fb162678213"}, + {file = "black-24.3.0-cp38-cp38-win_amd64.whl", hash = "sha256:b5991d523eee14756f3c8d5df5231550ae8993e2286b8014e2fdea7156ed0959"}, + {file = "black-24.3.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:c45f8dff244b3c431b36e3224b6be4a127c6aca780853574c00faf99258041eb"}, + {file = "black-24.3.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:6905238a754ceb7788a73f02b45637d820b2f5478b20fec82ea865e4f5d4d9f7"}, + {file = "black-24.3.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d7de8d330763c66663661a1ffd432274a2f92f07feeddd89ffd085b5744f85e7"}, + {file = "black-24.3.0-cp39-cp39-win_amd64.whl", hash = "sha256:7bb041dca0d784697af4646d3b62ba4a6b028276ae878e53f6b4f74ddd6db99f"}, + {file = "black-24.3.0-py3-none-any.whl", hash = "sha256:41622020d7120e01d377f74249e677039d20e6344ff5851de8a10f11f513bf93"}, + {file = "black-24.3.0.tar.gz", hash = "sha256:a0c9c4a0771afc6919578cec71ce82a3e31e054904e7197deacbc9382671c41f"}, ] 
[package.dependencies] @@ -188,7 +192,7 @@ typing-extensions = {version = ">=4.0.1", markers = "python_version < \"3.11\""} [package.extras] colorama = ["colorama (>=0.4.3)"] -d = ["aiohttp (>=3.7.4)"] +d = ["aiohttp (>=3.7.4)", "aiohttp (>=3.7.4,!=3.9.0)"] jupyter = ["ipython (>=7.8.0)", "tokenize-rt (>=3.2.0)"] uvloop = ["uvloop (>=0.15.2)"] @@ -2668,4 +2672,4 @@ plugins = [] [metadata] lock-version = "2.0" python-versions = ">=3.8.0" -content-hash = "955ebec91f42b0681a42ee192b60dab58a9cca8df4f51e7a2b8c72049d00fd82" +content-hash = "6969eccd5d691d77d8f78a9f82e3ed626675d646a7e2b896fb4ad4aa64db0dfa" diff --git a/pyproject.toml b/pyproject.toml index 550447ca..4f5a01eb 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -49,7 +49,7 @@ plugins = ["setuptools"] [tool.poetry.dev-dependencies] bandit = ">=1.7.7" -black = ">=22.6.0" +black = "24.3.0" colorama = ">=0.4.6" coverage = {version = ">=6.5.0", extras = ["toml"]} cruft = ">=2.12.0" diff --git a/scripts/lint.sh b/scripts/lint.sh index 3d938a9a..ca71cc7d 100755 --- a/scripts/lint.sh +++ b/scripts/lint.sh @@ -3,7 +3,7 @@ set -euxo pipefail poetry run cruft check poetry run mypy -p isort -p tests -poetry run black --target-version py38 --check . +poetry run black --target-version py38 . poetry run isort --profile hug --check --diff isort/ tests/ poetry run isort --profile hug --check --diff example_*/ poetry run flake8 isort/ tests/ diff --git a/tests/integration/test_literal.py b/tests/integration/test_literal.py index fe555e32..20a98528 100644 --- a/tests/integration/test_literal.py +++ b/tests/integration/test_literal.py @@ -1,4 +1,5 @@ """Tests that need installation of other packages.""" + # TODO: find a way to install example-isort-formatting-plugin to pass tests # import isort.literal diff --git a/tests/integration/test_projects_using_isort.py b/tests/integration/test_projects_using_isort.py index 923a1285..515fc084 100644 --- a/tests/integration/test_projects_using_isort.py 
+++ b/tests/integration/test_projects_using_isort.py @@ -6,6 +6,7 @@ It is important to isort that as few regressions as possible are experienced by our users. Having your project tested here is the most sure way to keep those regressions form ever happening. """ + from __future__ import annotations from pathlib import Path diff --git a/tests/integration/test_ticketed_features.py b/tests/integration/test_ticketed_features.py index 2a8eddbb..a8dab50a 100644 --- a/tests/integration/test_ticketed_features.py +++ b/tests/integration/test_ticketed_features.py @@ -1,4 +1,5 @@ """Tests that need installation of other packages.""" + # TODO: find a way to install example-isort-formatting-plugin to pass tests # from io import StringIO diff --git a/tests/unit/conftest.py b/tests/unit/conftest.py index 1e0bd9df..4d8b8736 100644 --- a/tests/unit/conftest.py +++ b/tests/unit/conftest.py @@ -1,4 +1,5 @@ """isort test wide fixtures and configuration""" + import os from pathlib import Path diff --git a/tests/unit/profiles/test_black.py b/tests/unit/profiles/test_black.py index bd1835a6..3ae60d1e 100644 --- a/tests/unit/profiles/test_black.py +++ b/tests/unit/profiles/test_black.py @@ -392,12 +392,10 @@ def test_black_pyi_file(): import numpy as np -def add(a: np.ndarray, b: np.ndarray) -> np.ndarray: - ... +def add(a: np.ndarray, b: np.ndarray) -> np.ndarray: ... -def sub(a: np.ndarray, b: np.ndarray) -> np.ndarray: - ... +def sub(a: np.ndarray, b: np.ndarray) -> np.ndarray: ... """, """# comment @@ -408,12 +406,10 @@ def sub(a: np.ndarray, b: np.ndarray) -> np.ndarray: import numpy as np -def add(a: np.ndarray, b: np.ndarray) -> np.ndarray: - ... +def add(a: np.ndarray, b: np.ndarray) -> np.ndarray: ... -def sub(a: np.ndarray, b: np.ndarray) -> np.ndarray: - ... +def sub(a: np.ndarray, b: np.ndarray) -> np.ndarray: ... """, is_pyi=False, lines_before_imports=2, diff --git a/tests/unit/profiles/test_wemake.py b/tests/unit/profiles/test_wemake.py index 123eef05..bcfcf038 100644 
--- a/tests/unit/profiles/test_wemake.py +++ b/tests/unit/profiles/test_wemake.py @@ -3,6 +3,7 @@ Snippets are taken directly from the wemake-python-styleguide project here: https://github.com/wemake-services/wemake-python-styleguide """ + from functools import partial from ..utils import isort_test diff --git a/tests/unit/test_action_comments.py b/tests/unit/test_action_comments.py index 508db0d2..149639dc 100644 --- a/tests/unit/test_action_comments.py +++ b/tests/unit/test_action_comments.py @@ -1,4 +1,5 @@ """Tests for isort action comments, such as isort: skip""" + import isort diff --git a/tests/unit/test_api.py b/tests/unit/test_api.py index 7fe73ab9..4f17f16b 100644 --- a/tests/unit/test_api.py +++ b/tests/unit/test_api.py @@ -1,4 +1,5 @@ """Tests the isort API module""" + import os from io import StringIO from unittest.mock import MagicMock, patch diff --git a/tests/unit/test_importable.py b/tests/unit/test_importable.py index 617a9d99..61eeffd6 100644 --- a/tests/unit/test_importable.py +++ b/tests/unit/test_importable.py @@ -1,4 +1,5 @@ """Basic set of tests to ensure entire code base is importable""" + import pytest diff --git a/tests/unit/test_isort.py b/tests/unit/test_isort.py index 7b6743c7..e043125a 100644 --- a/tests/unit/test_isort.py +++ b/tests/unit/test_isort.py @@ -2,6 +2,7 @@ Should be ran using py.test by simply running py.test in the isort project directory """ + import os import os.path import subprocess diff --git a/tests/unit/test_place.py b/tests/unit/test_place.py index 11abdd66..c850c689 100644 --- a/tests/unit/test_place.py +++ b/tests/unit/test_place.py @@ -1,4 +1,5 @@ """Tests for the isort import placement module""" + from functools import partial from isort import place, sections diff --git a/tests/unit/test_regressions.py b/tests/unit/test_regressions.py index 69008b2d..a14a8d97 100644 --- a/tests/unit/test_regressions.py +++ b/tests/unit/test_regressions.py 
@@ -1,4 +1,5 @@ """A growing set of tests designed to ensure isort doesn't have regressions in new versions""" + from io import StringIO import pytest diff --git a/tests/unit/test_ticketed_features.py b/tests/unit/test_ticketed_features.py index 32eeb709..78654584 100644 --- a/tests/unit/test_ticketed_features.py +++ b/tests/unit/test_ticketed_features.py @@ -1,6 +1,7 @@ """A growing set of tests designed to ensure when isort implements a feature described in a ticket it fully works as defined in the associated ticket. """ + from functools import partial from io import StringIO From 1b81face2a634ccbbcbd6babb371ac2995165d10 Mon Sep 17 00:00:00 2001 From: Matthew Hughes Date: Thu, 5 Dec 2024 16:45:56 +0000 Subject: [PATCH 4/6] CI: use `pip` over `pipx for poetry install MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `pipx` is installed on all the runners by default, but using this means `pipx` is run with the system Python, and not the one installed with `steup-python`. This was noticed when e.g. the MacOS Python 3.9 job would report: creating virtual environment... creating shared libraries... upgrading shared libraries... installing poetry... done! ✨ 🌟 ✨ installed package poetry 1.3.1, installed using Python 3.13.0 These apps are now globally available - poetry Poetry (version 1.3.1) Python 3.13.0 is the system version pre-installed on these runners[1], and a similar pattern was seen on the Ubuntu and Windows runners. An alternative would be to add an install step for `pipx` but this feels simpler Link: https://github.com/actions/runner-images/blob/de16eefce8361c24c716958843d8c87cb1c25990/images/macos/macos-14-Readme.md [1] --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8c128230..6a29d9fc 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -64,7 +64,7 @@ jobs: - name: Install Poetry run: | - pipx install --pip-args=--constraint=.github/workflows/poetry-constraints.txt poetry + pip install --constraint=.github/workflows/poetry-constraints.txt poetry poetry --version - name: Install dependencies From 846b64dcff68bf2b399175958bddaa6e05c6b625 Mon Sep 17 00:00:00 2001 From: Matthew Hughes Date: Thu, 5 Dec 2024 16:56:27 +0000 Subject: [PATCH 5/6] Update `pip` for GitHub runner This is to address an error seen on some Python 3.12 runners: <-- SNIP --> File "/Library/Frameworks/Python.framework/Versions/3.12/lib/python3.12/site-packages/pip/_vendor/pkg_resources/__init__.py", line 2164, in register_finder(pkgutil.ImpImporter, find_on_path) ^^^^^^^^^^^^^^^^^^^ AttributeError: module 'pkgutil' has no attribute 'ImpImporter'. Did you mean: 'zipimporter'? ^^^^^^^^^^^^^^^^^^^ This looks to be the issue[1] fixed in Pip 23.2 so use that verison Link: https://github.com/pypa/pip/issues/11501 [1] --- .github/workflows/constraints.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/constraints.txt b/.github/workflows/constraints.txt index 249a21f6..b098a52d 100644 --- a/.github/workflows/constraints.txt +++ b/.github/workflows/constraints.txt @@ -1,2 +1,2 @@ -pip==22.3.1 +pip==23.2 virtualenv==20.17.1 From 6a83152941a983e092967c536f7d37eb30a1fdc9 Mon Sep 17 00:00:00 2001 From: Matthew Hughes Date: Sun, 8 Dec 2024 10:50:26 +0000 Subject: [PATCH 6/6] Update code to address `deepsource` errors It complained about an else-return issue[1] and some commented-out code Link: https://pylint.pycqa.org/en/latest/user_guide/messages/refactor/no-else-return.html [1] --- isort/deprecated/finders.py | 1 - isort/settings.py | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/isort/deprecated/finders.py b/isort/deprecated/finders.py index 45c85e71..4f99a5dc 100644 --- a/isort/deprecated/finders.py +++ b/isort/deprecated/finders.py 
@@ -233,7 +233,6 @@ def _load_mapping() -> Optional[Dict[str, str]]: import_name, _, pypi_name = line.strip().partition(":") mappings[pypi_name] = import_name return mappings - # return dict(tuple(line.strip().split(":")[::-1]) for line in f) def _load_names(self) -> List[str]: """Return list of thirdparty modules from requirements""" diff --git a/isort/settings.py b/isort/settings.py index 0a7211c6..7f66dc47 100644 --- a/isort/settings.py +++ b/isort/settings.py @@ -554,8 +554,7 @@ def is_supported_filetype(self, file_name: str) -> bool: line = fp.readline(100) except OSError: return False - else: - return bool(_SHEBANG_RE.match(line)) + return bool(_SHEBANG_RE.match(line)) def _check_folder_git_ls_files(self, folder: str) -> Optional[Path]: env = {**os.environ, "LANG": "C.UTF-8"}
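Review bot: the scripts/lint.sh hunk in patch 3/6 drops `--check` from the black invocation, which turns the lint script from a verification step into a formatting step: `poetry run black --target-version py38 .` rewrites files in the CI checkout and exits 0, so unformatted code no longer fails the job (the script's `set -euxo pipefail` only helps when black reports a non-zero status). Suggest keeping `--check` and adding `--diff` so the job fails and shows what would change, e.g. `poetry run black --target-version py38 --check --diff .`, which matches the `--check --diff` used by the isort lines right below it in the same script.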
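Review bot: the pyproject.toml hunk in patch 3/6 changes `black = ">=22.6.0"` to an exact `black = "24.3.0"`, while the neighbouring dev-dependencies in the same hunk keep `>=` floors (`bandit = ">=1.7.7"`, `colorama = ">=0.4.6"`). A floor of 24.x is justified because the reformatting in this commit depends on black's 24 stable style, but an exact pin means every future security bump of black needs a pyproject edit as well as a lock update. Consider `black = ">=24.3.0,<25"` (black's stability policy keeps the stable style fixed within a calendar-year major version) and let poetry.lock carry the exact version, or state in the commit message why the exact pin is wanted.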
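Review bot: the .github/workflows/test.yml hunk in patch 4/6 replaces `pipx install ... poetry` with `pip install --constraint=.github/workflows/poetry-constraints.txt poetry`, which fixes the interpreter mismatch described in the message but gives up the isolation pipx provided: poetry and its dependency tree now land in the same site-packages as the interpreter that setup-python installed, so they can collide with whatever the project installs next. Two small changes would make the fix robust: invoke it as `python -m pip install --constraint=... poetry` so a bare `pip` on PATH cannot resolve to a different interpreter for the same reason `pipx` did, and make sure the following "Install dependencies" step (visible as the hunk's trailing context) installs into a poetry-managed virtualenv rather than into that shared site-packages.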
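Review bot: the .github/workflows/constraints.txt hunk in patch 5/6 moves `pip==22.3.1` to `pip==23.2` but leaves `virtualenv==20.17.1` on the next line untouched; since the commit is motivated by a Python 3.12 incompatibility in pkg_resources, it is worth confirming that the 3.12 jobs also pass with that virtualenv version, or bumping it in the same change. An exact `==` pin is the right form for a constraints file, but a comment carrying the issue link from the commit message (the same convention patch 1/6 used for the safety ignores in scripts/lint.sh) would record why 23.2 was chosen and when the pin can be revisited.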
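Review bot: the isort/settings.py hunk in patch 6/6 is behaviour-preserving: the removed `else:` branch of the try/except only ran when `fp.readline(100)` raised nothing, which is exactly when control reaches the new `return bool(_SHEBANG_RE.match(line))`, and `line` is always bound on that path because the `except OSError` arm returns. The one thing to verify, since the hunk's context lines do not show the enclosing scope, is that the dedented `return` still sits inside the `with` block that opens `fp`, so the match happens before the file is closed and the function keeps a single exit for the shebang case.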