chore(deps): bump the pip group across 1 directory with 6 updates

[dependabot]

Bumps the pip group with 6 updates in the / directory:

Package	From	To
aiohttp	3.9.3	3.9.4
black	24.2.0	24.3.0
idna	3.4	3.7
langchain-core	0.1.26	0.1.35
pydantic	2.2.1	2.4.0
tqdm	4.66.1	4.66.3

Updates aiohttp from 3.9.3 to 3.9.4

Release notes

Sourced from aiohttp's releases.

3.9.4

Bug fixes

• The asynchronous internals now set the underlying causes when assigning exceptions to the future objects -- by :user:webknjaz.

  Related issues and pull requests on GitHub: #8089.

• Treated values of Accept-Encoding header as case-insensitive when checking for gzip files -- by :user:steverep.

  Related issues and pull requests on GitHub: #8104.

• Improved the DNS resolution performance on cache hit -- by :user:bdraco.

  This is achieved by avoiding an :mod:asyncio task creation in this case.

  Related issues and pull requests on GitHub: #8163.

• Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append, :meth:aiohttp.MultipartWriter.append_json and :meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny

  Related issues and pull requests on GitHub: #7741.

• Ensure websocket transport is closed when client does not close it -- by :user:bdraco.

  The transport could remain open if the client did not close it. This change ensures the transport is closed when the client does not close it.

... (truncated)

Changelog

Sourced from aiohttp's changelog.

3.9.4 (2024-04-11)

Bug fixes

• The asynchronous internals now set the underlying causes when assigning exceptions to the future objects -- by :user:webknjaz.

  Related issues and pull requests on GitHub: :issue:8089.

• Treated values of Accept-Encoding header as case-insensitive when checking for gzip files -- by :user:steverep.

  Related issues and pull requests on GitHub: :issue:8104.

• Improved the DNS resolution performance on cache hit -- by :user:bdraco.

  This is achieved by avoiding an :mod:asyncio task creation in this case.

  Related issues and pull requests on GitHub: :issue:8163.

• Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append, :meth:aiohttp.MultipartWriter.append_json and :meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny

  Related issues and pull requests on GitHub: :issue:7741.

• Ensure websocket transport is closed when client does not close it -- by :user:bdraco.

  The transport could remain open if the client did not close it. This change ensures the transport is closed when the client does not close it.

... (truncated)

Commits

• b3397c7 Release v3.9.4 (#8201)
• a7e240a [PR #8320/9ba9a4e5 backport][3.9] Fix Python parser to mark responses without...
• 2833552 Escape filenames and paths in HTML when generating index pages (#8317) (#8319)
• ed43040 [PR #8309/c29945a1 backport][3.9] Improve reliability of run_app test (#8315)
• ec2be05 [PR #8299/28d026eb backport][3.9] Create marker for internal tests (#8307)
• 292d961 [PR #8304/88c80c14 backport][3.9] Check for backports in CI (#8305)
• cebe526 Fix handling of multipart/form-data (#8280) (#8302)
• 270ae9c [PR #8297/d15f07cf backport][3.9] Upgrade to llhttp 9.2.1 (#8292) (#8298)
• bb23105 [PR #8283/54e13b0a backport][3.9] Fix blocking I/O in the event loop while pr...
• 3f79241 [PR #8286/28f1fd88 backport][3.9] docs: remove repetitive word in comment (#8...
• Additional commits viewable in compare view

Updates black from 24.2.0 to 24.3.0

Release notes

Sourced from black's releases.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

• Don't move comments along with delimiters, which could cause crashes (#4248)
• Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
• Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

• Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

• Note what happens when --check is used with --quiet (#4236)

Changelog

Sourced from black's changelog.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

• Don't move comments along with delimiters, which could cause crashes (#4248)
• Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
• Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

• Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

• Note what happens when --check is used with --quiet (#4236)

Commits

• 552baf8 Prepare release 24.3.0 (#4279)
• f000936 Fix catastrophic performance in lines_with_leading_tabs_expanded() (#4278)
• 7b5a657 Fix --line-ranges behavior when ranges are at EOF (#4273)
• 1abcffc Use regex where we ignore case on windows (#4252)
• 719e674 Fix 4227: Improve documentation for --quiet --check (#4236)
• e5510af update plugin url for Thonny (#4259)
• 6af7d11 Fix AST safety check false negative (#4270)
• f03ee11 Ensure blib2to3.pygram is initialized before use (#4224)
• e4bfedb fix: Don't move comments while splitting delimiters (#4248)
• d0287e1 Make trailing comma logic more concise (#4202)
• Additional commits viewable in compare view

Updates idna from 3.4 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

3.6 (2023-11-25) ++++++++++++++++

• Fix regression to include tests in source distribution.

3.5 (2023-11-24) ++++++++++++++++

• Update to Unicode 15.1.0
• String codec name is now "idna2008" as overriding the system codec "idna" was not working.
• Fix typing error for codec encoding
• "setup.cfg" has been added for this release due to some downstream lack of adherence to PEP 517. Should be removed in a future release so please prepare accordingly.
• Removed reliance on a symlink for the "idna-data" tool to comport with PEP 517 and the Python Packaging User Guide for sdist archives.
• Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions to this release.

Commits

• 1d365e1 Release v3.7
• c1b3154 Merge pull request #172 from kjd/optimize-contextj
• 0394ec7 Merge branch 'master' into optimize-contextj
• cd58a23 Merge pull request #152 from elliotwutingfeng/dev
• 5beb28b More efficient resolution of joiner contexts
• 1b12148 Update ossf/scorecard-action to v2.3.1
• d516b87 Update Github actions/checkout to v4
• c095c75 Merge branch 'master' into dev
• 60a0a4c Fix typo in GitHub Actions workflow key
• 5918a0e Merge branch 'master' into dev
• Additional commits viewable in compare view

Updates langchain-core from 0.1.26 to 0.1.35

Commits

• See full diff in compare view

Updates pydantic from 2.2.1 to 2.4.0

Release notes

Sourced from pydantic's releases.

v2.4.0 2023-09-25

What's Changed

Packaging

• Update pydantic-core to 2.10.0 by @​samuelcolvin in #7542

New Features

• Add Base64Url types by @​dmontagu in #7286
• Implement optional number to str coercion by @​lig in #7508
• Allow access to field_name and data in all validators if there is data and a field name by @​samuelcolvin in #7542
• Add BaseModel.model_validate_strings and TypeAdapter.validate_strings by @​hramezani in #7552
• Add Pydantic plugins experimental implementation by @​lig @​samuelcolvin and @​Kludex in #6820

Changes

• Do not override model_post_init in subclass with private attrs by @​Viicos in #7302
• Make fields with defaults not required in the serialization schema by default by @​dmontagu in #7275
• Mark Extra as deprecated by @​disrupted in #7299
• Make EncodedStr a dataclass by @​Kludex in #7396
• Move annotated_handlers to be public by @​samuelcolvin in #7569

Performance

• Simplify flattening and inlining of CoreSchema by @​adriangb in #7523
• Remove unused copies in CoreSchema walking by @​adriangb in #7528
• Add caches for collecting definitions and invalid schemas from a CoreSchema by @​adriangb in #7527
• Eagerly resolve discriminated unions and cache cases where we can't by @​adriangb in #7529
• Replace dict.get and dict.setdefault with more verbose versions in CoreSchema building hot paths by @​adriangb in #7536
• Cache invalid CoreSchema discovery by @​adriangb in #7535
• Allow disabling CoreSchema validation for faster startup times by @​adriangb in #7565

Fixes

• Fix config detection for TypedDict from grandparent classes by @​dmontagu in #7272
• Fix hash function generation for frozen models with unusual MRO by @​dmontagu in #7274
• Make strict config overridable in field for Path by @​hramezani in #7281
• Use ser_json_<timedelta|bytes> on default in GenerateJsonSchema by @​Kludex in #7269
• Adding a check that alias is validated as an identifier for Python by @​andree0 in #7319
• Raise an error when computed field overrides field by @​sydney-runkle in #7346
• Fix applying SkipValidation to referenced schemas by @​adriangb in #7381
• Enforce behavior of private attributes having double leading underscore by @​lig in #7265
• Standardize __get_pydantic_core_schema__ signature by @​hramezani in #7415
• Fix generic dataclass fields mutation bug (when using TypeAdapter) by @​sydney-runkle in #7435
• Fix TypeError on model_validator in wrap mode by @​pmmmwh in #7496
• Improve enum error message by @​hramezani in #7506
• Make repr work for instances that failed initialization when handling ValidationErrors by @​dmontagu in #7439
• Fixed a regular expression denial of service issue by limiting whitespaces by @​prodigysml in #7360
• Fix handling of UUID values having UUID.version=None by @​lig in #7566

... (truncated)

Changelog

Sourced from pydantic's changelog.

v2.4.0 (2023-09-22)

GitHub release

What's Changed

Packaging

• Update pydantic-core to 2.10.0 by @​samuelcolvin in #7542

New Features

• Add Base64Url types by @​dmontagu in #7286
• Implement optional number to str coercion by @​lig in #7508
• Allow access to field_name and data in all validators if there is data and a field name by @​samuelcolvin in #7542
• Add BaseModel.model_validate_strings and TypeAdapter.validate_strings by @​hramezani in #7552
• Add Pydantic plugins experimental implementation by @​lig @​samuelcolvin and @​Kludex in #6820

Changes

• Do not override model_post_init in subclass with private attrs by @​Viicos in #7302
• Make fields with defaults not required in the serialization schema by default by @​dmontagu in #7275
• Mark Extra as deprecated by @​disrupted in #7299
• Make EncodedStr a dataclass by @​Kludex in #7396
• Move annotated_handlers to be public by @​samuelcolvin in #7569

Performance

• Simplify flattening and inlining of CoreSchema by @​adriangb in #7523
• Remove unused copies in CoreSchema walking by @​adriangb in #7528
• Add caches for collecting definitions and invalid schemas from a CoreSchema by @​adriangb in #7527
• Eagerly resolve discriminated unions and cache cases where we can't by @​adriangb in #7529
• Replace dict.get and dict.setdefault with more verbose versions in CoreSchema building hot paths by @​adriangb in #7536
• Cache invalid CoreSchema discovery by @​adriangb in #7535
• Allow disabling CoreSchema validation for faster startup times by @​adriangb in #7565

Fixes

• Fix config detection for TypedDict from grandparent classes by @​dmontagu in #7272
• Fix hash function generation for frozen models with unusual MRO by @​dmontagu in #7274
• Make strict config overridable in field for Path by @​hramezani in #7281
• Use ser_json_<timedelta|bytes> on default in GenerateJsonSchema by @​Kludex in #7269
• Adding a check that alias is validated as an identifier for Python by @​andree0 in #7319
• Raise an error when computed field overrides field by @​sydney-runkle in #7346
• Fix applying SkipValidation to referenced schemas by @​adriangb in #7381
• Enforce behavior of private attributes having double leading underscore by @​lig in #7265
• Standardize __get_pydantic_core_schema__ signature by @​hramezani in #7415
• Fix generic dataclass fields mutation bug (when using TypeAdapter) by @​sydney-runkle in #7435
• Fix TypeError on model_validator in wrap mode by @​pmmmwh in #7496
• Improve enum error message by @​hramezani in #7506

... (truncated)

Commits

• 1f59075 fix unintentional drop of character in HISTORY (#7600)
• 7183c3e adding mkdocs_run_deps to docs (#7602)
• cd44ac1 Add missing @​Kludex mention to the HISTORY.md (#7603)
• 6136b9a Prepare release 2.4.0 (#7568)
• 389c074 Revert unecessary regex change from e4393ae (#7599)
• 4279fc5 WIP fixing redirects (#7596)
• 829af25 Improvements to version info message (#7594)
• cc4b8c2 Small improvements to import performance (#7590)
• 0af0cc3 revert plugin performance regression (#7589)
• 0c760c0 improve formatting of generated release notes (#7592)
• Additional commits viewable in compare view

Updates tqdm from 4.66.1 to 4.66.3

Release notes

Sourced from tqdm's releases.

tqdm v4.66.3 stable

• cli: eval safety (fixes CVE-2024-34062, GHSA-g7vv-2v7x-gj9p)

tqdm v4.66.2 stable

• pandas: add DataFrame.progress_map (#1549)
• notebook: fix HTML padding (#1506)
• keras: fix resuming training when verbose>=2 (#1508)
• fix format_num negative fractions missing leading zero (#1548)
• fix Python 3.12 DeprecationWarning on import (#1519)
• linting: use f-strings (#1549)
• update tests (#1549)
  • fix pandas warnings
  • fix asv (airspeed-velocity/asv#1323)
  • fix macos notebook docstring indentation
• CI: bump actions (#1549)

Commits

• 4e613f8 Merge pull request from GHSA-g7vv-2v7x-gj9p
• b53348c cli: eval safety
• cc372d0 bump version, merge pull request #1549 from tqdm/devel
• e9f0c05 use PyPI trusted publishing
• 7323d5b slight makefile clean
• 5306125 tests: bump pre-commit
• 4a6fd4f fix datetime.utcfromtimestamp py3.12 warning (#1519)
• 6f13759 tests: fix macos notebook indentation
• 3abcd2a tests: fix asv
• a4d15c8 tests: fix pandas warnings
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Configured Codepaths Analyzer	✅	0 findings
Sensitive Files Analyzer	❕	1 finding
Authn/Authz Analyzer	✅	0 findings
AppSec Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖.
Note that this summary is auto-generated and not meant to be a definitive list of security issues
but rather a helpful summary from a security perspective.

Summary:

The changes in this pull request focus on updating the Python dependencies listed in the requirements.txt file. The key updates include:

1. Upgrading the aiohttp library from version 3.9.3 to 3.9.4.
2. Updating the black code formatter from version 24.2.0 to 24.3.0.
3. Upgrading the idna library from version 3.4 to 3.7.
4. Updating the langchain-core library from version 0.1.26 to 0.1.35.
5. Upgrading the pydantic library from version 2.2.1 to 2.4.0.
6. Updating the tqdm progress bar library from version 4.66.1 to 4.66.3.

From an application security perspective, these updates are generally positive, as they likely include bug fixes and security improvements. However, it's important to review the release notes for each updated dependency to ensure that there are no known security vulnerabilities introduced by the new versions.

The update to the pydantic library is particularly noteworthy, as it is a key component for data validation and serialization in many Python applications, including the FastAPI framework used in this project. Upgrading to the latest version of pydantic can help ensure that the application is using the most secure and feature-rich version of this library.

Overall, the changes in this pull request appear to be routine updates to the project's dependencies, which is a good practice to maintain the security and stability of the application.

Files Changed:

• requirements.txt: This file has been updated to include the latest versions of the Python dependencies used in the project.

Powered by DryRun Security

[dependabot]

Superseded by #29.