build(deps): bump the pip group across 3 directories with 10 updates

[dependabot]

Bumps the pip group with 6 updates in the /autogpts/autogpt directory:

Package	From	To
orjson	3.9.10	3.9.15
pillow	10.1.0	10.3.0
black	23.12.0	24.3.0
aiohttp	3.9.1	3.9.2
fonttools	4.46.0	4.50.0
jinja2	3.1.2	3.1.3
Bumps the pip group with 6 updates in the /autogpts/forge directory:

Package	From	To
pillow	10.1.0	10.3.0
black	23.12.0	24.3.0
aiohttp	3.9.1	3.9.2
fonttools	4.46.0	4.50.0
jinja2	3.1.2	3.1.3
urllib3	2.1.0	2.2.1
Bumps the pip group with 8 updates in the /benchmark directory:

Package	From	To
fastapi	0.99.1	0.109.1
pillow	10.0.1	10.3.0
black	22.3.0	24.3.0
aiohttp	3.8.5	3.9.2
fonttools	4.42.1	4.43.0
jinja2	3.1.2	3.1.3
python-multipart	0.0.6	0.0.7
urllib3	2.0.5	2.0.7

Updates orjson from 3.9.10 to 3.9.15

Release notes

Sourced from orjson's releases.

3.9.15

Fixed

• Implement recursion limit of 1024 on orjson.loads().
• Use byte-exact read on str formatting SIMD path to avoid crash.

3.9.14

Fixed

• Fix crash serializing str introduced in 3.9.11.

Changed

• Build now depends on Rust 1.72 or later.

3.9.13

Fixed

• Serialization str escape uses only 128-bit SIMD.
• Fix compatibility with CPython 3.13 alpha 3.

Changed

• Publish musllinux_1_2 instead of musllinux_1_1 wheels.
• Serialization uses small integer optimization in CPython 3.12 or later.

3.9.12

Fixed

• Minimal musllinux_1_1 build due to sporadic CI failure.

Changed

• Update benchmarks in README.

3.9.11

Changed

• Improve performance of serializing. str is significantly faster. Documents using dict, list, and tuple are somewhat faster.

Changelog

Sourced from orjson's changelog.

3.9.15 - 2024-02-23

Fixed

• Implement recursion limit of 1024 on orjson.loads().
• Use byte-exact read on str formatting SIMD path to avoid crash.

3.9.14 - 2024-02-14

Fixed

• Fix crash serializing str introduced in 3.9.11.

Changed

• Build now depends on Rust 1.72 or later.

3.9.13 - 2024-02-03

Fixed

• Serialization str escape uses only 128-bit SIMD.
• Fix compatibility with CPython 3.13 alpha 3.

Changed

• Publish musllinux_1_2 instead of musllinux_1_1 wheels.
• Serialization uses small integer optimization in CPython 3.12 or later.

3.9.12 - 2024-01-18

Changed

• Update benchmarks in README.

Fixed

• Minimal musllinux_1_1 build due to sporadic CI failure.

3.9.11 - 2024-01-18

Changed

• Improve performance of serializing. str is significantly faster. Documents using dict, list, and tuple are somewhat faster.

Commits

• a348f59 3.9.15
• b0e4d2c yyjson 0eca326, recursion limit
• 5067ead impl_escape_unchecked() byte exact read
• e04ea73 cargo update, build misc
• ba8c701 3.9.14
• a2f7b7b impl_format_simd!() lift create from loop, rotate left
• 528220f format_escaped_str() fast and slow paths depending on page boundary
• 29884e6 Fix buffer overread in format_escaped_str
• c825472 cargo update
• 4eb4f00 3.9.13
• Additional commits viewable in compare view

Updates pillow from 10.1.0 to 10.3.0

Release notes

Sourced from pillow's releases.

10.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html

Changes

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [@​hugovk]
• Use functools.lru_cache for hopper() #7912 [@​hugovk]
• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [@​radarhere]
• Improve speed of loading QOI images #7925 [@​radarhere]
• Added RGB to I;16N conversion #7920 [@​radarhere]
• Add --report argument to main.py to omit supported formats #7818 [@​nulano]
• Added RGB to I;16, I;16L and I;16B conversion #7918 [@​radarhere]
• Fix editable installation with custom build backend and configuration options #7658 [@​nulano]
• Fix putdata() for I;16N on big-endian #7209 [@​Yay295]
• Determine MPO size from markers, not EXIF data #7884 [@​radarhere]
• Improved conversion from RGB to RGBa, LA and La #7888 [@​radarhere]
• Support FITS images with GZIP_1 compression #7894 [@​radarhere]
• Use I;16 mode for 9-bit JPEG 2000 images #7900 [@​scaramallion]
• Raise ValueError if kmeans is negative #7891 [@​radarhere]
• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [@​radarhere]
• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [@​radarhere]
• Added reading of JPEG2000 palettes #7870 [@​radarhere]
• Added alpha_quality argument when saving WebP images #7872 [@​radarhere]
• Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions #7881 [@​radarhere]
• Removed Python and NumPy pinning on Cygwin #7880 [@​radarhere]
• Update UnidentifiedImageError and version imports #7644 [@​radarhere]
• Stop reading EPS image at EOF marker #7753 [@​radarhere]
• PSD layer co-ordinates may be negative #7706 [@​radarhere]
• Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer #7791 [@​radarhere]
• When saving GIF frame that restores to background color, do not fill identical pixels #7788 [@​radarhere]
• Fixed reading PNG iCCP compression method #7823 [@​radarhere]
• Allow writing IFDRational to UNDEFINED tag #7840 [@​radarhere]
• Fix logged tag name when loading Exif data #7842 [@​radarhere]
• Use maximum frame size in IHDR chunk when saving APNG images #7821 [@​radarhere]
• Prevent opening P TGA images without a palette #7797 [@​radarhere]
• Use palette when loading ICO images #7798 [@​radarhere]
• Use consistent arguments for load_read and load_seek #7713 [@​radarhere]
• Turn off nullability warnings for macOS SDK #7827 [@​radarhere]
• Fix shift-sign issue in Convert.c #7838 [@​r-barnes]
• winbuild: Refactor dependency versions into constants #7843 [@​hugovk]
• Build macOS arm64 wheels natively #7852 [@​radarhere]
• Fixed typo #7855 [@​radarhere]
• Open 16-bit grayscale PNGs as I;16 #7849 [@​radarhere]
• Handle truncated chunks at the end of PNG images #7709 [@​lajiyuan]
• Match mask size to pasted image size in GifImagePlugin #7779 [@​radarhere]
• Changed SupportsGetMesh protocol to be public #7841 [@​radarhere]
• Release GIL while calling WebPAnimDecoderGetNext #7782 [@​evanmiller]
• Fixed reading FLI/FLC images with a prefix chunk #7804 [@​twolife]
• Updated package name for Tidelift #7810 [@​radarhere]
• Removed unused code #7744 [@​radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

10.3.0 (2024-04-01)

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [radarhere, hugovk]

• Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() #7927 [radarhere, hugovk]

• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [radarhere]

• Add --report argument to __main__.py to omit supported formats #7818 [nulano, radarhere, hugovk]

• Added RGB to I;16, I;16L, I;16B and I;16N conversion #7918, #7920 [radarhere]

• Fix editable installation with custom build backend and configuration options #7658 [nulano, radarhere]

• Fix putdata() for I;16N on big-endian #7209 [Yay295, hugovk, radarhere]

• Determine MPO size from markers, not EXIF data #7884 [radarhere]

• Improved conversion from RGB to RGBa, LA and La #7888 [radarhere]

• Support FITS images with GZIP_1 compression #7894 [radarhere]

• Use I;16 mode for 9-bit JPEG 2000 images #7900 [scaramallion, radarhere]

• Raise ValueError if kmeans is negative #7891 [radarhere]

• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [radarhere]

• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [radarhere]

• Added reading of JPEG2000 palettes #7870 [radarhere]

• Added alpha_quality argument when saving WebP images #7872 [radarhere]

... (truncated)

Commits

• 5c89d88 10.3.0 version bump
• 63cbfcf Update CHANGES.rst [ci skip]
• 2776126 Merge pull request #7928 from python-pillow/lcms
• aeb51cb Merge branch 'main' into lcms
• 5beb0b6 Update CHANGES.rst [ci skip]
• cac6ffa Merge pull request #7927 from python-pillow/imagemath
• f5eeeac Name as 'options' in lambda_eval and unsafe_eval, but '_dict' in deprecated eval
• facf3af Added release notes
• 2a93aba Use strncpy to avoid buffer overflow
• a670597 Update CHANGES.rst [ci skip]
• Additional commits viewable in compare view

Updates black from 23.12.0 to 24.3.0

Release notes

Sourced from black's releases.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

• Don't move comments along with delimiters, which could cause crashes (#4248)
• Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
• Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

• Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

• Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

• Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

• Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
• Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
• Checking for newline before adding one on docstring that is almost at the line limit (#4185)
• Remove redundant parentheses in case statement if guards (#4214).

Configuration

... (truncated)

Changelog

Sourced from black's changelog.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

• Don't move comments along with delimiters, which could cause crashes (#4248)
• Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
• Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

• Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

• Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

• Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

• Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
• Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
• Checking for newline before adding one on docstring that is almost at the line limit (#4185)
• Remove redundant parentheses in case statement if guards (#4214).

... (truncated)

Commits

• 552baf8 Prepare release 24.3.0 (#4279)
• f000936 Fix catastrophic performance in lines_with_leading_tabs_expanded() (#4278)
• 7b5a657 Fix --line-ranges behavior when ranges are at EOF (#4273)
• 1abcffc Use regex where we ignore case on windows (#4252)
• 719e674 Fix 4227: Improve documentation for --quiet --check (#4236)
• e5510af update plugin url for Thonny (#4259)
• 6af7d11 Fix AST safety check false negative (#4270)
• f03ee11 Ensure blib2to3.pygram is initialized before use (#4224)
• e4bfedb fix: Don't move comments while splitting delimiters (#4248)
• d0287e1 Make trailing comma logic more concise (#4202)
• Additional commits viewable in compare view

Updates aiohttp from 3.9.1 to 3.9.2

Release notes

Sourced from aiohttp's releases.

3.9.2

Bug fixes

• Fixed server-side websocket connection leak.

  Related issues and pull requests on GitHub: #7978.

• Fixed web.FileResponse doing blocking I/O in the event loop.

  Related issues and pull requests on GitHub: #8012.

• Fixed double compress when compression enabled and compressed file exists in server file responses.

  Related issues and pull requests on GitHub: #8014.

• Added runtime type check for ClientSession timeout parameter.

  Related issues and pull requests on GitHub: #8021.

• Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

  Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected. Invalid header field names containing question mark or slash are now rejected. Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

  Related issues and pull requests on GitHub: #8074.

• Improved validation of paths for static resources requests to the server -- by :user:bdraco.

... (truncated)

Changelog

Sourced from aiohttp's changelog.

3.9.2 (2024-01-28)

Bug fixes

• Fixed server-side websocket connection leak.

  Related issues and pull requests on GitHub: :issue:7978.

• Fixed web.FileResponse doing blocking I/O in the event loop.

  Related issues and pull requests on GitHub: :issue:8012.

• Fixed double compress when compression enabled and compressed file exists in server file responses.

  Related issues and pull requests on GitHub: :issue:8014.

• Added runtime type check for ClientSession timeout parameter.

  Related issues and pull requests on GitHub: :issue:8021.

• Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

  Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected. Invalid header field names containing question mark or slash are now rejected. Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

  Related issues and pull requests on GitHub: :issue:8074.

... (truncated)

Commits

• 24a6d64 Release v3.9.2 (#8082)
• 9118a58 [PR #8079/1c335944 backport][3.9] Validate static paths (#8080)
• 435ad46 [PR #3955/8960063e backport][3.9] Replace all tmpdir fixtures with tmp_path (...
• d33bc21 Improve validation in HTTP parser (#8074) (#8078)
• 0d945d1 [PR #7916/822fbc74 backport][3.9] Add more information to contributing page (...
• 3ec4fa1 [PR #8069/69bbe874 backport][3.9] 📝 Only show changelog draft for non-release...
• 419d715 [PR #8066/cba34699 backport][3.9] 💅📝 Restructure the changelog for clarity (#...
• a54dab3 [PR #8049/a379e634 backport][3.9] Set cause for ClientPayloadError (#8050)
• 437ac47 [PR #7995/43a5bc50 backport][3.9] Fix examples of fallback_charset_resolver...
• 034e5e3 [PR #8042/4b91b530 backport][3.9] Tightening the runtime type check for ssl (...
• Additional commits viewable in compare view

Updates fonttools from 4.46.0 to 4.50.0

Release notes

Sourced from fonttools's releases.

4.49.0

• [otlLib] Add API for building MATH table (#3446)

4.48.1

• Fixed uploading wheels to PyPI, no code changes since v4.48.0.

4.48.0

• [varLib] Do not log when there are no OTL tables to be merged.
• [setup.py] Do not restrict lxml=5.
• [feaLib] Remove glyph and class names length restrictions in FEA (#3424).
• [roundingPens] Added transformRoundFunc parameter to the rounding pens to allow for custom rounding of the components' transforms (#3426).
• [feaLib] Keep declaration order of ligature components within a ligature set, instead of sorting by glyph name (#3429).
• [feaLib] Fixed ordering of alternates in aalt lookups, following the declaration order of feature references within the aalt feature block (#3430).
• [varLib.instancer] Fixed a bug in the instancer's IUP optimization (#3432).
• [sbix] Support sbix glyphs with new graphicType "flip" (#3433).
• [svgPathPen] Added --glyphs option to dump the SVG paths for the named glyphs in the font (0572f78).
• [designspaceLib] Added "description" attribute to <mappings> and <mapping> elements, and allow multiple <mappings> elements to group <mapping> elements that are logically related (#3435, #3437).
• [otlLib] Correctly choose the most compact GSUB contextual lookup format (#3439).

4.47.2

Minor release to fix uploading wheels to PyPI.

4.47.1

• [merge] Improve help message and add standard command line options (#3408)
• [otlLib] Pass ttFont to name.addName in buildStatTable (#3406)
• [featureVars] Re-use FeatureVariationRecords when possible (#3413)

4.47.0

• [varLib.models] New API for VariationModel: getMasterScalars and interpolateFromValuesAndScalars.
• [varLib.interpolatable] Various bugfixes and rendering improvements. In particular, add a Summary page in the front, and an Index and Table-of-Contents in the back. Change the page size to Letter.
• [Docs/designspaceLib] Defined a new public.fontInfo lib key, not used anywhere yet (#3358).

Changelog

Sourced from fonttools's changelog.

4.50.0 (released 2024-03-15)

• [pens] Added decomposing filter pens that draw components as regular contours (#3460).
• [instancer] Drop explicit no-op axes from TupleVariations (#3457).
• [cu2qu/ufo] Return set of modified glyph names from fonts_to_quadratic (#3456).

4.49.0 (released 2024-02-15)

• [otlLib] Add API for building MATH table (#3446)

4.48.1 (released 2024-02-06)

• Fixed uploading wheels to PyPI, no code changes since v4.48.0.

4.48.0 (released 2024-02-06)

• [varLib] Do not log when there are no OTL tables to be merged.
• [setup.py] Do not restrict lxml=5.
• [feaLib] Remove glyph and class names length restrictions in FEA (#3424).
• [roundingPens] Added transformRoundFunc parameter to the rounding pens to allow for custom rounding of the components' transforms (#3426).
• [feaLib] Keep declaration order of ligature components within a ligature set, instead of sorting by glyph name (#3429).
• [feaLib] Fixed ordering of alternates in aalt lookups, following the declaration order of feature references within the aalt feature block (#3430).
• [varLib.instancer] Fixed a bug in the instancer's IUP optimization (#3432).
• [sbix] Support sbix glyphs with new graphicType "flip" (#3433).
• [svgPathPen] Added --glyphs option to dump the SVG paths for the named glyphs in the font (0572f78).
• [designspaceLib] Added "description" attribute to <mappings> and <mapping> elements, and allow multiple <mappings> elements to group <mapping> elements that are logically related (#3435, #3437).
• [otlLib] Correctly choose the most compact GSUB contextual lookup format (#3439).

4.47.2 (released 2024-01-11)

Minor release to fix uploading wheels to PyPI.

4.47.1 (released 2024-01-11)

• [merge] Improve help message and add standard command line options (#3408)
• [otlLib] Pass ttFont to name.addName in buildStatTable (#3406)
• [featureVars] Re-use FeatureVariationRecord's when possible (#3413)

... (truncated)

Commits

• 10dd8b4 Release 4.50.0
• 8e52153 Update NEWS.rst [skip ci]
• 3e949ed recordingPen: add DecomposingRecordingPointPen to all list for star imports
• 0f06cba Merge pull request #3455 from fonttools/pyup-scheduled-update-2024-02-26
• 0f9b40d Merge branch 'main' into pyup-scheduled-update-2024-02-26
• 974fa0c Merge pull request #3459 from fonttools/dependabot/github_actions/pypa/gh-act...
• a3b9edd Merge pull request #3460 from fonttools/decompose-filter-pen
• f15857c filterPen_test: add tests for decomposing filter pens
• d84c74c [filterPen] add decomposing filter pens
• cccc358 [recordingPen] Add DecomposingRecordingPointPen, test new decomposing pen opt...
• Additional commits viewable in compare view

Updates jinja2 from 3.1.2 to 3.1.3

Release notes

Sourced from jinja2's releases.

3.1.3

This is a fix release for the 3.1.x feature branch.

• Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.
• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-3
• Milestone: https://github.com/pallets/jinja/milestone/15?closed=1

Changelog

Sourced from jinja2's changelog.

Version 3.1.3

Released 2024-01-10

• Fix compiler error when checking if required blocks in parent templates are empty. :pr:1858
• xmlattr filter does not allow keys with spaces. GHSA-h5c8-rqwp-cp95
• Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. :pr:1918

Commits

• d9de4bb release version 3.1.3
• 50124e1 skip test pypi
• 9ea7222 use trusted publishing
• da703f7 use trusted publishing
• bce1746 use trusted publishing
• 7277d80 update pre-commit hooks
• 5c8a105 Make nested-trans-block exceptions nicer (#1918)
• 19a55db Make nested-trans-block exceptions nicer
• 7167953 Merge pull request from GHSA-h5c8-rqwp-cp95
• 7dd3680 xmlattr filter disallows keys with spaces
• Additional commits viewable in compare view

Updates pillow from 10.1.0 to 10.3.0

Release notes

Sourced from pillow's releases.

10.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html

Changes

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [@​hugovk]
• Use functools.lru_cache for hopper() #7912 [@​hugovk]
• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [@​radarhere]
• Improve speed of loading QOI images #7925 [@​radarhere]
• Added RGB to I;16N conversion #7920 [@​radarhere]
• Add --report argument to main.py to omit supported formats #7818 [@​nulano]
• Added RGB to I;16, I;16L and I;16B conversion #7918 [@​radarhere]
• Fix editable installation with custom build backend and configuration options #7658 [@​nulano]
• Fix putdata() for I;16N on big-endian #7209 [@​Yay295]
• Determine MPO size from markers, not EXIF data #7884 [@​radarhere]
• Improved conversion from RGB to RGBa, LA and La #7888 [@​radarhere]
• Support FITS images with GZIP_1 compression #7894 [@​radarhere]
• Use I;16 mode for 9-bit JPEG 2000 images #7900 [@​scaramallion]
• Raise ValueError if kmeans is negative #7891 [@​radarhere]
• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [@​radarhere]
• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [@​radarhere]
• Added reading of JPEG2000 palettes #7870 [@​radarhere]
• Added alpha_quality argument when saving WebP images #7872 [@​radarhere]
• Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions #7881 [@​radarhere]
• Removed Python and NumPy pinning on Cygwin #7880 [@​radarhere]
• Update UnidentifiedImageError and version imports #7644 [@​radarhere]
• Stop reading EPS image at EOF marker #7753 [@​radarhere]
• PSD layer co-ordinates may be negative #7706 [@​radarhere]
• Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer #7791 [@​radarhere]
• When saving GIF frame that restores to background color, do not fill identical pixels #7788 [@​radarhere]
• Fixed reading PNG iCCP compression method #7823 [@​radarhere]
• Allow writing IFDRational to UNDEFINED tag #7840 [@​radarhere]
• Fix logged tag name when loading Exif data #7842 [@​radarhere]
• Use maximum frame size in IHDR chunk when saving APNG images #7821 [@​radarhere]
• Prevent opening P TGA images without a palette #7797 [@​radarhere]
• Use palette when loading ICO images #7798 [@​radarhere]
• Use consistent arguments for load_read and load_seek #7713 [@​radarhere]
• Turn off nullability warnings for macOS SDK #7827 [@​radarhere]
• Fix shift-sign issue in Convert.c #7838 [@​r-barnes]
• winbuild: Refactor dependency versions into constants #7843 [@​hugovk]
• Build macOS arm64 wheels natively #7852 [@​radarhere]
• Fixed typo #7855 [@​radarhere]
• Open 16-bit grayscale PNGs as I;16 #7849 [@​radarhere]
• Handle truncated chunks at the end of PNG images #7709 [@​lajiyuan]
• Match mask size to pasted image size in GifImagePlugin #7779 [@​radarhere]
• Changed SupportsGetMesh protocol to be public #7841 [@​radarhere]
• Release GIL while calling WebPAnimDecoderGetNext #7782 [@​evanmiller]
• Fixed reading FLI/FLC images with a prefix chunk #7804 [@​twolife]
• Updated package name for Tidelift #7810 [@​radarhere]
• Removed unused code #7744 [@​radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

10.3.0 (2024-04-01)

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [radarhere, hugovk]

• Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() #7927 [radarhere, hugovk]

• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [radarhere]

• Add --report argument to __main__.py to omit supported formats #7818 [nulano, radarhere, hugovk]

• Added RGB to I;16, I;16L, I;16B and I;16N conversion #7918, #7920 [radarhere]

• Fix editable installation with custom build backend and configuration options #7658 [nulano, radarhere]

• Fix putdata() for I;16N on big-endian #7209 [Yay295, hugovk, radarhere]

• Determine MPO size from markers, not EXIF data #7884 [radarhere]

• Improved conversion from RGB to RGBa, LA and La #7888 [radarhere]

• Support FITS images with GZIP_1 compression #7894 [radarhere]

• Use I;16 mode for 9-bit JPEG 2000 images #7900 [scaramallion, radarhere]

• Raise ValueError if kmeans is negative #7891 [radarhere]

• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [radarhere]

• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [radarhere]

• Added reading of JPEG2000 palettes #7870 [radarhere]

• Added alpha_quality argument when saving WebP images #7872 [radarhere]

... (truncated)

Commits

• 5c89d88 10.3.0 version bump
• 63cbfcf Update CHANGES.rst [ci skip]
• 2776126 Merge pull request #7928 from python-pillow/lcms
• aeb51cb Merge branch 'main' into lcms
• 5beb0b6 Update CHANGES.rst [ci skip]
• cac6ffa Merge pull request #7927 from python-pillow/imagemath
• f5eeeac Name as 'options' in lambda_eval and unsafe_eval, but '_dict' in deprecated eval
• facf3af Added release notes
• 2a93aba Use strncpy to avoid buffer overflow
• a670597 Update CHANGES.rst [ci skip]
• Additional commits viewable in compare view

Updates black from 23.12.0 to 24.3.0

Release notes

Sourced from black's releases.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that a...

Description has been truncated

[github-actions]

This PR exceeds the recommended size of 500 lines. Please make sure you are NOT addressing multiple issues with one PR.

[dependabot]

Superseded by #17.