Use os.path.commonpath() to identify child paths #684
Merged
81b289c to 46fc3c4
adamchainz reviewed Feb 23, 2026
```python
import os

def path_is_child_of(path, root):
    # `root` carries a trailing separator; commonpath() compares whole path components.
    try:
        return os.path.commonpath((path, root)) + os.path.sep == root
    except ValueError:  # raised for mixed absolute/relative paths or different drives
        return False
```
Collaborator
When is ValueError raised?
Owner
Author
Fair question! I have amended with some extra comments. Let me know if that makes sense.
adamchainz approved these changes Feb 23, 2026
adamchainz (Collaborator) left a comment
LGTM just one outstanding question
Previously we used `os.path.commonprefix()` which will treat paths like
`/foo/bar_suffix` as matching `/foo/bar`. This gave rise to a potential
security vulnerability given the following conditions:
* An application running Whitenoise with `autorefresh` enabled.
* A sibling directory of a static root directory which shares a prefix
with it (e.g. `static` and `static_disallowed`).
* Knowledge of the absolute paths at which these directories are
located.
* A Windows server hosting the application.
An attacker could craft a URL like:
http://example.com/static/C:/path/to/static_disallowed/sensitive-file.txt
This would allow them to read a file from `static_disallowed` when they
should only be able to read files from `static`.
This is related to the Windows path traversal attack identified in #197
and to the `commonprefix()` path traversal attack identified in pip:
https://www.cve.org/CVERecord?id=CVE-2026-1703
Thanks to Seth Larson for reporting this.
This is a good opportunity to reiterate the warning in the documentation
that `autorefresh` is provided as a convenience for development and, for
both security and performance reasons, is not suitable for production
use.
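The two checks side by side, as an added example that is not WhiteNoise's own code: `old_check` is the superseded `commonprefix()` comparison, `new_check` follows the PR's `commonpath()` approach, and `candidate_path` is a constructed stand-in for how a naive static server maps a URL onto a root (its use of `normpath` is an assumption, not WhiteNoise's behaviour). Using `posixpath` and `ntpath` explicitly lets both the `/foo/bar_suffix` illustration and the Windows URL from the description run on any host, and the last two scenarios show where `ValueError` comes from.

```python
import ntpath
import posixpath

# Added example, not WhiteNoise's own code. `mod` is posixpath or ntpath so
# that both platforms' path rules can be exercised from any host OS.


def old_check(mod, path, root):
    """The superseded test: a character-level prefix comparison.

    commonprefix() knows nothing about path components, so a sibling that
    merely starts with the same characters as `root` passes. Shown with a
    root lacking a trailing separator, as in the PR's `/foo/bar` example.
    """
    return mod.commonprefix((root, path)) == root


def new_check(mod, path, root):
    """Component-aware test in the style of PR #684.

    `root` is normalised to carry a trailing separator; `path` is a child
    only when the longest common *sub-path* plus a separator reproduces
    `root` exactly, so `/foo/bar_suffix` no longer matches `/foo/bar`.
    """
    root = root.rstrip(mod.sep) + mod.sep
    try:
        return mod.commonpath((path, root)) + mod.sep == root
    except ValueError:
        # commonpath() raises ValueError when asked to compare an absolute
        # path with a relative one, or (ntpath) paths on different drives.
        # Neither can lie inside `root`, so report not-a-child.
        return False


def candidate_path(mod, root, prefix, url):
    """Map a URL under `prefix` to a filesystem path the way a naive static
    file server might: join the remainder onto `root` and normalise it.

    Constructed for this example (assumption); not how WhiteNoise resolves
    URLs. On Windows semantics an absolute remainder replaces `root`.
    """
    if not url.startswith(prefix):
        return None
    return mod.normpath(mod.join(root, url[len(prefix):]))


def compare(mod, root, prefix, url):
    """Return (old_result, new_result) for one request URL."""
    path = candidate_path(mod, root, prefix, url)
    if path is None:
        return (False, False)
    return (old_check(mod, path, root), new_check(mod, path, root))


# Scenario 1: the PR's POSIX illustration of a prefix-sharing sibling.
POSIX_ROOT = "/foo/bar"

# Scenario 2: the PR's Windows scenario. Paths are constructed sample values.
WIN_ROOT = r"C:\path\to\static"
WIN_PREFIX = "/static/"
WIN_URL = "/static/C:/path/to/static_disallowed/sensitive-file.txt"


def run_scenarios():
    """Collect every result so it can be inspected or checked programmatically."""
    return {
        # old check accepts the sibling, new check rejects it
        "posix_sibling_old": old_check(posixpath, "/foo/bar_suffix", POSIX_ROOT),
        "posix_sibling_new": new_check(posixpath, "/foo/bar_suffix", POSIX_ROOT),
        # a genuine child still passes the new check
        "posix_child_new": new_check(posixpath, "/foo/bar/site.css", POSIX_ROOT),
        # the crafted URL lands in the sibling directory ...
        "windows_path": candidate_path(ntpath, WIN_ROOT, WIN_PREFIX, WIN_URL),
        # ... which the old check allows and the new check refuses
        "windows_url": compare(ntpath, WIN_ROOT, WIN_PREFIX, WIN_URL),
        # ValueError cases: another drive, and a relative path against an
        # absolute root; both are reported as not-a-child
        "other_drive_new": new_check(ntpath, r"D:\elsewhere\x.txt", WIN_ROOT),
        "relative_new": new_check(posixpath, "relative/x.css", POSIX_ROOT),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:>18}: {result}")
```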
46fc3c4 to 505ed8d
Owner
Author
I'm going to merge on optimistic basis that the new comments clear up your original question.
github-merge-queue bot pushed a commit to gyrinx-app/gyrinx that referenced this pull request, Feb 28, 2026
wtripp180901 pushed a commit to azimuth-cloud/azimuth that referenced this pull request, Mar 24, 2026
href="https://redirect.github.com/encode/django-rest-framework/pull/9754">encode/django-rest-framework#9754</a></li> <li>Fix <code>UniqueTogetherValidator</code> validation when condition references a read-only field by <a href="https://github.com/ticosax"><code>@ticosax</code></a> in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9764">encode/django-rest-framework#9764</a></li> <li>Fix validation on many to many field when <code>default=None</code> by <a href="https://github.com/Genarito"><code>@Genarito</code></a> in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9790">encode/django-rest-framework#9790</a></li> <li>Fix invalid SPDX license expression in <code>__init__.py</code> by <a href="https://github.com/TheFunctionalGuy"><code>@TheFunctionalGuy</code></a> in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9799">encode/django-rest-framework#9799</a></li> <li>Fix <code>HTMLFormRenderer</code> to ensure a valid <code>datetime-local</code> format by <a href="https://github.com/mgaligniana"><code>@mgaligniana</code></a> in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9365">encode/django-rest-framework#9365</a></li> <li>Fix mutable default arguments in OrderingFilter methods by <a href="https://github.com/killerdevildog"><code>@killerdevildog</code></a> in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9742">encode/django-rest-framework#9742</a></li> <li>Update TokenAdmin to respect USERNAME_FIELD of the user model by <a href="https://github.com/m000"><code>@m000</code></a> in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9836">encode/django-rest-framework#9836</a></li> <li>Preserve ordering in <code>MultipleChoiceField</code> by <a href="https://github.com/fbozhang"><code>@fbozhang</code></a> in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9735">encode/django-rest-framework#9735</a></li> </ul> 
<h3>Translations</h3> <ul> <li>Update French translation by <a href="https://github.com/SebCorbin"><code>@SebCorbin</code></a> in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9770">encode/django-rest-framework#9770</a></li> <li>Update Brazilian Portuguese translations by <a href="https://github.com/JVPinheiroReis"><code>@JVPinheiroReis</code></a> in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9828">encode/django-rest-framework#9828</a></li> <li>Fix and improve French translations by <a href="https://github.com/deronnax"><code>@deronnax</code></a> in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9896">encode/django-rest-framework#9896</a></li> <li>Add missing Russian translation by <a href="https://github.com/minorytanaka"><code>@minorytanaka</code></a> in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9903">encode/django-rest-framework#9903</a></li> </ul> <h3>Packaging</h3> <ul> <li>Migrate packaging to <code>pyproject.toml</code> by <a href="https://github.com/deronnax"><code>@deronnax</code></a> in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9056">encode/django-rest-framework#9056</a></li> <li>Move package data rules from <code>MANIFEST.in</code> to <code>pyproject.toml</code> by <a href="https://github.com/p-r-a-v-i-n"><code>@p-r-a-v-i-n</code></a> in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9825">encode/django-rest-framework#9825</a></li> <li>Set up release workflow with trusted publisher by <a href="https://github.com/browniebroke"><code>@browniebroke</code></a> in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9852">encode/django-rest-framework#9852</a></li> </ul> <h3>Other changes</h3> <ul> <li>Refactor token generation to use the <code>secrets</code> module by <a href="https://github.com/mahdirahimi1999"><code>@mahdirahimi1999</code></a> in <a 
href="https://redirect.github.com/encode/django-rest-framework/pull/9760">encode/django-rest-framework#9760</a></li> <li>Add validation for decorator out-of-order with <code>@api_view</code> by <a href="https://github.com/kernelshard"><code>@kernelshard</code></a> in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9821">encode/django-rest-framework#9821</a></li> <li>Switch to mkdocs material theme for documentation by <a href="https://github.com/browniebroke"><code>@browniebroke</code></a> in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9849">encode/django-rest-framework#9849</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/khaledsukkar2"><code>@khaledsukkar2</code></a> made their first contribution in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9717">encode/django-rest-framework#9717</a></li> <li><a href="https://github.com/qqii"><code>@qqii</code></a> made their first contribution in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9719">encode/django-rest-framework#9719</a></li> <li><a href="https://github.com/zankoAn"><code>@zankoAn</code></a> made their first contribution in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9788">encode/django-rest-framework#9788</a></li> <li><a href="https://github.com/uche-wealth"><code>@uche-wealth</code></a> made their first contribution in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9795">encode/django-rest-framework#9795</a></li> <li><a href="https://github.com/s-aleshin"><code>@s-aleshin</code></a> made their first contribution in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9766">encode/django-rest-framework#9766</a></li> <li><a href="https://github.com/Infamous003"><code>@Infamous003</code></a> made their first contribution in <a 
href="https://redirect.github.com/encode/django-rest-framework/pull/9794">encode/django-rest-framework#9794</a></li> <li><a href="https://github.com/Genarito"><code>@Genarito</code></a> made their first contribution in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9790">encode/django-rest-framework#9790</a></li> <li><a href="https://github.com/TheFunctionalGuy"><code>@TheFunctionalGuy</code></a> made their first contribution in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9799">encode/django-rest-framework#9799</a></li> <li><a href="https://github.com/mahdighadiriii"><code>@mahdighadiriii</code></a> made their first contribution in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9800">encode/django-rest-framework#9800</a></li> <li><a href="https://github.com/p-r-a-v-i-n"><code>@p-r-a-v-i-n</code></a> made their first contribution in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9801">encode/django-rest-framework#9801</a></li> <li><a href="https://github.com/itssimon"><code>@itssimon</code></a> made their first contribution in <a href="https://redirect.github.com/encode/django-rest-framework/pull/9718">encode/django-rest-framework#9718</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/encode/django-rest-framework/commit/021ab5664b085594876032cf062c1220bc1ca03c"><code>021ab56</code></a> Bump version and update release notes for 3.17.0 (<a href="https://redirect.github.com/encode/django-rest-framework/issues/9921">#9921</a>)</li> <li><a href="https://github.com/encode/django-rest-framework/commit/19ebad70ae560e3f83c0e30af6be7c7df3b5aeec"><code>19ebad7</code></a> Bump mkdocs-material[imaging] from 9.7.4 to 9.7.5 (<a href="https://redirect.github.com/encode/django-rest-framework/issues/9923">#9923</a>)</li> <li><a href="https://github.com/encode/django-rest-framework/commit/f222c55d8a498c9770f2795c6cd34fedffaf043c"><code>f222c55</code></a> Correct requires-python key in pyproject.toml</li> <li><a href="https://github.com/encode/django-rest-framework/commit/7e7de6fceee3ad2e20b0dd93b119b6b00eadd797"><code>7e7de6f</code></a> Remove code fences from release checklist</li> <li><a href="https://github.com/encode/django-rest-framework/commit/c599d309490fe59ae385954ad544a64b58abffd2"><code>c599d30</code></a> Update release process</li> <li><a href="https://github.com/encode/django-rest-framework/commit/866bf7c5d4a34d27f64dead26e741394f423ac9e"><code>866bf7c</code></a> Bump mkdocs-material[imaging] from 9.7.3 to 9.7.4 (<a href="https://redirect.github.com/encode/django-rest-framework/issues/9920">#9920</a>)</li> <li><a href="https://github.com/encode/django-rest-framework/commit/7f8ad25e15f911ef2afd54d91dcffb29ca1022f9"><code>7f8ad25</code></a> Drop deprecated coreapi support (<a href="https://redirect.github.com/encode/django-rest-framework/issues/9895">#9895</a>)</li> <li><a href="https://github.com/encode/django-rest-framework/commit/8bac51ad250dde39fc057fe7bb382eb14373f769"><code>8bac51a</code></a> Revert "Add <code>drf-commons</code> to third-party packages documentation (<a 
href="https://redirect.github.com/encode/django-rest-framework/issues/9916">#9916</a>)" (<a href="https://redirect.github.com/encode/django-rest-framework/issues/9917">#9917</a>)</li> <li><a href="https://github.com/encode/django-rest-framework/commit/9d7b26aa68135839e0192f1e3874c9cdbcc97187"><code>9d7b26a</code></a> Add <code>drf-commons</code> to third-party packages documentation (<a href="https://redirect.github.com/encode/django-rest-framework/issues/9916">#9916</a>)</li> <li><a href="https://github.com/encode/django-rest-framework/commit/dff3c8d622096d6f193b382452e056896d4ff885"><code>dff3c8d</code></a> Add django-pydantic-field and drf-pydantic to third-party packages documentat...</li> <li>Additional commits viewable in <a href="https://github.com/encode/django-rest-framework/compare/3.16.1...3.17.0">compare view</a></li> </ul> </details> <br /> Updates `gunicorn` from 25.0.3 to 25.1.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/benoitc/gunicorn/releases">gunicorn's releases</a>.</em></p> <blockquote> <h2>Gunicorn 25.1.0</h2> <h3>New Features</h3> <ul> <li> <p><strong>Control Interface (gunicornc)</strong>: Add interactive control interface for managing running Gunicorn instances, similar to birdc for BIRD routing daemon ([PR <a href="https://redirect.github.com/benoitc/gunicorn/issues/3505">#3505</a>](<a href="https://redirect.github.com/benoitc/gunicorn/pull/3505">benoitc/gunicorn#3505</a>))</p> <ul> <li>Unix socket-based communication with JSON protocol</li> <li>Interactive mode with readline support and command history</li> <li>Commands: <code>show all/workers/dirty/config/stats/listeners</code></li> <li>Worker management: <code>worker add/remove/kill</code>, <code>dirty add/remove</code></li> <li>Server control: <code>reload</code>, <code>reopen</code>, <code>shutdown</code></li> <li>New settings: <code>--control-socket</code>, <code>--control-socket-mode</code>, <code>--no-control-socket</code></li> 
<li>New CLI tool: <code>gunicornc</code> for connecting to control socket</li> <li>See <a href="https://gunicorn.org/guides/gunicornc/">Control Interface Guide</a> for details</li> </ul> </li> <li> <p><strong>Dirty Stash</strong>: Add global shared state between workers via <code>dirty.stash</code> ([PR <a href="https://redirect.github.com/benoitc/gunicorn/issues/3503">#3503</a>](<a href="https://redirect.github.com/benoitc/gunicorn/pull/3503">benoitc/gunicorn#3503</a>))</p> <ul> <li>In-memory key-value store accessible by all workers</li> <li>Supports get, set, delete, clear, keys, and has operations</li> <li>Useful for sharing state like feature flags, rate limits, or cached data</li> </ul> </li> <li> <p><strong>Dirty Binary Protocol</strong>: Implement efficient binary protocol for dirty arbiter IPC using TLV (Type-Length-Value) encoding ([PR <a href="https://redirect.github.com/benoitc/gunicorn/issues/3500">#3500</a>](<a href="https://redirect.github.com/benoitc/gunicorn/pull/3500">benoitc/gunicorn#3500</a>))</p> <ul> <li>More efficient than JSON for binary data</li> <li>Supports all Python types: str, bytes, int, float, bool, None, list, dict</li> <li>Better performance for large payloads</li> </ul> </li> <li> <p><strong>Dirty TTIN/TTOU Signals</strong>: Add dynamic worker scaling for dirty arbiters ([PR <a href="https://redirect.github.com/benoitc/gunicorn/issues/3504">#3504</a>](<a href="https://redirect.github.com/benoitc/gunicorn/pull/3504">benoitc/gunicorn#3504</a>))</p> <ul> <li>Send SIGTTIN to increase dirty workers</li> <li>Send SIGTTOU to decrease dirty workers</li> <li>Respects minimum worker constraints from app configurations</li> </ul> </li> </ul> <h3>Changes</h3> <ul> <li><strong>ASGI Worker</strong>: Promoted from beta to stable</li> <li><strong>Dirty Arbiters</strong>: Now marked as beta feature</li> </ul> <h3>Documentation</h3> <ul> <li>Fix Markdown formatting in /configure documentation</li> </ul> </blockquote> </details> <details> 
<summary>Commits</summary> <ul> <li><a href="https://github.com/benoitc/gunicorn/commit/2d4310116dd67ee985819486ba32244d5c273ad6"><code>2d43101</code></a> docs: merge gunicornc into 25.1.0 release</li> <li><a href="https://github.com/benoitc/gunicorn/commit/bf4ad8d61030f473c149b759550ab1de9f1d1fff"><code>bf4ad8d</code></a> docs: update 25.1.0 release date to 2026-02-13</li> <li><a href="https://github.com/benoitc/gunicorn/commit/730350eb9f2edf35e0ada9c6f25776733b861902"><code>730350e</code></a> Merge pull request <a href="https://redirect.github.com/benoitc/gunicorn/issues/3505">#3505</a> from benoitc/feature/gunicornc-control-interface</li> <li><a href="https://github.com/benoitc/gunicorn/commit/63df19bd5cf11d22d8d6570c6dc940a5e021f197"><code>63df19b</code></a> fix(tests): use process groups for reliable signal handling in PyPy</li> <li><a href="https://github.com/benoitc/gunicorn/commit/cd77bcc941ed8e2293380536f96d4feb4f53465b"><code>cd77bcc</code></a> fix(tests): increase wait time for all server tests</li> <li><a href="https://github.com/benoitc/gunicorn/commit/02ea9855c15585308d662bf1453e8c20d6603781"><code>02ea985</code></a> fix(tests): improve server test reliability on FreeBSD</li> <li><a href="https://github.com/benoitc/gunicorn/commit/6d81c9ebcda658f3baf3411077a99afdccbd676d"><code>6d81c9e</code></a> fix: resolve pylint warnings</li> <li><a href="https://github.com/benoitc/gunicorn/commit/7486baa0ad0a3de3a41ec7c20225249b629ec693"><code>7486baa</code></a> fix: remove unused imports</li> <li><a href="https://github.com/benoitc/gunicorn/commit/3e60d2942d62347761bed51e87f4d919a5f8cfbc"><code>3e60d29</code></a> docs: add gunicornc control interface guide</li> <li><a href="https://github.com/benoitc/gunicorn/commit/e05e40d19ba4e6e99bf92d7732b20880a15cd7fc"><code>e05e40d</code></a> feat(ctl): add message-based dirty worker management</li> <li>Additional commits viewable in <a href="https://github.com/benoitc/gunicorn/compare/25.0.3...25.1.0">compare 
view</a></li> </ul> </details> <br /> Updates `pyasn1` from 0.6.2 to 0.6.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pyasn1/pyasn1/releases">pyasn1's releases</a>.</em></p> <blockquote> <h2>Release 0.6.3</h2> <p>It's a minor release.</p> <ul> <li>Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (CVE-2026-30922).</li> <li>Fixed OverflowError from oversized BER length field.</li> <li>Fixed DeprecationWarning stacklevel for deprecated attributes.</li> <li>Fixed asDateTime incorrect fractional seconds parsing.</li> </ul> <p>All changes are noted in the <a href="https://github.com/pyasn1/pyasn1/blob/master/CHANGES.rst">CHANGELOG</a>.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst">pyasn1's changelog</a>.</em></p> <blockquote> <h2>Revision 0.6.3, released 16-03-2026</h2> <ul> <li>CVE-2026-30922 (GHSA-jr27-m4p2-rc6r): Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (thanks for reporting, romanticpragmatism)</li> <li>Fixed OverflowError from oversized BER length field [issue <a href="https://redirect.github.com/pyasn1/pyasn1/issues/54">#54</a>](<a href="https://redirect.github.com/pyasn1/pyasn1/issues/54">pyasn1/pyasn1#54</a>) [pr <a href="https://redirect.github.com/pyasn1/pyasn1/issues/100">#100</a>](<a href="https://redirect.github.com/pyasn1/pyasn1/pull/100">pyasn1/pyasn1#100</a>)</li> <li>Fixed DeprecationWarning stacklevel for deprecated attributes [issue <a href="https://redirect.github.com/pyasn1/pyasn1/issues/86">#86</a>](<a href="https://redirect.github.com/pyasn1/pyasn1/issues/86">pyasn1/pyasn1#86</a>) [pr <a href="https://redirect.github.com/pyasn1/pyasn1/issues/101">#101</a>](<a href="https://redirect.github.com/pyasn1/pyasn1/pull/101">pyasn1/pyasn1#101</a>)</li> <li>Fixed asDateTime incorrect fractional 
seconds parsing [issue <a href="https://redirect.github.com/pyasn1/pyasn1/issues/81">#81</a>](<a href="https://redirect.github.com/pyasn1/pyasn1/issues/81">pyasn1/pyasn1#81</a>) [pr <a href="https://redirect.github.com/pyasn1/pyasn1/issues/102">#102</a>](<a href="https://redirect.github.com/pyasn1/pyasn1/pull/102">pyasn1/pyasn1#102</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pyasn1/pyasn1/commit/af65c3b92e9deeae50db4de390982dd970d87f98"><code>af65c3b</code></a> Prepare release 0.6.3</li> <li><a href="https://github.com/pyasn1/pyasn1/commit/5a49bd1fe93b5b866a1210f6bf0a3924f21572c8"><code>5a49bd1</code></a> Merge commit from fork</li> <li><a href="https://github.com/pyasn1/pyasn1/commit/5494ba43f738e700ca9f7c7a69ec5c44908c9a9f"><code>5494ba4</code></a> Fix asDateTime incorrect fractional seconds parsing (<a href="https://redirect.github.com/pyasn1/pyasn1/issues/102">#102</a>)</li> <li><a href="https://github.com/pyasn1/pyasn1/commit/71f486e6c32d0f270868aa1b2bb5ceb7d5fd5476"><code>71f486e</code></a> Fix DeprecationWarning stacklevel for deprecated attributes (<a href="https://redirect.github.com/pyasn1/pyasn1/issues/101">#101</a>)</li> <li><a href="https://github.com/pyasn1/pyasn1/commit/d7cb42dcaa9a66e18f14c4609c2ed00c5b65f7e8"><code>d7cb42d</code></a> Fix OverflowError from oversized BER length field (<a href="https://redirect.github.com/pyasn1/pyasn1/issues/100">#100</a>)</li> <li>See full diff in <a href="https://github.com/pyasn1/pyasn1/compare/v0.6.2...v0.6.3">compare view</a></li> </ul> </details> <br /> Updates `pytz` from 2025.2 to 2026.1.post1 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/stub42/pytz/commit/02509d04e32b438351ada260bb0cc6d24d461ae9"><code>02509d0</code></a> Update test runners for new Pythons and github actions</li> <li><a href="https://github.com/stub42/pytz/commit/43c1cb28d7a243392f767d2459677e2775fc884b"><code>43c1cb2</code></a> Bump version 
number to 2026.1.post1</li> <li><a href="https://github.com/stub42/pytz/commit/6ee7e564acbd729972951880f2fbf9b93f95aacb"><code>6ee7e56</code></a> Try to access resource using <code>importlib.resources</code></li> <li><a href="https://github.com/stub42/pytz/commit/95fe75d8f15cfc3d5b70e1e71258ddebf0776436"><code>95fe75d</code></a> Bump version number to 2026.1 (2026a)</li> <li><a href="https://github.com/stub42/pytz/commit/70342757a549e712136cc21f21b3a9441cec5f90"><code>7034275</code></a> Updates for upstream directory layout changes</li> <li><a href="https://github.com/stub42/pytz/commit/4dd79d36d8fa4ab04ebcc3d3636406e31d4aed75"><code>4dd79d3</code></a> IANA 2026a</li> <li><a href="https://github.com/stub42/pytz/commit/08d7e76ec477b3adfc5983c64102803cf9ed47d8"><code>08d7e76</code></a> Squashed 'tz/' changes from 7e1145bfdb..e23c045f8f</li> <li><a href="https://github.com/stub42/pytz/commit/b07d947809771430cdecde253e7f8eb549686b07"><code>b07d947</code></a> try to access resource using <code>importlib.resources</code></li> <li>See full diff in <a href="https://github.com/stub42/pytz/compare/release_2025.2...release_2026.1.post1">compare view</a></li> </ul> </details> <br /> Updates `whitenoise` from 6.11.0 to 6.12.0 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/evansd/whitenoise/blob/main/docs/changelog.rst">whitenoise's changelog</a>.</em></p> <blockquote> <h2>6.12.0 (2026-02-27)</h2> <ul> <li>Drop Python 3.9 support.</li> <li>Fix potential unauthorised file access vulnerability in "autorefresh" mode. See <a href="https://github.com/evansd/whitenoise/pull/684">PR #684</a> for details, and a reminder that autorefresh mode has always been documented as unsuitable for production use. 
Thanks Seth Larson for reporting.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/evansd/whitenoise/commit/1e3a30bc9e6b82c79a03d35532a7ba72715918df"><code>1e3a30b</code></a> Version 6.12.0</li> <li><a href="https://github.com/evansd/whitenoise/commit/bc4c738d768f3f91a67b9e297490645b33adc3d4"><code>bc4c738</code></a> Merge pull request <a href="https://redirect.github.com/evansd/whitenoise/issues/684">#684</a> from evansd/use-commonpath</li> <li><a href="https://github.com/evansd/whitenoise/commit/505ed8d28d34307606ba6ed9ac7740c7c0701955"><code>505ed8d</code></a> Use <code>os.path.commonpath()</code> to identify child paths</li> <li><a href="https://github.com/evansd/whitenoise/commit/b6d8ed40206aea61d1265ca84d88e786366d891b"><code>b6d8ed4</code></a> Upgrade dependencies (<a href="https://redirect.github.com/evansd/whitenoise/issues/683">#683</a>)</li> <li><a href="https://github.com/evansd/whitenoise/commit/edc79de2d063ae04980a251b67d73acf7ef06d3d"><code>edc79de</code></a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/evansd/whitenoise/issues/682">#682</a>)</li> <li><a href="https://github.com/evansd/whitenoise/commit/79fb2f136fe34debe427d4d031b11ec10b7ca2cc"><code>79fb2f1</code></a> Bump the github-actions group with 2 updates (<a href="https://redirect.github.com/evansd/whitenoise/issues/680">#680</a>)</li> <li><a href="https://github.com/evansd/whitenoise/commit/2b245df895acb3aad86aadd02a794bfbf9374d3a"><code>2b245df</code></a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/evansd/whitenoise/issues/681">#681</a>)</li> <li><a href="https://github.com/evansd/whitenoise/commit/dcb50f36d437dddfab06ce8fc36e6ec1f34f5af5"><code>dcb50f3</code></a> Upgrade dependencies (<a href="https://redirect.github.com/evansd/whitenoise/issues/678">#678</a>)</li> <li><a 
href="https://github.com/evansd/whitenoise/commit/1c4a746afe1fdeaa458aa0fe2951cebe1fe0f026"><code>1c4a746</code></a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/evansd/whitenoise/issues/677">#677</a>)</li> <li><a href="https://github.com/evansd/whitenoise/commit/e7f970aac293079c3fabe44b5072a70670ec3268"><code>e7f970a</code></a> Bump actions/checkout from 5 to 6 in the github-actions group (<a href="https://redirect.github.com/evansd/whitenoise/issues/676">#676</a>)</li> <li>Additional commits viewable in <a href="https://github.com/evansd/whitenoise/compare/6.11.0...6.12.0">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or 
upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
karpet pushed a commit to BlueprintKansas/v3.ksvotes.org that referenced this pull request on Mar 25, 2026
Bumps [whitenoise](https://github.com/evansd/whitenoise) from 6.11.0 to 6.12.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/evansd/whitenoise/blob/main/docs/changelog.rst">whitenoise's changelog</a>.</em></p> <blockquote> <h2>6.12.0 (2026-02-27)</h2> <ul> <li>Drop Python 3.9 support.</li> <li>Fix potential unauthorised file access vulnerability in "autorefresh" mode. See <a href="https://github.com/evansd/whitenoise/pull/684">PR #684</a> for details, and a reminder that autorefresh mode has always been documented as unsuitable for production use. Thanks Seth Larson for reporting.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/evansd/whitenoise/commit/1e3a30bc9e6b82c79a03d35532a7ba72715918df"><code>1e3a30b</code></a> Version 6.12.0</li> <li><a href="https://github.com/evansd/whitenoise/commit/bc4c738d768f3f91a67b9e297490645b33adc3d4"><code>bc4c738</code></a> Merge pull request <a href="https://redirect.github.com/evansd/whitenoise/issues/684">#684</a> from evansd/use-commonpath</li> <li><a href="https://github.com/evansd/whitenoise/commit/505ed8d28d34307606ba6ed9ac7740c7c0701955"><code>505ed8d</code></a> Use <code>os.path.commonpath()</code> to identify child paths</li> <li><a href="https://github.com/evansd/whitenoise/commit/b6d8ed40206aea61d1265ca84d88e786366d891b"><code>b6d8ed4</code></a> Upgrade dependencies (<a href="https://redirect.github.com/evansd/whitenoise/issues/683">#683</a>)</li> <li><a href="https://github.com/evansd/whitenoise/commit/edc79de2d063ae04980a251b67d73acf7ef06d3d"><code>edc79de</code></a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/evansd/whitenoise/issues/682">#682</a>)</li> <li><a href="https://github.com/evansd/whitenoise/commit/79fb2f136fe34debe427d4d031b11ec10b7ca2cc"><code>79fb2f1</code></a> Bump the github-actions group with 2 updates (<a 
href="https://redirect.github.com/evansd/whitenoise/issues/680">#680</a>)</li> <li><a href="https://github.com/evansd/whitenoise/commit/2b245df895acb3aad86aadd02a794bfbf9374d3a"><code>2b245df</code></a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/evansd/whitenoise/issues/681">#681</a>)</li> <li><a href="https://github.com/evansd/whitenoise/commit/dcb50f36d437dddfab06ce8fc36e6ec1f34f5af5"><code>dcb50f3</code></a> Upgrade dependencies (<a href="https://redirect.github.com/evansd/whitenoise/issues/678">#678</a>)</li> <li><a href="https://github.com/evansd/whitenoise/commit/1c4a746afe1fdeaa458aa0fe2951cebe1fe0f026"><code>1c4a746</code></a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/evansd/whitenoise/issues/677">#677</a>)</li> <li><a href="https://github.com/evansd/whitenoise/commit/e7f970aac293079c3fabe44b5072a70670ec3268"><code>e7f970a</code></a> Bump actions/checkout from 5 to 6 in the github-actions group (<a href="https://redirect.github.com/evansd/whitenoise/issues/676">#676</a>)</li> <li>Additional commits viewable in <a href="https://github.com/evansd/whitenoise/compare/6.11.0...6.12.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
[//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
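The changelog entry above points at the root cause of the fix that 6.12.0 ships: a "is this path inside the root?" check built on `os.path.commonprefix()` compares characters, not path components, so a sibling directory whose name merely starts with the root's name is accepted. The following is an added example, not whitenoise's own code; the function names `is_child_prefix_based` and `is_child_path_based` and the sample paths are my own, constructed to show the flawed check beside the component-wise one, on both POSIX and Windows path rules (via `posixpath` and `ntpath`, so it runs the same on any OS):

```python
import ntpath
import posixpath


def is_child_prefix_based(path, root, windows=False):
    """Flawed check (character-wise prefix), kept here only for comparison.

    commonprefix() compares strings character by character, so a sibling
    directory such as '/srv/app/static_disallowed' passes as a child of
    '/srv/app/static' because the two strings share those leading characters.
    """
    pathmod = ntpath if windows else posixpath
    path = pathmod.normpath(path)
    root = pathmod.normpath(root)   # also strips any trailing separator
    return pathmod.commonprefix((path, root)) == root


def is_child_path_based(path, root, windows=False):
    """Hardened check: compare whole path components with commonpath().

    commonpath() splits both paths into components before comparing, so a
    sibling directory that only shares leading characters is rejected.
    It raises ValueError when the two paths cannot be compared at all: one
    absolute and one relative, or, under Windows rules, different drives.
    In every such case the safe answer is "not inside the root".
    """
    pathmod = ntpath if windows else posixpath
    path = pathmod.normpath(path)   # collapses '.' and '..' lexically
    root = pathmod.normpath(root)
    try:
        common = pathmod.commonpath((path, root))
    except ValueError:
        return False
    # The shared part must be the root itself, and the candidate must be
    # strictly below it (the root directory is not a servable file).
    return common == root and path != root


if __name__ == "__main__":
    # Constructed sample paths; the directory names mirror the scenario in
    # the changelog but are not taken from any real deployment.
    cases = [
        (False, "/srv/app/static", "/srv/app/static/css/site.css"),
        (False, "/srv/app/static", "/srv/app/static_disallowed/secret.txt"),
        (False, "/srv/app/static", "/srv/app/static/../static_disallowed/x"),
        (True, r"C:\app\static", r"C:\app\static_disallowed\secret.txt"),
        (True, r"C:\app\static", r"D:\other\file.txt"),
    ]
    for windows, root, candidate in cases:
        flawed = is_child_prefix_based(candidate, root, windows)
        fixed = is_child_path_based(candidate, root, windows)
        print(f"{candidate:45} commonprefix={flawed!s:5} commonpath={fixed}")
```

Both functions normalise with `normpath()`, which resolves `..` lexically only; where the static root may contain symlinks, compare `realpath()` of both sides instead so that a link pointing outside the root is caught as well. Catching `ValueError` and returning `False` is what makes the Windows drive case safe: a candidate on another drive is simply never a child.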