Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

chore(deps): bump requests from 2.28.2 to 2.31.0#2573

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Closed
dependabot wants to merge1 commit intomainfromdependabot/pip/requests-2.31.0

Conversation

dependabot[bot]
Copy link

@dependabotdependabotbot commented on behalf ofgithubMay 23, 2023
edited
Loading

Bumpsrequests from 2.28.2 to 2.31.0.

Release notes

Sourced fromrequests's releases.

v2.31.0

2.31.0 (2023-05-22)

Security

  • Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potentialforwarding ofProxy-Authorization headers to destination servers whenfollowing HTTPS redirects.

    When proxies are defined with user info (https://user:pass@proxy:8080), Requestswill construct aProxy-Authorization header that is attached to the request toauthenticate with the proxy.

    In cases where Requests receives a redirect response, it previously reattachedtheProxy-Authorization header incorrectly, resulting in the value beingsent through the tunneled connection to the destination server. Users who rely ondefining their proxy credentials in the URL arestrongly encouraged to upgradeto Requests 2.31.0+ to prevent unintentional leakage and rotate their proxycredentials once the change has been fully deployed.

    Users who do not use a proxy or do not supply their proxy credentials throughthe user information portion of their proxy URL are not subject to thisvulnerability.

    Full details can be read in ourGithub Security AdvisoryandCVE-2023-32681.

v2.30.0

2.30.0 (2023-05-03)

Dependencies

v2.29.0

2.29.0 (2023-04-26)

Improvements

  • Requests now defers chunked requests to the urllib3 implementation to improvestandardization. (#6226)
  • Requests relaxes header component requirements to support bytes/str subclasses. (#6356)
Changelog

Sourced fromrequests's changelog.

2.31.0 (2023-05-22)

Security

  • Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potentialforwarding ofProxy-Authorization headers to destination servers whenfollowing HTTPS redirects.

    When proxies are defined with user info (https://user:pass@proxy:8080), Requestswill construct aProxy-Authorization header that is attached to the request toauthenticate with the proxy.

    In cases where Requests receives a redirect response, it previously reattachedtheProxy-Authorization header incorrectly, resulting in the value beingsent through the tunneled connection to the destination server. Users who rely ondefining their proxy credentials in the URL arestrongly encouraged to upgradeto Requests 2.31.0+ to prevent unintentional leakage and rotate their proxycredentials once the change has been fully deployed.

    Users who do not use a proxy or do not supply their proxy credentials throughthe user information portion of their proxy URL are not subject to thisvulnerability.

    Full details can be read in ourGithub Security AdvisoryandCVE-2023-32681.

2.30.0 (2023-05-03)

Dependencies

2.29.0 (2023-04-26)

Improvements

  • Requests now defers chunked requests to the urllib3 implementation to improvestandardization. (#6226)
  • Requests relaxes header component requirements to support bytes/str subclasses. (#6356)
Commits

Dependabot compatibility score

You can trigger a rebase of this PR by commenting@dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from theSecurity Alerts page.
> **Note**> Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabotdependabotbot added the dependenciesPull requests that update a dependency file labelMay 23, 2023
@dependabotdependabotbotforce-pushed thedependabot/pip/requests-2.31.0 branch 3 times, most recently fromb946bd8 to77848baCompareMay 31, 2023 07:36
@dependabotdependabotbotforce-pushed thedependabot/pip/requests-2.31.0 branch 2 times, most recently from7260e84 tob650d0fCompareJune 21, 2023 08:32
Bumps [requests](https://github.com/psf/requests) from 2.28.2 to 2.31.0.- [Release notes](https://github.com/psf/requests/releases)- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)- [Commits](psf/requests@v2.28.2...v2.31.0)---updated-dependencies:- dependency-name: requests  dependency-type: direct:production...Signed-off-by: dependabot[bot] <support@github.com>
@dependabotdependabotbotforce-pushed thedependabot/pip/requests-2.31.0 branch fromb650d0f to931a93aCompareJune 21, 2023 10:43
@nejch
Copy link
Member

Replaced by#2627.

@nejchnejch closed thisAug 19, 2023
@dependabot@github
Copy link
Author

dependabotbot commented on behalf ofgithubAug 19, 2023

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting@dependabot ignore this major version or@dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@nejchnejch deleted the dependabot/pip/requests-2.31.0 branchAugust 19, 2023 05:47
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependenciesPull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

1 participant
@nejch
[8]ページ先頭
©2009-2025 Movatter.jp