fix(deps): update mend: high confidence minor and patch dependency updates #70

mend-for-github-com · 2024-02-28T02:49:31Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
aws-xray-sdk	`2.9.0` -> `2.14.0`
bandit (source, changelog)	`1.7.1` -> `1.7.10`
coverage	`6.2` -> `6.5.0`
email-validator	`1.2.1` -> `1.3.1`
fastjsonschema	`2.15.3` -> `2.20.0`
flake8-black	`^0.2.3` -> `^0.3.0`
flake8-bugbear (changelog)	`22.4.25` -> `22.12.6`
flake8-eradicate	`1.2.1` -> `1.5.0`
flake8-isort (changelog)	`4.1.1` -> `4.2.0`
isort (source, changelog)	`5.10.1` -> `5.13.2`
mkdocs-material (changelog)	`8.2.7` -> `8.5.11`
pydantic (changelog)	`1.9.1` -> `1.10.13`
pytest (changelog)	`7.0.1` -> `7.4.4`
pytest-asyncio (changelog)	`^0.16.0` -> `^0.24.0`
pytest-mock (changelog)	`3.6.1` -> `3.14.0`
xenon	`0.9.0` -> `0.9.3`

By merging this PR, the issue #79 will be automatically resolved and closed:

Severity	CVSS Score	CVE	Reachability
Medium	5.9	CVE-2024-3772

Release Notes

aws/aws-xray-sdk-python (aws-xray-sdk)

`v2.14.0`

Compare Source

==========

bugfix: Fix warning message condition for subsegment ending https://github.com/aws/aws-xray-sdk-python/pull/434

`v2.13.1`

Compare Source

==========

improvement: Bump idna from 3.6 to 3.7 in /sample-apps/flask https://github.com/aws/aws-xray-sdk-python/pull/425
bugfix: Fix end_time param type docstring from int to float https://github.com/aws/aws-xray-sdk-python/pull/426
improvement: Bump werkzeug from 3.0.1 to 3.0.3 in /sample-apps/flask https://github.com/aws/aws-xray-sdk-python/pull/428
improvement: [LambdaContext] Create dummy segment when trace header is incomplete https://github.com/aws/aws-xray-sdk-python/pull/429
bugfix: [LambdaContext] Fix logging to only happen inside lambda function https://github.com/aws/aws-xray-sdk-python/pull/431

`v2.13.0`

Compare Source

==========

bugfix: Fix passing multiple values in testenv.passenv in tox.ini https://github.com/aws/aws-xray-sdk-python/pull/399
improvement: Pin flask < 3.x for flask sqlalchemy tests https://github.com/aws/aws-xray-sdk-python/pull/412
improvement: Bump werkzeug from 2.2.3 to 3.0.1 in /sample-apps/flask https://github.com/aws/aws-xray-sdk-python/pull/413
improvement: Fix typo in docs https://github.com/aws/aws-xray-sdk-python/pull/419
bugfix: Fix sqlalchemy_core patch errors for unencoded special characters in db url https://github.com/aws/aws-xray-sdk-python/pull/418
bugfix: Fix EB platform version for integration test https://github.com/aws/aws-xray-sdk-python/pull/420

`v2.12.1`

Compare Source

==========

bugfix: set_trace_entity() in lambda adds segment to thread PR409 https://github.com/aws/aws-xray-sdk-python/pull/409
bugfix: Cleanup after drop of support for Python PR387 https://github.com/aws/aws-xray-sdk-python/pull/387

`v2.12.0`

Compare Source

==========

improvement: Default Context Missing Strategy set to Log Error PR372 https://github.com/aws/aws-xray-sdk-python/pull/372
bugfix: Pin tox version to <=3.27.1 to fix CI tests PR374 https://github.com/aws/aws-xray-sdk-python/pull/374
improvement: Sample app dependency update PR373 https://github.com/aws/aws-xray-sdk-python/pull/373
bugfix: Fix pynamodb tests for Python < 3.6 PR375 https://github.com/aws/aws-xray-sdk-python/pull/375
improvement: Use latest GH Actions versions in CI tests PR365 https://github.com/aws/aws-xray-sdk-python/pull/365
improvement: Simplify setup script PR363 https://github.com/aws/aws-xray-sdk-python/pull/363
bugfix: Fix deprecation warnings related to asyncio PR364 https://github.com/aws/aws-xray-sdk-python/pull/364
improvement: Run tests against Python 3.10 and 3.11 PR376 https://github.com/aws/aws-xray-sdk-python/pull/376
improvement: Sample app dependency update PR380 https://github.com/aws/aws-xray-sdk-python/pull/380
bugfix: Pin sqlalchemy version to 1.x to fix tests PR381 https://github.com/aws/aws-xray-sdk-python/pull/381
bugfix: Fix sample app dependencies incompatibility with XRay SDK PR382 https://github.com/aws/aws-xray-sdk-python/pull/382
bugfix: Start MySQL from GH Actions, upgrade Ubuntu, and remove Python versions for unit tests PR384 https://github.com/aws/aws-xray-sdk-python/pull/384

`v2.11.0`

Compare Source

==========

bugfix: Fix TypeError by patching register_default_jsonb from psycopg2 PR350 https://github.com/aws/aws-xray-sdk-python/pull/350
improvement: Add annotations PR348 https://github.com/aws/aws-xray-sdk-python/pull/348
bugfix: Use service parameter to match centralized sampling rules PR 353 https://github.com/aws/aws-xray-sdk-python/pull/353
bugfix: Implement PEP3134 to discover underlying problems with python3 PR355 https://github.com/aws/aws-xray-sdk-python/pull/355
improvement: Allow list TopicArn for SNS PublishBatch request PR358 https://github.com/aws/aws-xray-sdk-python/pull/358
bugfix: Version pinning flask-sqlalchemy version to 2.5.1 or less PR360 https://github.com/aws/aws-xray-sdk-python/pull/360
bugfix: Fix UnboundLocalError when aiohttp server raises a CancelledError PR356 https://github.com/aws/aws-xray-sdk-python/pull/356
improvement: Instrument httpx >= 0.20 PR357 https://github.com/aws/aws-xray-sdk-python/pull/357
improvement: [LambdaContext] persist original trace header PR362 https://github.com/aws/aws-xray-sdk-python/pull/362
bugfix: Run tests against Django 4.x PR361 https://github.com/aws/aws-xray-sdk-python/pull/361
improvement: Oversampling Mitigation PR366 https://github.com/aws/aws-xray-sdk-python/pull/366

`v2.10.0`

Compare Source

==========

bugfix: Only import future for py2. PR343 <https://github.com/aws/aws-xray-sdk-python/pull/343>_.
bugfix: Defensively copy context entities to async thread. PR340 <https://github.com/aws/aws-xray-sdk-python/pull/340>_.
improvement: Added support for IGNORE_ERROR option when context is missing. PR338 <https://github.com/aws/aws-xray-sdk-python/pull/338>_.

PyCQA/bandit (bandit)

`v1.7.10`

Compare Source

What's Changed

Bump docker/build-push-action from 5.4.0 to 6.0.0 by @dependabot in https://github.com/PyCQA/bandit/pull/1147
Suggested small refactors in assignments by @ericwb in https://github.com/PyCQA/bandit/pull/1150
Performance improvement in blacklist function by @ericwb in https://github.com/PyCQA/bandit/pull/1148
Add test for usage of FTP_TLS by @ericwb in https://github.com/PyCQA/bandit/pull/1149
New check: B113: TrojanSource - Bidirectional control characters by @Lucas-C in https://github.com/PyCQA/bandit/pull/757
Bump docker/build-push-action from 6.0.0 to 6.1.0 by @dependabot in https://github.com/PyCQA/bandit/pull/1152
feat(plugins): add support for httpx in B113 by @mkniewallner in https://github.com/PyCQA/bandit/pull/1060
Nit: remove unused variable by @ericwb in https://github.com/PyCQA/bandit/pull/1153
Add recent releases to version choice in bug report by @ericwb in https://github.com/PyCQA/bandit/pull/1151
Bump docker/build-push-action from 6.1.0 to 6.2.0 by @dependabot in https://github.com/PyCQA/bandit/pull/1155
Bump docker/build-push-action from 6.2.0 to 6.3.0 by @dependabot in https://github.com/PyCQA/bandit/pull/1157
Bump docker/setup-buildx-action from 3.3.0 to 3.4.0 by @dependabot in https://github.com/PyCQA/bandit/pull/1156
Bump docker/setup-buildx-action from 3.4.0 to 3.5.0 by @dependabot in https://github.com/PyCQA/bandit/pull/1158
Bump docker/login-action from 3.2.0 to 3.3.0 by @dependabot in https://github.com/PyCQA/bandit/pull/1159
Bump docker/build-push-action from 6.3.0 to 6.5.0 by @dependabot in https://github.com/PyCQA/bandit/pull/1160
Bump docker/setup-buildx-action from 3.5.0 to 3.6.1 by @dependabot in https://github.com/PyCQA/bandit/pull/1163
Bump docker/build-push-action from 6.5.0 to 6.6.1 by @dependabot in https://github.com/PyCQA/bandit/pull/1166
Bump sigstore/cosign-installer from 3.5.0 to 3.6.0 by @dependabot in https://github.com/PyCQA/bandit/pull/1165
Bump docker/build-push-action from 6.6.1 to 6.7.0 by @dependabot in https://github.com/PyCQA/bandit/pull/1168
Use consistent file naming of docs by @ericwb in https://github.com/PyCQA/bandit/pull/1170
Pytorch Load / Save Plugin by @lukehinds in https://github.com/PyCQA/bandit/pull/1114

'Test plugin listing' in docs incorrectly pointing B612 to plugin ref of B102 by @rajaramsrn in https://github.com/PyCQA/bandit/pull/897

Make small fixes in docs by @mportesdev in https://github.com/PyCQA/bandit/pull/899

Specify semver range for Python 3.11 by @mportesdev in https://github.com/PyCQA/bandit/pull/901

Add another bad example of yaml load by @ericwb in https://github.com/PyCQA/bandit/pull/905

Add releases link in "Version control integration" by @travisjungroth in https://github.com/PyCQA/bandit/pull/909

Update version of dependency-review-action by @mportesdev in https://github.com/PyCQA/bandit/pull/911

Avoid redundant message if debug on by @ericwb in https://github.com/PyCQA/bandit/pull/913

Remove invalid checking on hashlib by @ericwb in https://github.com/PyCQA/bandit/pull/914

Add some missing curve types by @ericwb in https://github.com/PyCQA/bandit/pull/920

add jsonpickle deserialization blacklist by @SugarP1g in https://github.com/PyCQA/bandit/pull/707

Fix reading the number argument from config file by @KAUTH in https://github.com/PyCQA/bandit/pull/923

Add end_col_offset if available by @ericwb in https://github.com/PyCQA/bandit/pull/851

Enhancement Proposal: Plugin "assert_used" config-skip snippet by @marianomartinelli in https://github.com/PyCQA/bandit/pull/695

Blacklist pandas read_pickle and add functional test for it by @jaspersival in https://github.com/PyCQA/bandit/pull/710

Docs for request without timeout has dead link by @ericwb in https://github.com/PyCQA/bandit/pull/925

Add case for global exec by @tonybaloney in https://github.com/PyCQA/bandit/pull/570

Fix a false positive condition yaml_load by @ericwb in https://github.com/PyCQA/bandit/pull/927

Fix issue #453 jinja2 template select_autoescape when using jinja2.select_autoescape by @kinow in https://github.com/PyCQA/bandit/pull/454

Adding tarfile.extractall() plugin with examples by @yilmi in https://github.com/PyCQA/bandit/pull/549

Check for deprecated TLS 1.1 by @ericwb in https://github.com/PyCQA/bandit/pull/928

weak_cryptographic_key assumes positional arg by @ericwb in https://github.com/PyCQA/bandit/pull/930

Fix filename of B202 in docs by @mportesdev in https://github.com/PyCQA/bandit/pull/932

Remove python 2 reference in docs by @ericwb in https://github.com/PyCQA/bandit/pull/933

Pass correct number of arguments to match the %s placeholders. by @mportesdev in https://github.com/PyCQA/bandit/pull/934

Fixup some invalid pickle testing by @ericwb in https://github.com/PyCQA/bandit/pull/924

Fix json and yaml formatters to respect num lines by @ericwb in https://github.com/PyCQA/bandit/pull/929

Fix AttributeError on detect of tuple assign condition by @ericwb in https://github.com/PyCQA/bandit/pull/931

[docs] Mention exclude_dirs option available in TOML and YAML by @bittner in https://github.com/PyCQA/bandit/pull/876

Typo fix by @PermanAtayev in https://github.com/PyCQA/bandit/pull/945

remove py2 exec example in docs by @clavedeluna in https://github.com/PyCQA/bandit/pull/947

Add official Python 3.11 support by @ericwb in https://github.com/PyCQA/bandit/pull/964

DOC: Add explanation on how to use pre-commit with config file by @phofl in https://github.com/PyCQA/bandit/pull/968

Fix breaking build due to new tox by @ericwb in https://github.com/PyCQA/bandit/pull/983

Correct build status badge in README by @gliptak in https://github.com/PyCQA/bandit/pull/980

Improve detecting SQL injections in f-strings by @kfrydel in https://github.com/PyCQA/bandit/pull/917

Improve handling nosec for multi-line strings by @kfrydel in https://github.com/PyCQA/bandit/pull/915

Check for github action updates monthly by @jlosito in https://github.com/PyCQA/bandit/pull/989

Added a bit more project_urls by @KOLANICH in https://github.com/PyCQA/bandit/pull/985

New Contributors

@mschfh made their first contribution in https://github.com/PyCQA/bandit/pull/743

@raj3shp made their first contribution in https://github.com/PyCQA/bandit/pull/874

@a-takahashi223 made their first contribution in https://github.com/PyCQA/bandit/pull/868

@mportesdev made their first contribution in https://github.com/PyCQA/bandit/pull/893

@rajaramsrn made their first contribution in https://github.com/PyCQA/bandit/pull/897

@travisjungroth made their first contribution in https://github.com/PyCQA/bandit/pull/909

@SugarP1g made their first contribution in [https://github.co

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

mend-for-github-com · 2024-02-28T02:49:32Z

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: poetry.lock

Creating virtualenv aws-lambda-powertools-j4tV00Qc-py3.12 in /home/ubuntu/.cache/pypoetry/virtualenvs
Updating dependencies
Resolving dependencies...


The current project's Python requirement (>=3.6.2,<4.0.0) is not compatible with some of the required packages Python requirement:
  - flake8-black requires Python >=3.7, so it will not be satisfied for Python >=3.6.2,<3.7
  - flake8-black requires Python >=3.7, so it will not be satisfied for Python >=3.6.2,<3.7
  - flake8-black requires Python >=3.7, so it will not be satisfied for Python >=3.6.2,<3.7
  - flake8-black requires Python >=3.7, so it will not be satisfied for Python >=3.6.2,<3.7
  - flake8-black requires Python >=3.7, so it will not be satisfied for Python >=3.6.2,<3.7

Because no versions of flake8-black match >0.3.0,<0.3.2 || >0.3.2,<0.3.3 || >0.3.3,<0.3.4 || >0.3.4,<0.3.5 || >0.3.5,<0.3.6 || >0.3.6,<0.4.0
 and flake8-black (0.3.0) depends on black (>=22.1.0), flake8-black (>=0.3.0,<0.3.2 || >0.3.2,<0.3.3 || >0.3.3,<0.3.4 || >0.3.4,<0.3.5 || >0.3.5,<0.3.6 || >0.3.6,<0.4.0) requires black (>=22.1.0).
And because flake8-black (0.3.2) requires Python >=3.7, flake8-black (>=0.3.0,<0.3.3 || >0.3.3,<0.3.4 || >0.3.4,<0.3.5 || >0.3.5,<0.3.6 || >0.3.6,<0.4.0) requires black (>=22.1.0).
And because flake8-black (0.3.3) requires Python >=3.7
 and flake8-black (0.3.4) requires Python >=3.7, flake8-black (>=0.3.0,<0.3.5 || >0.3.5,<0.3.6 || >0.3.6,<0.4.0) requires black (>=22.1.0).
And because flake8-black (0.3.5) requires Python >=3.7
 and flake8-black (0.3.6) requires Python >=3.7, flake8-black (>=0.3.0,<0.4.0) requires black (>=22.1.0).
So, because aws-lambda-powertools depends on both black (^21.12b0) and flake8-black (^0.3.0), version solving failed.

  • Check your dependencies Python requirement: The Python requirement can be specified via the `python` or `markers` properties
    
    For flake8-black, a possible solution would be to set the `python` property to ">=3.7,<4.0.0"
    For flake8-black, a possible solution would be to set the `python` property to ">=3.7,<4.0.0"
    For flake8-black, a possible solution would be to set the `python` property to ">=3.7,<4.0.0"
    For flake8-black, a possible solution would be to set the `python` property to ">=3.7,<4.0.0"
    For flake8-black, a possible solution would be to set the `python` property to ">=3.7,<4.0.0"

    https://python-poetry.org/docs/dependency-specification/#python-restricted-dependencies,
    https://python-poetry.org/docs/dependency-specification/#using-environment-markers

mend-for-github-com · 2024-05-22T02:44:03Z

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: poetry.lock

Creating virtualenv aws-lambda-powertools-o7w5jyWA-py3.13 in /home/ubuntu/.cache/pypoetry/virtualenvs
Updating dependencies
Resolving dependencies...


The current project's Python requirement (>=3.6.2,<4.0.0) is not compatible with some of the required packages Python requirement:
  - pytest-asyncio requires Python >=3.8, so it will not be satisfied for Python >=3.6.2,<3.8

Because pytest-asyncio (0.24.0) requires Python >=3.8
 and no versions of pytest-asyncio match >0.24.0,<0.25.0, pytest-asyncio is forbidden.
So, because aws-lambda-powertools depends on pytest-asyncio (^0.24.0), version solving failed.

  • Check your dependencies Python requirement: The Python requirement can be specified via the `python` or `markers` properties
    
    For pytest-asyncio, a possible solution would be to set the `python` property to ">=3.8,<4.0.0"

    https://python-poetry.org/docs/dependency-specification/#python-restricted-dependencies,
    https://python-poetry.org/docs/dependency-specification/#using-environment-markers

…dates

mend-for-github-com bot changed the title ~~fix(deps): update mend: high confidence minor and patch dependency updates~~ chore(deps): update mend: high confidence minor and patch dependency updates Mar 7, 2024

mend-for-github-com bot changed the title ~~chore(deps): update mend: high confidence minor and patch dependency updates~~ fix(deps): update mend: high confidence minor and patch dependency updates Mar 11, 2024

mend-for-github-com bot changed the title ~~fix(deps): update mend: high confidence minor and patch dependency updates~~ chore(deps): update mend: high confidence minor and patch dependency updates Mar 12, 2024

mend-for-github-com bot changed the title ~~chore(deps): update mend: high confidence minor and patch dependency updates~~ fix(deps): update mend: high confidence minor and patch dependency updates Apr 8, 2024

mend-for-github-com bot changed the title ~~fix(deps): update mend: high confidence minor and patch dependency updates~~ chore(deps): update mend: high confidence minor and patch dependency updates Apr 9, 2024

mend-for-github-com bot changed the title ~~chore(deps): update mend: high confidence minor and patch dependency updates~~ fix(deps): update mend: high confidence minor and patch dependency updates May 7, 2024

mend-for-github-com bot changed the title ~~fix(deps): update mend: high confidence minor and patch dependency updates~~ chore(deps): update mend: high confidence minor and patch dependency updates May 22, 2024

mend-for-github-com bot changed the title ~~chore(deps): update mend: high confidence minor and patch dependency updates~~ fix(deps): update mend: high confidence minor and patch dependency updates May 25, 2024

mend-for-github-com bot changed the title ~~fix(deps): update mend: high confidence minor and patch dependency updates~~ chore(deps): update mend: high confidence minor and patch dependency updates Jun 5, 2024

mend-for-github-com bot changed the title ~~chore(deps): update mend: high confidence minor and patch dependency updates~~ fix(deps): update mend: high confidence minor and patch dependency updates Jun 9, 2024

fix(deps): update mend: high confidence minor and patch dependency up…

6c0d870

…dates

mend-for-github-com bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from 3d86905 to 6c0d870 Compare August 29, 2024 03:08

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update mend: high confidence minor and patch dependency updates #70

fix(deps): update mend: high confidence minor and patch dependency updates #70

mend-for-github-com bot commented Feb 28, 2024 •

edited

Loading

mend-for-github-com bot commented Feb 28, 2024 •

edited

Loading

mend-for-github-com bot commented May 22, 2024 •

edited

Loading

fix(deps): update mend: high confidence minor and patch dependency updates #70

Are you sure you want to change the base?

fix(deps): update mend: high confidence minor and patch dependency updates #70

Conversation

mend-for-github-com bot commented Feb 28, 2024 • edited Loading

Release Notes

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

Configuration

mend-for-github-com bot commented Feb 28, 2024 • edited Loading

⚠ Artifact update problem

File name: poetry.lock

mend-for-github-com bot commented May 22, 2024 • edited Loading

⚠️ Artifact update problem

File name: poetry.lock

mend-for-github-com bot commented Feb 28, 2024 •

edited

Loading

mend-for-github-com bot commented Feb 28, 2024 •

edited

Loading

mend-for-github-com bot commented May 22, 2024 •

edited

Loading