Skip to content

Bump the pip group across 2 directories with 6 updates #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
dependabot wants to merge 1 commit into from
Closed

Bump the pip group across 2 directories with 6 updates #1

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github May 5, 2024

Bumps the pip group with 6 updates in the / directory:

Package From To
black 23.3.0 24.3.0
tornado 6.3.3 6.4
cryptography 41.0.6 42.0.4
jupyter-server 1.23.5 2.11.2
pymongo 4.3.3 4.6.3
dbt-core 1.7.4 1.7.13

Bumps the pip group with 1 update in the /mage_integrations directory: pymongo.

Updates black from 23.3.0 to 24.3.0

Release notes

Sourced from black's releases.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

  • Don't move comments along with delimiters, which could cause crashes (#4248)
  • Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
  • Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

  • Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

  • Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

  • Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

  • Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
  • Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
  • Checking for newline before adding one on docstring that is almost at the line limit (#4185)
  • Remove redundant parentheses in case statement if guards (#4214).

Configuration

... (truncated)

Changelog

Sourced from black's changelog.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

  • Don't move comments along with delimiters, which could cause crashes (#4248)
  • Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
  • Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

  • Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

  • Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

  • Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

  • Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
  • Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
  • Checking for newline before adding one on docstring that is almost at the line limit (#4185)
  • Remove redundant parentheses in case statement if guards (#4214).

... (truncated)

Commits

Updates tornado from 6.3.3 to 6.4

Changelog

Sourced from tornado's changelog.

Release notes

.. toctree:: :maxdepth: 2

releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1 releases/v3.2.0 releases/v3.1.1 releases/v3.1.0 releases/v3.0.2 releases/v3.0.1 releases/v3.0.0 releases/v2.4.1 releases/v2.4.0 releases/v2.3.0 releases/v2.2.1

... (truncated)

Commits
  • b3f2a4b Merge pull request #3352 from bdarnell/master
  • 451419c Set version to 6.4 final
  • 5a87723 Merge pull request #3348 from bdarnell/iostream-hostname-test
  • 2da0a99 iostream_test: Don't require server-side log on windows
  • 06e1a65 iostream_test: Test check_hostname functionality.
  • a6dfd70 Merge pull request #3341 from bdarnell/more-utcnow
  • c60d80c web,demos: Remove more uses of deprecated datetime utc methods
  • 55db80e Merge pull request #3339 from tornadoweb/dependabot/pip/urllib3-1.26.18
  • ec59fa0 Merge pull request #3332 from bdarnell/selector-thread-atexit
  • dcc6e59 build(deps): bump urllib3 from 1.26.17 to 1.26.18
  • Additional commits viewable in compare view

Updates cryptography from 41.0.6 to 42.0.4

Changelog

Sourced from cryptography's changelog.

42.0.4 - 2024-02-20


* Fixed a null-pointer-dereference and segfault that could occur when creating
  a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
  issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
  and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
  definitions in :rfc:`2633` :rfc:`3370`.

.. _v42-0-3:


42.0.3 - 2024-02-15

  • Fixed an initialization issue that caused key loading failures for some users.

.. _v42-0-2:

42.0.2 - 2024-01-30


* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
  ``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
  ``X25519PrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
  ``X448PrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
  and ``DHPrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.

.. _v42-0-1:


42.0.1 - 2024-01-24

  • Fixed an issue with incorrect keyword-argument naming with EllipticCurvePrivateKey :meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign.
  • Resolved compatibility issue with loading certain RSA public keys in :func:~cryptography.hazmat.primitives.serialization.load_pem_public_key.

.. _v42-0-0:

42.0.0 - 2024-01-22


</tr></table>

... (truncated)

Commits

Updates jupyter-server from 1.23.5 to 2.11.2

Release notes

Sourced from jupyter-server's releases.

v2.11.2

2.11.2

(Full Changelog)

Contributors to this release

(GitHub contributors page for this release)

v2.11.1

2.11.1

(Full Changelog)

Bugs fixed

Contributors to this release

(GitHub contributors page for this release)

@​blink1073 | @​fcollonval | @​minrk | @​Wh1isper

v2.11.0

2.11.0

(Full Changelog)

Enhancements made

Maintenance and upkeep improvements

Documentation improvements

Contributors to this release

... (truncated)

Changelog

Sourced from jupyter-server's changelog.

2.11.2

(Full Changelog)

Contributors to this release

(GitHub contributors page for this release)

2.11.1

(Full Changelog)

Bugs fixed

Contributors to this release

(GitHub contributors page for this release)

@​blink1073 | @​fcollonval | @​minrk | @​Wh1isper

2.11.0

(Full Changelog)

Enhancements made

Maintenance and upkeep improvements

Documentation improvements

Contributors to this release

(GitHub contributors page for this release)

@​blink1073 | @​IITII | @​welcome | @​Wh1isper

2.10.1

(Full Changelog)

... (truncated)

Commits

Updates pymongo from 4.3.3 to 4.6.3

Release notes

Sourced from pymongo's releases.

PyMongo 4.6.2

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-2-released/267404

PyMongo 4.6.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-1-released/255752

PyMongo 4.6.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-0-released/251866

PyMongo 4.5.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-5-0-released/240662

PyMongo 4.4.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-1-released/235045

PyMongo 4.4.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-released/232211

PyMongo 4.4.0b0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-0b0-release/210471

Changelog

Sourced from pymongo's changelog.

Changes in Version 4.6.3

PyMongo 4.6.3 fixes the following bug:

  • Fixed a potential memory access violation when decoding invalid bson.

Issues Resolved ...............

See the PyMongo 4.6.3 release notes in JIRA_ for the list of resolved issues in this release.

.. _PyMongo 4.6.3 release notes in JIRA: https://jira.mongodb.org/secure/ReleaseNote.jspa?projectId=10004&version=38360

Changes in Version 4.6.2

PyMongo 4.6.2 fixes the following bug:

  • Fixed a bug appearing in Python 3.12 where "RuntimeError: can't create new thread at interpreter shutdown" could be written to stderr when a MongoClient's thread starts as the python interpreter is shutting down.

Issues Resolved ...............

See the PyMongo 4.6.2 release notes in JIRA_ for the list of resolved issues in this release.

.. _PyMongo 4.6.2 release notes in JIRA: https://jira.mongodb.org/secure/ReleaseNote.jspa?projectId=10004&version=37906

Changes in Version 4.6.1

PyMongo 4.6.1 fixes the following bug:

  • Ensure retryable read OperationFailure errors re-raise exception when 0 or NoneType error code is provided.

Issues Resolved ...............

See the PyMongo 4.6.1 release notes in JIRA_ for the list of resolved issues in this release.

.. _PyMongo 4.6.1 release notes in JIRA: https://jira.mongodb.org/secure/ReleaseNote.jspa?projectId=10004&version=37138

Changes in Version 4.6

PyMongo 4.6 brings a number of improvements including:

... (truncated)

Commits
  • 8da192f BUMP 4.6.3
  • 56b6b6d PYTHON-4305 Fix bson size check (#1564)
  • 449d0f3 BUMP to 4.6.3.dev0
  • e04576d DEVPROD-3871 Use teardown_task when there is one function/command (#1533)
  • cf1c6a1 PYTHON-4219 Prep for 4.6.2 Release (#1530)
  • d29b2b7 PYTHON-4147 [v4.6]: Silence noisy thread.start() RuntimeError at shutdown (#1...
  • 0477b9b PYTHON-4077 [v4.6]: Ensure there is a MacOS wheel for Python 3.7 (#1527)
  • ecad17d BUMP 4.6.2.dev0
  • 485e0a5 BUMP 4.6.1
  • 995365c PYTHON-4038 [v4.6]: Ensure retryable read OperationFailures re-raise except...
  • Additional commits viewable in compare view

Updates dbt-core from 1.7.4 to 1.7.13

Release notes

Sourced from dbt-core's releases.

dbt-core v1.7.13

dbt-core 1.7.13 - April 18, 2024

Security

Contributors

dbt-core v1.7.12

dbt-core 1.7.12 - April 16, 2024

Fixes

  • Fix assorted source freshness edgecases so check is run or actionable information is given (#9078)
  • Exclude password-like fields for considering reparse (#9795)

dbt-core v1.7.11

dbt-core 1.7.11 - March 28, 2024

Fixes

  • Tighten exception handling to avoid worker thread hangs. (#9583)
  • Add field wrapper to BaseRelation members that were missing it. (#9681)

dbt-core v1.7.10

dbt-core 1.7.10 - March 14, 2024

Fixes

  • Do not add duplicate input_measures (#9360)
  • Fix partial parsing KeyError on deleted schema files (#8860)
  • Support saved queries in dbt list (#9532)

Dependencies

  • Restrict protobuf to 4.* versions (#9566)

dbt-core v1.7.9

dbt-core 1.7.9 - February 28, 2024

Fixes

  • Fix node_info contextvar handling so incorrect node_info doesn't persist (#8866)
  • Add target-path to retry (#8948)

Under the Hood

  • Make dbt-core compatible with Python 3.12 (#9007)

... (truncated)

Changelog

Sourced from dbt-core's changelog.

dbt-core 1.7.13 - April 18, 2024

Security

Contributors

dbt-core 1.7.12 - April 16, 2024

Fixes

  • Fix assorted source freshness edgecases so check is run or actionable information is given (#9078)
  • Exclude password-like fields for considering reparse (#9795)

dbt-core 1.7.11 - March 28, 2024

Fixes

  • Tighten exception handling to avoid worker thread hangs. (#9583)
  • Add field wrapper to BaseRelation members that were missing it. (#9681)

dbt-core 1.7.10 - March 14, 2024

Fixes

  • Do not add duplicate input_measures (#9360)
  • Fix partial parsing KeyError on deleted schema files (#8860)
  • Support saved queries in dbt list (#9532)

Dependencies

  • Restrict protobuf to 4.* versions (#9566)

dbt-core 1.7.9 - February 28, 2024

Fixes

  • Fix node_info contextvar handling so incorrect node_info doesn't persist (#8866)
  • Add target-path to retry (#8948)

Under the Hood

  • Make dbt-core compatible with Python 3.12 (#9007)
  • Restrict protobuf to major version 4. (#9566)

Security

... (truncated)

Commits
  • 6095b02 Bumping version to 1.7.13 and generate changelog
  • 483a4e8 [BACKPORT 1.7] bump sqlparse (#9965)
  • f9cff92 [Automated] Merged prep-release/1.7.12_8708637173 into target 1.7.latest duri...
  • ef37e62 Bumping version to 1.7.12 and generate changelog
  • 227877e be less explicit (#9936) (#9937)
  • ffa1a38 update to wrk for all versions (#9916) (#9919)
  • 2c24aa7 [1.7] Fix Workflow Deprecations (#9799)
  • 947f397 [BACKPORT 1.7] Exclude password-like fields for considering reparse (#9844) ...
  • b8681a3 [Backport to 1.7.latest] Fix assorted source freshness edgecases so check is ...
  • dd070b9 [Automated] Merged prep-release/1.7.11_8461692987 into target 1.7.latest duri...
  • Additional commits viewable in compare view

Updates pymongo from 4.3.3 to 4.6.3

Release notes

Sourced from pymongo's releases.

PyMongo 4.6.2

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-2-released/267404

PyMongo 4.6.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-1-released/255752

PyMongo 4.6.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-0-released/251866

PyMongo 4.5.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-5-0-released/240662

PyMongo 4.4.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-1-released/235045

PyMongo 4.4.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-released/232211

PyMongo 4.4.0b0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-0b0-release/210471

Changelog

Sourced from pymongo's changelog.

Changes in Version 4.6.3

PyMongo 4.6.3 fixes the following bug:

  • Fixed a potential memory access violation when decoding invalid bson.

Issues Resolved ...............

See the PyMongo 4.6.3 release notes in JIRA_ for the list of resolved issues in this release.

.. _PyMongo 4.6.3 release notes in JIRA: https://jira.mongodb.org/secure/ReleaseNote.jspa?projectId=10004&version=38360

Changes in Version 4.6.2

PyMongo 4.6.2 fixes the following bug:

  • Fixed a bug appearing in Python 3.12 where "RuntimeError: can't create new thread at interpreter shutdown" could be written to stderr when a MongoClient's thread starts as the python interpreter is shutting down.

Issues Resolved ...............

See the PyMongo 4.6.2 release notes in JIRA_ for the list of resolved issues in this release.

.. _PyMongo 4.6.2 release notes in JIRA: https://jira.mongodb.org/secure/ReleaseNote.jspa?projectId=10004&version=37906

Changes in Version 4.6.1

PyMongo 4.6.1 fixes the following bug:

  • Ensure retryable read OperationFailure errors re-raise exception when 0 or NoneType error code is provided.

Issues Resolved ...............

See the PyMongo 4.6.1 release notes in JIRA_ for the list of resolved issues in this release.

.. _PyMongo 4.6.1 release notes in JIRA: https://jira.mongodb.org/secure/ReleaseNote.jspa?projectId=10004&version=37138

Changes in Version 4.6

PyMongo 4.6 brings a number of improvements including:

... (truncated)

Commits
  • 8da192f BUMP 4.6.3
  • 56b6b6d PYTHON-4305 Fix bson size check (#1564)
  • 449d0f3 BUMP to 4.6.3.dev0
  • e04576d DEVPROD-3871 Use teardown_task when there is one function/command (#1533)
  • cf1c6a1 PYTHON-4219 Prep for 4.6.2 Release (#1530)
  • d29b2b7 PYTHON-4147 [v4.6]: Silence noisy thread.start() RuntimeError at shutdown (#1...
  • 0477b9b PYTHON-4077 [v4.6]: Ensure there is a MacOS wheel for Python 3.7 (#1527)
  • ecad17d BUMP 4.6.2.dev0
  • 485e0a5 BUMP 4.6.1
  • 995365c PYTHON-4038 [v4.6]: Ensure retryable read OperationFailures re-raise except...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the pip group across 2 directories with 6 updates
67f4cee 
Bumps the pip group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [black](https://github.com/psf/black) | `23.3.0` | `24.3.0` |
| [tornado](https://github.com/tornadoweb/tornado) | `6.3.3` | `6.4` |
| [cryptography](https://github.com/pyca/cryptography) | `41.0.6` | `42.0.4` |
| [jupyter-server](https://github.com/jupyter-server/jupyter_server) | `1.23.5` | `2.11.2` |
| [pymongo](https://github.com/mongodb/mongo-python-driver) | `4.3.3` | `4.6.3` |
| [dbt-core](https://github.com/dbt-labs/dbt-core) | `1.7.4` | `1.7.13` |

Bumps the pip group with 1 update in the /mage_integrations directory: [pymongo](https://github.com/mongodb/mongo-python-driver).


Updates `black` from 23.3.0 to 24.3.0
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](psf/black@23.3.0...24.3.0)

Updates `tornado` from 6.3.3 to 6.4
- [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst)
- [Commits](tornadoweb/tornado@v6.3.3...v6.4.0)

Updates `cryptography` from 41.0.6 to 42.0.4
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@41.0.6...42.0.4)

Updates `jupyter-server` from 1.23.5 to 2.11.2
- [Release notes](https://github.com/jupyter-server/jupyter_server/releases)
- [Changelog](https://github.com/jupyter-server/jupyter_server/blob/main/CHANGELOG.md)
- [Commits](jupyter-server/jupyter_server@v1.23.5...v2.11.2)

Updates `pymongo` from 4.3.3 to 4.6.3
- [Release notes](https://github.com/mongodb/mongo-python-driver/releases)
- [Changelog](https://github.com/mongodb/mongo-python-driver/blob/master/doc/changelog.rst)
- [Commits](mongodb/mongo-python-driver@4.3.3...4.6.3)

Updates `dbt-core` from 1.7.4 to 1.7.13
- [Release notes](https://github.com/dbt-labs/dbt-core/releases)
- [Changelog](https://github.com/dbt-labs/dbt-core/blob/v1.7.13/CHANGELOG.md)
- [Commits](dbt-labs/dbt-core@v1.7.4...v1.7.13)

Updates `pymongo` from 4.3.3 to 4.6.3
- [Release notes](https://github.com/mongodb/mongo-python-driver/releases)
- [Changelog](https://github.com/mongodb/mongo-python-driver/blob/master/doc/changelog.rst)
- [Commits](mongodb/mongo-python-driver@4.3.3...4.6.3)

---
updated-dependencies:
- dependency-name: black
  dependency-type: direct:development
  dependency-group: pip
- dependency-name: tornado
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: cryptography
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: jupyter-server
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pymongo
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: dbt-core
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pymongo
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label May 5, 2024
@dryrunsecurity
Copy link

dryrunsecurity bot commented May 5, 2024
edited
Loading

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Configured Codepaths Analyzer 0 findings
Secrets Analyzer 0 findings
AppSec Analyzer 0 findings
Authn/Authz Analyzer 0 findings
Sensitive Files Analyzer 2 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖.
Note that this summary is auto-generated and not meant to be a definitive list of security issues
but rather a helpful summary from a security perspective.

Summary:

The changes in this pull request primarily involve updating the dependency versions for various Python libraries and tools used in the Mage AI project. These updates include:

  1. Updating the pymongo library from version 4.3.3 to 4.6.3.
  2. Updating the dbt-core dependency from version 1.7.4 to 1.7.13.
  3. Updating the cryptography, Jupyter Server, Tornado, PyMongo, and DBT Core libraries to their latest versions.
  4. Updating the black package from version 23.3.0 to 24.4.2, and the typing-extensions package from 3.10.0.0 to 4.5.0.

From an application security perspective, these changes are generally positive, as they allow the project to take advantage of the latest bug fixes and security patches. However, it's important to thoroughly test the updated dependencies to ensure that there are no regressions or compatibility issues.

Additionally, it's worth noting that the pymongo library is a popular MongoDB client library, and changes to the version can potentially impact the security posture of the application. It's recommended to review the release notes and security advisories for the new version of pymongo to understand any potential security implications.

Overall, the changes in this pull request appear to be routine dependency updates, which is a common practice in software development. As long as the application is thoroughly tested after the updates, there does not seem to be any significant security concern based on the information provided.

Files Changed:

  1. mage_integrations/requirements.txt: The pymongo library is being updated from version 4.3.3 to 4.6.3.
  2. setup.py: The dbt-core dependency is being updated from version 1.7.4 to 1.7.13, and the pymongo dependency is being updated from version 4.3.3 to 4.6.3.
  3. requirements.txt: Several dependencies are being updated, including cryptography, Jupyter Server, Tornado, PyMongo, and DBT Core.
  4. poetry.lock: The black package is being updated from version 23.3.0 to 24.4.2, and the typing-extensions package is being updated from 3.10.0.0 to 4.5.0.

Powered by DryRun Security

@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github May 6, 2024

Superseded by #2.

@dependabot dependabot bot closed this May 6, 2024
@dependabot dependabot bot deleted the dependabot/pip/pip-a363a4f473 branch May 6, 2024 20:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant