
chore(deps): update dependency quart to v0.20.0 [security] #146

Open

wants to merge 1 commit into base: main
Conversation

@renovate-bot renovate-bot commented Oct 25, 2024

This PR contains the following updates:

Package: quart (changelog)
Change: ==0.17.0 -> ==0.20.0

GitHub Vulnerability Alerts

CVE-2024-49767

Applications using Werkzeug to parse multipart/form-data requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the Request.max_form_memory_size setting.

The Request.max_content_length setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.


Release Notes

pallets/quart (quart)

v0.20.0

Released 2024-12-23

  • Drop support for Python 3.8.
  • Fix deprecated asyncio.iscoroutinefunction for Python 3.14.
  • Allow AsyncIterable to be passed to Response.
  • Support max_form_parts and max_form_memory_size.

v0.19.9

Released 2024-11-14

  • Fix missing PROVIDE_AUTOMATIC_OPTIONS config for compatibility with
    Flask 3.1.

v0.19.8

Released 2024-10-25

  • Fix missing check that caused the previous fix to raise an error.

v0.19.7

Released 2024-10-25

  • Fix how max_form_memory_size is applied when parsing large non-file fields.
    GHSA-q34m-jh98-gwm2

v0.19.6

Released 2024-05-19

  • Use ContentRange in the right way.
  • Hold a strong reference to background tasks.
  • Avoid ResourceWarning in DataBody.__aiter__.

v0.19.5

Released 2024-04-01

  • Address DeprecationWarning from datetime.utcnow().
  • Ensure request files are closed.
  • Fix development server restarting when commands are passed.
  • Restore teardown_websocket methods.
  • Correct the config_class type.
  • Allow kwargs to be passed to the test client (matches Flask API).

v0.19.4

Released 2023-11-19

  • Fix program not closing on Ctrl+C in Windows.
  • Fix the typing for AfterWebsocket functions.
  • Improve the typing of the ensure_async method.
  • Add a shutdown event to the app.

v0.19.3

Released 2023-10-04

  • Update the default config to better match Flask.

v0.19.2

Released 2023-10-01

  • Restore the app after_/before_websocket methods.
  • Correctly set the cli group in Quart.

v0.19.1

Released 2023-09-30

  • Remove QUART_ENV and env usage.

v0.19.0

Released 2023-09-30

  • Remove Flask-Patch. It has been replaced with the Quart-Flask-Patch extension.
  • Remove references to first request, as per Flask.
  • Await the background tasks before calling the after serving functions.
  • Don't copy the app context into the background task.
  • Allow background tasks a grace period to complete during shutdown.
  • Base Quart on Flask, utilising Flask code where possible. This introduces a
    dependency on Flask.
  • Fix trailing slash issue in URL concatenation for empty path.
  • Use only CR in SSE documentation.
  • Fix typing for websocket to accept auth data.
  • Ensure subdomains apply to nested blueprints.
  • Ensure make_response errors if the value is incorrect.
  • Fix propagated exception handling.
  • Ensure exceptions propagate before logging.
  • Cope with scope extension value being None.
  • Ensure the conditional 304 response is empty.
  • Handle empty path in URL concatenation.
  • Corrected typing hint for abort method.
  • Fix root_path usage.
  • Fix Werkzeug deprecation warnings.
  • Add .svg to Jinja's autoescaping.
  • Improve the WebsocketResponse error, by including the response.
  • Add a file mode parameter to the config.from_file method.
  • Show the subdomain or host in the routes command output.
  • Upgrade to Blinker 1.6.
  • Require Werkzeug 3.0.0 and Flask 3.0.0.
  • Use tomllib rather than toml.

v0.18.4

Released 2023-04-09

  • Restrict Blinker to < 1.6 for 0.18.x versions to ensure it works with Quart's
    implementation.

v0.18.3

Released 2022-10-08

  • Corrected quart.json.loads type annotation.
  • Fix signal handling on Windows.
  • Add missing globals to Flask-Patch.

v0.18.2

Released 2022-10-04

  • Use add_signal_handler not signal.signal.

v0.18.1

Released 2022-10-03

  • Fix static hosting with resource path escaping the root.
  • Adopt the Werkzeug/Flask make_conditional API/functionality.
  • Restore the reloader to Quart.
  • Support subdomains when testing.
  • Fix the signal handling to work on Windows.

v0.18.0

Released 2022-07-23

  • Remove Quart's safe_join, use Werkzeug's version instead.
  • Drop toml dependency, as it isn't required in Quart (use config.from_file as
    desired).
  • Change websocket.send_json to match jsonify's options.
  • Allow while serving decorators on blueprints.
  • Support synchronous background tasks, they will be run on a thread.
  • Follow Flask's API and allow empty argument Response construction.
  • Add get_root_path to helpers to match Flask.
  • Support silent argument in config.from_envvar.
  • Adopt Flask's logging setup.
  • Add stream_template and stream_template_string functions to stream a large
    template in parts.
  • Switch to Flask's top level name export style.
  • Add aborter object to app to allow for abort customisation.
  • Add redirect method to app to allow for redirect customisation.
  • Remove usage of LocalStacks, using ContextVars more directly. This should
    improve performance, but introduces backwards incompatibility. _*_ctx_stack
    globals are removed, use _context instead. Extensions should store on
    g as appropriate. Requires Werkzeug >= 2.2.0.
  • Returned lists are now jsonified.
  • Move url_for to the app to allow for url_for customisation.
  • Remove config.from_json, use from_file instead.
  • Match the Flask views classes and API.
  • Adopt the Flask cli code adding --app, --env, and -debug options to the
    CLI.
  • Adopt the Flask JSON provider interface, use instead of JSON encoders and
    decoders.
  • Switch to being a Pallets project.
  • Requires at least Click version 8.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.
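The advisory quoted above names three kinds of limit (max_content_length, max_form_memory_size, and deployment-level limits), and the v0.20.0 notes add support for max_form_parts and max_form_memory_size. The following is an added example, not Werkzeug's or Quart's parser: it walks a constructed multipart/form-data body and enforces max_content_length, max_form_parts and max_form_memory_size, counting large non-file fields against the in-memory budget, which is the case the v0.19.7 note refers to. The exception class, the helper names and the sample body are assumptions made for this illustration.

```python
import re

# Added illustration, not Werkzeug's or Quart's parser: walk a multipart/form-data body
# and enforce the three kinds of limit the advisory names. All sample values are constructed.

class RequestEntityTooLarge(Exception):
    """Raised when any limit is exceeded; a framework would answer HTTP 413."""
_DISPOSITION = re.compile(rb'form-data;.*?\bname="([^"]*)"(?:.*?\bfilename="([^"]*)")?', re.S)
def parse_form_with_limits(content_type, body, *, max_content_length=None,
                           max_form_memory_size=None, max_form_parts=None):
    """Return (fields, files): fields maps name -> bytes held in memory, files maps
    name -> byte count (file parts are assumed to be streamed to disk, not held)."""
    # Limit 1: the whole request size, checked before any parsing happens.
    if max_content_length is not None and len(body) > max_content_length:
        raise RequestEntityTooLarge("max_content_length exceeded")
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if m is None:
        raise ValueError("multipart/form-data without a boundary parameter")
    delimiter = b"--" + m.group(1).encode("ascii")
    fields, files, in_memory = {}, {}, 0
    for raw in body.split(delimiter)[1:]:          # [0] is the preamble
        if raw.startswith(b"--"):                  # closing delimiter: --boundary--
            break
        # Limit 2: number of parts, checked before the part is touched at all.
        if max_form_parts is not None and len(fields) + len(files) >= max_form_parts:
            raise RequestEntityTooLarge("max_form_parts exceeded")
        head, _, value = raw[2:].partition(b"\r\n\r\n")   # raw[:2] is the CRLF after the delimiter
        value = value[:-2]                                # drop the CRLF before the next delimiter
        d = _DISPOSITION.search(head)
        if d is None:
            raise ValueError("part lacks a Content-Disposition: form-data header")
        name, filename = d.group(1).decode(), d.group(2)
        if filename is not None:
            files[name] = len(value)
            continue
        # Limit 3: bytes of non-file fields kept in memory, counted cumulatively so that
        # one oversized field is caught as well (the case the 0.19.7 note describes).
        in_memory += len(value)
        if max_form_memory_size is not None and in_memory > max_form_memory_size:
            raise RequestEntityTooLarge("max_form_memory_size exceeded")
        fields[name] = value
    return fields, files

def build_multipart(parts, boundary=b"b0undary"):
    """Constructed sample body; parts are (name, value, filename or None) tuples."""
    out = b""
    for name, value, filename in parts:
        out += b"--" + boundary + b'\r\nContent-Disposition: form-data; name="' + name + b'"'
        out += (b'; filename="' + filename + b'"' if filename else b"") + b"\r\n\r\n" + value + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"
```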

@renovate-bot force-pushed the renovate/pypi-quart-vulnerability branch from c2e3829 to de15abb on December 27, 2024 21:05
@renovate-bot changed the title from "chore(deps): update dependency quart to v0.19.7 [security]" to "chore(deps): update dependency quart to v0.20.0 [security]" on Dec 27, 2024