Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump cairosvg from 2.3.1 to 2.5.1 #6

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github Jan 6, 2021

Bumps cairosvg from 2.3.1 to 2.5.1.

Release notes

Sourced from cairosvg's releases.

2.5.1

WARNING: this is a security update.

When processing SVG files, CairoSVG was using two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS).

If an attacker provided a malicious SVG, it could make CairoSVG get stuck processing the file for a very long time.

Other bug fixes:

  • Fix marker positions for unclosed paths
  • Follow hint when only output_width or output_height is set
  • Handle opacity on raster images
  • Don’t crash when use tags reference unknown tags
  • Take care of the next letter when A/a is replaced by l
  • Fix misalignment in node.vertices

2.5.0

  • Drop support of Python 3.5, add support of Python 3.9.
  • Add EPS export
  • Add background-color, negate-colors, and invert-images options
  • Improve support for font weights
  • Fix opacity of patterns and gradients
  • Support auto-start-reverse value for orient
  • Draw images contained in defs
  • Add Exif transposition support
  • Handle dominant-baseline
  • Support transform-origin

2.4.2

  • Fix race condition in tests
  • Fix scale for images with no viewBox

2.4.1

  • Fix the --scale parameter
  • Allow href attributes with no namespace
  • Fix the tree root detection

2.4.0

  • Fix aspect and position when resizing root SVG tag
  • Follow aspect and position hints when using forced output size
Changelog

Sourced from cairosvg's changelog.

Version 2.5.1 released on 2021-01-06

WARNING: this is a security update.

When processing SVG files, CairoSVG was using two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS).

If an attacker provided a malicious SVG, it could make CairoSVG get stuck processing the file for a very long time.

Other bug fixes:

  • Fix marker positions for unclosed paths
  • Follow hint when only output_width or output_height is set
  • Handle opacity on raster images
  • Don’t crash when use tags reference unknown tags
  • Take care of the next letter when A/a is replaced by l
  • Fix misalignment in node.vertices

Version 2.5.0 released on 2020-10-29

  • Drop support of Python 3.5, add support of Python 3.9.
  • Add EPS export
  • Add background-color, negate-colors, and invert-images options
  • Improve support for font weights
  • Fix opacity of patterns and gradients
  • Support auto-start-reverse value for orient
  • Draw images contained in defs
  • Add Exif transposition support
  • Handle dominant-baseline
  • Support transform-origin

Version 2.4.2 released on 2019-09-10

  • Fix race condition in tests
  • Fix scale for images with no viewBox

Version 2.4.1 released on 2019-08-21

  • Fix the --scale parameter
  • Allow href attributes with no namespace
  • Fix the tree root detection

... (truncated)

Commits
  • 44c5d42 Version 2.5.1
  • cfc9175 Merge pull request from GHSA-hq37-853p-g5cf
  • 063185b Don’t use overlapping groups for regular expressions
  • 9c4a982 Take care of the next letter when A/a is replaced by l
  • f0edc6e Don’t crash when use tags reference unknown tags
  • 73349a7 Handle opacity on raster images
  • dcfbca4 Merge pull request #254 from yig/master
  • 1d61bfd Merge branch 'master' into master
  • 83c0b83 Follow hint when only output_width or output_height is set
  • 6b4f2ba Fix angle for absolute vertical lines
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jan 6, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants