Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump pygithub from 1.58.2 to 2.5.0 #11215

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Nov 7, 2024

Bumps pygithub from 1.58.2 to 2.5.0.

Release notes

Sourced from pygithub's releases.

v2.5.0

Breaking Changes

  • Parameters of method github.Requester.Requester.graphql_named_mutation have been renamed:
    • Parameter variables renamed to mutation_input
    • Parameter output renamed to output_schema
    • Default value of parameter output has been removed

New features

Improvements

Bug Fixes

  • Fix requesting urls containing parameters with parameters dict @​EnricoMi (#2929)
  • PullRequest.delete_branch: fix the remaining pull requests check @​fetsko (#3063)

Maintenance

v2.4.0

New features

Improvements

... (truncated)

Changelog

Sourced from pygithub's changelog.

Version 2.5.0 (November 06, 2024)

Breaking Changes ^^^^^^^^^^^^^^^^

  • Parameters of method github.Requester.Requester.graphql_named_mutation have been renamed:

    • Parameter variables renamed to mutation_input
    • Parameter output renamed to output_schema
    • Default value of parameter output has been removed

New features ^^^^^^^^^^^^

  • Rework GraphQL mutations (#3046) (27222251)
  • Make pagination work with GraphQL response data (#3047) (cd30e379)
  • Add RepositoryDiscussion powered by GraphQL API (#3048) (29359f3c)
  • Add Repository.get_discussion() to get a single Discussion (#3072) (44120b1e)

Improvements ^^^^^^^^^^^^

  • Adds List organization memberships for the authenticated user (#3040) (cf443955)
  • Add actor property to WorkflowRun (#2764) (612ba68e)
  • Make requester a public attribute (#3056) (c44ec523)

Bug Fixes ^^^^^^^^^

  • Fix requesting urls containing parameters with parameters dict (#2929) (e1d67ada)
  • PullRequest.delete_branch: fix the remaining pull requests check (#3063) (72fa6278)

Maintenance ^^^^^^^^^^^

  • Remove stale bot (510c1402)
  • Upgrade Github actions (#3075) (323e2828)
  • Add top issues dashboard action (#3049) (c91f26a7)
  • Make tests pass some more years (#3045) (352c55aa)
  • Run top issues workflow only in PyGithub repo (0d395d4e)
  • Replace pre-commit Github action in order to pin pre-commit version (#3059) (1a05b43d)

Version 2.4.0 (August 26, 2024)

Breaking Changes ^^^^^^^^^^^^^^^^

  • The github.Commit.Commit class provides a files property that used to return a list[github.File.File],

... (truncated)

Commits

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [pygithub](https://github.com/pygithub/pygithub) from 1.58.2 to 2.5.0.
- [Release notes](https://github.com/pygithub/pygithub/releases)
- [Changelog](https://github.com/PyGithub/PyGithub/blob/main/doc/changes.rst)
- [Commits](PyGithub/PyGithub@v1.58.2...v2.5.0)

---
updated-dependencies:
- dependency-name: pygithub
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Nov 7, 2024
Copy link

dryrunsecurity bot commented Nov 7, 2024

DryRun Security Summary

The provided code change updates the requirements.txt file for the DefectDojo application, with the key change being the upgrade of the PyGithub library from version 1.58.2 to 2.5.0, which is used to interact with the GitHub API, and the rest of the changes appear to be updates to other Python dependencies to keep the application up-to-date and secure.

Expand for full summary

Summary:

The provided code change is an update to the requirements.txt file, which lists the Python dependencies required for the DefectDojo application. The key change is the update of the PyGithub library from version 1.58.2 to 2.5.0. This library is used to interact with the GitHub API, and the update may introduce new features or bug fixes.

From an application security perspective, the update to the PyGithub library is worth reviewing. While library upgrades can often improve security, it's important to review the changelog and release notes to understand if there were any security-related fixes or improvements. Additionally, it's a good practice to test the changes thoroughly to ensure that the update does not introduce any regressions or new vulnerabilities. The rest of the changes appear to be updates to other Python dependencies, which is a common practice to keep the application up-to-date and secure. However, it's still important to review the changes to these dependencies to ensure that there are no known security vulnerabilities in the updated versions.

Files Changed:

  • requirements.txt: This file has been updated to include the latest version of the PyGithub library, which has been upgraded from 1.58.2 to 2.5.0. The rest of the changes appear to be updates to other Python dependencies, which is a common practice to keep the application up-to-date and secure.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocking merge

See #9948 (review)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file python Pull requests that update Python code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants