Bump werkzeug from 2.2.2 to 2.2.3 in /app (#142)
Bumps [werkzeug](https://github.com/pallets/werkzeug) from 2.2.2 to 2.2.3.

## Release notes

Sourced from werkzeug's releases.

2.2.3
This is a fix release for the 2.2.x release branch.
- Changes: https://werkzeug.palletsprojects.com/en/2.2.x/changes/#version-2-2-3
- Milestone: https://github.com/pallets/werkzeug/milestone/26?closed=1

This release contains security fixes for:
- GHSA-xg9f-g7g7-2323
- GHSA-px8h-6qxv-m22q

## Changelog

Sourced from werkzeug's changelog.

Version 2.2.3
Released 2023-02-14

- Ensure that URL rules using path converters will redirect with strict slashes when the trailing slash is missing. (issue #2533)
- Type signature for get_json specifies that return type is not optional when silent=False. (issue #2508)
- parse_content_range_header returns None for a value like bytes */-1 where the length is invalid, instead of raising an AssertionError. (issue #2531)
- Address remaining ResourceWarning related to the socket used by run_simple. Remove prepare_socket, which now happens when creating the server. (issue #2421)
- Update pre-existing headers for multipart/form-data requests with the test client. (issue #2549)
- Fix handling of header extended parameters such that they are no longer quoted. (issue #2529)
- LimitedStream.read works correctly when wrapping a stream that may not return the requested size in one read call. (issue #2558)
- A cookie header that starts with = is treated as an empty key and discarded, rather than stripping the leading ==.
- Specify a maximum number of multipart parts, default 1000, after which a RequestEntityTooLarge exception is raised on parsing. This mitigates a DoS attack where a larger number of form/file parts would result in disproportionate resource use.

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Loren Yu <[email protected]>
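The last changelog item above describes the part-count limit that 2.2.3 adds as a DoS mitigation. What follows is an added illustration, not Werkzeug's code: a deliberately minimal multipart/form-data scanner that counts parts as it walks the body and rejects the request once a `max_form_parts` limit is exceeded. In Werkzeug 2.2.3 itself the limit is the `max_form_parts` attribute on the request object; here `RequestEntityTooLarge` is a local stand-in class, the boundary and fields are constructed sample input, and header handling is simplified to the `name=` parameter only.

```python
# Added illustration, not Werkzeug's code: a minimal multipart/form-data
# scanner that counts parts while walking the body and rejects it once the
# configured part limit is exceeded, the shape of mitigation described in
# the 2.2.3 changelog entry.

DEFAULT_MAX_FORM_PARTS = 1000  # the default the changelog states


class RequestEntityTooLarge(Exception):
    """Local stand-in for the exception named in the changelog."""


def build_multipart_body(boundary: bytes, fields) -> bytes:
    """Construct a sample multipart/form-data body (constructed test input,
    not captured traffic)."""
    chunks = []
    for name, value in fields:
        chunks.append(b"--" + boundary)
        chunks.append(b'Content-Disposition: form-data; name="' + name.encode() + b'"')
        chunks.append(b"")
        chunks.append(value.encode())
    chunks.append(b"--" + boundary + b"--")
    return b"\r\n".join(chunks) + b"\r\n"


def _field_name(header_blob: bytes):
    """Pull the name= parameter out of the part's Content-Disposition header."""
    for line in header_blob.split(b"\r\n"):
        key, _, value = line.partition(b":")
        if key.strip().lower() != b"content-disposition":
            continue
        for param in value.split(b";"):
            k, _, v = param.strip().partition(b"=")
            if k.strip() == b"name":
                return v.strip().strip(b'"').decode()
    return None


def parse_multipart(body: bytes, boundary: bytes,
                    max_form_parts: int = DEFAULT_MAX_FORM_PARTS) -> dict:
    """Walk the body delimiter by delimiter. The counter is checked before a
    part is processed, so an oversized body is refused as soon as the limit
    is crossed rather than after every part has been materialised."""
    delimiter = b"--" + boundary
    parts = {}
    count = 0
    pos = body.find(delimiter)
    if pos == -1:
        raise ValueError("no boundary found")
    while True:
        after = pos + len(delimiter)
        if body.startswith(b"--", after):
            break  # closing delimiter: "--boundary--"
        count += 1
        if count > max_form_parts:
            raise RequestEntityTooLarge(f"more than {max_form_parts} form parts")
        nxt = body.find(delimiter, after)
        if nxt == -1:
            raise ValueError("missing closing boundary")
        segment = body[after:nxt]
        if segment.startswith(b"\r\n"):
            segment = segment[2:]
        header_blob, _, content = segment.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):
            content = content[:-2]
        name = _field_name(header_blob)
        if name is not None:
            parts[name] = content.decode()
        pos = nxt
    return parts


def rejects_body(body: bytes, boundary: bytes, max_form_parts: int) -> bool:
    """True when the scanner refuses the body because of the part limit."""
    try:
        parse_multipart(body, boundary, max_form_parts)
    except RequestEntityTooLarge:
        return True
    return False


if __name__ == "__main__":
    boundary = b"exampleboundary"  # constructed sample boundary
    small = build_multipart_body(boundary, [("user", "alice"), ("role", "reader")])
    print(parse_multipart(small, boundary))
    flood = build_multipart_body(boundary, [(f"f{i}", "x") for i in range(1500)])
    print("rejected:", rejects_body(flood, boundary, DEFAULT_MAX_FORM_PARTS))
```

The property that matters is where the check sits: it runs before each part is processed, so a body carrying far more parts than the limit is refused after `max_form_parts + 1` delimiters have been seen, not after every part has been buffered and decoded. This example bounds only the number of parts; a per-part size limit belongs alongside it in any real parser.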
dependabot[bot] and lorenyu authored Feb 17, 2023
1 parent 8985ee3 commit f964468
Showing 2 changed files with 5 additions and 8 deletions.
5 changes: 1 addition & 4 deletions app/Makefile
Expand Up @@ -155,17 +155,14 @@ format-check:

lint: lint-py

lint-py: lint-flake lint-mypy lint-poetry-version
lint-py: lint-flake lint-mypy

lint-flake:
$(PY_RUN_CMD) flake8 --format=$(FLAKE8_FORMAT) api tests

lint-mypy:
$(PY_RUN_CMD) mypy --show-error-codes $(MYPY_FLAGS) api $(MYPY_POSTPROC)

lint-poetry-version: ## Check poetry version
grep --quiet 'lock-version = "1.1"' poetry.lock

lint-security: # https://bandit.readthedocs.io/en/latest/index.html
$(PY_RUN_CMD) bandit -c pyproject.toml -r . --number 3 --skip B101 -ll -x ./.venv

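Review bot: The `lint-poetry-version` target and its `grep --quiet 'lock-version = "1.1"' poetry.lock` check are dropped from `lint-py` without the commit message saying why; the message describes only the werkzeug bump. If the regenerated `poetry.lock` (4 additions and 4 deletions, not rendered here) now carries a different `lock-version`, state that in the message, or update the grep to the new value rather than removing the guard, since this check is what catches a lock file regenerated by a mismatched Poetry version.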
8 changes: 4 additions & 4 deletions app/poetry.lock

Some generated files are not rendered by default.
