Bump the pip group across 1 directory with 7 updates

[dependabot]

Bumps the pip group with 7 updates in the / directory:

Package	From	To
gunicorn	21.2.0	22.0.0
eventlet	0.34.3	0.35.2
aiohttp	3.9.3	3.9.4
yt-dlp	2023.12.30	2024.4.9
pillow	10.2.0	10.3.0
black	24.2.0	24.3.0
idna	3.6	3.7

Updates gunicorn from 21.2.0 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

fix CVE-2024-1135

1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
2. Packages: https://pypi.org/project/gunicorn/

Commits

• f63d59e bump to 22.0
• 4ac81e0 Merge pull request #3175 from e-kwsm/typo
• 401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
• 0243ec3 fix(deps): exclude eventlet 0.36.0
• 628a0bc chore: fix typos
• 88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
• deae2fc CI: back off the agressive timeout
• f470382 docs: promise 3.12 compat
• 5e30bfa add changelog to project.urls (updated for PEP621)
• 481c3f9 remove setup.cfg - overridden by pyproject.toml
• Additional commits viewable in compare view

Updates eventlet from 0.34.3 to 0.35.2

Changelog

Sourced from eventlet's changelog.

0.35.2

• [fix] Fix tool.setuptools/packages list eventlet/eventlet#921
• [security] Dnspython 2.6.1 - Address DoS via the Tudoor mechanism (CVE-2023-29483) eventlet/eventlet#916
• [doc] add asyncio into the doc hub page eventlet/eventlet#918
• [clean] clean obsolete python 2 code from the ssl module eventlet/eventlet#915
• [fix] Add get_server_info to db_pool.py eventlet/eventlet#324
• [fix] wsgi: Handle Timeouts from applications eventlet/eventlet#911
• [fix] shrinks window before connecting eventlet/eventlet#905

0.35.1

• [fix] Do not allow failed patching to stop execution eventlet/eventlet#907

0.35.0

• [doc] Basic documentation for asyncio migration eventlet/eventlet#892
• [tests] add minimal linting eventlet/eventlet#894
• [doc] officially host docs on readthedocs eventlet/eventlet#899
• [fix] fix truncate size nullable eventlet/eventlet#789
• [fix] Handle transport endpoint shutdown in conditions eventlet/eventlet#884
• [fix] Rework reject_bad_requests option eventlet/eventlet#890
• [fix] Fix NameError introduced by #826 eventlet/eventlet#890
• [feature] Support awaiting GreenThread in an async def context eventlet/eventlet#889
• [infra] Extend test cert to 2049 eventlet/eventlet#643
• [feature] Asyncio hub support for Python 3.7 to 3.9 eventlet/eventlet#886
• [infra] Modernize doc generation eventlet/eventlet#880
• [fix] Fix bad exceptions handlings eventlet/eventlet#883
• [feature] Support using asyncio coroutines from inside greenlets eventlet/eventlet#877
• [removal] Remove deprecated CGIHTTPServer and SimpleHTTPServer eventlet/eventlet#881
• [governance] Update maintenance goals eventlet/eventlet#850
• [feature] Add an asyncio hub for eventlet eventlet/eventlet#870

Commits

• edd9e7e Update changelog for version 0.35.2 (#920)
• a23fd0e Fix tool.setuptools/packages list (#921)
• 51e3c49 Dnspython 2.6.1 - Address DoS via the Tudoor mechanism (CVE-2023-29483)
• b6f6e7c add asyncio into the doc hub page (#918)
• 96a3940 clean obsolete python 2 code from the ssl module (#915)
• 06ec630 Add get_server_info to db_pool.py (#324)
• dfcc939 wsgi: Handle Timeouts from applications (#911)
• 799dabc [Fix] shrinks window before connecting (#905)
• 3f8c9e4 Do not allow failed patching to stop execution (#907)
• d467343 Add Python 3.7 to pyproject classifiers (#904)
• Additional commits viewable in compare view

Updates aiohttp from 3.9.3 to 3.9.4

Release notes

Sourced from aiohttp's releases.

3.9.4

Bug fixes

• The asynchronous internals now set the underlying causes when assigning exceptions to the future objects -- by :user:webknjaz.

  Related issues and pull requests on GitHub: #8089.

• Treated values of Accept-Encoding header as case-insensitive when checking for gzip files -- by :user:steverep.

  Related issues and pull requests on GitHub: #8104.

• Improved the DNS resolution performance on cache hit -- by :user:bdraco.

  This is achieved by avoiding an :mod:asyncio task creation in this case.

  Related issues and pull requests on GitHub: #8163.

• Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append, :meth:aiohttp.MultipartWriter.append_json and :meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny

  Related issues and pull requests on GitHub: #7741.

• Ensure websocket transport is closed when client does not close it -- by :user:bdraco.

  The transport could remain open if the client did not close it. This change ensures the transport is closed when the client does not close it.

... (truncated)

Changelog

Sourced from aiohttp's changelog.

3.9.4 (2024-04-11)

Bug fixes

• The asynchronous internals now set the underlying causes when assigning exceptions to the future objects -- by :user:webknjaz.

  Related issues and pull requests on GitHub: :issue:8089.

• Treated values of Accept-Encoding header as case-insensitive when checking for gzip files -- by :user:steverep.

  Related issues and pull requests on GitHub: :issue:8104.

• Improved the DNS resolution performance on cache hit -- by :user:bdraco.

  This is achieved by avoiding an :mod:asyncio task creation in this case.

  Related issues and pull requests on GitHub: :issue:8163.

• Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append, :meth:aiohttp.MultipartWriter.append_json and :meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny

  Related issues and pull requests on GitHub: :issue:7741.

• Ensure websocket transport is closed when client does not close it -- by :user:bdraco.

  The transport could remain open if the client did not close it. This change ensures the transport is closed when the client does not close it.

... (truncated)

Commits

• b3397c7 Release v3.9.4 (#8201)
• a7e240a [PR #8320/9ba9a4e5 backport][3.9] Fix Python parser to mark responses without...
• 2833552 Escape filenames and paths in HTML when generating index pages (#8317) (#8319)
• ed43040 [PR #8309/c29945a1 backport][3.9] Improve reliability of run_app test (#8315)
• ec2be05 [PR #8299/28d026eb backport][3.9] Create marker for internal tests (#8307)
• 292d961 [PR #8304/88c80c14 backport][3.9] Check for backports in CI (#8305)
• cebe526 Fix handling of multipart/form-data (#8280) (#8302)
• 270ae9c [PR #8297/d15f07cf backport][3.9] Upgrade to llhttp 9.2.1 (#8292) (#8298)
• bb23105 [PR #8283/54e13b0a backport][3.9] Fix blocking I/O in the event loop while pr...
• 3f79241 [PR #8286/28f1fd88 backport][3.9] docs: remove repetitive word in comment (#8...
• Additional commits viewable in compare view

Updates yt-dlp from 2023.12.30 to 2024.4.9

Release notes

Sourced from yt-dlp's releases.

yt-dlp 2024.04.09

A description of the various files are in the README

---

Important changes

• Security: [CVE-2024-22423] Prevent RCE when using --exec with %q on Windows
  • The shell escape function now properly escapes %, \ and \n.
  • utils.Popen has been patched accordingly.

Core changes

• Add new option --progress-delta (#9082) by Grub4K
• Add new options --impersonate and --list-impersonate-targets by bashonly, coletdjnz, Grub4K, pukkandan
• Add option --no-break-on-existing (#9610) by bashonly
• Fix filesize_approx calculation (#9560) by pukkandan, seproDev
• Infer acodec for single-codec containers by pukkandan
• Prevent RCE when using --exec with %q (CVE-2024-22423) by Grub4K
• cookies: Add --cookies-from-browser support for Firefox Flatpak (#9619) by un-def
• utils
  • traverse_obj
    • Allow unbranching using all and any (#9571) by Grub4K
    • Convenience improvements (#9577) by Grub4K

Extractor changes

• Add extractor impersonate API (#9474) by bashonly, Grub4K, pukkandan
• afreecatv
  • Overhaul extractor (#9566) by bashonly, Tomoka1
  • live: Fix extractor (#9348) by hui1601
• asobistage: Add extractor (#8735) by pzhlkj6612
• box: Support URLs without file IDs (#9504) by shreyasminocha
• cbc.ca: player: Support new URL format (#9561) by trainman261
• crunchyroll
  • Extract vo_adaptive_hls formats by default (#9447) by bashonly
  • Fix extractor (#9615) by bytedream
• dropbox: Fix formats extraction (#9627) by bashonly
• fathom: Add extractor (#9495) by src-tinkerer
• gofile: Fix extractor (#9446) by jazz1611
• imgur: Fix extraction (#9471) by trwstin
• jiosaavn
  • Extract artists (#9612) by bashonly
  • Fix format extensions (#9609) by bashonly
  • Support playlists (#9622) by bashonly
• joqrag: Fix live status detection (#9624) by pzhlkj6612
• kick: Support browser impersonation (#9611) by bashonly
• loom: Add extractors (#8686) by bashonly, hruzgar
• medici: Fix extractor (#9518) by Offert4324

... (truncated)

Changelog

Sourced from yt-dlp's changelog.

Changelog

2024.04.09

Important changes

• Security: [CVE-2024-22423] Prevent RCE when using --exec with %q on Windows
  • The shell escape function now properly escapes %, \ and \n.
  • utils.Popen has been patched accordingly.

Core changes

• Add new option --progress-delta (#9082) by Grub4K
• Add new options --impersonate and --list-impersonate-targets by bashonly, coletdjnz, Grub4K, pukkandan
• Add option --no-break-on-existing (#9610) by bashonly
• Fix filesize_approx calculation (#9560) by pukkandan, seproDev
• Infer acodec for single-codec containers by pukkandan
• Prevent RCE when using --exec with %q (CVE-2024-22423) by Grub4K
• cookies: Add --cookies-from-browser support for Firefox Flatpak (#9619) by un-def
• utils
  • traverse_obj
    • Allow unbranching using all and any (#9571) by Grub4K
    • Convenience improvements (#9577) by Grub4K

Extractor changes

• Add extractor impersonate API (#9474) by bashonly, Grub4K, pukkandan
• afreecatv
  • Overhaul extractor (#9566) by bashonly, Tomoka1
  • live: Fix extractor (#9348) by hui1601
• asobistage: Add extractor (#8735) by pzhlkj6612
• box: Support URLs without file IDs (#9504) by shreyasminocha
• cbc.ca: player: Support new URL format (#9561) by trainman261
• crunchyroll
  • Extract vo_adaptive_hls formats by default (#9447) by bashonly
  • Fix extractor (#9615) by bytedream
• dropbox: Fix formats extraction (#9627) by bashonly
• fathom: Add extractor (#9495) by src-tinkerer
• gofile: Fix extractor (#9446) by jazz1611
• imgur: Fix extraction (#9471) by trwstin
• jiosaavn
  • Extract artists (#9612) by bashonly
  • Fix format extensions (#9609) by bashonly
  • Support playlists (#9622) by bashonly
• joqrag: Fix live status detection (#9624) by pzhlkj6612
• kick: Support browser impersonation (#9611) by bashonly
• loom: Add extractors (#8686) by bashonly, hruzgar
• medici: Fix extractor (#9518) by Offert4324
• mixch

... (truncated)

Commits

• 168e72d Release 2024.04.09
• ff07792 [core] Prevent RCE when using --exec with %q (CVE-2024-22423)
• 216f6a3 [cleanup] Misc (#9426)
• b19ae09 [build] Do not include curl_cffi in macos_legacy (#9653)
• 9590cc6 Add new option --progress-delta (#9082)
• 79a451e [networking] Respect SSLKEYLOGFILE environment variable (#9543)
• df0e138 [docs] Various manpage fixes
• 2e94602 [ie/jiosaavn] Support playlists (#9622)
• 4af9d5c [ie/nhk] Fix NHK World extractors (#9623)
• 36b240f [ie/patreon] Do not extract dead embed URLs (#9613)
• Additional commits viewable in compare view

Updates pillow from 10.2.0 to 10.3.0

Release notes

Sourced from pillow's releases.

10.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html

Changes

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [@​hugovk]
• Use functools.lru_cache for hopper() #7912 [@​hugovk]
• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [@​radarhere]
• Improve speed of loading QOI images #7925 [@​radarhere]
• Added RGB to I;16N conversion #7920 [@​radarhere]
• Add --report argument to main.py to omit supported formats #7818 [@​nulano]
• Added RGB to I;16, I;16L and I;16B conversion #7918 [@​radarhere]
• Fix editable installation with custom build backend and configuration options #7658 [@​nulano]
• Fix putdata() for I;16N on big-endian #7209 [@​Yay295]
• Determine MPO size from markers, not EXIF data #7884 [@​radarhere]
• Improved conversion from RGB to RGBa, LA and La #7888 [@​radarhere]
• Support FITS images with GZIP_1 compression #7894 [@​radarhere]
• Use I;16 mode for 9-bit JPEG 2000 images #7900 [@​scaramallion]
• Raise ValueError if kmeans is negative #7891 [@​radarhere]
• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [@​radarhere]
• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [@​radarhere]
• Added reading of JPEG2000 palettes #7870 [@​radarhere]
• Added alpha_quality argument when saving WebP images #7872 [@​radarhere]
• Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions #7881 [@​radarhere]
• Removed Python and NumPy pinning on Cygwin #7880 [@​radarhere]
• Update UnidentifiedImageError and version imports #7644 [@​radarhere]
• Stop reading EPS image at EOF marker #7753 [@​radarhere]
• PSD layer co-ordinates may be negative #7706 [@​radarhere]
• Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer #7791 [@​radarhere]
• When saving GIF frame that restores to background color, do not fill identical pixels #7788 [@​radarhere]
• Fixed reading PNG iCCP compression method #7823 [@​radarhere]
• Allow writing IFDRational to UNDEFINED tag #7840 [@​radarhere]
• Fix logged tag name when loading Exif data #7842 [@​radarhere]
• Use maximum frame size in IHDR chunk when saving APNG images #7821 [@​radarhere]
• Prevent opening P TGA images without a palette #7797 [@​radarhere]
• Use palette when loading ICO images #7798 [@​radarhere]
• Use consistent arguments for load_read and load_seek #7713 [@​radarhere]
• Turn off nullability warnings for macOS SDK #7827 [@​radarhere]
• Fix shift-sign issue in Convert.c #7838 [@​r-barnes]
• winbuild: Refactor dependency versions into constants #7843 [@​hugovk]
• Build macOS arm64 wheels natively #7852 [@​radarhere]
• Fixed typo #7855 [@​radarhere]
• Open 16-bit grayscale PNGs as I;16 #7849 [@​radarhere]
• Handle truncated chunks at the end of PNG images #7709 [@​lajiyuan]
• Match mask size to pasted image size in GifImagePlugin #7779 [@​radarhere]
• Changed SupportsGetMesh protocol to be public #7841 [@​radarhere]
• Release GIL while calling WebPAnimDecoderGetNext #7782 [@​evanmiller]
• Fixed reading FLI/FLC images with a prefix chunk #7804 [@​twolife]
• Updated package name for Tidelift #7810 [@​radarhere]
• Removed unused code #7744 [@​radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

10.3.0 (2024-04-01)

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [radarhere, hugovk]

• Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() #7927 [radarhere, hugovk]

• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [radarhere]

• Add --report argument to __main__.py to omit supported formats #7818 [nulano, radarhere, hugovk]

• Added RGB to I;16, I;16L, I;16B and I;16N conversion #7918, #7920 [radarhere]

• Fix editable installation with custom build backend and configuration options #7658 [nulano, radarhere]

• Fix putdata() for I;16N on big-endian #7209 [Yay295, hugovk, radarhere]

• Determine MPO size from markers, not EXIF data #7884 [radarhere]

• Improved conversion from RGB to RGBa, LA and La #7888 [radarhere]

• Support FITS images with GZIP_1 compression #7894 [radarhere]

• Use I;16 mode for 9-bit JPEG 2000 images #7900 [scaramallion, radarhere]

• Raise ValueError if kmeans is negative #7891 [radarhere]

• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [radarhere]

• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [radarhere]

• Added reading of JPEG2000 palettes #7870 [radarhere]

• Added alpha_quality argument when saving WebP images #7872 [radarhere]

... (truncated)

Commits

• 5c89d88 10.3.0 version bump
• 63cbfcf Update CHANGES.rst [ci skip]
• 2776126 Merge pull request #7928 from python-pillow/lcms
• aeb51cb Merge branch 'main' into lcms
• 5beb0b6 Update CHANGES.rst [ci skip]
• cac6ffa Merge pull request #7927 from python-pillow/imagemath
• f5eeeac Name as 'options' in lambda_eval and unsafe_eval, but '_dict' in deprecated eval
• facf3af Added release notes
• 2a93aba Use strncpy to avoid buffer overflow
• a670597 Update CHANGES.rst [ci skip]
• Additional commits viewable in compare view

Updates black from 24.2.0 to 24.3.0

Release notes

Sourced from black's releases.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

• Don't move comments along with delimiters, which could cause crashes (#4248)
• Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
• Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

• Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

• Note what happens when --check is used with --quiet (#4236)

Changelog

Sourced from black's changelog.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

• Don't move comments along with delimiters, which could cause crashes (#4248)
• Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
• Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

• Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

• Note what happens when --check is used with --quiet (#4236)

Commits

• 552baf8 Prepare release 24.3.0 (#4279)
• f000936 Fix catastrophic performance in lines_with_leading_tabs_expanded() (#4278)
• 7b5a657 Fix --line-ranges behavior when ranges are at EOF (#4273)
• 1abcffc Use regex where we ignore case on windows (#4252)
• 719e674 Fix 4227: Improve documentation for --quiet --check (#4236)
• e5510af update plugin url for Thonny (#4259)
• 6af7d11 Fix AST safety check false negative (#4270)
• f03ee11 Ensure blib2to3.pygram is initialized before use (#4224)
• e4bfedb fix: Don't move comments while splitting delimiters (#4248)
• d0287e1 Make trailing comma logic more concise (#4202)
• Additional commits viewable in compare view

Updates idna from 3.6 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Commits

• 1d365e1 Release v3.7
• c1b3154 Merge pull request #172 from kjd/optimize-contextj
• 0394ec7 Merge branch 'master' into optimize-contextj
• cd58a23 Merge pull request #152 from elliotwutingfeng/dev
• 5beb28b More efficient resolution of joiner contexts
• 1b12148 Update ossf/scorecard-action to v2.3.1
• d516b87 Update Github actions/checkout to v4
• c095c75 Merge branch 'master' into dev
• 60a0a4c Fix typo in GitHub Actions workflow key
• 5918a0e Merge branch 'master' into dev
• Additional commit...

  Description has been truncated