Bump the pip group across 1 directory with 5 updates

[dependabot]

Bumps the pip group with 5 updates in the / directory:

Package	From	To
pycryptodome	3.18.0	3.19.1
pymysql	1.1.0	1.1.1
tornado	6.3.2	6.5
certifi	2023.7.22	2024.7.4
pillow	10.0.0	10.3.0

Updates pycryptodome from 3.18.0 to 3.19.1

Release notes

Sourced from pycryptodome's releases.

v3.19.1 - Zeil

Resolved issues

• Fixed a side-channel leakage with OAEP decryption that could be exploited to carry out a Manger attack. Thanks to Hubert Kario.

v3.19.0 - Ulm

New features

• The update() methods of TupleHash128 and TupleHash256 objects can now hash multiple items (byte strings) at once. Thanks to Sylvain Pelissier.
• Added support for ECDH, with Crypto.Protocol.DH.

Resolved issues

• GH#754: due to a bug in cffi, do not use it on Windows with Python 3.12+.

Changelog

Sourced from pycryptodome's changelog.

3.19.1 (28 December 2023) ++++++++++++++++++++++++++

Resolved issues

• Fixed a side-channel leakage with OAEP decryption that could be exploited to carry out a Manger attack (CVE-2023-52323). Thanks to Hubert Kario.

3.19.0 (16 September 2023) ++++++++++++++++++++++++++

New features

• The update() methods of TupleHash128 and TupleHash256 objects can now hash multiple items (byte strings) at once. Thanks to Sylvain Pelissier.
• Added support for ECDH, with Crypto.Protocol.DH.

Resolved issues

• GH#754: due to a bug in cffi, do not use it on Windows with Python 3.12+.

Commits

• ef270ab Update wheels action
• 3278edd Update changelog and version
• 10e8216 Update PSS verify signature code example.
• 4ec4b85 Bump version
• 0deea1b Use constant-time (faster) padding decoding also for OAEP
• 519e7ae Avoid changing signature of RSA._decrypt() method if possible
• 1aa9dca Update changelog and bump version
• afb5e27 Fix side-channel leakage in RSA decryption
• ee91c67 Update CMAC.py
• 43a466d Fix small "passes" typo.
• Additional commits viewable in compare view

Updates pymysql from 1.1.0 to 1.1.1

Release notes

Sourced from pymysql's releases.

v1.1.1

[!WARNING] This release fixes a vulnerability (CVE-2024-36039). All users are recommended to update to this version.

If you can not update soon, check the input value from untrusted source has an expected type. Only dict input from untrusted source can be an attack vector.

What's Changed

• Prohibit dict parameter for Cursor.execute(). It didn't produce valid SQL and might cause SQL injection. (CVE-2024-36039)
• Added ssl_key_password param by @​svaskov in PyMySQL/PyMySQL#1145

Merged PRs

• Add support for Python 3.12 by @​hugovk in PyMySQL/PyMySQL#1134
• chore(deps): update actions/checkout action to v4 by @​renovate in PyMySQL/PyMySQL#1136
• Update codecov/codecov-action action to v4 by @​renovate in PyMySQL/PyMySQL#1137
• ci: use codecov@v3 by @​methane in PyMySQL/PyMySQL#1142
• chore(deps): update dessant/lock-threads action to v5 by @​renovate in PyMySQL/PyMySQL#1141
• doc: use rtd theme by @​methane in PyMySQL/PyMySQL#1143
• use Ruff as formatter by @​methane in PyMySQL/PyMySQL#1144
• chore(deps): update dependency sphinx-rtd-theme to v2 by @​renovate in PyMySQL/PyMySQL#1147
• chore(deps): update actions/setup-python action to v5 by @​renovate in PyMySQL/PyMySQL#1152
• chore(deps): update github/codeql-action action to v3 by @​renovate in PyMySQL/PyMySQL#1154
• chore(deps): update codecov/codecov-action action to v4 by @​renovate in PyMySQL/PyMySQL#1158
• Support error packet without sqlstate by @​methane in PyMySQL/PyMySQL#1160
• test json - mariadb without JSON type by @​grooverdan in PyMySQL/PyMySQL#1165

New Contributors

• @​hugovk made their first contribution in PyMySQL/PyMySQL#1134
• @​svaskov made their first contribution in PyMySQL/PyMySQL#1145

Full Changelog: PyMySQL/PyMySQL@v1.1.0...v1.1.1

Changelog

Sourced from pymysql's changelog.

v1.1.1

Release date: 2024-05-21

[!WARNING] This release fixes a vulnerability (CVE-2024-36039). All users are recommended to update to this version.

If you can not update soon, check the input value from untrusted source has an expected type. Only dict input from untrusted source can be an attack vector.

• Prohibit dict parameter for Cursor.execute(). It didn't produce valid SQL and might cause SQL injection. (CVE-2024-36039)
• Added ssl_key_password param. #1145

Commits

• 2cab9ec v1.1.1
• 521e400 forbid dict parameter
• 7f032a6 remove coveralls from requirements
• 69f6c74 ruff format
• b4ed688 test json - mariadb without JSON type (#1165)
• bbd049f Support error packet without sqlstate (#1160)
• 9694747 pyupgrade
• 1f0b785 chore(deps): update codecov/codecov-action action to v4 (#1158)
• 1e28be8 chore(deps): update github/codeql-action action to v3 (#1154)
• f13f054 chore(deps): update actions/setup-python action to v5 (#1152)
• Additional commits viewable in compare view

Updates tornado from 6.3.2 to 6.5

Changelog

Sourced from tornado's changelog.

Release notes

.. toctree:: :maxdepth: 2

releases/v6.5.1 releases/v6.5.0 releases/v6.4.2 releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1 releases/v3.2.0 releases/v3.1.1 releases/v3.1.0 releases/v3.0.2 releases/v3.0.1 releases/v3.0.0

... (truncated)

Commits

• ab5f354 Merge pull request #3498 from bdarnell/final-6.5
• 3623024 Final release notes for 6.5.0
• b39b892 Merge pull request #3497 from bdarnell/multipart-log-spam
• cc61050 httputil: Raise errors instead of logging in multipart/form-data parsing
• ae4a4e4 asyncio: Preserve contextvars across SelectorThread on Windows (#3479)
• 197ff13 Merge pull request #3496 from bdarnell/undeprecate-set-event-loop
• c3d906c requirements: Upgrade tox to 4.26.0
• a838977 testing: Remove deprecation warning filter for set_event_loop
• d8e0d36 build: Fix free-threaded build, mark speedups module as no-GIL
• bfe7489 Merge pull request #3492 from bdarnell/relnotes-6.5
• Additional commits viewable in compare view

Updates certifi from 2023.7.22 to 2024.7.4

Commits

• bd81538 2024.07.04 (#295)
• 06a2cbf Bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (#294)
• 13bba02 Bump actions/checkout from 4.1.6 to 4.1.7 (#293)
• e8abcd0 Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 (#292)
• 124f4ad 2024.06.02 (#291)
• c2196ce --- (#290)
• fefdeec Bump actions/checkout from 4.1.4 to 4.1.5 (#289)
• 3c5fb15 Bump actions/download-artifact from 4.1.6 to 4.1.7 (#286)
• 4a9569a Bump actions/checkout from 4.1.2 to 4.1.4 (#287)
• 1fc8086 Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (#288)
• Additional commits viewable in compare view

Updates pillow from 10.0.0 to 10.3.0

Release notes

Sourced from pillow's releases.

10.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html

Deprecations

• Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() #7927 [@​hugovk]
• Deprecate ImageCms constants and versions() function #7702 [@​nulano]

Changes

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [@​hugovk]
• Use functools.lru_cache for hopper() #7912 [@​hugovk]
• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [@​radarhere]
• Improve speed of loading QOI images #7925 [@​radarhere]
• Added RGB to I;16N conversion #7920 [@​radarhere]
• Add --report argument to main.py to omit supported formats #7818 [@​nulano]
• Added RGB to I;16, I;16L and I;16B conversion #7918 [@​radarhere]
• Fix editable installation with custom build backend and configuration options #7658 [@​nulano]
• Fix putdata() for I;16N on big-endian #7209 [@​Yay295]
• Determine MPO size from markers, not EXIF data #7884 [@​radarhere]
• Improved conversion from RGB to RGBa, LA and La #7888 [@​radarhere]
• Support FITS images with GZIP_1 compression #7894 [@​radarhere]
• Use I;16 mode for 9-bit JPEG 2000 images #7900 [@​scaramallion]
• Raise ValueError if kmeans is negative #7891 [@​radarhere]
• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [@​radarhere]
• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [@​radarhere]
• Added reading of JPEG2000 palettes #7870 [@​radarhere]
• Added alpha_quality argument when saving WebP images #7872 [@​radarhere]
• Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions #7881 [@​radarhere]
• Removed Python and NumPy pinning on Cygwin #7880 [@​radarhere]
• Update UnidentifiedImageError and version imports #7644 [@​radarhere]
• Stop reading EPS image at EOF marker #7753 [@​radarhere]
• PSD layer co-ordinates may be negative #7706 [@​radarhere]
• Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer #7791 [@​radarhere]
• When saving GIF frame that restores to background color, do not fill identical pixels #7788 [@​radarhere]
• Fixed reading PNG iCCP compression method #7823 [@​radarhere]
• Allow writing IFDRational to UNDEFINED tag #7840 [@​radarhere]
• Fix logged tag name when loading Exif data #7842 [@​radarhere]
• Use maximum frame size in IHDR chunk when saving APNG images #7821 [@​radarhere]
• Prevent opening P TGA images without a palette #7797 [@​radarhere]
• Use palette when loading ICO images #7798 [@​radarhere]
• Use consistent arguments for load_read and load_seek #7713 [@​radarhere]
• Turn off nullability warnings for macOS SDK #7827 [@​radarhere]
• Fix shift-sign issue in Convert.c #7838 [@​r-barnes]
• winbuild: Refactor dependency versions into constants #7843 [@​hugovk]
• Build macOS arm64 wheels natively #7852 [@​radarhere]
• Fixed typo #7855 [@​radarhere]
• Open 16-bit grayscale PNGs as I;16 #7849 [@​radarhere]
• Handle truncated chunks at the end of PNG images #7709 [@​lajiyuan]
• Match mask size to pasted image size in GifImagePlugin #7779 [@​radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

10.3.0 (2024-04-01)

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [radarhere, hugovk]

• Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() #7927 [radarhere, hugovk]

• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [radarhere]

• Add --report argument to __main__.py to omit supported formats #7818 [nulano, radarhere, hugovk]

• Added RGB to I;16, I;16L, I;16B and I;16N conversion #7918, #7920 [radarhere]

• Fix editable installation with custom build backend and configuration options #7658 [nulano, radarhere]

• Fix putdata() for I;16N on big-endian #7209 [Yay295, hugovk, radarhere]

• Determine MPO size from markers, not EXIF data #7884 [radarhere]

• Improved conversion from RGB to RGBa, LA and La #7888 [radarhere]

• Support FITS images with GZIP_1 compression #7894 [radarhere]

• Use I;16 mode for 9-bit JPEG 2000 images #7900 [scaramallion, radarhere]

• Raise ValueError if kmeans is negative #7891 [radarhere]

• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [radarhere]

• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [radarhere]

• Added reading of JPEG2000 palettes #7870 [radarhere]

• Added alpha_quality argument when saving WebP images #7872 [radarhere]

... (truncated)

Commits

• 5c89d88 10.3.0 version bump
• 63cbfcf Update CHANGES.rst [ci skip]
• 2776126 Merge pull request #7928 from python-pillow/lcms
• aeb51cb Merge branch 'main' into lcms
• 5beb0b6 Update CHANGES.rst [ci skip]
• cac6ffa Merge pull request #7927 from python-pillow/imagemath
• f5eeeac Name as 'options' in lambda_eval and unsafe_eval, but '_dict' in deprecated eval
• facf3af Added release notes
• 2a93aba Use strncpy to avoid buffer overflow
• a670597 Update CHANGES.rst [ci skip]
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml