Because
- JSON schemas were incorrectly failing validation on `firefoxLabsTitle`
and `firefoxLabsDescription` fields. We need to allow them to be `null`
(omitted).
This commit
- Updates `DesktopNimbusExperiment` and `DesktopNimbusExperiment`
classes' fields mentioned above.
- Updates schema version.
- Generates new TS schema.
- Adds new test (fixture) for this use case.
Fixes #11749
Because:
- Experimenter uses a different placeholder feature ID than the one
specified in the schemas; and
- using the new split schema in Firefox Desktop would break the world
This commit:
- splits the Firefox Desktop schema into two versions: a strict,
backwards-compatible version (one that enforces the branches[].feature
field is present), and a more lax client version (that does not require
the branches[].feature field);
- updates the strict schema to use the correct placeholder feature ID;
- updates all the fixtures to use the correct placeholder;
- updates all the tests to test against both the strict and lax schemas;
and
- updates the schemas package to 2024.11.4.
Fixes #11717
Because:
- our current pan-application schema currently allows SDK experiments to
validate on Firefox Desktop (because there is no conditional validation
enforcing a relationship between the application field and the branches
field);
- we no longer publish single feature experiments; and
- we no longer support applications that do not support multi-feature
experiments.
This commit:
- splits our NimbusExperiment schema into a DesktopNimbusExperiment and
an SdkNimbusExperiment;
- removes support for mono-feature experiments from both Desktop and SDK
experiment schemas;
- removes some old, mono-feature fixtures that do not validate with our
new schemas; and
- bumps the schemas package version to 2024.11.3 to publish these
changes.
Fixes #11704
Because
- We found a bug where the `firefoxLabsTitle` field was set as required
on the `ExperimentMultiFeatureDesktopBranch` class.
This commit
- Updates the `firefoxLabsTitle` field on the above class to use
`default=None`.
- Updates schema version to `2024.11.2`.
- Updates TS schema
Fixes #11701
Because:
- we were running poetry install *after* copying files, which was
causing unnecessary layer invalidation
This commit:
- re-orders the dependency installation before file copying, so that file
edits do not require you to reinstall dependencies.
Fixes #11676
Because:
- we previously were using the generated JSONSchema definition of the
localizations field to validate it in Experimenter; and
- we now have pydantic v2 in Experimenter
This commit:
- pulls out the localizations field into a separate model so that we can
use that for validation directly in Experimenter; and
- bumps the version to 2024.11.1
Fixes #11673
Because:
- Docker has deprecated `ENV KEY value` syntax and is now complaining
about our usage
This commit:
- updates our usage to the new syntax.
Fixes #11678
Because:
- using the file-loader layer can trigger unnecessary layer rebuilds due
to invalidating the layer cache
This commit:
- removes the file caching layer from the schemas Dockerfile
Fixes #11670
chore(schemas): upgrade to Poetry 1.8.4
Because:
- everything else is using Poetry 1.8.4; and
- the README says we're using Python 3.11 but actually we're using 3.10
This commit:
- updates mozilla_nimbus_schemas to use Poetry 1.8.4; and
- updates the Python version in the README.
Fixes #11645
Because
- We need to update the Nimbus Experiment schema with Firefox Labs
relevant fields.
This commit
- Updates `NimbusExperiment` class in the `experiments.py` module with
these optional fields `isFirefoxLabsOptIn`, `firefoxLabsTitle`,
`firefoxLabsDescription`.
- Updates `ExperimentMultiFeatureDesktopBranch` class in the
`experiments.py` module with the optional field `firefoxLabsTitle`.
- Adds relevant generated json and TS schemas.
- Updates and adds unit tests for `NimbusExperiment`.
- Adds fixtures(json) for the above tests.
Fixes #[11562](https://github.com/mozilla/experimenter/issues/11562)
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.6.1 to 0.7.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/astral-sh/ruff/releases">ruff's
releases</a>.</em></p>
<blockquote>
<h2>0.7.0</h2>
<h2>Release Notes</h2>
<p>Check out the <a href="https://astral.sh/blog/ruff-v0.7.0">blog
post</a> for a migration guide and overview of the changes!</p>
<h3>Breaking changes</h3>
<ul>
<li>The pytest rules <code>PT001</code> and <code>PT023</code> now
default to omitting the decorator parentheses when there are no
arguments
(<a
href="https://redirect.github.com/astral-sh/ruff/pull/12838">#12838</a>,
<a
href="https://redirect.github.com/astral-sh/ruff/pull/13292">#13292</a>).
This was a change that we attempted to make in Ruff v0.6.0, but only
partially made due to an error on our part.
See the <a href="https://astral.sh/blog/ruff-v0.7.0">blog post</a> for
more details.</li>
<li>The <code>useless-try-except</code> rule (in our
<code>tryceratops</code> category) has been recoded from
<code>TRY302</code> to
<code>TRY203</code> (<a
href="https://redirect.github.com/astral-sh/ruff/pull/13502">#13502</a>).
This ensures Ruff's code is consistent with
the same rule in the <a
href="https://github.com/guilatrova/tryceratops"><code>tryceratops</code></a>
linter.</li>
<li>The <code>lint.allow-unused-imports</code> setting has been removed
(<a
href="https://redirect.github.com/astral-sh/ruff/pull/13677">#13677</a>).
Use
<a
href="https://docs.astral.sh/ruff/settings/#lint_pyflakes_allowed-unused-imports"><code>lint.pyflakes.allow-unused-imports</code></a>
instead.</li>
</ul>
<h3>Formatter preview style</h3>
<ul>
<li>Normalize implicit concatenated f-string quotes per part (<a
href="https://redirect.github.com/astral-sh/ruff/pull/13539">#13539</a>)</li>
</ul>
<h3>Preview linter features</h3>
<ul>
<li>[<code>refurb</code>] implement
<code>hardcoded-string-charset</code> (FURB156) (<a
href="https://redirect.github.com/astral-sh/ruff/pull/13530">#13530</a>)</li>
<li>[<code>refurb</code>] Count codepoints not bytes for
<code>slice-to-remove-prefix-or-suffix (FURB188)</code> (<a
href="https://redirect.github.com/astral-sh/ruff/pull/13631">#13631</a>)</li>
</ul>
<h3>Rule changes</h3>
<ul>
<li>[<code>pylint</code>] Mark <code>PLE1141</code> fix as unsafe (<a
href="https://redirect.github.com/astral-sh/ruff/pull/13629">#13629</a>)</li>
<li>[<code>flake8-async</code>] Consider async generators to be
"checkpoints" for <code>cancel-scope-no-checkpoint</code>
(<code>ASYNC100</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/pull/13639">#13639</a>)</li>
<li>[<code>flake8-bugbear</code>] Do not suggest setting parameter
<code>strict=</code> to <code>False</code> in <code>B905</code>
diagnostic message (<a
href="https://redirect.github.com/astral-sh/ruff/pull/13656">#13656</a>)</li>
<li>[<code>flake8-todos</code>] Only flag the word "TODO", not
words starting with "todo" (<code>TD006</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/pull/13640">#13640</a>)</li>
<li>[<code>pycodestyle</code>] Fix whitespace-related false positives
and false negatives inside type-parameter lists (<code>E231</code>,
<code>E251</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/pull/13704">#13704</a>)</li>
<li>[<code>flake8-simplify</code>] Stabilize preview behavior for
<code>SIM115</code> so that the rule can detect files
being opened from a wider range of standard-library functions (<a
href="https://redirect.github.com/astral-sh/ruff/pull/12959">#12959</a>).</li>
</ul>
<h3>CLI</h3>
<ul>
<li>Add explanation of fixable in <code>--statistics</code> command (<a
href="https://redirect.github.com/astral-sh/ruff/pull/13774">#13774</a>)</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>[<code>pyflakes</code>] Allow <code>ipytest</code> cell magic
(<code>F401</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/pull/13745">#13745</a>)</li>
<li>[<code>flake8-use-pathlib</code>] Fix <code>PTH123</code> false
positive when <code>open</code> is passed a file descriptor (<a
href="https://redirect.github.com/astral-sh/ruff/pull/13616">#13616</a>)</li>
<li>[<code>flake8-bandit</code>] Detect patterns from multi line SQL
statements (<code>S608</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/pull/13574">#13574</a>)</li>
<li>[<code>flake8-pyi</code>] - Fix dropped expressions in
<code>PYI030</code> autofix (<a
href="https://redirect.github.com/astral-sh/ruff/pull/13727">#13727</a>)</li>
</ul>
<h2>Contributors</h2>
<ul>
<li><a
href="https://github.com/AlexWaygood"><code>@AlexWaygood</code></a></li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="5e6de4e0c6"><code>5e6de4e</code></a>
Changelog for Ruff v0.7 (<a
href="https://redirect.github.com/astral-sh/ruff/issues/13794">#13794</a>)</li>
<li><a
href="70e5c4a8ba"><code>70e5c4a</code></a>
Recode <code>TRY302</code> to <code>TRY203</code> (<a
href="https://redirect.github.com/astral-sh/ruff/issues/13502">#13502</a>)</li>
<li><a
href="9218d6bedc"><code>9218d6b</code></a>
Remove <code>allow-unused-imports</code> setting from the common lint
options (<a
href="https://redirect.github.com/astral-sh/ruff/issues/13677">#13677</a>)</li>
<li><a
href="1b79ae9817"><code>1b79ae9</code></a>
[ruff-0.7] Stabilise the expansion of
<code>open-file-with-context-handler</code> to wor...</li>
<li><a
href="2b87587ac2"><code>2b87587</code></a>
[<code>flake8-pytest-style</code>] Fix defaults when
<code>lint.flake8-pytest-style</code> config s...</li>
<li><a
href="d1e15f6246"><code>d1e15f6</code></a>
Remove tab-size setting (<a
href="https://redirect.github.com/astral-sh/ruff/issues/12835">#12835</a>)</li>
<li><a
href="89a82158a1"><code>89a8215</code></a>
Remove error messages for removed CLI aliases (<a
href="https://redirect.github.com/astral-sh/ruff/issues/12833">#12833</a>)</li>
<li><a
href="202c6a6d75"><code>202c6a6</code></a>
Remove <code>output-format=text</code> setting (<a
href="https://redirect.github.com/astral-sh/ruff/issues/12836">#12836</a>)</li>
<li><a
href="5c3c0c4705"><code>5c3c0c4</code></a>
[red-knot] Inference for comparison of union types (<a
href="https://redirect.github.com/astral-sh/ruff/issues/13781">#13781</a>)</li>
<li><a
href="6b7a738825"><code>6b7a738</code></a>
Add explanation of fixable in <code>--statistics</code> command (<a
href="https://redirect.github.com/astral-sh/ruff/issues/13774">#13774</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/astral-sh/ruff/compare/0.6.1...0.7.0">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Because:
- we need the .schema.json files in Desktop;
- they are not currently packaged into either the NPM or PyPI packages;
and
- the generated schemas do not include the custom validation logic
expressed by Pydantic validators
This commit:
- adds JSON schema validation via Pydantic's json_schema_extra hook to
give the JSON schemas validation parity with the Pydantic models and
existing JSON schemas in Desktop;
- generates the JSON schemas and commits them (in schemas/schemas);
- packages the produced schemas into the NPM package;
- packages the produced schemas into the PyPI package (but uncommitted,
since they are duplicates);
- revises the Makefile build steps for schema package generation; and
- bumps the schema package version.
Fixes #11518
Because:
- our schemas were still slightly misaligned with nimbus-shared and
Firefox Desktop;
- some fields were missing descriptions; and
- the feature manifest formats for Desktop and the SDK are sufficiently
different that they warrant separate schemas
This commit:
- splits the FeatureManifest schema into DesktopFeatureManifest and
SdkFeatureManifest schemas;
- aligns the schemas with nimbus-shared and Desktop;
- adds field descriptions; and
- adds unit tests for the new validation logic.
Fixes #11571
Because:
- the generated TypeScript interfaces did not match the TypeScript
interfaces from nimbus-shared; and
- all fields and types were missing descriptions
this commit:
- adds descriptions to almost every experiment schema (copied from
nimbus-shared and updated as appropriate); and
- aligns the types so that the generated interfaces more closely match
the existing interfaces from nimbus-shared.
Fixes #11481
Because:
- we will be adding more logic to generate_json_schema.py to generate
per-model JSON schema files
this commit:
- cleans up some of the unnecessary logic; and
- modernizes the script to use pathlib, subprocess, and more types.
Fixes #11494
Because
- last publish of schemas package to PyPI failed
- failure appears to be related to a bug documented in twine that was
fixed in the latest version
This commit
- upgrades to the latest 5.1.1 version
- bumps version of schemas so it will be published
Fixes #11331
Because
- the schemas package is used by a lot of data tooling
- the data tooling is starting to complain about schemas requiring
pydantic v1 due to other dependencies
- the pydantic-to-typescript package is outdated and does not support
pydantic v2
This commit
- updates the schemas package to v2
- changes the typescript generation to a script internal to experimenter
Fixes #11214
Because
- we added p_value to Statistic but never had time to follow up with
using it
- Jetstream would need to update to add this field to the results schema
- we don't foresee being able to do anything with this anytime soon
- it's easy to add back if we ever get around to using it
This commit
- removes p_value from Statistic
Fixes #11287
Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.4
to 43.0.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's
changelog</a>.</em></p>
<blockquote>
<p>43.0.1 - 2024-09-03</p>
<ul>
<li>Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL
3.3.2.</li>
</ul>
<p>43.0.0 - 2024-07-20</p>
<ul>
<li><strong>BACKWARDS INCOMPATIBLE:</strong> Support for OpenSSL less
than 1.1.1e has been
removed. Users on older version of OpenSSL will need to upgrade.</li>
<li><strong>BACKWARDS INCOMPATIBLE:</strong> Dropped support for
LibreSSL < 3.8.</li>
<li>Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL
3.3.1.</li>
<li>Updated the minimum supported Rust version (MSRV) to 1.65.0, from
1.63.0.</li>
<li>:func:<code>~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key</code>
now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is
still
considered insecure, users should generally use a key size of
2048-bits.</li>
<li>:func:<code>~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates</code>
now emits ASN.1 that more closely follows the recommendations in
:rfc:<code>2315</code>.</li>
<li>Added new :doc:<code>/hazmat/decrepit/index</code> module which
contains outdated and
insecure cryptographic primitives.
:class:<code>~cryptography.hazmat.primitives.ciphers.algorithms.CAST5</code>,
:class:<code>~cryptography.hazmat.primitives.ciphers.algorithms.SEED</code>,
:class:<code>~cryptography.hazmat.primitives.ciphers.algorithms.IDEA</code>,
and
:class:<code>~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish</code>,
which were
deprecated in 37.0.0, have been added to this module. They will be
removed
from the <code>cipher</code> module in 45.0.0.</li>
<li>Moved
:class:<code>~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES</code>
and
:class:<code>~cryptography.hazmat.primitives.ciphers.algorithms.ARC4</code>
into
:doc:<code>/hazmat/decrepit/index</code> and deprecated them in the
<code>cipher</code> module.
They will be removed from the <code>cipher</code> module in 48.0.0.</li>
<li>Added support for deterministic
:class:<code>~cryptography.hazmat.primitives.asymmetric.ec.ECDSA</code>
(:rfc:<code>6979</code>)</li>
<li>Added support for client certificate verification to the
:mod:<code>X.509 path validation
<cryptography.x509.verification></code> APIs in the
form of
:class:<code>~cryptography.x509.verification.ClientVerifier</code>,
:class:<code>~cryptography.x509.verification.VerifiedClient</code>, and
<code>PolicyBuilder</code>
:meth:<code>~cryptography.x509.verification.PolicyBuilder.build_client_verifier</code>.</li>
<li>Added Certificate
:attr:<code>~cryptography.x509.Certificate.public_key_algorithm_oid</code>
and Certificate Signing Request
:attr:<code>~cryptography.x509.CertificateSigningRequest.public_key_algorithm_oid</code>
to determine the
:class:<code>~cryptography.hazmat._oid.PublicKeyAlgorithmOID</code>
Object Identifier of the public key found inside the certificate.</li>
<li>Added
:attr:<code>~cryptography.x509.InvalidityDate.invalidity_date_utc</code>,
a
timezone-aware alternative to the naïve <code>datetime</code> attribute
:attr:<code>~cryptography.x509.InvalidityDate.invalidity_date</code>.</li>
<li>Added support for parsing empty DN string in</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="a773387828"><code>a773387</code></a>
bump for 43.0.1 (<a
href="https://redirect.github.com/pyca/cryptography/issues/11533">#11533</a>)</li>
<li><a
href="0393fef575"><code>0393fef</code></a>
Backport setuptools version ban (<a
href="https://redirect.github.com/pyca/cryptography/issues/11526">#11526</a>)</li>
<li><a
href="6687bab97a"><code>6687bab</code></a>
Bump openssl from 0.10.65 to 0.10.66 in /src/rust (<a
href="https://redirect.github.com/pyca/cryptography/issues/11320">#11320</a>)
(<a
href="https://redirect.github.com/pyca/cryptography/issues/11324">#11324</a>)</li>
<li><a
href="ebf14f2edc"><code>ebf14f2</code></a>
bump for 43.0.0 and update changelog (<a
href="https://redirect.github.com/pyca/cryptography/issues/11311">#11311</a>)</li>
<li><a
href="42788a0353"><code>42788a0</code></a>
Fix exchange with keys that had Q automatically computed (<a
href="https://redirect.github.com/pyca/cryptography/issues/11309">#11309</a>)</li>
<li><a
href="2dbdfb8f39"><code>2dbdfb8</code></a>
don't assign unused name (<a
href="https://redirect.github.com/pyca/cryptography/issues/11310">#11310</a>)</li>
<li><a
href="ccc66e6cdf"><code>ccc66e6</code></a>
Bump openssl from 0.10.64 to 0.10.65 in /src/rust (<a
href="https://redirect.github.com/pyca/cryptography/issues/11308">#11308</a>)</li>
<li><a
href="4310c8727b"><code>4310c87</code></a>
Bump sphinxcontrib-qthelp from 1.0.7 to 1.0.8 (<a
href="https://redirect.github.com/pyca/cryptography/issues/11307">#11307</a>)</li>
<li><a
href="f66a9c4b4f"><code>f66a9c4</code></a>
Bump sphinxcontrib-htmlhelp from 2.0.5 to 2.0.6 (<a
href="https://redirect.github.com/pyca/cryptography/issues/11306">#11306</a>)</li>
<li><a
href="a8fcf18ee0"><code>a8fcf18</code></a>
Bump openssl-sys from 0.9.102 to 0.9.103 in /src/rust (<a
href="https://redirect.github.com/pyca/cryptography/issues/11305">#11305</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/pyca/cryptography/compare/42.0.4...43.0.1">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Because
- analysis tooling is using python 3.10
- schemas package is using 3.11
- analysis tooling relies on schemas package
This commit
- downgrades schemas package to bring them in sync on python 3.10
Fixes #11266
Because
- randomization unit is configurable
- new profile mgmt feature requires jetstream to behave differently
depending on the randomization unit
- randomization unit options are defined in Experimenter where Jetstream
can't use them
- we don't want to redefine the options in multiple places
This commit
- adds randomization unit enum to schemas package so it can be used by
both Experimenter and Jetstream
Fixes #11244
Bumps [black](https://github.com/psf/black) from 24.4.0 to 24.8.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/psf/black/releases">black's
releases</a>.</em></p>
<blockquote>
<h2>24.8.0</h2>
<h3>Stable style</h3>
<ul>
<li>Fix crash when <code># fmt: off</code> is used before a closing
parenthesis or bracket. (<a
href="https://redirect.github.com/psf/black/issues/4363">#4363</a>)</li>
</ul>
<h3>Packaging</h3>
<ul>
<li>Packaging metadata updated: docs are explicitly linked, the issue
tracker is now also
linked. This improves the PyPI listing for Black. (<a
href="https://redirect.github.com/psf/black/issues/4345">#4345</a>)</li>
</ul>
<h3>Parser</h3>
<ul>
<li>Fix regression where Black failed to parse a multiline f-string
containing another
multiline string (<a
href="https://redirect.github.com/psf/black/issues/4339">#4339</a>)</li>
<li>Fix regression where Black failed to parse an escaped single quote
inside an f-string
(<a
href="https://redirect.github.com/psf/black/issues/4401">#4401</a>)</li>
<li>Fix bug with Black incorrectly parsing empty lines with a backslash
(<a
href="https://redirect.github.com/psf/black/issues/4343">#4343</a>)</li>
<li>Fix bugs with Black's tokenizer not handling <code>\{</code> inside
f-strings very well (<a
href="https://redirect.github.com/psf/black/issues/4422">#4422</a>)</li>
<li>Fix incorrect line numbers in the tokenizer for certain tokens
within f-strings
(<a
href="https://redirect.github.com/psf/black/issues/4423">#4423</a>)</li>
</ul>
<h3>Performance</h3>
<ul>
<li>Improve performance when a large directory is listed in
<code>.gitignore</code> (<a
href="https://redirect.github.com/psf/black/issues/4415">#4415</a>)</li>
</ul>
<h3><em>Blackd</em></h3>
<ul>
<li>Fix blackd (and all extras installs) for docker container (<a
href="https://redirect.github.com/psf/black/issues/4357">#4357</a>)</li>
</ul>
<h2>24.4.2</h2>
<p>This is a bugfix release to fix two regressions in the new f-string
parser introduced in
24.4.1.</p>
<h3>Parser</h3>
<ul>
<li>Fix regression where certain complex f-strings failed to parse (<a
href="https://redirect.github.com/psf/black/issues/4332">#4332</a>)</li>
</ul>
<h3>Performance</h3>
<ul>
<li>Fix bad performance on certain complex string literals (<a
href="https://redirect.github.com/psf/black/issues/4331">#4331</a>)</li>
</ul>
<h2>24.4.1</h2>
<h3>Highlights</h3>
<ul>
<li>Add support for the new Python 3.12 f-string syntax introduced by
PEP 701 (<a
href="https://redirect.github.com/psf/black/issues/3822">#3822</a>)</li>
</ul>
<h3>Stable style</h3>
<ul>
<li>Fix crash involving indented dummy functions containing newlines (<a
href="https://redirect.github.com/psf/black/issues/4318">#4318</a>)</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="b965c2a502"><code>b965c2a</code></a>
Prepare release 24.8.0 (<a
href="https://redirect.github.com/psf/black/issues/4426">#4426</a>)</li>
<li><a
href="9ccf279a17"><code>9ccf279</code></a>
Document <code>find_project_root</code> ignoring
<code>pyproject.toml</code> without <code>[tool.black]</code>...</li>
<li><a
href="14b6e61970"><code>14b6e61</code></a>
fix: Enhance black efficiently to skip directories listed in .gitignore
(<a
href="https://redirect.github.com/psf/black/issues/4415">#4415</a>)</li>
<li><a
href="b1c4dd96d7"><code>b1c4dd9</code></a>
fix: respect braces better in f-string parsing (<a
href="https://redirect.github.com/psf/black/issues/4422">#4422</a>)</li>
<li><a
href="4b4ae43e8b"><code>4b4ae43</code></a>
Fix incorrect linenos on fstring tokens with escaped newlines (<a
href="https://redirect.github.com/psf/black/issues/4423">#4423</a>)</li>
<li><a
href="7fa1faf83a"><code>7fa1faf</code></a>
docs: fix the installation command of extra for blackd (<a
href="https://redirect.github.com/psf/black/issues/4413">#4413</a>)</li>
<li><a
href="8827accf56"><code>8827acc</code></a>
Bump sphinx from 7.3.7 to 7.4.0 in /docs (<a
href="https://redirect.github.com/psf/black/issues/4404">#4404</a>)</li>
<li><a
href="b0da11d370"><code>b0da11d</code></a>
Bump furo from 2024.5.6 to 2024.7.18 in /docs (<a
href="https://redirect.github.com/psf/black/issues/4409">#4409</a>)</li>
<li><a
href="721dff5493"><code>721dff5</code></a>
fix: avoid formatting backslash strings inside f-strings (<a
href="https://redirect.github.com/psf/black/issues/4401">#4401</a>)</li>
<li><a
href="7e2afc9bfd"><code>7e2afc9</code></a>
Update <code>actions/checkout</code> to v4 to stop node deprecation
warnings (<a
href="https://redirect.github.com/psf/black/issues/4379">#4379</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/psf/black/compare/24.4.0...24.8.0">compare
view</a></li>
</ul>
</details>
<br />
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=black&package-manager=pip&previous-version=24.4.0&new-version=24.8.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [zipp](https://github.com/jaraco/zipp) from 3.16.2 to 3.19.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jaraco/zipp/blob/main/NEWS.rst">zipp's
changelog</a>.</em></p>
<blockquote>
<h1>v3.19.1</h1>
<h2>Bugfixes</h2>
<ul>
<li>Improved handling of malformed zip files. (<a
href="https://redirect.github.com/jaraco/zipp/issues/119">#119</a>)</li>
</ul>
<h1>v3.19.0</h1>
<h2>Features</h2>
<ul>
<li>Implement is_symlink. (<a
href="https://redirect.github.com/jaraco/zipp/issues/117">#117</a>)</li>
</ul>
<h1>v3.18.2</h1>
<p>No significant changes.</p>
<h1>v3.18.1</h1>
<p>No significant changes.</p>
<h1>v3.18.0</h1>
<h2>Features</h2>
<ul>
<li>Bypass ZipFile.namelist in glob for better performance. (<a
href="https://redirect.github.com/jaraco/zipp/issues/106">#106</a>)</li>
<li>Refactored glob functionality to support a more generalized solution
with support for platform-specific path separators. (<a
href="https://redirect.github.com/jaraco/zipp/issues/108">#108</a>)</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>Add special accounting for pypy when computing the stack level for
text encoding warnings. (<a
href="https://redirect.github.com/jaraco/zipp/issues/114">#114</a>)</li>
</ul>
<h1>v3.17.0</h1>
<p>Features</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="6d1cb72aa5"><code>6d1cb72</code></a>
Finalize</li>
<li><a
href="fd604bd34f"><code>fd604bd</code></a>
Merge pull request <a
href="https://redirect.github.com/jaraco/zipp/issues/120">#120</a> from
jaraco/bugfix/119-malformed-paths</li>
<li><a
href="c18417ed29"><code>c18417e</code></a>
Add news fragment.</li>
<li><a
href="58115d2be9"><code>58115d2</code></a>
Employ SanitizedNames in CompleteDirs. Fixes broken test.</li>
<li><a
href="564fcc10cd"><code>564fcc1</code></a>
Add SanitizedNames mixin.</li>
<li><a
href="79a309fe54"><code>79a309f</code></a>
Add some assertions about malformed paths.</li>
<li><a
href="2d015c2234"><code>2d015c2</code></a>
Merge <a
href="https://github.com/jaraco/skeleton">https://github.com/jaraco/skeleton</a></li>
<li><a
href="a595a0fad0"><code>a595a0f</code></a>
Rename extras to align with core metadata spec.</li>
<li><a
href="608f90a6e7"><code>608f90a</code></a>
Finalize</li>
<li><a
href="3a22d724ac"><code>3a22d72</code></a>
Merge pull request <a
href="https://redirect.github.com/jaraco/zipp/issues/118">#118</a> from
jaraco/feature/is-symlink</li>
<li>Additional commits viewable in <a
href="https://github.com/jaraco/zipp/compare/v3.16.2...v3.19.1">compare
view</a></li>
</ul>
</details>
<br />
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/mozilla/experimenter/network/alerts).
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Because
- #10930 forgot to change the version number for the npm and pypi
packages so a new version was not published
This commit
- changes the version numbers
Fixes #10931
Because
- we added "all" as a possible user type in precomputed pop sizing data
This commit
- adds "all" as an option to the SizingUserType enum
Fixes #10929
Bumps [requests](https://github.com/psf/requests) from 2.31.0 to 2.32.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/psf/requests/releases">requests's
releases</a>.</em></p>
<blockquote>
<h2>v2.32.2</h2>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code>
to
a new public API, <code>get_connection_with_tls_context</code>. Existing
custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of
Requests>=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom
adapter
is subject to the same issue described in CVE-2024-35195. (<a
href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>v2.32.1</h2>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>v2.32.0</h2>
<h2>2.32.0 (2024-05-20)</h2>
<h2>🐍 PYCON US 2024 EDITION 🐍</h2>
<p><strong>Security</strong></p>
<ul>
<li>Fixed an issue where setting <code>verify=False</code> on the first
request from a
Session will cause subsequent requests to the <em>same origin</em> to
also ignore
cert verification, regardless of the value of <code>verify</code>.
(<a
href="https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56">https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56</a>)</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li><code>verify=True</code> now reuses a global SSLContext which should
improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a
Python
version built with OpenSSL 3.x. (<a
href="https://redirect.github.com/psf/requests/issues/6667">#6667</a>)</li>
<li>Requests now supports optional use of character detection
(<code>chardet</code> or <code>charset_normalizer</code>) when
repackaged or vendored.
This enables <code>pip</code> and other projects to minimize their
vendoring
surface area. The <code>Response.text()</code> and
<code>apparent_encoding</code> APIs
will default to <code>utf-8</code> if neither library is present. (<a
href="https://redirect.github.com/psf/requests/issues/6702">#6702</a>)</li>
</ul>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (<a
href="https://redirect.github.com/psf/requests/issues/6589">#6589</a>)</li>
<li>Fixed deserialization bug in JSONDecodeError. (<a
href="https://redirect.github.com/psf/requests/issues/6629">#6629</a>)</li>
<li>Fixed bug where an extra leading <code>/</code> (path separator)
could lead
urllib3 to unnecessarily reparse the request URI. (<a
href="https://redirect.github.com/psf/requests/issues/6644">#6644</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="88dce9d854"><code>88dce9d</code></a>
v2.32.2</li>
<li><a
href="c98e4d133e"><code>c98e4d1</code></a>
Merge pull request <a
href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>
from nateprewitt/api_rename</li>
<li><a
href="92075b330a"><code>92075b3</code></a>
Add deprecation warning</li>
<li><a
href="aa1461b68a"><code>aa1461b</code></a>
Move _get_connection to get_connection_with_tls_context</li>
<li><a
href="970e8cec98"><code>970e8ce</code></a>
v2.32.1</li>
<li><a
href="d6ebc4a2f1"><code>d6ebc4a</code></a>
v2.32.0</li>
<li><a
href="9a40d12778"><code>9a40d12</code></a>
Avoid reloading root certificates to improve concurrent performance (<a
href="https://redirect.github.com/psf/requests/issues/6667">#6667</a>)</li>
<li><a
href="0c030f78d2"><code>0c030f7</code></a>
Merge pull request <a
href="https://redirect.github.com/psf/requests/issues/6702">#6702</a>
from nateprewitt/no_char_detection</li>
<li><a
href="555b870eb1"><code>555b870</code></a>
Allow character detection dependencies to be optional in post-packaging
steps</li>
<li><a
href="d6dded3f00"><code>d6dded3</code></a>
Merge pull request <a
href="https://redirect.github.com/psf/requests/issues/6700">#6700</a>
from franekmagiera/update-redirect-to-invalid-uri-test</li>
<li>Additional commits viewable in <a
href="https://github.com/psf/requests/compare/v2.31.0...v2.32.2">compare
view</a></li>
</ul>
</details>
<br />
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/mozilla/experimenter/network/alerts).
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.3.0 to 0.4.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/astral-sh/ruff/releases">ruff's
releases</a>.</em></p>
<blockquote>
<h2>v0.4.1</h2>
<h2>Changes</h2>
<h3>Preview features</h3>
<ul>
<li>[<code>pylint</code>] Implement <code>invalid-hash-returned</code>
(<code>PLE0309</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/pull/10961">#10961</a>)</li>
<li>[<code>pylint</code>] Implement <code>invalid-index-returned</code>
(<code>PLE0305</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/pull/10962">#10962</a>)</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>[<code>pylint</code>] Allow <code>NoReturn</code>-like functions for
<code>__str__</code>, <code>__len__</code>, etc. (<code>PLE0307</code>)
(<a
href="https://redirect.github.com/astral-sh/ruff/pull/11017">#11017</a>)</li>
<li>Parser: Use empty range when there's "gap" in token source
(<a
href="https://redirect.github.com/astral-sh/ruff/pull/11032">#11032</a>)</li>
<li>[<code>ruff</code>] Ignore stub functions in
<code>unused-async</code> (<code>RUF029</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/pull/11026">#11026</a>)</li>
<li>Parser: Expect indented case block instead of match stmt (<a
href="https://redirect.github.com/astral-sh/ruff/pull/11033">#11033</a>)</li>
</ul>
<h2>Contributors</h2>
<ul>
<li><a
href="https://github.com/AlexWaygood"><code>@AlexWaygood</code></a></li>
<li><a
href="https://github.com/HenryAsa"><code>@HenryAsa</code></a></li>
<li><a
href="https://github.com/MithicSpirit"><code>@MithicSpirit</code></a></li>
<li><a
href="https://github.com/charliermarsh"><code>@charliermarsh</code></a></li>
<li><a
href="https://github.com/dhruvmanila"><code>@dhruvmanila</code></a></li>
<li><a
href="https://github.com/tibor-reiss"><code>@tibor-reiss</code></a></li>
</ul>
<h2>v0.4.0</h2>
<h2>Changes</h2>
<h3>A new, hand-written parser</h3>
<p>Ruff's new parser is <strong>>2x faster</strong>, which translates
to a <strong>20-40% speedup</strong> for all linting and formatting
invocations. There's a lot to say about this exciting change, so check
out the <a href="https://astral.sh/blog/ruff-v0.4.0">blog post</a> for
more details!</p>
<p>See <a
href="https://redirect.github.com/astral-sh/ruff/pull/10036">#10036</a>
for implementation details.</p>
<h3>A new language server in Rust</h3>
<p>With this release, we also want to highlight our new language server.
<code>ruff server</code> is a Rust-powered language server that comes
built-in with Ruff. It can be used with any editor that supports the <a
href="https://microsoft.github.io/language-server-protocol/">Language
Server Protocol</a> (LSP). It uses a multi-threaded, lock-free
architecture inspired by <code>rust-analyzer</code> and it will open the
door for a lot of exciting features. It’s also faster than our previous
<a href="https://github.com/astral-sh/ruff-lsp">Python-based language
server</a> -- but you probably guessed that already.</p>
<p><code>ruff server</code> is only in alpha, but it has a lot of
features that you can try out today:</p>
<ul>
<li>Lints Python files automatically and shows quick-fixes when
available</li>
<li>Formats Python files, with support for range formatting</li>
<li>Comes with commands for quickly performing actions:
<code>ruff.applyAutofix</code>, <code>ruff.applyFormat</code>, and
<code>ruff.applyOrganizeImports</code></li>
<li>Supports <code>source.fixAll</code> and
<code>source.organizeImports</code> source actions</li>
<li>Automatically reloads your project configuration when you change
it</li>
</ul>
<p>To set up <code>ruff server</code> with your editor, refer to the <a
href="https://github.com/astral-sh/ruff/blob/main/crates/ruff_server/README.md">README.md</a>.</p>
<h3>Preview features</h3>
<ul>
<li>[<code>pycodestyle</code>] Do not trigger <code>E3</code> rules on
<code>def</code>s following a function/method with a dummy body (<a
href="https://redirect.github.com/astral-sh/ruff/pull/10704">#10704</a>)</li>
<li>[<code>pylint</code>] Implement <code>invalid-bytes-returned</code>
(<code>E0308</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/pull/10959">#10959</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md">ruff's
changelog</a>.</em></p>
<blockquote>
<h2>0.4.1</h2>
<h3>Preview features</h3>
<ul>
<li>[<code>pylint</code>] Implement <code>invalid-hash-returned</code>
(<code>PLE0309</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/pull/10961">#10961</a>)</li>
<li>[<code>pylint</code>] Implement <code>invalid-index-returned</code>
(<code>PLE0305</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/pull/10962">#10962</a>)</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>[<code>pylint</code>] Allow <code>NoReturn</code>-like functions for
<code>__str__</code>, <code>__len__</code>, etc. (<code>PLE0307</code>)
(<a
href="https://redirect.github.com/astral-sh/ruff/pull/11017">#11017</a>)</li>
<li>Parser: Use empty range when there's "gap" in token source
(<a
href="https://redirect.github.com/astral-sh/ruff/pull/11032">#11032</a>)</li>
<li>[<code>ruff</code>] Ignore stub functions in
<code>unused-async</code> (<code>RUF029</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/pull/11026">#11026</a>)</li>
<li>Parser: Expect indented case block instead of match stmt (<a
href="https://redirect.github.com/astral-sh/ruff/pull/11033">#11033</a>)</li>
</ul>
<h2>0.4.0</h2>
<h3>A new, hand-written parser</h3>
<p>Ruff's new parser is <strong>>2x faster</strong>, which translates
to a <strong>20-40% speedup</strong> for all linting and formatting
invocations.
There's a lot to say about this exciting change, so check out the <a
href="https://astral.sh/blog/ruff-v0.4.0">blog post</a> for more
details!</p>
<p>See <a
href="https://redirect.github.com/astral-sh/ruff/pull/10036">#10036</a>
for implementation details.</p>
<h3>A new language server in Rust</h3>
<p>With this release, we also want to highlight our new language server.
<code>ruff server</code> is a Rust-powered language
server that comes built-in with Ruff. It can be used with any editor
that supports the <a
href="https://microsoft.github.io/language-server-protocol/">Language
Server Protocol</a> (LSP).
It uses a multi-threaded, lock-free architecture inspired by
<code>rust-analyzer</code> and it will open the door for a lot
of exciting features. It’s also faster than our previous <a
href="https://github.com/astral-sh/ruff-lsp">Python-based language
server</a>
-- but you probably guessed that already.</p>
<p><code>ruff server</code> is only in alpha, but it has a lot of
features that you can try out today:</p>
<ul>
<li>Lints Python files automatically and shows quick-fixes when
available</li>
<li>Formats Python files, with support for range formatting</li>
<li>Comes with commands for quickly performing actions:
<code>ruff.applyAutofix</code>, <code>ruff.applyFormat</code>, and
<code>ruff.applyOrganizeImports</code></li>
<li>Supports <code>source.fixAll</code> and
<code>source.organizeImports</code> source actions</li>
<li>Automatically reloads your project configuration when you change
it</li>
</ul>
<p>To set up <code>ruff server</code> with your editor, refer to the <a
href="https://github.com/astral-sh/ruff/blob/main/crates/ruff_server/README.md">README.md</a>.</p>
<h3>Preview features</h3>
<ul>
<li>[<code>pycodestyle</code>] Do not trigger <code>E3</code> rules on
<code>def</code>s following a function/method with a dummy body (<a
href="https://redirect.github.com/astral-sh/ruff/pull/10704">#10704</a>)</li>
<li>[<code>pylint</code>] Implement <code>invalid-bytes-returned</code>
(<code>E0308</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/pull/10959">#10959</a>)</li>
<li>[<code>pylint</code>] Implement <code>invalid-length-returned</code>
(<code>E0303</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/pull/10963">#10963</a>)</li>
<li>[<code>pylint</code>] Implement <code>self-cls-assignment</code>
(<code>W0642</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/pull/9267">#9267</a>)</li>
<li>[<code>pylint</code>] Omit stubs from <code>invalid-bool</code> and
<code>invalid-str-return-type</code> (<a
href="https://redirect.github.com/astral-sh/ruff/pull/11008">#11008</a>)</li>
<li>[<code>ruff</code>] New rule <code>unused-async</code>
(<code>RUF029</code>) to detect unneeded <code>async</code> keywords on
functions (<a
href="https://redirect.github.com/astral-sh/ruff/pull/9966">#9966</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0ff25a540c"><code>0ff25a5</code></a>
Bump version to 0.4.1 (<a
href="https://redirect.github.com/astral-sh/ruff/issues/11035">#11035</a>)</li>
<li><a
href="34873ec009"><code>34873ec</code></a>
Add a script to fuzz the parser (courtesy of
<code>pysource-codegen</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/issues/11015">#11015</a>)</li>
<li><a
href="d3cd61f804"><code>d3cd61f</code></a>
Use empty range when there's "gap" in token source (<a
href="https://redirect.github.com/astral-sh/ruff/issues/11032">#11032</a>)</li>
<li><a
href="9b80cc09ee"><code>9b80cc0</code></a>
Select fewer ruff rules when linting Python files in
<code>scripts/</code> (<a
href="https://redirect.github.com/astral-sh/ruff/issues/11034">#11034</a>)</li>
<li><a
href="9bb23b0a38"><code>9bb23b0</code></a>
Expect indented case block instead of match stmt (<a
href="https://redirect.github.com/astral-sh/ruff/issues/11033">#11033</a>)</li>
<li><a
href="06c248a126"><code>06c248a</code></a>
[<code>ruff]</code> Ignore stub functions in <code>unused-async</code>
(<code>RUF029</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/issues/11026">#11026</a>)</li>
<li><a
href="27902b7130"><code>27902b7</code></a>
[<code>pylint</code>] Implement <code>invalid-index-returned</code>
(<code>PLE0305</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/issues/10962">#10962</a>)</li>
<li><a
href="97acf1d59b"><code>97acf1d</code></a>
ENH: Bump <code>ruff</code> dependency versions to support the latest
release of `v0.4.0...</li>
<li><a
href="adf63d9013"><code>adf63d9</code></a>
[<code>pylint</code>] Implement <code>invalid-hash-returned</code>
(<code>PLE0309</code>) (<a
href="https://redirect.github.com/astral-sh/ruff/issues/10961">#10961</a>)</li>
<li><a
href="5d3c9f2637"><code>5d3c9f2</code></a>
<code>ruff server</code>: fix Neovim setup guide command (<a
href="https://redirect.github.com/astral-sh/ruff/issues/11021">#11021</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/astral-sh/ruff/compare/v0.3.0...v0.4.1">compare
view</a></li>
</ul>
</details>
<br />
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ruff&package-manager=pip&previous-version=0.3.0&new-version=0.4.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [black](https://github.com/psf/black) from 24.3.0 to 24.4.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/psf/black/releases">black's
releases</a>.</em></p>
<blockquote>
<h2>24.4.0</h2>
<h3>Stable style</h3>
<ul>
<li>Fix unwanted crashes caused by AST equivalency check (<a
href="https://redirect.github.com/psf/black/issues/4290">#4290</a>)</li>
</ul>
<h3>Preview style</h3>
<ul>
<li><code>if</code> guards in <code>case</code> blocks are now wrapped
in parentheses when the line is too long.
(<a
href="https://redirect.github.com/psf/black/issues/4269">#4269</a>)</li>
<li>Stop moving multiline strings to a new line unless inside brackets
(<a
href="https://redirect.github.com/psf/black/issues/4289">#4289</a>)</li>
</ul>
<h3>Integrations</h3>
<ul>
<li>Add a new option <code>use_pyproject</code> to the GitHub Action
<code>psf/black</code>. This will read the
Black version from <code>pyproject.toml</code>. (<a
href="https://redirect.github.com/psf/black/issues/4294">#4294</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/psf/black/blob/main/CHANGES.md">black's
changelog</a>.</em></p>
<blockquote>
<h2>24.4.0</h2>
<h3>Stable style</h3>
<ul>
<li>Fix unwanted crashes caused by AST equivalency check (<a
href="https://redirect.github.com/psf/black/issues/4290">#4290</a>)</li>
</ul>
<h3>Preview style</h3>
<ul>
<li><code>if</code> guards in <code>case</code> blocks are now wrapped
in parentheses when the line is too long.
(<a
href="https://redirect.github.com/psf/black/issues/4269">#4269</a>)</li>
<li>Stop moving multiline strings to a new line unless inside brackets
(<a
href="https://redirect.github.com/psf/black/issues/4289">#4289</a>)</li>
</ul>
<h3>Integrations</h3>
<ul>
<li>Add a new option <code>use_pyproject</code> to the GitHub Action
<code>psf/black</code>. This will read the
Black version from <code>pyproject.toml</code>. (<a
href="https://redirect.github.com/psf/black/issues/4294">#4294</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="8fe627072f"><code>8fe6270</code></a>
Prepare release 24.4.0 (<a
href="https://redirect.github.com/psf/black/issues/4307">#4307</a>)</li>
<li><a
href="6b25e7cdab"><code>6b25e7c</code></a>
Bump peter-evans/find-comment from 3.0.0 to 3.1.0 (<a
href="https://redirect.github.com/psf/black/issues/4304">#4304</a>)</li>
<li><a
href="07fe1ca88a"><code>07fe1ca</code></a>
docs: remove repetitive word (<a
href="https://redirect.github.com/psf/black/issues/4303">#4303</a>)</li>
<li><a
href="3383f531bc"><code>3383f53</code></a>
GitHub Action: Allow reading version from pyproject.toml (<a
href="https://redirect.github.com/psf/black/issues/4294">#4294</a>)</li>
<li><a
href="c8f1a5542c"><code>c8f1a55</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/psf/black/issues/4297">#4297</a>)</li>
<li><a
href="836acad863"><code>836acad</code></a>
Improve AST safety check (<a
href="https://redirect.github.com/psf/black/issues/4290">#4290</a>)</li>
<li><a
href="13bd0925eb"><code>13bd092</code></a>
fix: Stop moving multiline strings to a new line unless inside brackets
(<a
href="https://redirect.github.com/psf/black/issues/4289">#4289</a>)</li>
<li><a
href="c9d2635b55"><code>c9d2635</code></a>
Remove mocking from tests (<a
href="https://redirect.github.com/psf/black/issues/4287">#4287</a>)</li>
<li><a
href="bf1195612c"><code>bf11956</code></a>
Fix two logging calls in the test helper (<a
href="https://redirect.github.com/psf/black/issues/4286">#4286</a>)</li>
<li><a
href="97993f997f"><code>97993f9</code></a>
Bump pypa/cibuildwheel from 2.16.5 to 2.17.0 (<a
href="https://redirect.github.com/psf/black/issues/4283">#4283</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/psf/black/compare/24.3.0...24.4.0">compare
view</a></li>
</ul>
</details>
<br />
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=black&package-manager=pip&previous-version=24.3.0&new-version=24.4.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [idna](https://github.com/kjd/idna) from 3.4 to 3.7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/kjd/idna/releases">idna's
releases</a>.</em></p>
<blockquote>
<h2>v3.7</h2>
<h2>What's Changed</h2>
<ul>
<li>Fix issue where specially crafted inputs to encode() could take
an exceptionally long amount of time to process. [CVE-2024-3651]</li>
</ul>
<p>Thanks to Guido Vranken for reporting the issue.</p>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/kjd/idna/compare/v3.6...v3.7">https://github.com/kjd/idna/compare/v3.6...v3.7</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/kjd/idna/blob/master/HISTORY.rst">idna's
changelog</a>.</em></p>
<blockquote>
<p>3.7 (2024-04-11)
++++++++++++++++</p>
<ul>
<li>Fix issue where specially crafted inputs to encode() could
take an exceptionally long amount of time to process. [CVE-2024-3651]</li>
</ul>
<p>Thanks to Guido Vranken for reporting the issue.</p>
<p>3.6 (2023-11-25)
++++++++++++++++</p>
<ul>
<li>Fix regression to include tests in source distribution.</li>
</ul>
<p>3.5 (2023-11-24)
++++++++++++++++</p>
<ul>
<li>Update to Unicode 15.1.0</li>
<li>String codec name is now "idna2008" as overriding the
system codec
"idna" was not working.</li>
<li>Fix typing error for codec encoding</li>
<li>"setup.cfg" has been added for this release due to some
downstream
lack of adherence to PEP 517. Should be removed in a future release
so please prepare accordingly.</li>
<li>Removed reliance on a symlink for the "idna-data" tool to
comport
with PEP 517 and the Python Packaging User Guide for sdist
archives.</li>
<li>Added security reporting protocol for project</li>
</ul>
<p>Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for
contributions
to this release.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="1d365e17e1"><code>1d365e1</code></a>
Release v3.7</li>
<li><a
href="c1b3154939"><code>c1b3154</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/172">#172</a> from
kjd/optimize-contextj</li>
<li><a
href="0394ec76ff"><code>0394ec7</code></a>
Merge branch 'master' into optimize-contextj</li>
<li><a
href="cd58a23173"><code>cd58a23</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/152">#152</a> from
elliotwutingfeng/dev</li>
<li><a
href="5beb28b9dd"><code>5beb28b</code></a>
More efficient resolution of joiner contexts</li>
<li><a
href="1b121483ed"><code>1b12148</code></a>
Update ossf/scorecard-action to v2.3.1</li>
<li><a
href="d516b874c3"><code>d516b87</code></a>
Update Github actions/checkout to v4</li>
<li><a
href="c095c75943"><code>c095c75</code></a>
Merge branch 'master' into dev</li>
<li><a
href="60a0a4cb61"><code>60a0a4c</code></a>
Fix typo in GitHub Actions workflow key</li>
<li><a
href="5918a0ef80"><code>5918a0e</code></a>
Merge branch 'master' into dev</li>
<li>Additional commits viewable in <a
href="https://github.com/kjd/idna/compare/v3.4...v3.7">compare
view</a></li>
</ul>
</details>
<br />
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=idna&package-manager=pip&previous-version=3.4&new-version=3.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/mozilla/experimenter/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Because
- we want to export metric and image version metadata from jetstream
(https://github.com/mozilla/jetstream/issues/1786)
- schemas_build make command was confusing
This commit
- adds config version to the jetstream metadata schema
- makes schemas_build do the npm and pypi builds
Fixes #10450
Fixes #10080
Bumps [black](https://github.com/psf/black) from 23.12.0 to 24.3.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/psf/black/releases">black's
releases</a>.</em></p>
<blockquote>
<h2>24.3.0</h2>
<h3>Highlights</h3>
<p>This release is a milestone: it fixes Black's first CVE security
vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of
leading tab
characters in your docstrings, you are strongly encouraged to upgrade
immediately to fix
<a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21503">CVE-2024-21503</a>.</p>
<p>This release also fixes a bug in Black's AST safety check that
allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and
higher.</p>
<h3>Stable style</h3>
<ul>
<li>Don't move comments along with delimiters, which could cause crashes
(<a
href="https://redirect.github.com/psf/black/issues/4248">#4248</a>)</li>
<li>Strengthen AST safety check to catch more unsafe changes to strings.
Previous versions
of Black would incorrectly format the contents of certain unusual
f-strings containing
nested strings with the same quote type. Now, Black will crash on such
strings until
support for the new f-string syntax is implemented. (<a
href="https://redirect.github.com/psf/black/issues/4270">#4270</a>)</li>
<li>Fix a bug where line-ranges exceeding the last code line would not
work as expected
(<a
href="https://redirect.github.com/psf/black/issues/4273">#4273</a>)</li>
</ul>
<h3>Performance</h3>
<ul>
<li>Fix catastrophic performance on docstrings that contain large
numbers of leading tab
characters. This fixes
<a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21503">CVE-2024-21503</a>.
(<a
href="https://redirect.github.com/psf/black/issues/4278">#4278</a>)</li>
</ul>
<h3>Documentation</h3>
<ul>
<li>Note what happens when <code>--check</code> is used with
<code>--quiet</code> (<a
href="https://redirect.github.com/psf/black/issues/4236">#4236</a>)</li>
</ul>
<h2>24.2.0</h2>
<h3>Stable style</h3>
<ul>
<li>Fixed a bug where comments were mistakenly removed along with
redundant parentheses
(<a
href="https://redirect.github.com/psf/black/issues/4218">#4218</a>)</li>
</ul>
<h3>Preview style</h3>
<ul>
<li>Move the <code>hug_parens_with_braces_and_square_brackets</code>
feature to the unstable style
due to an outstanding crash and proposed formatting tweaks (<a
href="https://redirect.github.com/psf/black/issues/4198">#4198</a>)</li>
<li>Fixed a bug where base expressions caused inconsistent formatting of
** in ternary
expression (<a
href="https://redirect.github.com/psf/black/issues/4154">#4154</a>)</li>
<li>Checking for newline before adding one on docstring that is almost
at the line limit
(<a
href="https://redirect.github.com/psf/black/issues/4185">#4185</a>)</li>
<li>Remove redundant parentheses in <code>case</code> statement
<code>if</code> guards (<a
href="https://redirect.github.com/psf/black/issues/4214">#4214</a>).</li>
</ul>
<h3>Configuration</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/psf/black/blob/main/CHANGES.md">black's
changelog</a>.</em></p>
<blockquote>
<h2>24.3.0</h2>
<h3>Highlights</h3>
<p>This release is a milestone: it fixes Black's first CVE security
vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of
leading tab
characters in your docstrings, you are strongly encouraged to upgrade
immediately to fix
<a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21503">CVE-2024-21503</a>.</p>
<p>This release also fixes a bug in Black's AST safety check that
allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and
higher.</p>
<h3>Stable style</h3>
<ul>
<li>Don't move comments along with delimiters, which could cause crashes
(<a
href="https://redirect.github.com/psf/black/issues/4248">#4248</a>)</li>
<li>Strengthen AST safety check to catch more unsafe changes to strings.
Previous versions
of Black would incorrectly format the contents of certain unusual
f-strings containing
nested strings with the same quote type. Now, Black will crash on such
strings until
support for the new f-string syntax is implemented. (<a
href="https://redirect.github.com/psf/black/issues/4270">#4270</a>)</li>
<li>Fix a bug where line-ranges exceeding the last code line would not
work as expected
(<a
href="https://redirect.github.com/psf/black/issues/4273">#4273</a>)</li>
</ul>
<h3>Performance</h3>
<ul>
<li>Fix catastrophic performance on docstrings that contain large
numbers of leading tab
characters. This fixes
<a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21503">CVE-2024-21503</a>.
(<a
href="https://redirect.github.com/psf/black/issues/4278">#4278</a>)</li>
</ul>
<h3>Documentation</h3>
<ul>
<li>Note what happens when <code>--check</code> is used with
<code>--quiet</code> (<a
href="https://redirect.github.com/psf/black/issues/4236">#4236</a>)</li>
</ul>
<h2>24.2.0</h2>
<h3>Stable style</h3>
<ul>
<li>Fixed a bug where comments were mistakenly removed along with
redundant parentheses
(<a
href="https://redirect.github.com/psf/black/issues/4218">#4218</a>)</li>
</ul>
<h3>Preview style</h3>
<ul>
<li>Move the <code>hug_parens_with_braces_and_square_brackets</code>
feature to the unstable style
due to an outstanding crash and proposed formatting tweaks (<a
href="https://redirect.github.com/psf/black/issues/4198">#4198</a>)</li>
<li>Fixed a bug where base expressions caused inconsistent formatting of
** in ternary
expression (<a
href="https://redirect.github.com/psf/black/issues/4154">#4154</a>)</li>
<li>Checking for newline before adding one on docstring that is almost
at the line limit
(<a
href="https://redirect.github.com/psf/black/issues/4185">#4185</a>)</li>
<li>Remove redundant parentheses in <code>case</code> statement
<code>if</code> guards (<a
href="https://redirect.github.com/psf/black/issues/4214">#4214</a>).</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="552baf8229"><code>552baf8</code></a>
Prepare release 24.3.0 (<a
href="https://redirect.github.com/psf/black/issues/4279">#4279</a>)</li>
<li><a
href="f000936726"><code>f000936</code></a>
Fix catastrophic performance in lines_with_leading_tabs_expanded() (<a
href="https://redirect.github.com/psf/black/issues/4278">#4278</a>)</li>
<li><a
href="7b5a657285"><code>7b5a657</code></a>
Fix --line-ranges behavior when ranges are at EOF (<a
href="https://redirect.github.com/psf/black/issues/4273">#4273</a>)</li>
<li><a
href="1abcffc818"><code>1abcffc</code></a>
Use regex where we ignore case on windows (<a
href="https://redirect.github.com/psf/black/issues/4252">#4252</a>)</li>
<li><a
href="719e67462c"><code>719e674</code></a>
Fix 4227: Improve documentation for --quiet --check (<a
href="https://redirect.github.com/psf/black/issues/4236">#4236</a>)</li>
<li><a
href="e5510afc06"><code>e5510af</code></a>
update plugin url for Thonny (<a
href="https://redirect.github.com/psf/black/issues/4259">#4259</a>)</li>
<li><a
href="6af7d11096"><code>6af7d11</code></a>
Fix AST safety check false negative (<a
href="https://redirect.github.com/psf/black/issues/4270">#4270</a>)</li>
<li><a
href="f03ee113c9"><code>f03ee11</code></a>
Ensure <code>blib2to3.pygram</code> is initialized before use (<a
href="https://redirect.github.com/psf/black/issues/4224">#4224</a>)</li>
<li><a
href="e4bfedbec2"><code>e4bfedb</code></a>
fix: Don't move comments while splitting delimiters (<a
href="https://redirect.github.com/psf/black/issues/4248">#4248</a>)</li>
<li><a
href="d0287e1f75"><code>d0287e1</code></a>
Make trailing comma logic more concise (<a
href="https://redirect.github.com/psf/black/issues/4202">#4202</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/psf/black/compare/23.12.0...24.3.0">compare
view</a></li>
</ul>
</details>
<br />
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=black&package-manager=pip&previous-version=23.12.0&new-version=24.3.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [es5-ext](https://github.com/medikoo/es5-ext) from 0.10.62 to
0.10.63.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/medikoo/es5-ext/releases">es5-ext's
releases</a>.</em></p>
<blockquote>
<h2>0.10.63 (2024-02-23)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>Do not rely on problematic regex (<a
href="3551cdd7b2">3551cdd</a>),
addresses <a
href="https://redirect.github.com/medikoo/es5-ext/issues/201">#201</a></li>
<li>Support ES2015+ function definitions in
<code>function#toStringTokens()</code> (<a
href="a52e957366">a52e957</a>),
addresses <a
href="https://redirect.github.com/medikoo/es5-ext/issues/021">#021</a></li>
<li>Ensure postinstall script does not crash on Windows, fixes <a
href="https://redirect.github.com/medikoo/es5-ext/issues/181">#181</a>
(<a
href="bf8ed799d5">bf8ed79</a>)</li>
</ul>
<h3>Maintenance Improvements</h3>
<ul>
<li>Simplify the manifest message (<a
href="7855319f41">7855319</a>)</li>
</ul>
<hr />
<p><a
href="https://github.com/medikoo/es5-ext/compare/v0.10.62...v0.10.63">Comparison
since last release</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/medikoo/es5-ext/blob/main/CHANGELOG.md">es5-ext's
changelog</a>.</em></p>
<blockquote>
<h3><a
href="https://github.com/medikoo/es5-ext/compare/v0.10.62...v0.10.63">0.10.63</a>
(2024-02-23)</h3>
<h3>Bug Fixes</h3>
<ul>
<li>Do not rely on problematic regex (<a
href="3551cdd7b2">3551cdd</a>),
addresses <a
href="https://redirect.github.com/medikoo/es5-ext/issues/201">#201</a></li>
<li>Support ES2015+ function definitions in
<code>function#toStringTokens()</code> (<a
href="a52e957366">a52e957</a>),
addresses <a
href="https://redirect.github.com/medikoo/es5-ext/issues/021">#021</a></li>
<li>Ensure postinstall script does not crash on Windows, fixes <a
href="https://redirect.github.com/medikoo/es5-ext/issues/181">#181</a>
(<a
href="bf8ed799d5">bf8ed79</a>)</li>
</ul>
<h3>Maintenance Improvements</h3>
<ul>
<li>Simplify the manifest message (<a
href="7855319f41">7855319</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="de4e03c477"><code>de4e03c</code></a>
chore: Release v0.10.63</li>
<li><a
href="3fd53b755e"><code>3fd53b7</code></a>
chore: Upgrade <code>lint-staged</code> to v13</li>
<li><a
href="bf8ed799d5"><code>bf8ed79</code></a>
chore: Ensure postinstall script does not crash on Windows</li>
<li><a
href="2cbbb0717b"><code>2cbbb07</code></a>
chore: Bump dependencies</li>
<li><a
href="22d0416ea1"><code>22d0416</code></a>
chore: Bump LICENSE year</li>
<li><a
href="a52e957366"><code>a52e957</code></a>
fix: Support ES2015+ function definitions in
<code>function#toStringTokens()</code></li>
<li><a
href="3551cdd7b2"><code>3551cdd</code></a>
fix: Do not rely on problematic regex</li>
<li><a
href="7855319f41"><code>7855319</code></a>
chore: Simplify the manifest message</li>
<li>See full diff in <a
href="https://github.com/medikoo/es5-ext/compare/v0.10.62...v0.10.63">compare
view</a></li>
</ul>
</details>
<br />
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=es5-ext&package-manager=npm_and_yarn&previous-version=0.10.62&new-version=0.10.63)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.2
to 42.0.4.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's
changelog</a>.</em></p>
<blockquote>
<p>42.0.4 - 2024-02-20</p>
<pre><code>
* Fixed a null-pointer-dereference and segfault that could occur when
creating
a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields
``SMIMECapabilities``
and ``SignatureAlgorithmIdentifier`` should now be correctly encoded
according to the
definitions in :rfc:`2633` :rfc:`3370`.
</code></pre>
<p>.. _v42-0-3:</p>
<p>42.0.3 - 2024-02-15</p>
<ul>
<li>Fixed an initialization issue that caused key loading failures for
some
users.</li>
</ul>
<p>.. _v42-0-2:</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="fe18470f7d"><code>fe18470</code></a>
Bump for 42.0.4 release (<a
href="https://redirect.github.com/pyca/cryptography/issues/10445">#10445</a>)</li>
<li><a
href="aaa2dd06ed"><code>aaa2dd0</code></a>
Fix ASN.1 issues in PKCS#7 and S/MIME signing (<a
href="https://redirect.github.com/pyca/cryptography/issues/10373">#10373</a>)
(<a
href="https://redirect.github.com/pyca/cryptography/issues/10442">#10442</a>)</li>
<li><a
href="7a4d012991"><code>7a4d012</code></a>
Fixes <a
href="https://redirect.github.com/pyca/cryptography/issues/10422">#10422</a>
-- don't crash when a PKCS#12 key and cert don't match (<a
href="https://redirect.github.com/pyca/cryptography/issues/10423">#10423</a>)
...</li>
<li><a
href="df314bb182"><code>df314bb</code></a>
backport actions m1 switch to 42.0.x (<a
href="https://redirect.github.com/pyca/cryptography/issues/10415">#10415</a>)</li>
<li><a
href="c49a7a5271"><code>c49a7a5</code></a>
changelog and version bump for 42.0.3 (<a
href="https://redirect.github.com/pyca/cryptography/issues/10396">#10396</a>)</li>
<li><a
href="396bcf64c5"><code>396bcf6</code></a>
fix provider loading take two (<a
href="https://redirect.github.com/pyca/cryptography/issues/10390">#10390</a>)
(<a
href="https://redirect.github.com/pyca/cryptography/issues/10395">#10395</a>)</li>
<li><a
href="0e0e46f5f7"><code>0e0e46f</code></a>
backport: initialize openssl's legacy provider in rust (<a
href="https://redirect.github.com/pyca/cryptography/issues/10323">#10323</a>)
(<a
href="https://redirect.github.com/pyca/cryptography/issues/10333">#10333</a>)</li>
<li>See full diff in <a
href="https://github.com/pyca/cryptography/compare/42.0.2...42.0.4">compare
view</a></li>
</ul>
</details>
<br />
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=cryptography&package-manager=pip&previous-version=42.0.2&new-version=42.0.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/mozilla/experimenter/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.0
to 42.0.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's
changelog</a>.</em></p>
<blockquote>
<p>42.0.2 - 2024-01-30</p>
<pre><code>
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL
3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol
objects in
``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with
``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
``X25519PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
``X448PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
and ``DHPrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.
</code></pre>
<p>.. _v42-0-1:</p>
<p>42.0.1 - 2024-01-24</p>
<ul>
<li>Fixed an issue with incorrect keyword-argument naming with
<code>EllipticCurvePrivateKey</code>
:meth:<code>~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign</code>.</li>
<li>Resolved compatibility issue with loading certain RSA public keys in
:func:<code>~cryptography.hazmat.primitives.serialization.load_pem_public_key</code>.</li>
</ul>
<p>.. _v42-0-0:</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="2202123b50"><code>2202123</code></a>
changelog and version bump 42.0.2 (<a
href="https://redirect.github.com/pyca/cryptography/issues/10268">#10268</a>)</li>
<li><a
href="f7032bdd40"><code>f7032bd</code></a>
bump openssl in CI (<a
href="https://redirect.github.com/pyca/cryptography/issues/10298">#10298</a>)
(<a
href="https://redirect.github.com/pyca/cryptography/issues/10299">#10299</a>)</li>
<li><a
href="002e886f16"><code>002e886</code></a>
Fixes <a
href="https://redirect.github.com/pyca/cryptography/issues/10294">#10294</a>
-- correct accidental change to exchange kwarg (<a
href="https://redirect.github.com/pyca/cryptography/issues/10295">#10295</a>)
(<a
href="https://redirect.github.com/pyca/cryptography/issues/10296">#10296</a>)</li>
<li><a
href="92fa9f2f60"><code>92fa9f2</code></a>
support bytes-like consistently across our asym sign/verify APIs (<a
href="https://redirect.github.com/pyca/cryptography/issues/10260">#10260</a>)
(<a
href="https://redirect.github.com/pyca/cryptography/issues/1">#1</a>...</li>
<li><a
href="6478f7e28b"><code>6478f7e</code></a>
explicitly support bytes-like for signature/data in RSA sign/verify (<a
href="https://redirect.github.com/pyca/cryptography/issues/10259">#10259</a>)
...</li>
<li><a
href="4bb8596ae0"><code>4bb8596</code></a>
fix the release script (<a
href="https://redirect.github.com/pyca/cryptography/issues/10233">#10233</a>)
(<a
href="https://redirect.github.com/pyca/cryptography/issues/10254">#10254</a>)</li>
<li><a
href="337437dc2e"><code>337437d</code></a>
42.0.1 bump (<a
href="https://redirect.github.com/pyca/cryptography/issues/10252">#10252</a>)</li>
<li><a
href="56255de6b2"><code>56255de</code></a>
allow SPKI RSA keys to be parsed even if they have an incorrect
delimiter (<a
href="https://redirect.github.com/pyca/cryptography/issues/1">#1</a>...</li>
<li><a
href="12f038b38a"><code>12f038b</code></a>
fixes <a
href="https://redirect.github.com/pyca/cryptography/issues/10237">#10237</a>
-- correct EC sign parameter name (<a
href="https://redirect.github.com/pyca/cryptography/issues/10239">#10239</a>)
(<a
href="https://redirect.github.com/pyca/cryptography/issues/10240">#10240</a>)</li>
<li>See full diff in <a
href="https://github.com/pyca/cryptography/compare/42.0.0...42.0.2">compare
view</a></li>
</ul>
</details>
<br />
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=cryptography&package-manager=pip&previous-version=42.0.0&new-version=42.0.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.6
to 42.0.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's
changelog</a>.</em></p>
<blockquote>
<p>42.0.0 - 2024-01-22</p>
<pre><code>
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.7.
* **BACKWARDS INCOMPATIBLE:** Loading a PKCS7 with no content field
using
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
or
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
will now raise a ``ValueError`` rather than return an empty list.
* Parsing SSH certificates no longer permits malformed critical options
with
values, as documented in the 41.0.2 release notes.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL
3.2.0.
* Updated the minimum supported Rust version (MSRV) to 1.63.0, from
1.56.0.
* We now publish both ``py37`` and ``py39`` ``abi3`` wheels. This should
resolve some errors relating to initializing a module multiple times per
process.
* Support
:class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` for
X.509 certificate signing requests and certificate revocation lists with
the
keyword-only argument ``rsa_padding`` on the ``sign`` methods for
:class:`~cryptography.x509.CertificateSigningRequestBuilder` and
:class:`~cryptography.x509.CertificateRevocationListBuilder`.
* Added support for obtaining X.509 certificate signing request
signature
algorithm parameters (including PSS) via
:meth:`~cryptography.x509.CertificateSigningRequest.signature_algorithm_parameters`.
* Added support for obtaining X.509 certificate revocation list
signature
algorithm parameters (including PSS) via
:meth:`~cryptography.x509.CertificateRevocationList.signature_algorithm_parameters`.
* Added ``mgf`` property to
:class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`.
* Added ``algorithm`` and ``mgf`` properties to
:class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP`.
* Added the following properties that return timezone-aware ``datetime``
objects:
:meth:`~cryptography.x509.Certificate.not_valid_before_utc`,
:meth:`~cryptography.x509.Certificate.not_valid_after_utc`,
:meth:`~cryptography.x509.RevokedCertificate.revocation_date_utc`,
:meth:`~cryptography.x509.CertificateRevocationList.next_update_utc`,
:meth:`~cryptography.x509.CertificateRevocationList.last_update_utc`.
These are timezone-aware variants of existing properties that return
naïve
``datetime`` objects.
* Deprecated the following properties that return naïve ``datetime``
objects:
:meth:`~cryptography.x509.Certificate.not_valid_before`,
:meth:`~cryptography.x509.Certificate.not_valid_after`,
:meth:`~cryptography.x509.RevokedCertificate.revocation_date`,
:meth:`~cryptography.x509.CertificateRevocationList.next_update`,
:meth:`~cryptography.x509.CertificateRevocationList.last_update`
in favor of the new timezone-aware variants mentioned above.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`
on LibreSSL.
* Added support for RSA PSS signatures in PKCS7 with
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4e64baf360"><code>4e64baf</code></a>
42.0.0 version bump (<a
href="https://redirect.github.com/pyca/cryptography/issues/10232">#10232</a>)</li>
<li><a
href="7cb13a3bc9"><code>7cb13a3</code></a>
we'll ship 3.2.0 for 42 (<a
href="https://redirect.github.com/pyca/cryptography/issues/9951">#9951</a>)</li>
<li><a
href="605c74e41c"><code>605c74e</code></a>
Bump x509-limbo and/or wycheproof in CI (<a
href="https://redirect.github.com/pyca/cryptography/issues/10231">#10231</a>)</li>
<li><a
href="97578b98ff"><code>97578b9</code></a>
Bump BoringSSL and/or OpenSSL in CI (<a
href="https://redirect.github.com/pyca/cryptography/issues/10230">#10230</a>)</li>
<li><a
href="972a7b5896"><code>972a7b5</code></a>
verification: add test_verify_tz_aware (<a
href="https://redirect.github.com/pyca/cryptography/issues/10229">#10229</a>)</li>
<li><a
href="41daf2d86d"><code>41daf2d</code></a>
Migrate PKCS7 backend to Rust (<a
href="https://redirect.github.com/pyca/cryptography/issues/10228">#10228</a>)</li>
<li><a
href="d54093e62e"><code>d54093e</code></a>
Remove some skips in tests that aren't needed anymore (<a
href="https://redirect.github.com/pyca/cryptography/issues/10223">#10223</a>)</li>
<li><a
href="71929bd91f"><code>71929bd</code></a>
Remove binding that's not used anymore (<a
href="https://redirect.github.com/pyca/cryptography/issues/10224">#10224</a>)</li>
<li><a
href="7ea4b89cea"><code>7ea4b89</code></a>
fixed formatting in changelog (<a
href="https://redirect.github.com/pyca/cryptography/issues/10225">#10225</a>)</li>
<li><a
href="410f4a1ee4"><code>410f4a1</code></a>
Allow brainpool on libressl (<a
href="https://redirect.github.com/pyca/cryptography/issues/10222">#10222</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/pyca/cryptography/compare/41.0.6...42.0.0">compare
view</a></li>
</ul>
</details>
<br />
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=cryptography&package-manager=pip&previous-version=41.0.6&new-version=42.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>