fix(security): Update dependency black to v24 [SECURITY] - autoclosed #25
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
23.11.0
->24.3.0
GitHub Vulnerability Alerts
CVE-2024-21503
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.
Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
Release Notes
psf/black (black)
v24.3.0
Compare Source
Highlights
This release is a milestone: it fixes Black's first CVE security vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of leading tab
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
CVE-2024-21503.
This release also fixes a bug in Black's AST safety check that allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.
Stable style
of Black would incorrectly format the contents of certain unusual f-strings containing
nested strings with the same quote type. Now, Black will crash on such strings until
support for the new f-string syntax is implemented. (#4270)
(#4273)
Performance
characters. This fixes
CVE-2024-21503.
(#4278)
Documentation
--check
is used with--quiet
(#4236)v24.2.0
Compare Source
Stable style
(#4218)
Preview style
hug_parens_with_braces_and_square_brackets
feature to the unstable styledue to an outstanding crash and proposed formatting tweaks (#4198)
expression (#4154)
(#4185)
case
statementif
guards (#4214).Configuration
pyproject.toml
that is missing atool.black
section whendiscovering project root and configuration. Since Black continues to use version
control as an indicator of project root, this is expected to primarily change behavior
for users in a monorepo setup (desirably). If you wish to preserve previous behavior,
simply add an empty
[tool.black]
to the previously discoveredpyproject.toml
(#4204)
Output
SyntaxWarning
s orDeprecationWarning
s produced by theast
module when performing equivalence checks (#4189)
Integrations
v24.1.1
Compare Source
Bugfix release to fix a bug that made Black unusable on certain file systems with strict
limits on path length.
Preview style
Configuration
do not support long paths (#4176)
v24.1.0
Compare Source
Highlights
This release introduces the new 2024 stable style (#4106), stabilizing the following
changes:
if
-else
expressions (#2278)...
are formatted morecompactly (#3796)
(#3368)
with
statement(#3489)
entry (#3393)
--skip-magic-trailing-comma
or-C
, trailing commas are stripped fromsubscript expressions with more than 1 element (#3209)
# fmt: skip
with other comments (#3959)There are already a few improvements in the
--preview
style, which are slated for the2025 stable style. Try them out and
share your feedback. In the past, the preview
style has included some features that we were not able to stabilize. This year, we're
adding a separate
--unstable
style for features with known problems. Now, the--preview
style only includes features that we actually expect to make it into nextyear's stable style.
Stable style
Several bug fixes were made in features that are moved to the stable style in this
release:
unlike other binary operators (#4109)
blocks, except immediately before a docstring (#4130)
Preview style
--unstable
style, covering preview features that have known problems that wouldblock them from going into the stable style. Also add the
--enable-unstable-feature
flag; for example, use
--enable-unstable-feature hug_parens_with_braces_and_square_brackets
to apply thispreview feature throughout 2024, even if a later Black release downgrades the feature
to unstable (#4096)
# fmt: skip
comments (#4146)Configuration
pyproject.toml
contains an invalid key (#4165)--experimental-string-processing
flag. This feature cancurrently be enabled with
--preview --enable-unstable-feature string_processing
.(#4096)
Integrations
(#3940) for better compatibility with older versions of pre-commit (#4137)
v23.12.1
Compare Source
Packaging
d
extra by default (#4108)v23.12.0
Compare Source
Highlights
It's almost 2024, which means it's time for a new edition of Black's stable style!
Together with this release, we'll put out an alpha release 24.1a1 showcasing the draft
2024 stable style, which we'll finalize in the January release. Please try it out and
share your feedback.
This release (23.12.0) will still produce the 2023 style. Most but not all of the
changes in
--preview
mode will be in the 2024 stable style.Stable style
# fmt: off
automatically dedents when used with the--line-ranges
option, even when it is not within the specified line range. (#4084)
Preview style
indented less (#4012)
docstring (#4060)
--line-length
(#4086)functions or class definitions (#4066) (#4103)
Configuration
--line-ranges
now skips Black's internal stability check in--safe
mode. Thisavoids a crash on rare inputs that have many unformatted same-content lines. (#4034)
Packaging
Integrations
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.