Update all minor versions (master) (minor) #11559

Merged
merged 2 commits into from
Dec 5, 2024

Conversation

renovate[bot]

@renovate renovate bot commented Dec 1, 2024

This PR contains the following updates:

| Package | Change | Type | Update |
|---|---|---|---|
| @eslint/eslintrc | 3.1.0 -> 3.2.0 | devDependencies | minor |
| @eslint/js (source) | 9.14.0 -> 9.16.0 | devDependencies | minor |
| @sentry/browser (source) | 8.37.1 -> 8.42.0 | devDependencies | minor |
| GeoAlchemy2 (source) | 0.15.2 -> 0.16.0 | dependencies | minor |
| azure-storage-blob (source) | 12.23.1 -> 12.24.0 | dependencies | minor |
| camptocamp/tilecloud-chain | 1.21 -> 1.22 | | minor |
| eslint-plugin-jsdoc | 50.4.3 -> 50.6.0 | devDependencies | minor |
| prospector-profile-duplicated | 1.6.0 -> 1.9.0 | dependencies | minor |
| prospector-profile-duplicated | 1.6.0 -> 1.9.0 | dev-dependencies | minor |
| prospector-profile-utils | 1.9.1 -> 1.14.1 | dependencies | minor |
| prospector-profile-utils | 1.9.1 -> 1.14.1 | dev-dependencies | minor |
| puppeteer (source) | 23.7.1 -> 23.9.0 | dependencies | minor |
| pyramid_tm (changelog) | 2.5 -> 2.6 | dependencies | minor |
| sass | 1.80.7 -> 1.81.1 | devDependencies | minor |
| tilecloud-chain | 1.21.0 -> 1.22.0 | dependencies | minor |
| types-setuptools (changelog) | 75.3.0.20241112 -> 75.6.0.20241126 | dev | minor |
| webpack | 5.96.1 -> 5.97.0 | devDependencies | minor |

Release Notes

eslint/eslintrc (@​eslint/eslintrc)

v3.2.0

Compare Source

Features
  • merge rule.meta.defaultOptions before validation (#​166) (d02f914)

eslint/eslint (@eslint/js)

v9.16.0

Compare Source

v9.15.0

Compare Source

getsentry/sentry-javascript (@​sentry/browser)

v8.42.0

Compare Source

Important Changes
Deprecations
  • feat: Warn about source-map generation (#​14533)

    In the next major version of the SDK we will change how source maps are generated when the SDK is added to an application.
    Currently, the implementation varies a lot between different SDKs and can be difficult to understand.
    Moving forward, our goal is to turn on source maps for every framework, unless we detect that they are explicitly turned off.
    Additionally, if we end up enabling source maps, we will emit a log message that we did so.

    With this particular release, we are emitting warnings that source map generation will change in the future and we print instructions on how to prepare for the next major.

  • feat(nuxt): Deprecate tracingOptions in favor of vueIntegration (#​14530)

    Currently it is possible to configure tracing options in two places in the Sentry Nuxt SDK:

    • In Sentry.init()
    • Inside tracingOptions in Sentry.init()

    For tree-shaking purposes and alignment with the Vue SDK, it is now recommended to instead use the newly exported vueIntegration() and its tracingOptions option to configure tracing options in the Nuxt SDK:

    // sentry.client.config.ts
    import * as Sentry from '@sentry/nuxt';
    
    Sentry.init({
      // ...
      integrations: [
        Sentry.vueIntegration({
          tracingOptions: {
            trackComponents: true,
          },
        }),
      ],
    });

Other Changes
  • feat(browser-utils): Update web-vitals to v4.2.4 (#​14439)
  • feat(nuxt): Expose vueIntegration (#​14526)
  • fix(feedback): Handle css correctly in screenshot mode (#​14535)

Bundle size 📦

Path Size
@​sentry/browser 23.1 KB
@​sentry/browser - with treeshaking flags 21.84 KB
@​sentry/browser (incl. Tracing) 35.61 KB
@​sentry/browser (incl. Tracing, Replay) 72.47 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags 62.96 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) 76.79 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) 89.28 KB
@​sentry/browser (incl. Feedback) 39.86 KB
@​sentry/browser (incl. sendFeedback) 27.72 KB
@​sentry/browser (incl. FeedbackAsync) 32.53 KB
@​sentry/react 25.8 KB
@​sentry/react (incl. Tracing) 38.49 KB
@​sentry/vue 27.25 KB
@​sentry/vue (incl. Tracing) 37.38 KB
@​sentry/svelte 23.25 KB
CDN Bundle 24.32 KB
CDN Bundle (incl. Tracing) 37.29 KB
CDN Bundle (incl. Tracing, Replay) 72.15 KB
CDN Bundle (incl. Tracing, Replay, Feedback) 77.49 KB
CDN Bundle - uncompressed 71.45 KB
CDN Bundle (incl. Tracing) - uncompressed 110.76 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed 223.83 KB
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 237.05 KB
@​sentry/nextjs (client) 38.78 KB
@​sentry/sveltekit (client) 36.14 KB
@​sentry/node 135.08 KB
@​sentry/node - without tracing 97.13 KB
@​sentry/aws-serverless 109.43 KB

v8.41.0

Compare Source

Important Changes
  • meta(nuxt): Require minimum Nuxt v3.7.0 (#​14473)

    We formalized that the Nuxt SDK is at minimum compatible with Nuxt version 3.7.0 and above.
    Additionally, the SDK requires the implicit nitropack dependency to satisfy version ^2.10.0 and ofetch to satisfy ^1.4.0.
    It is recommended to check your lock-files and manually upgrade these dependencies if they don't match the version ranges.

Deprecations

We are deprecating a few APIs which will be removed in the next major.

The following deprecations will potentially affect you:

  • feat(core): Update & deprecate undefined option handling (#​14450)

    In the next major version we will change how passing undefined to tracesSampleRate / tracesSampler / enableTracing will behave.

    Currently, doing the following:

    Sentry.init({
      tracesSampleRate: undefined,
    });

    Will result in tracing being enabled (although no spans will be generated) because the tracesSampleRate key is present in the options object.
    In the next major version, this behavior will be changed so that passing undefined (or rather having a tracesSampleRate key) will result in tracing being disabled, the same as not passing the option at all.
    If you are currently relying on undefined being passed, and thus have tracing enabled, it is recommended to update your config to set e.g. tracesSampleRate: 0 instead, which will also enable tracing in v9.

    The same applies to tracesSampler and enableTracing.

  • feat(core): Log warnings when returning null in beforeSendSpan (#​14433)

    Currently, the beforeSendSpan option in Sentry.init() allows you to drop individual spans from a trace by returning null from the hook.
    Since this API lends itself to creating "gaps" inside traces, we decided to change how this API will work in the next major version.

    With the next major version the beforeSendSpan API can only be used to mutate spans, but no longer to drop them.
    With this release the SDK will warn you if you are using this API to drop spans.
    Instead, it is recommended to configure instrumentation (i.e. integrations) directly to control what spans are created.

    Additionally, with the next major version, root spans will also be passed to beforeSendSpan.

  • feat(utils): Deprecate @sentry/utils (#​14431)

    With the next major version the @sentry/utils package will be merged into the @sentry/core package.
    It is therefore no longer recommended to use the @sentry/utils package.

  • feat(vue): Deprecate configuring Vue tracing options anywhere else other than through the vueIntegration's tracingOptions option (#​14385)

    Currently it is possible to configure tracing options in various places in the Sentry Vue SDK:

    • In Sentry.init()
    • Inside tracingOptions in Sentry.init()
    • In the vueIntegration() options
    • Inside tracingOptions in the vueIntegration() options

    Because this is a bit messy and confusing to document, the only recommended way to configure tracing options going forward is through the tracingOptions in the vueIntegration().
    The other means of configuration will be removed in the next major version of the SDK.

  • feat: Deprecate registerEsmLoaderHooks.include and registerEsmLoaderHooks.exclude (#​14486)

    Currently it is possible to define registerEsmLoaderHooks.include and registerEsmLoaderHooks.exclude options in Sentry.init() to only apply ESM loader hooks to a subset of modules.
    This API served as an escape hatch in case certain modules are incompatible with ESM loader hooks.

    Since this API was introduced, a way was found to only wrap modules that there exists instrumentation for (meaning a vetted list).
    To only wrap modules that have instrumentation, it is recommended to instead set registerEsmLoaderHooks.onlyIncludeInstrumentedModules to true.

    Note that onlyIncludeInstrumentedModules: true will become the default behavior in the next major version and the registerEsmLoaderHooks will no longer accept fine-grained options.

The following deprecations will most likely not affect you unless you are building an SDK yourself:

  • feat(core): Deprecate arrayify (#​14405)
  • feat(core): Deprecate flatten (#​14454)
  • feat(core): Deprecate urlEncode (#​14406)
  • feat(core): Deprecate validSeverityLevels (#​14407)
  • feat(core/utils): Deprecate getNumberOfUrlSegments (#​14458)
  • feat(utils): Deprecate memoBuilder, BAGGAGE_HEADER_NAME, and makeFifoCache (#​14434)
  • feat(utils/core): Deprecate addRequestDataToEvent and extractRequestData (#​14430)

Other Changes
  • feat: Streamline sentry-trace, baggage and DSC handling (#​14364)
  • feat(core): Further optimize debug ID parsing (#​14365)
  • feat(node): Add openTelemetryInstrumentations option (#​14484)
  • feat(nuxt): Add filter for not found source maps (devtools) (#​14437)
  • feat(nuxt): Only delete public source maps (#​14438)
  • fix(nextjs): Don't report NEXT_REDIRECT from browser (#​14440)
  • perf(opentelemetry): Bucket spans for cleanup (#​14154)

Work in this release was contributed by @​NEKOYASAN and @​fmorett. Thank you for your contributions!

Bundle size 📦

Path Size
@​sentry/browser 23.12 KB
@​sentry/browser - with treeshaking flags 21.84 KB
@​sentry/browser (incl. Tracing) 35.53 KB
@​sentry/browser (incl. Tracing, Replay) 72.44 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags 62.81 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) 76.76 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) 89.21 KB
@​sentry/browser (incl. Feedback) 39.86 KB
@​sentry/browser (incl. sendFeedback) 27.73 KB
@​sentry/browser (incl. FeedbackAsync) 32.53 KB
@​sentry/react 25.8 KB
@​sentry/react (incl. Tracing) 38.36 KB
@​sentry/vue 27.28 KB
@​sentry/vue (incl. Tracing) 37.33 KB
@​sentry/svelte 23.27 KB
CDN Bundle 24.29 KB
CDN Bundle (incl. Tracing) 37.17 KB
CDN Bundle (incl. Tracing, Replay) 72.06 KB
CDN Bundle (incl. Tracing, Replay, Feedback) 77.41 KB
CDN Bundle - uncompressed 71.37 KB
CDN Bundle (incl. Tracing) - uncompressed 110.4 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed 223.47 KB
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 236.69 KB
@​sentry/nextjs (client) 38.68 KB
@​sentry/sveltekit (client) 36.05 KB
@​sentry/node 135.06 KB
@​sentry/node - without tracing 96.89 KB
@​sentry/aws-serverless 107.09 KB

v8.40.0

Compare Source

Important Changes
  • feat(angular): Support Angular 19 (#​14398)

    The @sentry/angular SDK can now be used with Angular 19. If you're upgrading to the new Angular version, you might want to migrate from the now deprecated APP_INITIALIZER token to provideAppInitializer.
    In this case, change the Sentry TraceService initialization in app.config.ts:

    // Angular 18
    export const appConfig: ApplicationConfig = {
      providers: [
        // other providers
        {
          provide: TraceService,
          deps: [Router],
        },
        {
          provide: APP_INITIALIZER,
          useFactory: () => () => {},
          deps: [TraceService],
          multi: true,
        },
      ],
    };
    
    // Angular 19
    export const appConfig: ApplicationConfig = {
      providers: [
        // other providers
        {
          provide: TraceService,
          deps: [Router],
        },
        provideAppInitializer(() => {
          inject(TraceService);
        }),
      ],
    };
  • feat(core): Deprecate debugIntegration and sessionTimingIntegration (#​14363)

    The debugIntegration was deprecated and will be removed in the next major version of the SDK.
    To log outgoing events, use Hook Options (beforeSend, beforeSendTransaction, ...).

    The sessionTimingIntegration was deprecated and will be removed in the next major version of the SDK.
    To capture session durations alongside events, use Context (Sentry.setContext()).

  • feat(nestjs): Deprecate @WithSentry in favor of @SentryExceptionCaptured (#​14323)

    The @WithSentry decorator was deprecated. Use @SentryExceptionCaptured instead. This is a simple renaming and functionality stays identical.

  • feat(nestjs): Deprecate SentryTracingInterceptor, SentryService, SentryGlobalGenericFilter, SentryGlobalGraphQLFilter (#​14371)

    The SentryTracingInterceptor was deprecated. If you are using @sentry/nestjs you can safely remove any references to the SentryTracingInterceptor. If you are using another package migrate to @sentry/nestjs and remove the SentryTracingInterceptor afterwards.

    The SentryService was deprecated and its functionality was added to Sentry.init. If you are using @sentry/nestjs you can safely remove any references to the SentryService. If you are using another package migrate to @sentry/nestjs and remove the SentryService afterwards.

    The SentryGlobalGenericFilter was deprecated. Use the SentryGlobalFilter instead which is a drop-in replacement.

    The SentryGlobalGraphQLFilter was deprecated. Use the SentryGlobalFilter instead which is a drop-in replacement.

  • feat(node): Deprecate nestIntegration and setupNestErrorHandler in favor of using @sentry/nestjs (#​14374)

    The nestIntegration and setupNestErrorHandler functions from @sentry/node were deprecated and will be removed in the next major version of the SDK. If you're using @sentry/node in a NestJS application, we recommend switching to our new dedicated @sentry/nestjs package.

Other Changes
  • feat(browser): Send additional LCP timing info (#​14372)
  • feat(replay): Clear event buffer when full and in buffer mode (#​14078)
  • feat(core): Ensure normalizedRequest on sdkProcessingMetadata is merged (#​14315)
  • feat(core): Hoist everything from @sentry/utils into @sentry/core (#​14382)
  • fix(core): Do not throw when trying to fill readonly properties (#​14402)
  • fix(feedback): Fix __self and __source attributes on feedback nodes (#​14356)
  • fix(feedback): Fix non-wrapping form title (#​14355)
  • fix(nextjs): Update check for not found navigation error (#​14378)

Bundle size 📦

Path Size
@​sentry/browser 22.88 KB
@​sentry/browser - with treeshaking flags 21.57 KB
@​sentry/browser (incl. Tracing) 35.46 KB
@​sentry/browser (incl. Tracing, Replay) 72.22 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags 62.53 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) 76.52 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) 89.02 KB
@​sentry/browser (incl. Feedback) 39.63 KB
@​sentry/browser (incl. sendFeedback) 27.51 KB
@​sentry/browser (incl. FeedbackAsync) 32.32 KB
@​sentry/react 25.58 KB
@​sentry/react (incl. Tracing) 38.32 KB
@​sentry/vue 27.04 KB
@​sentry/vue (incl. Tracing) 37.27 KB
@​sentry/svelte 23.03 KB
CDN Bundle 24.04 KB
CDN Bundle (incl. Tracing) 37.02 KB
CDN Bundle (incl. Tracing, Replay) 71.81 KB
CDN Bundle (incl. Tracing, Replay, Feedback) 77.16 KB
CDN Bundle - uncompressed 70.9 KB
CDN Bundle (incl. Tracing) - uncompressed 110.25 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed 223.05 KB
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 236.27 KB
@​sentry/nextjs (client) 38.42 KB
@​sentry/sveltekit (client) 35.97 KB
@​sentry/node 134.48 KB
@​sentry/node - without tracing 96.32 KB
@​sentry/aws-serverless 106.57 KB

v8.39.0

Compare Source

Important Changes
  • feat(nestjs): Instrument event handlers (#​14307)

    The @sentry/nestjs SDK will now capture performance data for NestJS Events (@nestjs/event-emitter)

Other Changes
  • feat(nestjs): Add alias @SentryExceptionCaptured for @WithSentry (#​14322)
  • feat(nestjs): Duplicate SentryService behaviour into @sentry/nestjs SDK init() (#​14321)
  • feat(nestjs): Handle GraphQL contexts in SentryGlobalFilter (#​14320)
  • feat(node): Add alias childProcessIntegration for processThreadBreadcrumbIntegration and deprecate it (#​14334)
  • feat(node): Ensure request bodies are reliably captured for http requests (#​13746)
  • feat(replay): Upgrade rrweb packages to 2.29.0 (#​14160)
  • fix(cdn): Ensure _sentryModuleMetadata is not mangled (#​14344)
  • fix(core): Set sentry.source attribute to custom when calling span.updateName on SentrySpan (#​14251)
  • fix(mongo): rewrite Buffer as ? during serialization (#​14071)
  • fix(replay): Remove replay id from DSC on expired sessions (#​14342)
  • ref(profiling) Fix electron crash (#​14216)
  • ref(types): Deprecate Request type in favor of RequestEventData (#​14317)
  • ref(utils): Stop setting transaction in requestDataIntegration (#​14306)
  • ref(vue): Reduce bundle size for starting application render span (#​14275)

Bundle size 📦

Path Size
@​sentry/browser 22.77 KB
@​sentry/browser - with treeshaking flags 21.53 KB
@​sentry/browser (incl. Tracing) 35.27 KB
@​sentry/browser (incl. Tracing, Replay) 72 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags 62.38 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) 76.31 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) 89.17 KB
@​sentry/browser (incl. Feedback) 39.93 KB
@​sentry/browser (incl. sendFeedback) 27.42 KB
@​sentry/browser (incl. FeedbackAsync) 32.23 KB
@​sentry/react 25.52 KB
@​sentry/react (incl. Tracing) 38.23 KB
@​sentry/vue 26.92 KB
@​sentry/vue (incl. Tracing) 37.1 KB
@​sentry/svelte 22.91 KB
CDN Bundle 24.13 KB
CDN Bundle (incl. Tracing) 37.05 KB
CDN Bundle (incl. Tracing, Replay) 71.72 KB
CDN Bundle (incl. Tracing, Replay, Feedback) 77.07 KB
CDN Bundle - uncompressed 70.73 KB
CDN Bundle (incl. Tracing) - uncompressed 109.94 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed 222.46 KB
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 235.68 KB
@​sentry/nextjs (client) 38.35 KB
@​sentry/sveltekit (client) 35.85 KB
@​sentry/node 134.33 KB
@​sentry/node - without tracing 96.2 KB
@​sentry/aws-serverless 106.48 KB

v8.38.0

Compare Source

  • docs: Improve docstrings for node otel integrations (#​14217)
  • feat(browser): Add moduleMetadataIntegration lazy loading support (#​13817)
  • feat(core): Add trpc path to context in trpcMiddleware (#​14218)
  • feat(deps): Bump @​opentelemetry/instrumentation-amqplib from 0.42.0 to 0.43.0 (#​14230)
  • feat(deps): Bump @​sentry/cli from 2.37.0 to 2.38.2 (#​14232)
  • feat(node): Add knex integration (#​13526)
  • feat(node): Add tedious integration (#​13486)
  • feat(utils): Single implementation to fetch debug ids (#​14199)
  • fix(browser): Avoid recording long animation frame spans starting before their parent span (#​14186)
  • fix(node): Include debug_meta with ANR events (#​14203)
  • fix(nuxt): Fix dynamic import rollup plugin to work with latest nitro (#​14243)
  • fix(react): Support wildcard routes on React Router 6 (#​14205)
  • fix(spotlight): Export spotlightBrowserIntegration from the main browser package (#​14208)
  • ref(browser): Ensure start time of interaction root and child span is aligned (#​14188)
  • ref(nextjs): Make build-time value injection turbopack compatible (#​14081)

Work in this release was contributed by @​grahamhency, @​Zen-cronic, @​gilisho and @​phuctm97. Thank you for your contributions!

geoalchemy/geoalchemy2 (GeoAlchemy2)

v0.16.0

Compare Source

Azure/azure-sdk-for-python (azure-storage-blob)

v12.24.0

Compare Source

12.24.0 (2024-11-13)

Features Added
  • Stable release of features from 12.24.0b1

gajus/eslint-plugin-jsdoc (eslint-plugin-jsdoc)

v50.6.0

Compare Source

Features
  • lines-before-block: move start-of-block checking behind off-by-default checkBlockStarts option (#​1341) (f9b102d)

v50.5.0

Compare Source

Features
sbrunner/prospector-profile-duplicated (prospector-profile-duplicated)

v1.9.0

Compare Source

1.9.0 (2024-12-03)

New feature

v1.8.1

Compare Source

1.8.1 (2024-12-03)

New feature

Dependency update

v1.8.0

Compare Source

1.8.0 (2024-11-15)

New feature

v1.7.0

Compare Source

1.7.0 (2024-11-14)

New feature

Dependency update

sbrunner/prospector-profile-utils (prospector-profile-utils)

v1.14.1

Compare Source

1.14.1 (2024-12-03)
New feature
  • #​94 Disable Consider possible security implications associated with the s… (@​sbrunner)

v1.14.0

Compare Source

1.14.0 (2024-12-03)
New feature

v1.13.0

Compare Source

1.13.0 (2024-12-02)
Fixed bugs
Dependency update

v1.12.2

Compare Source

1.12.2 (2024-11-18)

New feature

v1.11.1

Compare Source

1.11.1 (2024-11-14)

Fixed bugs

v1.11.0

Compare Source

1.11.0 (2024-11-14)

Fixed bugs


Configuration

📅 Schedule: Branch creation - "after 5pm on the first day of the month" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Update the dependencies label Dec 1, 2024
@renovate renovate bot enabled auto-merge (squash) December 1, 2024 18:59
@renovate renovate bot force-pushed the renovate/master-all-minor-versions branch 5 times, most recently from 3455f93 to 0dc34bd Compare December 2, 2024 16:22
@sbrunner sbrunner force-pushed the renovate/master-all-minor-versions branch 5 times, most recently from 4bda994 to 346178b Compare December 3, 2024 12:00
@@ -324,7 +324,7 @@
@staticmethod
def __encrypt_password_legacy(password: str) -> str:
"""Hash the given password with SHA1."""
return sha1(password.encode("utf8")).hexdigest() # nosec
return sha1(password.encode("utf8")).hexdigest() # noqa: S324
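
Review bot: the changed `return` line in `__encrypt_password_legacy` only swaps the suppression marker (`# nosec` to `# noqa: S324`), so the password is still hashed with unsalted SHA-1 and the finding is silenced rather than addressed. If this method exists only to check already-stored legacy hashes, say so in the docstring and make sure no new password is written through it. Note also that `# nosec` is Bandit's marker, so a Bandit run kept in CI will start reporting this line again once the marker is removed.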

Check failure

Code scanning / CodeQL

Use of a broken or weak cryptographic hashing algorithm on sensitive data High

Sensitive data (password)
is used in a hashing algorithm (SHA1) that is insecure for password hashing, since it is not a computationally expensive hash function.

Copilot Autofix AI 12 days ago

To fix the problem, we need to replace the use of the SHA-1 hashing algorithm in the __encrypt_password_legacy method with a more secure algorithm. Since the __encrypt_password method already uses SHA-512, we can update the legacy method to use the same algorithm. This ensures that all password hashing in the system is done using a secure algorithm.

  • Replace the SHA-1 hashing algorithm in the __encrypt_password_legacy method with SHA-512.
  • Update the import statements to include the necessary modules for SHA-512 if not already present.
Suggested changeset 1
commons/c2cgeoportal_commons/models/static.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/commons/c2cgeoportal_commons/models/static.py b/commons/c2cgeoportal_commons/models/static.py
--- a/commons/c2cgeoportal_commons/models/static.py
+++ b/commons/c2cgeoportal_commons/models/static.py
@@ -325,4 +325,4 @@
     def __encrypt_password_legacy(password: str) -> str:
-        """Hash the given password with SHA1."""
-        return sha1(password.encode("utf8")).hexdigest()  # noqa: S324
+        """Hash the given password with SHA-512."""
+        return crypt.crypt(password, crypt.METHOD_SHA512)
 
EOF
@@ -325,4 +325,4 @@
def __encrypt_password_legacy(password: str) -> str:
"""Hash the given password with SHA1."""
return sha1(password.encode("utf8")).hexdigest() # noqa: S324
"""Hash the given password with SHA-512."""
return crypt.crypt(password, crypt.METHOD_SHA512)
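
Review bot: `crypt.crypt(password, crypt.METHOD_SHA512)` on the new `return` line draws a fresh random salt on every call, so its result can never equal a stored SHA-1 hex digest, or even an earlier output for the same password, which breaks any equality check against what `__encrypt_password_legacy` returned before. The `crypt` module is also deprecated since Python 3.11 and removed in 3.13, and the hunk adds no import for it. Keep the legacy digest for verification only and re-hash on successful login with a salted, computationally expensive KDF instead of changing what this function returns.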

Copilot is powered by AI and may make mistakes. Always verify output.
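
An added example (not code from this pull request or from the project) of the alternative to suppressing the finding or swapping the digest in place: keep the unsalted SHA-1 digest only to verify already-stored hashes, and re-hash with a salted, computationally expensive KDF on the next successful login. The storage format, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumption: work factor, tune to your login latency budget
MAX_ITERATIONS = 10_000_000  # refuse absurd values read back from storage
_LEGACY_SHA1 = re.compile(r"[0-9a-fA-F]{40}")


def legacy_sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest: the legacy format, kept only to check old rows."""
    return hashlib.sha1(password.encode("utf8")).hexdigest()  # noqa: S324


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256 in a self-describing (constructed) storage format."""
    salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, replacement); replacement is a new hash to persist, or None."""
    if stored.startswith("pbkdf2_sha256$"):
        try:
            _, iter_field, salt_hex, derived_hex = stored.split("$")
            iterations = int(iter_field)
            if not 1 <= iterations <= MAX_ITERATIONS:
                raise ValueError("iteration count out of range")
            salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(derived_hex)
            actual = hashlib.pbkdf2_hmac(
                "sha256", password.encode("utf8"), salt, iterations
            )
        except (ValueError, OverflowError):
            return False, None  # malformed record: fail closed
        if not hmac.compare_digest(actual, expected):
            return False, None
        if iterations < PBKDF2_ITERATIONS:
            return True, hash_password(password)  # work factor was raised since
        return True, None
    if _LEGACY_SHA1.fullmatch(stored):
        # Legacy row: constant-time compare, then hand back a strong replacement
        # so the caller can overwrite the SHA-1 digest while it holds the plaintext.
        if hmac.compare_digest(legacy_sha1_hex(password), stored.lower()):
            return True, hash_password(password)
        return False, None
    return False, None


if __name__ == "__main__":
    old_row = legacy_sha1_hex("s3cret-demo")  # constructed sample record
    ok, replacement = verify_password("s3cret-demo", old_row)
    print(ok, replacement)
```

The caller persists `replacement` whenever it is not `None`; rows whose owners never log in again keep the SHA-1 digest and need a forced reset to be fully retired.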
@sbrunner sbrunner force-pushed the renovate/master-all-minor-versions branch from 346178b to bfa0279 Compare December 3, 2024 13:02
@sbrunner sbrunner force-pushed the renovate/master-all-minor-versions branch 5 times, most recently from 7a74e6f to c5e0d9f Compare December 3, 2024 16:10
@renovate renovate bot force-pushed the renovate/master-all-minor-versions branch from c5e0d9f to 5c446f2 Compare December 3, 2024 16:31

renovate bot commented Dec 3, 2024

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@@ -254,7 +214,7 @@
resp = requests.get(
self.project["checker_url"],
headers=self.project.get("checker_headers"),
verify=False, # nosec
verify=False, # noqa: S501
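
Review bot: `verify=False` in the `requests.get` call to `self.project["checker_url"]` stays in place and only the suppression comment changes from `# nosec` to `# noqa: S501`, so the checker request still accepts any server certificate. Prefer leaving `verify` at its default and, for hosts behind a private CA, passing a CA bundle path taken from the project configuration (for example a hypothetical `checker_ca_bundle` key) rather than disabling verification for every project.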

Check failure

Code scanning / SonarCloud

Server certificates should be verified during SSL/TLS connections High

Enable server certificate validation on this SSL/TLS connection. See more on SonarQube Cloud
@sbrunner sbrunner force-pushed the renovate/master-all-minor-versions branch 3 times, most recently from c485c04 to 4469d33 Compare December 4, 2024 13:59
@sbrunner sbrunner force-pushed the renovate/master-all-minor-versions branch 2 times, most recently from 6a6642c to 3aa1763 Compare December 4, 2024 15:56
@sbrunner sbrunner force-pushed the renovate/master-all-minor-versions branch 6 times, most recently from f1c19a7 to 65047cc Compare December 5, 2024 16:17
@sbrunner sbrunner force-pushed the renovate/master-all-minor-versions branch from 65047cc to ddfdc1e Compare December 5, 2024 17:02
@renovate renovate bot merged commit 04c4c6a into master Dec 5, 2024
14 of 17 checks passed
@renovate renovate bot deleted the renovate/master-all-minor-versions branch December 5, 2024 17:50