Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency idna to v3.7 [security] #1301

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

plural-renovate[bot]
Copy link
Contributor

@plural-renovate plural-renovate bot commented Apr 12, 2024

This PR contains the following updates:

Package Update Change
idna (changelog) minor ==3.4 -> ==3.7

GitHub Vulnerability Alerts

CVE-2024-3651

Impact

A specially crafted argument to the idna.encode() function could consume significant resources. This may lead to a denial-of-service.

Patches

The function has been refined to reject such strings without the associated resource consumption in version 3.7.

Workarounds

Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the idna.encode() function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.

References


Release Notes

kjd/idna (idna)

v3.7

Compare Source

What's Changed

  • Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

v3.6

Compare Source

v3.5

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@plural-renovate plural-renovate bot added the dependencies Pull requests that update a dependency file label Apr 12, 2024
Copy link

stoat-app bot commented Apr 12, 2024

Easy and customizable dashboards for your build system. Learn more about Stoat ↗︎

Static Hosting

Name Link Commit Status
api-coverage Visit ce02baf
rtc-coverage Visit ce02baf
core-coverage Visit ce02baf
cron-coverage Visit ce02baf
email-coverage Visit ce02baf
worker-coverage Visit ce02baf
api-test-results Visit ce02baf
graphql-coverage Visit ce02baf
rtc-test-results Visit ce02baf
core-test-results Visit ce02baf
cron-test-results Visit ce02baf
email-test-results Visit ce02baf
worker-test-results Visit ce02baf
graphql-test-results Visit ce02baf

Job Runtime

job runtime chart

debug

@plural-renovate plural-renovate bot force-pushed the renovate/pypi-idna-vulnerability branch 2 times, most recently from 75244a2 to 7c2e820 Compare May 7, 2024 21:43
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-idna-vulnerability branch from 7c2e820 to e7b1585 Compare May 10, 2024 23:05
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-idna-vulnerability branch from e7b1585 to 80ab792 Compare June 5, 2024 16:51
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-idna-vulnerability branch 4 times, most recently from 9717340 to 781f806 Compare June 24, 2024 22:11
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-idna-vulnerability branch 2 times, most recently from c063302 to ad27573 Compare July 3, 2024 16:01
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-idna-vulnerability branch from ad27573 to ce02baf Compare July 4, 2024 00:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants