Sourced from danielpalme/ReportGenerator-GitHub-Action's releases.

5.2.3

#656 Changed handling of files which are not found in source directory

• 7a0988e 5.2.3
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Sourced from ruff's releases.

v0.3.5

Changes

Preview features

• [pylint] Implement modified-iterating-set (E4703) (#10473)
• [refurb] Implement for-loop-set-mutations (FURB142) (#10583)
• [refurb] Implement unnecessary-from-float (FURB164) (#10647)
• [refurb] Implement verbose-decimal-constructor (FURB157) (#10533)

Rule changes

• [flake8-comprehensions] Handled special case for C401 which also matches C416 (#10596)
• [flake8-pyi] Mark unaliased-collections-abc-set-import fix as "safe" for more cases in stub files (PYI025) (#10547)
• [numpy] Add row_stack to NumPy 2.0 migration rule (#10646)
• [pycodestyle] Allow cell magics before an import (E402) (#10545)
• [pycodestyle] Avoid blank line rules for the first logical line in cell (#10291)

Configuration

• Respected nested namespace packages (#10541)
• [flake8-boolean-trap] Add setting for user defined allowed boolean trap (#10531)

Bug fixes

• Correctly handle references in __all__ definitions when renaming symbols in autofixes (#10527)
• Track ranges of names inside __all__ definitions (#10525)
• [flake8-bugbear] Avoid false positive for usage after continue (B031) (#10539)
• [flake8-copyright] Accept commas in default copyright pattern (#9498)
• [flake8-datetimez] Allow f-strings with %z for DTZ007 (#10651)
• [flake8-pytest-style] Fix PT014 autofix for last item in list (#10532)
• [flake8-quotes] Ignore Q000, Q001 when string is inside forward ref (#10585)
• [isort] Always place non-relative imports after relative imports (#10669)
• [isort] Respect Unicode characters in import sorting (#10529)
• [pyflakes] Fix F821 false negatives when from __future__ import annotations is active (attempt 2) (#10524)
• [pyflakes] Make unnecessary-lambda an always-unsafe fix (#10668)
• [pylint] Fixed false-positive on the rule PLW1641 (eq-without-hash) (#10566)
• [ruff] Fix panic in unused # noqa removal with multi-byte space (RUF100) (#10682)

Documentation

• Add PR title format to CONTRIBUTING.md (#10665)
• Fix list markup to include blank lines required (#10591)
• Put flake8-logging next to the other flake8 plugins in registry (#10587)
• [flake8-bandit] Update warning message for rule S305 to address insecure block cipher mode use (#10602)
• [flake8-bugbear] Document use of anonymous assignment in useless-expression (#10551)
• [flake8-datetimez] Clarify error messages and docs for DTZ rules (#10621)
• [pycodestyle] Use same before vs. after numbers for space-around-operator (#10640)
• [ruff] Change quadratic-list-summation docs to use iadd consistently (#10666)

... (truncated)

Sourced from ruff's changelog.

0.3.5

Preview features

• [pylint] Implement modified-iterating-set (E4703) (#10473)
• [refurb] Implement for-loop-set-mutations (FURB142) (#10583)
• [refurb] Implement unnecessary-from-float (FURB164) (#10647)
• [refurb] Implement verbose-decimal-constructor (FURB157) (#10533)

Rule changes

• [flake8-comprehensions] Handled special case for C401 which also matches C416 (#10596)
• [flake8-pyi] Mark unaliased-collections-abc-set-import fix as "safe" for more cases in stub files (PYI025) (#10547)
• [numpy] Add row_stack to NumPy 2.0 migration rule (#10646)
• [pycodestyle] Allow cell magics before an import (E402) (#10545)
• [pycodestyle] Avoid blank line rules for the first logical line in cell (#10291)

Configuration

• Respected nested namespace packages (#10541)
• [flake8-boolean-trap] Add setting for user defined allowed boolean trap (#10531)

Bug fixes

• Correctly handle references in __all__ definitions when renaming symbols in autofixes (#10527)
• Track ranges of names inside __all__ definitions (#10525)
• [flake8-bugbear] Avoid false positive for usage after continue (B031) (#10539)
• [flake8-copyright] Accept commas in default copyright pattern (#9498)
• [flake8-datetimez] Allow f-strings with %z for DTZ007 (#10651)
• [flake8-pytest-style] Fix PT014 autofix for last item in list (#10532)
• [flake8-quotes] Ignore Q000, Q001 when string is inside forward ref (#10585)
• [isort] Always place non-relative imports after relative imports (#10669)
• [isort] Respect Unicode characters in import sorting (#10529)
• [pyflakes] Fix F821 false negatives when from __future__ import annotations is active (attempt 2) (#10524)
• [pyflakes] Make unnecessary-lambda an always-unsafe fix (#10668)
• [pylint] Fixed false-positive on the rule PLW1641 (eq-without-hash) (#10566)
• [ruff] Fix panic in unused # noqa removal with multi-byte space (RUF100) (#10682)

Documentation

• Add PR title format to CONTRIBUTING.md (#10665)
• Fix list markup to include blank lines required (#10591)
• Put flake8-logging next to the other flake8 plugins in registry (#10587)
• [flake8-bandit] Update warning message for rule S305 to address insecure block cipher mode use (#10602)
• [flake8-bugbear] Document use of anonymous assignment in useless-expression (#10551)
• [flake8-datetimez] Clarify error messages and docs for DTZ rules (#10621)
• [pycodestyle] Use same before vs. after numbers for space-around-operator (#10640)
• [ruff] Change quadratic-list-summation docs to use iadd consistently (#10666)

0.3.4

... (truncated)

• 200ebee Bump version to v0.3.5 (#10717)
• 23e8279 chore(deps): update npm development dependencies (#10716)
• 221b323 chore(deps): update strum to 0.26.0 (#10715)
• a0e1544 chore(deps): update rust crate pep440_rs to 0.5.0 (#10703)
• 2740fab Renovate: group all strum dependencies together (#10714)
• 7042b9b fix(deps): update rust crate similar to v2.5.0 (#10711)
• 4047d45 chore(deps): update rust crate insta to v1.38.0 (#10701)
• 20d69ea chore(deps): update npm development dependencies (#10697)
• d021cac chore(deps): update rust crate tracing-tree to 0.3.0 (#10709)
• 46369d4 chore(deps): update rust crate uuid to v1.8.0 (#10710)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Sourced from transformers's releases.

Release v4.39.3

The AWQ issue persisted, and there was a regression reported with beam search and input embeddings.

Changes

• Fix BC for AWQ quant #29965
• generate fix breaking change for patch #29976

Patch release v4.39.2

Series of fixes for backwards compatibility (AutoAWQ and other quantization libraries, imports from trainer_pt_utils) and functionality (LLaMA tokenizer conversion)

• Safe import of LRScheduler #29919
• [BC] Fix BC for other libraries #29934
• [LlamaSlowConverter] Slow to Fast better support #29797

Patch release v4.39.1

Patch release to fix some breaking changes to LLaVA model, fixes/cleanup for Cohere & Gemma and broken doctest

• Correct llava mask & fix missing setter for vocab_size #29389
• [cleanup] vestiges of causal mask #29806
• [SuperPoint] Fix doc example (huggingface/transformers#29816)

Release v4.39.0

v4.39.0

🚨 VRAM consumption 🚨

The Llama, Cohere and the Gemma model both no longer cache the triangular causal mask unless static cache is used. This was reverted by #29753, which fixes the BC issues w.r.t speed , and memory consumption, while still supporting compile and static cache. Small note, fx is not supported for both models, a patch will be brought very soon!

New model addition

Cohere open-source model

Command-R is a generative model optimized for long context tasks such as retrieval augmented generation (RAG) and using external APIs and tools. It is designed to work in concert with Cohere's industry-leading Embed and Rerank models to provide best-in-class integration for RAG applications and excel at enterprise use cases. As a model built for companies to implement at scale, Command-R boasts:

• Strong accuracy on RAG and Tool Use
• Low latency, and high throughput
• Longer 128k context and lower pricing
• Strong capabilities across 10 key languages
• Model weights available on HuggingFace for research and evaluation

• Cohere Model Release by @​saurabhdash2512 in #29622

LLaVA-NeXT (llava v1.6)

Llava next is the next version of Llava, which includes better support for non padded images, improved reasoning, OCR, and world knowledge. LLaVA-NeXT even exceeds Gemini Pro on several benchmarks.

Compared with LLaVA-1.5, LLaVA-NeXT has several improvements:

• Increasing the input image resolution to 4x more pixels. This allows it to grasp more visual details. It supports three aspect ratios, up to 672x672, 336x1344, 1344x336 resolution.
• Better visual reasoning and OCR capability with an improved visual instruction tuning data mixture.
• Better visual conversation for more scenarios, covering different applications.
• Better world knowledge and logical reasoning.
• Along with performance improvements, LLaVA-NeXT maintains the minimalist design and data efficiency of LLaVA-1.5. It re-uses the pretrained connector of LLaVA-1.5, and still uses less than 1M visual instruction tuning samples. The largest 34B variant finishes training in ~1 day with 32 A100s.*

... (truncated)

• 09f9f56 add version 4.39.3
• ac6a350 [generate] fix breaking change for patch (#29976)
• 839c2a1 [BC] Fix BC for AWQ quant (#29965)
• 97c00cd Release: v4.39.2
• e40fe39 [LlamaSlowConverter] Slow to Fast better support (#29797)
• 02b1012 [BC] Fix BC for other libraries (#29934)
• 1b6d501 Safe import of LRScheduler (#29919)
• cbe58b4 Release: v4.39.1
• 056df1d [SuperPoint] Fix doc example (#29816)
• e49ebae [cleanup] vestiges of causal mask (#29806)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Sourced from pytest's releases.

8.2.0

pytest 8.2.0 (2024-04-27)

Deprecations

• #12069: A deprecation warning is now raised when implementations of one of the following hooks request a deprecated py.path.local parameter instead of the pathlib.Path parameter which replaced it:

  • pytest_ignore_collect{.interpreted-text role="hook"} - the path parameter - use collection_path instead.
  • pytest_collect_file{.interpreted-text role="hook"} - the path parameter - use file_path instead.
  • pytest_pycollect_makemodule{.interpreted-text role="hook"} - the path parameter - use module_path instead.
  • pytest_report_header{.interpreted-text role="hook"} - the startdir parameter - use start_path instead.
  • pytest_report_collectionfinish{.interpreted-text role="hook"} - the startdir parameter - use start_path instead.

  The replacement parameters are available since pytest 7.0.0. The old parameters will be removed in pytest 9.0.0.

  See legacy-path-hooks-deprecated{.interpreted-text role="ref"} for more details.

Features

• #11871: Added support for reading command line arguments from a file using the prefix character @, like e.g.: pytest @tests.txt. The file must have one argument per line.

  See Read arguments from file <args-from-file>{.interpreted-text role="ref"} for details.

Improvements

• #11523: pytest.importorskip{.interpreted-text role="func"} will now issue a warning if the module could be found, but raised ImportError{.interpreted-text role="class"} instead of ModuleNotFoundError{.interpreted-text role="class"}.

  The warning can be suppressed by passing exc_type=ImportError to pytest.importorskip{.interpreted-text role="func"}.

  See import-or-skip-import-error{.interpreted-text role="ref"} for details.

• #11728: For unittest-based tests, exceptions during class cleanup (as raised by functions registered with TestCase.addClassCleanup <unittest.TestCase.addClassCleanup>{.interpreted-text role="meth"}) are now reported instead of silently failing.

• #11777: Text is no longer truncated in the short test summary info section when -vv is given.

• #12112: Improved namespace packages detection when consider_namespace_packages{.interpreted-text role="confval"} is enabled, covering more situations (like editable installs).

• #9502: Added PYTEST_VERSION{.interpreted-text role="envvar"} environment variable which is defined at the start of the pytest session and undefined afterwards. It contains the value of pytest.__version__, and among other things can be used to easily check if code is running from within a pytest run.

Bug Fixes

• #12065: Fixed a regression in pytest 8.0.0 where test classes containing setup_method and tests using @staticmethod or @classmethod would crash with AttributeError: 'NoneType' object has no attribute 'setup_method'.

  Now the request.instance <pytest.FixtureRequest.instance>{.interpreted-text role="attr"} attribute of tests using @staticmethod and @classmethod is no longer None, but a fresh instance of the class, like in non-static methods.

... (truncated)

• 6bd3f31 Tweak changelog for 8.2.0
• 9b6219b Prepare release version 8.2.0
• 835765c Merge pull request #12130 from bluetech/fixtures-inline
• 7e7503c unittest: report class cleanup exceptions (#12250)
• 882c4da fixtures: inline fail_fixturefunc
• 2e8fb9f fixtures: extract a _check_fixturedef method
• acf2971 fixtures: inline _getnextfixturedef into _get_active_fixturedef
• 3c77aec fixtures: move "request" check early
• d217d68 fixtures: inline _compute_fixture_value
• 530be28 fixtures: use early return in _get_active_fixturedef
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Sourced from regex's changelog.

Version: 2024.5.15

Git issue 530: hangs with fuzzy and optionals
It's not hanging, it'll finish eventually. It's just an example of catastrophic backtracking.
The error printed when Ctrl+C is pressed does show a bug, though, which is now fixed.

Version: 2024.5.10

Updated for Python 3.13.
<time.h> now needs to be included explicitly because Python.h no longer includes it.

Version: 2024.4.28

Git issue 527: `VERBOSE`/`X` flag breaks `\N` escapes

Version: 2024.4.16

Git issue 525: segfault when fuzzy matching empty list

Version: 2023.12.25

Cannot get release notification action in main.yml to work. Commenting it out for now.

Version: 2023.12.24

Fixed invalid main.yml.

Version: 2023.12.23

The escape function no longer escapes \x00. It's not necessary.
Inline flags can now be turned off and apply to what follows.
Added \R to match line endings.

Version: 2023.10.3

Updated to Unicode 15.1.0.

Version: 2023.8.8

Git issue 508: Regex doesn't build using CPython main (3.13.0a0)
Removed usage of _PyBytes_Join and did a little tidying of the code that makes the result string.

Version: 2023.6.3

Git issue 498: Conditional negative lookahead inside positive lookahead fails to match

... (truncated)

• 8eabb42 Git issue 530: hangs with fuzzy and optionals
• be139ff Updated for Python 3.13.
• 2e3272b Git issue 527: VERBOSE/X flag breaks \N escapes
• 9c950f2 Updated changelog.
• 5d65c8a Git issue 525: segfault when fuzzy matching empty list
• 4f2ed52 Cannot get release notification action in main.yml to work. Commenting it out...
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

• 🟡 General issues: 1 issue found
• 🟡 Security: 1 issue found
• 🟢 Testing: all looks good
• 🟢 Complexity: all looks good

• X
• Mastodon
• LinkedIn
• Facebook

Sourced from transformers's releases.

v4.38: Gemma, Depth Anything, Stable LM; Static Cache, HF Quantizer, AQLM

New model additions

💎 Gemma 💎

Gemma is a new opensource Language Model series from Google AI that comes with a 2B and 7B variant. The release comes with the pre-trained and instruction fine-tuned versions and you can use them via AutoModelForCausalLM, GemmaForCausalLM or pipeline interface!

Read more about it in the Gemma release blogpost: https://hf.co/blog/gemma

from transformers import AutoTokenizer, AutoModelForCausalLM
tokenizer = AutoTokenizer.from_pretrained("google/gemma-2b")
model = AutoModelForCausalLM.from_pretrained("google/gemma-2b", device_map="auto", torch_dtype=torch.float16)
input_text = "Write me a poem about Machine Learning."
input_ids = tokenizer(input_text, return_tensors="pt").to("cuda")
outputs = model.generate(**input_ids)

You can use the model with Flash Attention, SDPA, Static cache and quantization API for further optimizations !

• Flash Attention 2

from transformers import AutoTokenizer, AutoModelForCausalLM
tokenizer = AutoTokenizer.from_pretrained("google/gemma-2b")
model = AutoModelForCausalLM.from_pretrained(
"google/gemma-2b", device_map="auto", torch_dtype=torch.float16, attn_implementation="flash_attention_2"
)
input_text = "Write me a poem about Machine Learning."
input_ids = tokenizer(input_text, return_tensors="pt").to("cuda")
outputs = model.generate(**input_ids)

• bitsandbytes-4bit

from transformers import AutoTokenizer, AutoModelForCausalLM
tokenizer = AutoTokenizer.from_pretrained("google/gemma-2b")
model = AutoModelForCausalLM.from_pretrained(
"google/gemma-2b", device_map="auto", load_in_4bit=True
)
</tr></table>

... (truncated)

• 08ab54a [ gemma] Adds support for Gemma 💎 (#29167)
• 2de9314 [Maskformer] safely get backbone config (#29166)
• 476957b 🚨 Llama: update rope scaling to match static cache changes (#29143)
• 7a4bec6 Release: 4.38.0
• ee3af60 Add support for fine-tuning CLIP-like models using contrastive-image-text exa...
• 0996a10 Revert low cpu mem tie weights (#29135)
• 15cfe38 [Core tokenization] add_dummy_prefix_space option to help with latest is...
• efdd436 FIX [PEFT / Trainer ] Handle better peft + quantized compiled models (#29...
• 5e95dca [cuda kernels] only compile them when initializing (#29133)
• a7755d2 Generate: unset GenerationConfig parameters do not raise warning (#29119)
• Additional commits viewable in compare view

Sourced from dnspython's releases.

dnspython 2.6.1

See What's New for details.

This is a bug fix release for 2.6.0 where the "TuDoor" fix erroneously suppressed legitimate Truncated exceptions. This caused the stub resolver to timeout instead of failing over to TCP when a legitimate truncated response was received over UDP.

This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

dnspython 2.6.0

See What's New for details.

This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

dnspython 2.5.0

See the What's New page for a summary of this release.

Thanks to all the contributors, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

Sourced from dnspython's changelog.

2.6.1

• The Tudoor fix ate legitimate Truncated exceptions, preventing the resolver from failing over to TCP and causing the query to timeout #1053.

2.6.0

• As mentioned in the "TuDoor" paper and the associated CVE-2023-29483, the dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query.

  This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

• Added support for the NSID EDNS option.

• Dnspython now looks for version metadata for optional packages and will not use them if they are too old. This prevents possible exceptions when a feature like DoH is not desired in dnspython, but an old httpx is installed along with dnspython for some other purpose.

• The DoHNameserver class now allows GET to be used instead of the default POST, and also passes source and source_port correctly to the underlying query methods.

2.5.0

• Dnspython now uses hatchling for builds.

• Asynchronous destinationless sockets now work on Windows.

• Cython is no longer supported due to various typing issues.

• Dnspython now explicitly canonicalizes IPv4 and IPv6 addresses. Previously it was possible for non-canonical IPv6 forms to be stored in a AAAA address, which would work correctly but possibly cause problmes if the address were used as a key in a dictionary.

• The number of messages in a section can be retrieved with section_count().

• Truncation preferences for messages can be specified.

• The length of a message can be automatically prepended when rendering.

... (truncated)

• 0a742b9 update CI
• 0ea5ad0 The Tudoor fix should not eat valid Truncated exceptions #1053 (#1054)
• f12d398 2.6.1 version prep
• cecb853 Further improve CVE fix coverage to 100% for sync and async.
• 7952e31 test IgnoreErrors
• e093299 For the Tudoor fix, we also need the UDP nameserver to ignore_unexpected.
• 3af9f78 2.6.0 versioning
• ca63d95 Require cryptography >=41 instead of 42.
• 902cbf3 Create CODE_OF_CONDUCT.md
• ed9795f github contributing and pull request template
• Additional commits viewable in compare view

Sourced from idna's releases.

v3.7

What's Changed

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

• 1d365e1 Release v3.7
• c1b3154 Merge pull request #172 from kjd/optimize-contextj
• 0394ec7 Merge branch 'master' into optimize-contextj
• cd58a23 Merge pull request #152 from elliotwutingfeng/dev
• 5beb28b More efficient resolution of joiner contexts
• 1b12148 Update ossf/scorecard-action to v2.3.1
• d516b87 Update Github actions/checkout to v4
• c095c75 Merge branch 'master' into dev
• 60a0a4c Fix typo in GitHub Actions workflow key
• 5918a0e Merge branch 'master' into dev
• Additional commits viewable in compare view

Sourced from pillow's releases.

10.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html

Changes

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [@​hugovk]
• Use functools.lru_cache for hopper() #7912 [@​hugovk]
• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [@​radarhere]
• Improve speed of loading QOI images #7925 [@​radarhere]
• Added RGB to I;16N conversion #7920 [@​radarhere]
• Add --report argument to main.py to omit supported formats #7818 [@​nulano]
• Added RGB to I;16, I;16L and I;16B conversion #7918 [@​radarhere]
• Fix editable installation with custom build backend and configuration options #7658 [@​nulano]
• Fix putdata() for I;16N on big-endian #7209 [@​Yay295]
• Determine MPO size from markers, not EXIF data #7884 [@​radarhere]
• Improved conversion from RGB to RGBa, LA and La #7888 [@​radarhere]
• Support FITS images with GZIP_1 compression #7894 [@​radarhere]
• Use I;16 mode for 9-bit JPEG 2000 images #7900 [@​scaramallion]
• Raise ValueError if kmeans is negative #7891 [@​radarhere]
• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [@​radarhere]
• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [@​radarhere]
• Added reading of JPEG2000 palettes #7870 [@​radarhere]
• Added alpha_quality argument when saving WebP images #7872 [@​radarhere]
• Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions #7881 [@​radarhere]
• Removed Python and NumPy pinning on Cygwin #7880 [@​radarhere]
• Update UnidentifiedImageError and version imports #7644 [@​radarhere]
• Stop reading EPS image at EOF marker #7753 [@​radarhere]
• PSD layer co-ordinates may be negative #7706 [@​radarhere]
• Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer #7791 [@​radarhere]
• When saving GIF frame that restores to background color, do not fill identical pixels #7788 [@​radarhere]
• Fixed reading PNG iCCP compression method #7823 [@​radarhere]
• Allow writing IFDRational to UNDEFINED tag #7840 [@​radarhere]
• Fix logged tag name when loading Exif data #7842 [@​radarhere]
• Use maximum frame size in IHDR chunk when saving APNG images #7821 [@​radarhere]
• Prevent opening P TGA images without a palette #7797 [@​radarhere]
• Use palette when loading ICO images #7798 [@​radarhere]
• Use consistent arguments for load_read and load_seek #7713 [@​radarhere]
• Turn off nullability warnings for macOS SDK #7827 [@​radarhere]
• Fix shift-sign issue in Convert.c #7838 [@​r-barnes]
• winbuild: Refactor dependency versions into constants #7843 [@​hugovk]
• Build macOS arm64 wheels natively #7852 [@​radarhere]
• Fixed typo #7855 [@​radarhere]
• Open 16-bit grayscale PNGs as I;16 #7849 [@​radarhere]
• Handle truncated chunks at the end of PNG images #7709 [@​lajiyuan]
• Match mask size to pasted image size in GifImagePlugin #7779 [@​radarhere]
• Changed SupportsGetMesh protocol to be public #7841 [@​radarhere]
• Release GIL while calling WebPAnimDecoderGetNext #7782 [@​evanmiller]
• Fixed reading FLI/FLC images with a prefix chunk #7804 [@​twolife]
• Updated package name for Tidelift #7810 [@​radarhere]
• Removed unused code #7744 [@​radarhere]

... (truncated)

Sourced from pillow's changelog.

10.3.0 (2024-04-01)

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [radarhere, hugovk]

• Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() #7927 [radarhere, hugovk]

• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [radarhere]

• Add --report argument to __main__.py to omit supported formats #7818 [nulano, radarhere, hugovk]

• Added RGB to I;16, I;16L, I;16B and I;16N conversion #7918, #7920 [radarhere]

• Fix editable installation with custom build backend and configuration options #7658 [nulano, radarhere]

• Fix putdata() for I;16N on big-endian #7209 [Yay295, hugovk, radarhere]

• Determine MPO size from markers, not EXIF data #7884 [radarhere]

• Improved conversion from RGB to RGBa, LA and La #7888 [radarhere]

• Support FITS images with GZIP_1 compression #7894 [radarhere]

• Use I;16 mode for 9-bit JPEG 2000 images #7900 [scaramallion, radarhere]

• Raise ValueError if kmeans is negative #7891 [radarhere]

• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [radarhere]

• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [radarhere]

• Added reading of JPEG2000 palettes #7870 [radarhere]

• Added alpha_quality argument when saving WebP images #7872 [radarhere]

... (truncated)

• 5c89d88 10.3.0 version bump
• 63cbfcf Update CHANGES.rst [ci skip]
• 2776126 Merge pull request #7928 from python-pillow/lcms
• aeb51cb Merge branch 'main' into lcms
• 5beb0b6 Update CHANGES.rst [ci skip]
• cac6ffa Merge pull request #7927 from python-pillow/imagemath
• f5eeeac Name as 'options' in lambda_eval and unsafe_eval, but '_dict' in deprecated eval
• facf3af Added release notes
• 2a93aba Use strncpy to avoid buffer overflow
• a670597 Update CHANGES.rst [ci skip]
• Additional commits viewable in compare view

Sourced from pymongo's releases.

PyMongo 4.6.2

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-2-released/267404

Sourced from pymongo's changelog.

Changelog

Changes in Version 4.7

PyMongo 4.7 brings a number of improvements including:

• Added the :class:pymongo.hello.Hello.connection_id, :attr:pymongo.monitoring.CommandStartedEvent.server_connection_id, :attr:pymongo.monitoring.CommandSucceededEvent.server_connection_id, and :attr:pymongo.monitoring.CommandFailedEvent.server_connection_id properties.

• Fixed a bug where inflating a :class:~bson.raw_bson.RawBSONDocument containing a :class:~bson.code.Code would cause an error.

• Significantly improved the performance of encoding BSON documents to JSON.

• Support for named KMS providers for client side field level encryption. Previously supported KMS providers were only: aws, azure, gcp, kmip, and local. The KMS provider is now expanded to support name suffixes (e.g. local:myname). Named KMS providers enables more than one of each KMS provider type to be configured. See the docstring for :class:~pymongo.encryption_options.AutoEncryptionOpts. Note that named KMS providers requires pymongocrypt >=1.9 and libmongocrypt >=1.9.

• :meth:~pymongo.encryption.ClientEncryption.encrypt and :meth:~pymongo.encryption.ClientEncryption.encrypt_expression now allow key_id to be passed in as a :class:uuid.UUID.

• Fixed a bug where :class:~bson.int64.Int64 instances could not always be encoded by orjson_. The following now works::

  import orjson from bson import json_util orjson.dumps({'a': Int64(1)}, default=json_util.default, option=orjson.OPT_PASSTHROUGH_SUBCLASS)

.. _orjson: https://github.com/ijl/orjson

• Fixed a bug appearing in Python 3.12 where "RuntimeError: can't create new thread at interpreter shutdown" could be written to stderr when a MongoClient's thread starts as the python interpreter is shutting down.
• Added a warning when connecting to DocumentDB and CosmosDB clusters. For more information regarding feature compatibility and support please visit mongodb.com/supportability/documentdb <https://mongodb.com/supportability/documentdb>_ and mongodb.com/supportability/cosmosdb <https://mongodb.com/supportability/cosmosdb>_.
• Added the :attr:pymongo.monitoring.ConnectionCheckedOutEvent.duration, :attr:pymongo.monitoring.ConnectionCheckOutFailedEvent.duration, and :attr:pymongo.monitoring.ConnectionReadyEvent.duration properties.
• Added the type and kwargs arguments to :class:~pymongo.operations.SearchIndexModel to enable creating vector search indexes in MongoDB Atlas.
• Fixed a bug where read_concern and write_concern were improperly added to :meth:~pymongo.collection.Collection.list_search_indexes queries.

Unavoidable breaking changes ............................

... (truncated)

• 8da192f BUMP 4.6.3
• 56b6b6d PYTHON-4305 Fix bson size check (#1564)
• 449d0f3 BUMP to 4.6.3.dev0
• e04576d DEVPROD-3871 Use teardown_task when there is one function/command (#1533)
• cf1c6a1 PYTHON-4219 Prep for 4.6.2 Release (#1530)
• d29b2b7 PYTHON-4147 [v4.6]: Silence noisy thread.start() RuntimeError at shutdown (#1...
• 0477b9b PYTHON-4077 [v4.6]: Ensure there is a MacOS wheel for Python 3.7 (#1527)
• ecad17d BUMP 4.6.2.dev0
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from google-generativeai's releases.

v0.4.1 - Bugfix

Bugfix

• The send_message_async method should call the asynchronous method generate_content_async by @​xnny in google/generative-ai-python#229

Docs

• Fix wrong arg name in README by @​lll-lll-lll-lll in google/generative-ai-python#228

New Contributors

• @​lll-lll-lll-lll made their first contribution in google/generative-ai-python#228
• @​xnny made their first contribution in google/generative-ai-python#229

Full Changelog: google-gemini/generative-ai-python@v0.4.0...v0.4.1

v0.4.0

What's new

Features

• Update notebook magics to work with Gemini by @​markmcd in google/generative-ai-python#109
• Semantic retriever by @​shilpakancharla in google/generative-ai-python#168
• Attributed question answering (genai.generate_answer) by @​shilpakancharla in google/generative-ai-python#169
• Automatic function calling. by @​MarkDaoust in google/generative-ai-python#201

   model = genai.GenerativeModel(..., tools=[my_function])
   chat = model.start_chat(enable_automatic_function_calling=True)
  

• Request options (timeouts, retry, ...) by @​aidoskanapyanov in google/generative-ai-python#204

  Model.generate_content(..., 
      request_options={'timeout': 100, 'retry': google.api_core.retry.Retry()})
  

• Permissions module by @​mayureshagashe2105 in google/generative-ai-python#205

More updates

• Lock google-auth version to fix #114 by @​yihong0618 in google/generative-ai-python#115
• Update code in README.md and generate_content documentation by @​Hamza-nabil in google/generative-ai-python#149
• Make error message more readable by @​ftnext in google/generative-ai-python#163
• Python 3.12 support. by @​MarkDaoust in google/generative-ai-python#165
• Rename model defaults to use gemini-pro by @​markmcd in google/generative-ai-python#175
• Add a more explicit error when no parts are returned by @​markmcd in google/generative-ai-python#180
• Add embed_content_async implementation by @​mayureshagashe2105 in google/generative-ai-python#189
• Link embed_content reference page to model details page by @​kaycebasques in google/generative-ai-python#194
• Implement __repr__ for GenerateContentResponse and ChatSession by @​aidoskanapyanov in google/generative-ai-python#202
• Fixed #166. Thanks @​piresramon. by @​MarkDaoust in google/generative-ai-python#208

New Contributors

... (truncated)

• 3704fa8 Update version (#237)
• 84b1a3e The send_message_async method should call the asynchronous method generate_co...
• 4f1ea10 fix: sample code (#228)
• 69cb0ea Update README.md (#217)
• 9ce53e0 Update version to 0.4.0 (#222)
• d894807 Automatic function calling. (#201)
• b28f2d1 Remove init, PEP420PackageFinder handles this + it's breaking local dev insta...
• 607ca14 Fixes #166. Thanks @​piresramon. (#208)
• c3c90f8 Add ability to configure timeouts (#204)
• bcec1b5 Match docs (#197)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

• 🟡 General issues: 15 issues found
• 🟢 Security: all looks good
• 🟢 Testing: all looks good
• 🟢 Complexity: all looks good

• X
• Mastodon
• LinkedIn
• Facebook

Sourced from openapi-core's releases.

0.19.0

This version focuses on OpenAPI app and support for binary requests and responses.

Features

• FastAPI integration #738
• Mimetype parameters (i.e. charset) handling #678
• Parameter deserializers renamed to Style deserializers #676
• Unmarshalling processor enhancement #625
  • Option to skip response validation in Django, Falcon and Flask integrations #667
• use explicit arguments (instead of kwargs) in Spec.from_dict and add short note in documentation how to use base_url for Spec.from_dict
• Parameter and header get value refactor #677
• Python 3.12 support #684
• Bump openapi-spec-validator from 0.6.0 to 0.7.0 #685
  • Use openapi-spec-validator spec version finder #691
• Move to SchemaPath from jsonschema-path package #690
• Specification validation as part of shortcuts #686
• Style deserializing reimplementation with support for all styles #694
• Media type encoding support #646
• Replace mimetype with content_type to include content parameters #699
• Suport for primitive properties casting of urlencoded objects. #701
• Request response binary format support #710
• Starlette middleware #680
• OpenAPI app and high level integration #716

Bug fixes

• aiohttp request host_url include scheme #673
• aiohttp response body check none #674
• Validate empty request body fix #713
• Path finder returns default server #648
• OpenAPI config passed to validators and unmarshallers fix #779
• milti types schema format unmarshal fix #562

Deprecations

• Spec class is deprecated. Use SchemaPath from jsonschema-path package.

Breaking changes

• request_class/response_class renamed to request_cls/response_cls in unmarshalling processors (Django, Falcon and Flask integrations) #667
• ParameterDeserializersFactory renamed to StyleDeserializersFactory #676
• Specification validation is no longer part of Spec object creation and moved to be part of OpenAPI object creation. #686 #716
• Request and Response protocols' mimetype attribute replaced with content_type #699
• Request protocol's body attribute returns bytes instead of str #710
• Response protocol's data attribute returns bytes instead of str #710
• Unmarshalling no longer raises FormatUnmarshalError

0.19.0a2

This version focuses on OpenAPI app and support for binary requests and responses.

Bug fixes

• Path finder returns default server #648
• OpenAPI config passed to validators and unmarshallers fix #779

... (truncated)

• 46d94e9 Version 0.19.0
• 3221983 FastAPI docs formatting fix
• fcddf6b Merge pull request #738 from python-openapi/feature/fastapi-integration
• 383d097 Merge pull request #783 from python-openapi/dependabot/pip/jsonschema-4.21.1
• 38e67d3 Merge pull request #784 from python-openapi/dependabot/pip/black-24.2.0
• f732b16 Merge pull request #785 from python-openapi/dependabot/pip/parse-1.20.1
• 9d31ee8 Merge pull request #786 from python-openapi/dependabot/pip/python-multipart-0...
• 89836a0 Bump python-multipart from 0.0.6 to 0.0.9
• dab8ff9 Bump parse from 1.20.0 to 1.20.1
• 80befca Bump black from 24.1.1 to 24.2.0
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)