• 1

  Redirection error

  1. On the profile page , once we wish to discard our changes the url we are redirected to is http://127.0.0.1:5000/username/profile/ instead of https://mindspace.cf/username/profile/

  2. This issue also exists when I wish to discard my blog.

  

• 2

  Images for blogs

  Images for blogs 1] 1 blog can have only 1 image 2] By default there would be an image for blogs which dont have any images attached by the user 3] Will add multiple images for blogs feature later 4] Images can be updated later after posting the blog 5] CRUD Operations for images

• 3

  Multi-User Authentication

  1] Multiple users can signin and signout 2] Users can view each others profiles 3] Can be done using global variables in flask 4] Going to another users profile shouldn't affect the current users profile 5] session data should be timed and logged out after 3 hrs of inactivity

• 4

  Bump scrapy from 2.6.0 to 2.6.3

  Bumps scrapy from 2.6.0 to 2.6.3.

  Release notes

  Sourced from scrapy's releases.

  2.6.3

  Makes pip install Scrapy work again.

  It required making changes to support pyOpenSSL 22.1.0. We had to drop support for SSLv3 as a result.

  We also upgraded the minimum versions of some dependencies.

  See the changelog.

  2.6.2

  Fixes a security issue around HTTP proxy usage, and addresses a few regressions introduced in Scrapy 2.6.0.

  See the changelog.

  2.6.1

  Fixes a regression introduced in 2.6.0 that would unset the request method when following redirects.

  Changelog

  Sourced from scrapy's changelog.

  Scrapy 2.6.3 (2022-09-27)

  • Added support for pyOpenSSL_ 22.1.0, removing support for SSLv3 (:issue:5634, :issue:5635, :issue:5636).

  • Upgraded the minimum versions of the following dependencies:

    • cryptography_: 2.0 → 3.3

    • pyOpenSSL_: 16.2.0 → 21.0.0

    • service_identity_: 16.0.0 → 18.1.0

    • Twisted_: 17.9.0 → 18.9.0

    • zope.interface_: 4.1.3 → 5.0.0

    (:issue:5621, :issue:5632)

  • Fixes test and documentation issues (:issue:5612, :issue:5617, :issue:5631).

  .. _release-2.6.2:

  Scrapy 2.6.2 (2022-07-25)

  Security bug fix:

  • When :class:~scrapy.downloadermiddlewares.httpproxy.HttpProxyMiddleware processes a request with :reqmeta:proxy metadata, and that :reqmeta:proxy metadata includes proxy credentials, :class:~scrapy.downloadermiddlewares.httpproxy.HttpProxyMiddleware sets the Proxy-Authentication header, but only if that header is not already set.

    There are third-party proxy-rotation downloader middlewares that set different :reqmeta:proxy metadata every time they process a request.

    Because of request retries and redirects, the same request can be processed by downloader middlewares more than once, including both :class:~scrapy.downloadermiddlewares.httpproxy.HttpProxyMiddleware and any third-party proxy-rotation downloader middleware.

    These third-party proxy-rotation downloader middlewares could change the :reqmeta:proxy metadata of a request to a new value, but fail to remove the Proxy-Authentication header from the previous value of the :reqmeta:proxy metadata, causing the credentials of one proxy to be sent

  ... (truncated)

  Commits

  • 4dc8e77 Bump version: 2.6.2 → 2.6.3
  • fa5945b 2.6.3: set a release date
  • e5ed046 Merge pull request #5637 from Gallaecio/support-latest-openssl
  • aec2d3a 2.6.3: update the release notes
  • fcc224f tox.ini cleanup
  • b00f312 Limit minium versions of mitmproxy
  • d3f82aa Merge pull request #5617 from Laerte/fix/tests-w3lib
  • efc11b3 zope.interface: 4.4.2 → 5.0.0 (setuptools #2017)
  • edd7cfe Update test-standard link in contributing docs (#5631)
  • 9f443e8 zope.interface: 4.1.3 → 4.4.2
  • Additional commits viewable in compare view

  
  

  

  Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

  ---

  Dependabot commands and options

  
  

  You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

  You can disable automated security fix PRs for this repo from the Security Alerts page.

• 5

  Bump joblib from 1.0.1 to 1.2.0

  Bumps joblib from 1.0.1 to 1.2.0.

  Changelog

  Sourced from joblib's changelog.

  Release 1.2.0

  • Fix a security issue where eval(pre_dispatch) could potentially run arbitrary code. Now only basic numerics are supported. joblib/joblib#1327

  • Make sure that joblib works even when multiprocessing is not available, for instance with Pyodide joblib/joblib#1256

  • Avoid unnecessary warnings when workers and main process delete the temporary memmap folder contents concurrently. joblib/joblib#1263

  • Fix memory alignment bug for pickles containing numpy arrays. This is especially important when loading the pickle with mmap_mode != None as the resulting numpy.memmap object would not be able to correct the misalignment without performing a memory copy. This bug would cause invalid computation and segmentation faults with native code that would directly access the underlying data buffer of a numpy array, for instance C/C++/Cython code compiled with older GCC versions or some old OpenBLAS written in platform specific assembly. joblib/joblib#1254

  • Vendor cloudpickle 2.2.0 which adds support for PyPy 3.8+.

  • Vendor loky 3.3.0 which fixes several bugs including:

    • robustly forcibly terminating worker processes in case of a crash (joblib/joblib#1269);

    • avoiding leaking worker processes in case of nested loky parallel calls;

    • reliability spawn the correct number of reusable workers.

  Release 1.1.0

  • Fix byte order inconsistency issue during deserialization using joblib.load in cross-endian environment: the numpy arrays are now always loaded to use the system byte order, independently of the byte order of the system that serialized the pickle. joblib/joblib#1181

  • Fix joblib.Memory bug with the ignore parameter when the cached function is a decorated function.

  ... (truncated)

  Commits

  • 5991350 Release 1.2.0
  • 3fa2188 MAINT cleanup numpy warnings related to np.matrix in tests (#1340)
  • cea26ff CI test the future loky-3.3.0 branch (#1338)
  • 8aca6f4 MAINT: remove pytest.warns(None) warnings in pytest 7 (#1264)
  • 067ed4f XFAIL test_child_raises_parent_exits_cleanly with multiprocessing (#1339)
  • ac4ebd5 MAINT add back pytest warnings plugin (#1337)
  • a23427d Test child raises parent exits cleanly more reliable on macos (#1335)
  • ac09691 [MAINT] various test updates (#1334)
  • 4a314b1 Vendor loky 3.2.0 (#1333)
  • bdf47e9 Make test_parallel_with_interactively_defined_functions_default_backend timeo...
  • Additional commits viewable in compare view

  
  

  

  Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

  ---

  Dependabot commands and options

  
  

  You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

  You can disable automated security fix PRs for this repo from the Security Alerts page.

• 6

  Bump numpy from 1.21.0 to 1.22.0

  Bumps numpy from 1.21.0 to 1.22.0.

  Release notes

  Sourced from numpy's releases.

  v1.22.0

  NumPy 1.22.0 Release Notes

  NumPy 1.22.0 is a big release featuring the work of 153 contributors spread over 609 pull requests. There have been many improvements, highlights are:

  • Annotations of the main namespace are essentially complete. Upstream is a moving target, so there will likely be further improvements, but the major work is done. This is probably the most user visible enhancement in this release.
  • A preliminary version of the proposed Array-API is provided. This is a step in creating a standard collection of functions that can be used across application such as CuPy and JAX.
  • NumPy now has a DLPack backend. DLPack provides a common interchange format for array (tensor) data.
  • New methods for quantile, percentile, and related functions. The new methods provide a complete set of the methods commonly found in the literature.
  • A new configurable allocator for use by downstream projects.

  These are in addition to the ongoing work to provide SIMD support for commonly used functions, improvements to F2PY, and better documentation.

  The Python versions supported in this release are 3.8-3.10, Python 3.7 has been dropped. Note that 32 bit wheels are only provided for Python 3.8 and 3.9 on Windows, all other wheels are 64 bits on account of Ubuntu, Fedora, and other Linux distributions dropping 32 bit support. All 64 bit wheels are also linked with 64 bit integer OpenBLAS, which should fix the occasional problems encountered by folks using truly huge arrays.

  Expired deprecations

  Deprecated numeric style dtype strings have been removed

  Using the strings "Bytes0", "Datetime64", "Str0", "Uint32", and "Uint64" as a dtype will now raise a TypeError.

  (gh-19539)

  Expired deprecations for loads, ndfromtxt, and mafromtxt in npyio

  numpy.loads was deprecated in v1.15, with the recommendation that users use pickle.loads instead. ndfromtxt and mafromtxt were both deprecated in v1.17 - users should use numpy.genfromtxt instead with the appropriate value for the usemask parameter.

  (gh-19615)

  ... (truncated)

  Commits

  • 4adc87d Merge pull request #20685 from charris/prepare-for-1.22.0-release
  • fd66547 REL: Prepare for the NumPy 1.22.0 release.
  • 125304b wip
  • c283859 Merge pull request #20682 from charris/backport-20416
  • 5399c03 Merge pull request #20681 from charris/backport-20954
  • f9c45f8 Merge pull request #20680 from charris/backport-20663
  • 794b36f Update armccompiler.py
  • d93b14e Update test_public_api.py
  • 7662c07 Update init.py
  • 311ab52 Update armccompiler.py
  • Additional commits viewable in compare view

  
  

  

  Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

  ---

  Dependabot commands and options

  
  

  You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

  You can disable automated security fix PRs for this repo from the Security Alerts page.

• 7

  Bump twisted from 22.2.0 to 22.4.0

  Bumps twisted from 22.2.0 to 22.4.0.

  Release notes

  Sourced from twisted's releases.

  Twisted 22.4.0 (2022-04-11)

  Features

  • twisted.python.failure.Failure tracebacks now capture module information, improving compatibility with the Raven Sentry client. (#7796)
  • twisted.python.failure.Failure objects are now compatible with dis.distb, improving compatibility with post-mortem debuggers. (#9599)

  Bugfixes

  • twisted.internet.interfaces.IReactorSSL.listenSSL now has correct type annotations. (#10274)
  • twisted.internet.test.test_glibbase.GlibReactorBaseTests now passes. (#10317)

  Conch

  Features

  
  - twisted.conch.ssh now supports using RSA keys with SHA-2 signatures (RFC 8332) when acting as a server.  The rsa-sha2-512 and rsa-sha2-256 public key signature algorithms are automatically preferred over ssh-rsa if the client advertises support for them; the actual public keys do not need to change. ([#9765](https://github.com/twisted/twisted/issues/9765))
  - twisted.conch.ssh now has an alternative Ed25519 implementation using PyNaCl, in order to support platforms that lack OpenSSL >= 1.1.1b.  The new "conch_nacl" extra has the necessary dependency. ([#10208](https://github.com/twisted/twisted/issues/10208))
  Misc
  
  -  ([#10313](https://github.com/twisted/twisted/issues/10313))
  Web
  Features
  </code></pre>
  <ul>
  <li>Twisted is now compatible with h2 4.x.x. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/10182">#10182</a>)</li>
  </ul>
  <p>Bugfixes</p>
  <pre><code>
  
  twisted.web.http had several several defects in HTTP request parsing that could permit HTTP request smuggling. It now disallows signed Content-Length headers, forbids illegal characters in chunked extensions, forbids a 0x prefix to chunk lengths, and only strips spaces and horizontal tab characters from header values. These changes address CVE-2022-24801 and GHSA-c2jg-hw38-jrqq. (#10323)
  
  Mail
  &lt;/tr&gt;&lt;/table&gt;
  </code></pre>
  </blockquote>
  <p>... (truncated)</p>
  </details>
  <details>
  <summary>Changelog</summary>
  <p><em>Sourced from <a href="https://github.com/twisted/twisted/blob/trunk/NEWS.rst">twisted's changelog</a>.</em></p>
  <blockquote>
  <h1>Twisted 22.4.0 (2022-04-11)</h1>
  <h2>Features</h2>
  <ul>
  <li>twisted.python.failure.Failure tracebacks now capture module information, improving compatibility with the Raven Sentry client. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/7796">#7796</a>)</li>
  <li>twisted.python.failure.Failure objects are now compatible with dis.distb, improving compatibility with post-mortem debuggers. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/9599">#9599</a>)</li>
  </ul>
  <h2>Bugfixes</h2>
  <ul>
  <li>twisted.internet.interfaces.IReactorSSL.listenSSL now has correct type annotations. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/10274">#10274</a>)</li>
  <li>twisted.internet.test.test_glibbase.GlibReactorBaseTests now passes. (<a href="https://github-redirect.dependabot.com/twisted/twisted/issues/10317">#10317</a>)</li>
  </ul>
  <h2>Conch</h2>
  <p>Features</p>
  <pre><code>
  
  twisted.conch.ssh now supports using RSA keys with SHA-2 signatures (RFC 8332) when acting as a server.  The rsa-sha2-512 and rsa-sha2-256 public key signature algorithms are automatically preferred over ssh-rsa if the client advertises support for them; the actual public keys do not need to change. (#9765)
  twisted.conch.ssh now has an alternative Ed25519 implementation using PyNaCl, in order to support platforms that lack OpenSSL &gt;= 1.1.1b.  The new &quot;conch_nacl&quot; extra has the necessary dependency. (#10208)
  
  Misc
  
  
  (#10313)
  
  Web
  Features
  

  • Twisted is now compatible with h2 4.x.x. (#10182)

  Bugfixes

  
  - twisted.web.http had several several defects in HTTP request parsing that could permit HTTP request smuggling. It now disallows signed Content-Length headers, forbids illegal characters in chunked extensions, forbids a ``0x`` prefix to chunk lengths, and only strips spaces and horizontal tab characters from header values. These changes address CVE-2022-24801 and GHSA-c2jg-hw38-jrqq. ([#10323](https://github.com/twisted/twisted/issues/10323))
  Mail
  </tr></table>
  

  ... (truncated)

  Commits

  • ed86633 Mark as misc.
  • c894617 Update format for release notes item.
  • 5c5c046 Revert coverage reporting changes.
  • 682f2c3 Manual fix the news.
  • dd98e9c python -m incremental.update Twisted --newversion 22.4.0
  • 3eabae5 Fix coverage reporting as codecov v1 was removed.
  • a265267 Update after review.
  • efac92c tox -e towncrier
  • 5ece2d4 python -m incremental.update Twisted --rc
  • 592217e Merge pull request from GHSA-c2jg-hw38-jrqq
  • Additional commits viewable in compare view

  
  

  

  Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

  ---

  Dependabot commands and options

  
  

  You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

  You can disable automated security fix PRs for this repo from the Security Alerts page.

• 8

  Bump twisted from 22.1.0 to 22.2.0

  Bumps twisted from 22.1.0 to 22.2.0.

  Release notes

  Sourced from twisted's releases.

  Twisted 22.2.0 (2022-03-01)

  Bugfixes

  • twisted.internet.gireactor.PortableGIReactor.simulate and twisted.internet.gtk2reactor.PortableGtkReactor.simulate no longer raises TypeError when there are no delayed called. This was a regression introduced with the migration to Python 3 in which the builtin min function no longer accepts None as an argument. (#9660)
  • twisted.conch.ssh.transport.SSHTransportBase now disconnects the remote peer if the SSH version string is not sent in the first 4096 bytes. (#10284, CVE-2022-21716, GHSA-rv6r-3f5q-9rgx)

  Improved Documentation

  • Add type annotations for twisted.web.http.Request.getHeader. (#10270)

  Deprecations and Removals

  • Support for Python 3.6, which is EoL as of 2021-09-04, has been deprecated. (#10303)

  Misc

  • #10216, #10299, #10300

  Conch

  Misc

  
  - [#10298](https://github.com/twisted/twisted/issues/10298)
  Web
  No significant changes.
  Mail
  No significant changes.
  </tr></table>
  

  ... (truncated)

  Changelog

  Sourced from twisted's changelog.

  Twisted 22.2.0 (2022-03-01)

  Bugfixes

  • twisted.internet.gireactor.PortableGIReactor.simulate and twisted.internet.gtk2reactor.PortableGtkReactor.simulate no longer raises TypeError when there are no delayed called. This was a regression introduced with the migration to Python 3 in which the builtin min function no longer accepts None as an argument. (#9660)
  • twisted.conch.ssh.transport.SSHTransportBase now disconnects the remote peer if the SSH version string is not sent in the first 4096 bytes. (#10284, CVE-2022-21716, GHSA-rv6r-3f5q-9rgx)

  Improved Documentation

  • Add type annotations for twisted.web.http.Request.getHeader. (#10270)

  Deprecations and Removals

  • Support for Python 3.6, which is EoL as of 2021-09-04, has been deprecated. (#10303)

  Misc

  • #10216, #10299, #10300

  Conch

  Misc

  
  - [#10298](https://github.com/twisted/twisted/issues/10298)
  Web
  No significant changes.
  Mail
  No significant changes.
  </tr></table>
  

  ... (truncated)

  Commits

  • 89c395e Update the release date.
  • 2b2af4d python -m incremental.update Twisted --newversion 22.2.0
  • 5246003 Apply suggestions from code review from twm.
  • 766bcd3 tox -e towncrier
  • 7cbf195 python -m incremental.update Twisted --rc
  • 98387b3 Merge pull request from GHSA-rv6r-3f5q-9rgx
  • a4523b4 Fix typo.
  • a6849d4 Merge pull request #1693 from twisted/10303-deprecate-py36
  • bce8e81 Merge branch 'trunk' into 10303-deprecate-py36
  • 9045ef7 Merge pull request #1679 from doadin/patch-3
  • Additional commits viewable in compare view

  
  

  

  Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

  ---

  Dependabot commands and options

  
  

  You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

  You can disable automated security fix PRs for this repo from the Security Alerts page.

• 9

  Bump scrapy from 2.5.1 to 2.6.0

  Bumps scrapy from 2.5.1 to 2.6.0.

  Release notes

  Sourced from scrapy's releases.

  2.6.0

  • Security fixes for cookie handling (see details below)
  • Python 3.10 support
  • asyncio support is no longer considered experimental, and works out-of-the-box on Windows regardless of your Python version
  • Feed exports now support pathlib.Path output paths and per-feed item filtering and post-processing

  See the full changelog

  Security bug fixes

  • When a Request object with cookies defined gets a redirect response causing a new Request object to be scheduled, the cookies defined in the original Request object are no longer copied into the new Request object.

    If you manually set the Cookie header on a Request object and the domain name of the redirect URL is not an exact match for the domain of the URL of the original Request object, your Cookie header is now dropped from the new Request object.

    The old behavior could be exploited by an attacker to gain access to your cookies. Please, see the cjvr-mfj7-j4j8 security advisory for more information.

    Note: It is still possible to enable the sharing of cookies between different domains with a shared domain suffix (e.g. example.com and any subdomain) by defining the shared domain suffix (e.g. example.com) as the cookie domain when defining your cookies. See the documentation of the Request class for more information.

  • When the domain of a cookie, either received in the Set-Cookie header of a response or defined in a Request object, is set to a public suffix <https://publicsuffix.org/>_, the cookie is now ignored unless the cookie domain is the same as the request domain.

    The old behavior could be exploited by an attacker to inject cookies from a controlled domain into your cookiejar that could be sent to other domains not controlled by the attacker. Please, see the mfjm-vh54-3f96 security advisory for more information.

  Changelog

  Sourced from scrapy's changelog.

  Scrapy 2.6.0 (2022-03-01)

  Highlights:

  • :ref:Security fixes for cookie handling <2.6-security-fixes>

  • Python 3.10 support

  • :ref:asyncio support <using-asyncio> is no longer considered experimental, and works out-of-the-box on Windows regardless of your Python version

  • Feed exports now support :class:pathlib.Path output paths and per-feed :ref:item filtering <item-filter> and :ref:post-processing <post-processing>

  .. _2.6-security-fixes:

  Security bug fixes

  
  -   When a :class:`~scrapy.http.Request` object with cookies defined gets a
      redirect response causing a new :class:`~scrapy.http.Request` object to be
      scheduled, the cookies defined in the original
      :class:`~scrapy.http.Request` object are no longer copied into the new
      :class:`~scrapy.http.Request` object.
  If you manually set the ``Cookie`` header on a
  :class:`~scrapy.http.Request` object and the domain name of the redirect
  URL is not an exact match for the domain of the URL of the original
  :class:`~scrapy.http.Request` object, your ``Cookie`` header is now dropped
  from the new :class:`~scrapy.http.Request` object.
  The old behavior could be exploited by an attacker to gain access to your
  cookies. Please, see the cjvr-mfj7-j4j8 security advisory_ for more
  information.
  .. _cjvr-mfj7-j4j8 security advisory: https://github.com/scrapy/scrapy/security/advisories/GHSA-cjvr-mfj7-j4j8
  .. note:: It is still possible to enable the sharing of cookies between
  different domains with a shared domain suffix (e.g.
  example.com and any subdomain) by defining the shared domain
  suffix (e.g. example.com) as the cookie domain when defining
  your cookies. See the documentation of the
  :class:~scrapy.http.Request class for more information.
  
  
  When the domain of a cookie, either received in the Set-Cookie header
  of a response or defined in a :class:~scrapy.http.Request object, is set
  to a public suffix <https://publicsuffix.org/>_, the cookie is now
  </tr></table>
  

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.