Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump packageurl-python from 0.15.4 to 0.15.6 #10633

Merged
merged 1 commit into from
Jul 25, 2024
Merged

Bump packageurl-python from 0.15.4 to 0.15.6 #10633

merged 1 commit into from
Jul 25, 2024

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jul 25, 2024

Bumps packageurl-python from 0.15.4 to 0.15.6.

Changelog

Sourced from packageurl-python's changelog.

0.15.6 (2024-07-25)

  • Refine support for GitHub /archive/refs/tags/ URLs in url2purl. The whole tag is now captured as the version. This allows to properly reconstruct valid URLs in purl2url.

0.15.5 (2024-07-24)

  • Capture the whole git tag as the version for GutHub URL in url2purl instead of adding a version_prefix qualifier. Note that the version_prefix qualifier is still supported in purl2url for backward compatibility. package-url/packageurl-python#159
Commits
  • 14a11b5 Bump version for 0.15.6 release
  • 81f50eb Forcing macos-13 as Python3.7 is not supported on macos-latest #160 (#162)
  • dee2720 Refine support for GitHub /archive/refs/tags/ URLs in url2purl (#161)
  • fc0f1a0 Bump version for 0.15.5 release
  • dd33e2d Capture the whole git tag as the version for GutHub URL in url2purl (#159)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump packageurl-python from 0.15.4 to 0.15.6
9eb70ed 
Bumps [packageurl-python](https://github.com/package-url/packageurl-python) from 0.15.4 to 0.15.6.
- [Release notes](https://github.com/package-url/packageurl-python/releases)
- [Changelog](https://github.com/package-url/packageurl-python/blob/main/CHANGELOG.rst)
- [Commits](package-url/packageurl-python@v0.15.4...v0.15.6)

---
updated-dependencies:
- dependency-name: packageurl-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jul 25, 2024
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Jul 25, 2024
edited
Loading

DryRun Security Summary

The pull request primarily updates the dependency versions listed in the requirements.txt file, with the most notable change being the update of the packageurl-python library from version 0.15.4 to 0.15.6, which is used for generating and parsing Package URLs (pURLs), and the rest of the changes involve updates to various Python libraries and frameworks used in the DefectDojo application.

Expand for full summary

Summary:

The changes made in this pull request primarily involve updating the dependency versions listed in the requirements.txt file. The most notable change is the update of the packageurl-python library from version 0.15.4 to 0.15.6. This library is used for generating and parsing Package URLs (pURLs), which are a standardized way of identifying software packages.

From an application security perspective, these updates are generally routine maintenance changes and do not raise any immediate security concerns. Version updates to dependency libraries often include bug fixes, performance improvements, or support for new package types, and unless the changelog or release notes indicate a specific security-related fix, these updates are typically not a cause for significant security review.

The rest of the changes in the requirements.txt file appear to be updates to various Python libraries and frameworks used in the DefectDojo application, such as Django, Celery, and various utility libraries. These types of updates are common in software projects and may include bug fixes, feature enhancements, or security improvements. As a general best practice, it's always a good idea to review the changelogs or release notes for any security-related fixes when updating dependencies, especially for libraries that handle sensitive data or are directly exposed to user input.

Files Changed:

  • requirements.txt: This file has been updated to include a new version of the packageurl-python library (from 0.15.4 to 0.15.6), as well as various other dependency updates for Python libraries and frameworks used in the DefectDojo application.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

mtesauro
mtesauro approved these changes Jul 25, 2024
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@mtesauro mtesauro merged commit 88409c6 into dev Jul 25, 2024
126 checks passed
@dependabot dependabot bot deleted the dependabot/pip/dev/packageurl-python-0.15.6 branch July 25, 2024 17:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cneill cneill cneill approved these changes

@mtesauro mtesauro mtesauro approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file python Pull requests that update Python code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cneill @mtesauro