Commit graph

36 commits

Author SHA1 Message Date
dependabot[bot]
49de2bc0fb
Bump cryptography from 41.0.4 to 42.0.3
Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.4 to 42.0.3.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/41.0.4...42.0.3)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-19 02:44:29 +00:00
dependabot[bot]
7db0be7a90
Bump flask from 2.3.2 to 3.0.0 (#294)
Bumps [flask](https://github.com/pallets/flask) from 2.3.2 to 3.0.0.
- [Release notes](https://github.com/pallets/flask/releases)
- [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/flask/compare/2.3.2...3.0.0)

---
updated-dependencies:
- dependency-name: flask
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-22 14:08:29 -08:00
dependabot[bot]
b66b1e1bb2
Bump werkzeug from 2.3.3 to 3.0.1 (#295)
Bumps [werkzeug](https://github.com/pallets/werkzeug) from 2.3.3 to 3.0.1.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/werkzeug/compare/2.3.3...3.0.1)

---
updated-dependencies:
- dependency-name: werkzeug
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-22 14:00:16 -08:00
dependabot[bot]
1a9824d24d
Bump redis from 4.5.5 to 5.0.1
Bumps [redis](https://github.com/redis/redis-py) from 4.5.5 to 5.0.1.
- [Release notes](https://github.com/redis/redis-py/releases)
- [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES)
- [Commits](https://github.com/redis/redis-py/compare/v4.5.5...v5.0.1)

---
updated-dependencies:
- dependency-name: redis
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-23 16:35:54 +00:00
Devin Lundberg
31ae18d57d
[Snyk] Security upgrade cryptography from 41.0.1 to 41.0.4 (#284)
fix: requirements.txt to reduce vulnerabilities


The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-5914629

Co-authored-by: snyk-bot <snyk-bot@snyk.io>
2023-09-25 09:24:35 -07:00
dependabot[bot]
a34aaf8bb4
Bump redis from 4.5.3 to 4.5.5 (#253)
Bump redis from 4.3.3 to 4.5.5

Bumps [redis](https://github.com/redis/redis-py) from 4.3.3 to 4.5.5.
- [Release notes](https://github.com/redis/redis-py/releases)
- [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES)
- [Commits](https://github.com/redis/redis-py/compare/v4.3.3...v4.5.5)

---
updated-dependencies:
- dependency-name: redis
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuru Shao <yshao@pinterest.com>
2023-06-09 13:38:27 -07:00
dependabot[bot]
147bdf390a
Bump flask from 2.1.2 to 2.3.2 (#250)
Bumps [flask](https://github.com/pallets/flask) from 2.1.2 to 2.3.2.
- [Release notes](https://github.com/pallets/flask/releases)
- [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/flask/compare/2.1.2...2.3.2)

---
updated-dependencies:
- dependency-name: flask
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-09 13:30:50 -07:00
dependabot[bot]
6f02f6e2b7
Bump cryptography from 39.0.2 to 41.0.1 (#260)
Bumps [cryptography](https://github.com/pyca/cryptography) from 39.0.2 to 41.0.1.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/39.0.2...41.0.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-09 13:01:50 -07:00
Yuru Shao
1e1b189d77
Remove py3.7 (#234)
* Remove py3.7

* Restore cache action
2023-06-09 12:54:41 -07:00
Devin Lundberg
0aaf1ec89b
[Snyk] Security upgrade werkzeug from 2.1.2 to 2.2.3 (#221)
fix: requirements.txt to reduce vulnerabilities


The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-WERKZEUG-3319935
- https://snyk.io/vuln/SNYK-PYTHON-WERKZEUG-3319936

Co-authored-by: snyk-bot <snyk-bot@snyk.io>
2023-03-17 16:18:25 -07:00
dependabot[bot]
c251bffc89
Bump cryptography from 37.0.2 to 39.0.2 (#224)
Bumps [cryptography](https://github.com/pyca/cryptography) from 37.0.2 to 39.0.2.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/37.0.2...39.0.2)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-17 16:15:29 -07:00
dependabot[bot]
7da90b08a4
Bump markupsafe from 1.1.1 to 2.1.1 (#164)
Bumps [markupsafe](https://github.com/pallets/markupsafe) from 1.1.1 to 2.1.1.
- [Release notes](https://github.com/pallets/markupsafe/releases)
- [Changelog](https://github.com/pallets/markupsafe/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/markupsafe/compare/1.1.1...2.1.1)

---
updated-dependencies:
- dependency-name: markupsafe
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-16 13:26:48 -07:00
dependabot[bot]
2304a29e7c
Bump itsdangerous from 0.24 to 2.1.2
Bumps [itsdangerous](https://github.com/pallets/itsdangerous) from 0.24 to 2.1.2.
- [Release notes](https://github.com/pallets/itsdangerous/releases)
- [Changelog](https://github.com/pallets/itsdangerous/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/itsdangerous/compare/0.24...2.1.2)

---
updated-dependencies:
- dependency-name: itsdangerous
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-22 18:44:21 +00:00
dependabot[bot]
8f9ecb8a7a
Bump redis from 2.10.6 to 4.3.3
Bumps [redis](https://github.com/redis/redis-py) from 2.10.6 to 4.3.3.
- [Release notes](https://github.com/redis/redis-py/releases)
- [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES)
- [Commits](https://github.com/redis/redis-py/compare/2.10.6...v4.3.3)

---
updated-dependencies:
- dependency-name: redis
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-22 18:36:08 +00:00
Yuru Shao
b2a41073de
Merge pull request #171 from pinterest/dependabot/pip/werkzeug-2.1.2
Bump werkzeug from 0.15.6 to 2.1.2
2022-06-22 11:34:39 -07:00
dependabot[bot]
ecdcb70470
Bump werkzeug from 0.15.6 to 2.1.2
Bumps [werkzeug](https://github.com/pallets/werkzeug) from 0.15.6 to 2.1.2.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/werkzeug/compare/0.15.6...2.1.2)

---
updated-dependencies:
- dependency-name: werkzeug
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-20 03:43:08 +00:00
dependabot[bot]
ca3ba14c21
Bump flask from 1.0.2 to 2.1.2
Bumps [flask](https://github.com/pallets/flask) from 1.0.2 to 2.1.2.
- [Release notes](https://github.com/pallets/flask/releases)
- [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/flask/compare/1.0.2...2.1.2)

---
updated-dependencies:
- dependency-name: flask
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-20 03:42:48 +00:00
dependabot[bot]
47f002ab2d
Bump jinja2 from 2.11.3 to 3.1.2
Bumps [jinja2](https://github.com/pallets/jinja) from 2.11.3 to 3.1.2.
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/jinja/compare/2.11.3...3.1.2)

---
updated-dependencies:
- dependency-name: jinja2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-18 02:00:49 +00:00
Jon Parise
b8121166b7
Remove transitive dependencies (#167)
Given how we're currently managing our dependencies in this project, it
doesn't make sense to list transitive dependencies in this set of
requirements (i.e. it's not meant to act as a lock file).
2022-05-17 12:29:12 -07:00
dependabot[bot]
bdefc11a72
Bump idna from 2.9 to 3.3
Bumps [idna](https://github.com/kjd/idna) from 2.9 to 3.3.
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst)
- [Commits](https://github.com/kjd/idna/compare/v2.9...v3.3)

---
updated-dependencies:
- dependency-name: idna
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-17 18:58:15 +00:00
dependabot[bot]
cbbe67dcae
Merge pull request #159 from pinterest/dependabot/pip/cryptography-37.0.2 2022-05-17 18:57:29 +00:00
Jon Parise
68c5f14cd4
Remove dependency on six (#160)
We no longer need six now that we require Python 3.x.
2022-05-17 11:10:58 -07:00
dependabot[bot]
c491c621d2
Bump cryptography from 3.3.2 to 37.0.2
Bumps [cryptography](https://github.com/pyca/cryptography) from 3.3.2 to 37.0.2.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/3.3.2...37.0.2)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-17 18:05:11 +00:00
dependabot[bot]
188f0f6779
Bump jinja2 from 2.10.1 to 2.11.3
Bumps [jinja2](https://github.com/pallets/jinja) from 2.10.1 to 2.11.3.
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/master/CHANGES.rst)
- [Commits](https://github.com/pallets/jinja/compare/2.10.1...2.11.3)

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-19 21:58:30 +00:00
dependabot[bot]
5dc2161a5d
Bump cryptography from 3.2 to 3.3.2
Bumps [cryptography](https://github.com/pyca/cryptography) from 3.2 to 3.3.2.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/3.2...3.3.2)

Signed-off-by: dependabot[bot] <support@github.com>
2021-02-10 01:36:07 +00:00
dependabot[bot]
50ef7bef82
Bump cryptography from 2.3.1 to 3.2
Bumps [cryptography](https://github.com/pyca/cryptography) from 2.3.1 to 3.2.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/2.3.1...3.2)

Signed-off-by: dependabot[bot] <support@github.com>
2020-10-27 21:00:15 +00:00
Jeremiah Lee
2af7037feb
Adds option for two-week timeout. (#120)
Also includes:

- Updated the versions in the requirements, as MarkupSafe did not install cleanly.
- Integration test that sets a password via the website, and then
verifies the timeout on the backend.
- Basic Makefile, updates to the docs to use the Makefile.

The requirements file was updated using pip freeze after I had updated the version of MarkupSafe. I don't know what the usual process is for this repo, so please let me know if I should use a different process there (that is why there are a few additions).
2020-05-08 11:43:54 -07:00
Samuel Dion-Girardeau
f377aa3ed2 Add support for Python 3.8 (#115)
* Remove Travis Python 3.7 hack

No longer necessary: 3.7 is supported out-of-the-box

* Add support for Python 3.8

And explicitly document in setup.py

* "Upgrade base Docker image to Python 3.8"a

* Add entry about py38 support in WIP changelog

* Explicitly declare python versions in setup.py

* Bump Werkzeug to 0.15.6

This is the latest 0.15 version. 0.16 might be incompatible

The fix we are looking for is in [0.15.5](http://werkzeug.palletsprojects.com/en/0.15.x/changes/#version-0-15-5):

> Fix a TypeError due to changes to ast.Module in Python 3.8.
2019-11-25 08:58:29 -08:00
dependabot[bot]
b3e1068c01
Bump werkzeug from 0.14.1 to 0.15.3
Bumps [werkzeug](https://github.com/pallets/werkzeug) from 0.14.1 to 0.15.3.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/master/CHANGES.rst)
- [Commits](https://github.com/pallets/werkzeug/compare/0.14.1...0.15.3)

Signed-off-by: dependabot[bot] <support@github.com>
2019-08-21 16:50:22 +00:00
Jon Parise
2aa7272a59
Upgrade to Jinja2 2.10.1 (#101)
This patch release fixes a security issue (CVE-2019-10906) involving
str.format_map.
2019-04-12 13:26:46 -07:00
Jon Parise
30db653f14 Upgrade to cryptography 2.3.1
This addresses CVE-2018-10903:

    A flaw was found in python-cryptography versions between >=1.9.0 and
    <2.3. The finalize_with_tag API did not enforce a minimum tag
    length. If a user did not validate the input length prior to passing
    it to finalize_with_tag an attacker could craft an invalid payload
    with a shortened tag (e.g. 1 byte) such that they would have a 1 in
    256 chance of passing the MAC check. GCM tag forgeries can cause key
    leakage.

... although snappass isn't affected because we doesn't use the
vulnerable `finalize_with_tag` API.
2018-10-31 09:39:18 -07:00
Samuel Dion-Girardeau
5981884cd2 Update all Python requirements to latest stable
All PyPI packages now have the latest version available.
2018-07-12 21:23:25 -04:00
Nicholas Charriere
75b6a6919f Make mock a requirement, not dev-requirement 2018-05-07 08:23:30 -07:00
Samuel Dion-Girardeau
dc6054f09c Encrypt passwords stored in Redis
Using symmetric encryption in the `cryptography`'s `Fernet` class,
we can ensure that no one can snoop the passwords simply by having access
to the Redis store.

An encryption key is sent to the secret receiver, along with the 32 character
Redis key that identifies the secret, which is needed to decrypt the password.
2017-05-11 21:28:22 -04:00
Samuel Dion-Girardeau
a8401434cb Bump flask to 0.11.1
One of the main advantages is the easy debug mode,
with autoreload capabilities.

Several other fixes & features:
http://flask.pocoo.org/docs/0.11/changelog/#version-0-11
2016-08-22 20:32:22 -04:00
Dave Dash
eefe2bdc76 Prepare snappass for distribution. 2013-10-05 23:10:50 -07:00