From 170c5f427c14c6ab544c984993cef9565a33272f Mon Sep 17 00:00:00 2001
From: Christopher MacGown
Date: Wed, 18 Sep 2024 17:07:23 +0000
Subject: [PATCH 1/4] typing: remove types-pkg-resources package
The package has been yanked on pypi as it has been superceded by types-setuptools. However, setuptools now provides type-hints for the pkg-resources package, so it is no longer needed. Additionally, it does not appear to be used in the project at all, so it appears vestigial.
---
poetry.lock | 15 +++------------
pyproject.toml | 1 -
2 files changed, 3 insertions(+), 13 deletions(-)
diff --git a/poetry.lock b/poetry.lock
index 63f7ad4f..86ae13f6 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1548,6 +1548,8 @@ files = [
 {file = "orjson-3.10.6-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:960db0e31c4e52fa0fc3ecbaea5b2d3b58f379e32a95ae6b0ebeaa25b93dfd34"},
 {file = "orjson-3.10.6-cp312-none-win32.whl", hash = "sha256:a6ea7afb5b30b2317e0bee03c8d34c8181bc5a36f2afd4d0952f378972c4efd5"},
 {file = "orjson-3.10.6-cp312-none-win_amd64.whl", hash = "sha256:874ce88264b7e655dde4aeaacdc8fd772a7962faadfb41abe63e2a4861abc3dc"},
+ {file = "orjson-3.10.6-cp313-none-win32.whl", hash = "sha256:efdf2c5cde290ae6b83095f03119bdc00303d7a03b42b16c54517baa3c4ca3d0"},
+ {file = "orjson-3.10.6-cp313-none-win_amd64.whl", hash = "sha256:8e190fe7888e2e4392f52cafb9626113ba135ef53aacc65cd13109eb9746c43e"},
 {file = "orjson-3.10.6-cp38-cp38-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:66680eae4c4e7fc193d91cfc1353ad6d01b4801ae9b5314f17e11ba55e934183"},
 {file = "orjson-3.10.6-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:caff75b425db5ef8e8f23af93c80f072f97b4fb3afd4af44482905c9f588da28"},
 {file = "orjson-3.10.6-cp38-cp38-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:3722fddb821b6036fd2a3c814f6bd9b57a89dc6337b9924ecd614ebce3271394"},
@@ -2599,17 +2601,6 @@ files = [
 {file = "types_orjson-3.6.2-py3-none-any.whl", hash = "sha256:22ee9a79236b6b0bfb35a0684eded62ad930a88a56797fa3c449b026cf7dbfe4"},
 ]
-[[package]]
-name = "types-pkg-resources"
-version = "0.1.3"
-description = "Typing stubs for pkg_resources"
-optional = false
-python-versions = "*"
-files = [
- {file = "types-pkg_resources-0.1.3.tar.gz", hash = "sha256:834a9b8d3dbea343562fd99d5d3359a726f6bf9d3733bccd2b4f3096fbab9dae"},
- {file = "types_pkg_resources-0.1.3-py2.py3-none-any.whl", hash = "sha256:0cb9972cee992249f93fff1a491bf2dc3ce674e5a1926e27d4f0866f7d9b6d9c"},
-]
-
 [[package]]
 name = "types-pymysql"
 version = "1.1.0.20240524"
@@ -3192,4 +3183,4 @@ sqlite = ["aiosqlite"]
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.8.0"
-content-hash = "17f2772ae4d107b690ea9a950c9a54cdeb2093a8762d242866c946dbf6467b9d"
+content-hash = "d2fdd34ae098d8f4e441bbc5550965ab606f506454eaa8cbec616adcda593061"
diff --git a/pyproject.toml b/pyproject.toml
index 8ea8b616..d961427c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -102,7 +102,6 @@ types-enum34 = "^1.1.1"
 types-cryptography = "^3.3.23"
 types-orjson = "^3.6.1"
 types-aiofiles = "^23.2.0"
-types-pkg-resources = "^0.1.3"
 types-requests = "^2.31.0"
 types-toml = "^0.10.8"
From 4b6fc18a302c4c4e3c454e09dbfa79ca1656e957 Mon Sep 17 00:00:00 2001
From: Christopher MacGown
Date: Wed, 18 Sep 2024 17:12:52 +0000
Subject: [PATCH 2/4] fix: recursive_guard is a KW_ONLY arg in 3.12.4+
Python 3.9 added recursive_guard to ForwardRef._evaluate to prevent infinite recursion of recursive types. This is a private method, and no API contract is provided. So, when the API changed in the 3.12.4 release they did not bother to document it, or highlight that it is a breaking release.
---
ormar/fields/foreign_key.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ormar/fields/foreign_key.py b/ormar/fields/foreign_key.py
index 4c8f602c..8590fae5 100644
--- a/ormar/fields/foreign_key.py
+++ b/ormar/fields/foreign_key.py
@@ -432,7 +432,7 @@ def _evaluate_forward_ref(
 if sys.version_info.minor <= 8: # pragma: no cover
 evaluated = target_obj._evaluate(globalns, localns)
 else: # pragma: no cover
- evaluated = target_obj._evaluate(globalns, localns, set())
+ evaluated = target_obj._evaluate(globalns, localns, recursive_guard=set())
 setattr(self, target, evaluated)
 def evaluate_forward_ref(self, globalns: Any, localns: Any) -> None:
From ae0f5c303a37571f02e73ebfb73031efb325a27f Mon Sep 17 00:00:00 2001
From: Christopher MacGown
Date: Wed, 18 Sep 2024 17:23:44 +0000
Subject: [PATCH 3/4] deps: bump setuptools to ^75.1.0
Versions of setuptools prior to 70.0.0 were vulnerable to a remote execution exploit documented in CVE-2024-6345-setuptools.
---
poetry.lock | 18 +++++++++++-------
pyproject.toml | 1 +
2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/poetry.lock b/poetry.lock
index 86ae13f6..29d176f3 100644
--- a/poetry.lock
+++ b/poetry.lock
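Review bot: The new call `target_obj._evaluate(globalns, localns, recursive_guard=set())` still binds the library to a private CPython method with no compatibility contract, and the commit message itself records it changing inside a patch release (3.12.4); 3.13 appears to add a `type_params` parameter to the same method that warns when omitted, so this branch will likely need revisiting again. That constraint should be recorded at the call site, e.g. `# recursive_guard is keyword-only from 3.12.4; ForwardRef._evaluate is private and its signature may change again`, so the next breakage is diagnosed quickly. Separately, the guard `if sys.version_info.minor <= 8:` compares only the minor component; `if sys.version_info < (3, 9):` expresses the same check without that ambiguity. `_evaluate_forward_ref` begins before this hunk.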
@@ -2374,19 +2374,23 @@ files = [
 [[package]]
 name = "setuptools"
-version = "69.2.0"
+version = "75.1.0"
 description = "Easily download, build, install, upgrade, and uninstall Python packages"
 optional = false
 python-versions = ">=3.8"
 files = [
- {file = "setuptools-69.2.0-py3-none-any.whl", hash = "sha256:c21c49fb1042386df081cb5d86759792ab89efca84cf114889191cd09aacc80c"},
- {file = "setuptools-69.2.0.tar.gz", hash = "sha256:0ff4183f8f42cd8fa3acea16c45205521a4ef28f73c6391d8a25e92893134f2e"},
+ {file = "setuptools-75.1.0-py3-none-any.whl", hash = "sha256:35ab7fd3bcd95e6b7fd704e4a1539513edad446c097797f2985e0e4b960772f2"},
+ {file = "setuptools-75.1.0.tar.gz", hash = "sha256:d59a21b17a275fb872a9c3dae73963160ae079f1049ed956880cd7c09b120538"},
 ]
 [package.extras]
-docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "rst.linker (>=1.9)", "sphinx (<7.2.5)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier"]
-testing = ["build[virtualenv]", "filelock (>=3.4.0)", "importlib-metadata", "ini2toml[lite] (>=0.9)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "mypy (==1.9)", "packaging (>=23.2)", "pip (>=19.1)", "pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-home (>=0.5)", "pytest-mypy (>=0.9.1)", "pytest-perf", "pytest-ruff (>=0.2.1)", "pytest-timeout", "pytest-xdist (>=3)", "tomli", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"]
-testing-integration = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "packaging (>=23.2)", "pytest", "pytest-enabler", "pytest-xdist", "tomli", "virtualenv (>=13.0.0)", "wheel"]
+check = ["pytest-checkdocs (>=2.4)", "pytest-ruff (>=0.2.1)", "ruff (>=0.5.2)"]
+core = ["importlib-metadata (>=6)", "importlib-resources (>=5.10.2)", "jaraco.collections",
"jaraco.functools", "jaraco.text (>=3.7)", "more-itertools", "more-itertools (>=8.8)", "packaging", "packaging (>=24)", "platformdirs (>=2.6.2)", "tomli (>=2.0.1)", "wheel (>=0.43.0)"] +cover = ["pytest-cov"] +doc = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "pyproject-hooks (!=1.1)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier", "towncrier (<24.7)"] +enabler = ["pytest-enabler (>=2.2)"] +test = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "ini2toml[lite] (>=0.14)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "jaraco.test", "packaging (>=23.2)", "pip (>=19.1)", "pyproject-hooks (!=1.1)", "pytest (>=6,!=8.1.*)", "pytest-home (>=0.5)", "pytest-perf", "pytest-subprocess", "pytest-timeout", "pytest-xdist (>=3)", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel (>=0.44.0)"] +type = ["importlib-metadata (>=7.0.2)", "jaraco.develop (>=7.21)", "mypy (==1.11.*)", "pytest-mypy"] [[package]] name = "shellingham" @@ -3183,4 +3187,4 @@ sqlite = ["aiosqlite"] [metadata] lock-version = "2.0" python-versions = "^3.8.0" -content-hash = "d2fdd34ae098d8f4e441bbc5550965ab606f506454eaa8cbec616adcda593061" +content-hash = "c10b8555f73c72b5630a2c135ce4d57e7a6fdb4b07cb9721b30eb52a719b2181" diff --git a/pyproject.toml b/pyproject.toml index d961427c..a0761719 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -55,6 +55,7 @@ asyncpg = { version = ">=0.28,<0.30", optional = true } psycopg2-binary = { version = "^2.9.1", optional = true } mysqlclient = { version = "^2.1.0", optional = true } PyMySQL = { version = "^1.1.0", optional = true } +setuptools = "^75.1.0" [tool.poetry.dependencies.orjson] From 0b768c12435f85770d7ed5e5c3878d9abfdde729 Mon Sep 17 00:00:00 2001 
From: Christopher MacGown
Date: Wed, 25 Sep 2024 14:20:24 -0700
Subject: [PATCH 4/4] Add python-3.12 to CI test matrix.
---
.github/workflows/test-package.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test-package.yml b/.github/workflows/test-package.yml
index 7ecd5b28..7b1f4978 100644
--- a/.github/workflows/test-package.yml
+++ b/.github/workflows/test-package.yml
@@ -17,7 +17,7 @@ jobs:
 if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != 'collerek/ormar'
 strategy:
 matrix:
- python-version: [3.8, 3.9, "3.10", 3.11]
+ python-version: [3.8, 3.9, "3.10", 3.11, 3.12]
 fail-fast: false
 services:
 mysql:
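Review bot: `3.12` is safe unquoted (YAML reads it as the float 3.12), but the matrix already quotes `"3.10"` precisely because an unquoted entry can truncate, so quoting every member — `python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]` — spares the next editor from having to know which versions are affected. The `recursive_guard` fix earlier in this series only takes effect on 3.12.4 or later; the setup step (presumably `actions/setup-python`, not visible in the hunk) normally resolves `3.12` to the newest patch release, but if a runner's toolcache ever holds an older 3.12.x the keyword-only branch goes untested, so pinning `3.12.4` or newer in a comment or the matrix would make that dependency explicit. The enclosing job definition starts before this hunk.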