Update dependency black to v24 [SECURITY] #1142
Open
This PR contains the following updates:
black: ^22.8.0 -> ^24.0.0
GitHub Vulnerability Alerts
CVE-2024-21503
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.
Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
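As an added example (not part of this Renovate PR and not Black's own code): the update above is a caret range, and a caret range only sets a floor, so it is worth checking explicitly whether the range and the version actually locked carry the 24.3.0 fix for CVE-2024-21503. The only facts taken from the page are the fixed version (24.3.0) and the proposed constraint (^24.0.0); caret semantics are assumed to be Poetry's (^24.0.0 means >=24.0.0,<25.0.0), and every function and constant name is my own.

```python
"""Added example (not part of this PR or of Black): does a dependency range or a
locked version carry the fix for CVE-2024-21503?

Facts taken from the page: the first fixed release is 24.3.0 and this PR
proposes the constraint ^24.0.0.  Assumptions (mine): caret ranges follow
Poetry's rule for majors >= 1 (^24.0.0 means >=24.0.0,<25.0.0), and versions
are plain dotted release numbers with no pre-release suffix.
"""

from typing import Dict, Tuple

FIXED_VERSION = "24.3.0"   # first release with the ReDoS fix (from the advisory above)
PR_CONSTRAINT = "^24.0.0"  # the range this PR proposes (from the PR summary above)

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'X', 'X.Y' or 'X.Y.Z' into a 3-tuple so tuples compare correctly.

    Missing trailing components are treated as 0; anything non-numeric
    (e.g. '24.1a1') is rejected rather than guessed at.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def caret_bounds(constraint: str) -> Tuple[Version, Version]:
    """Return (inclusive lower, exclusive upper) for a caret constraint.

    Assumed Poetry semantics for major >= 1: ^24.0.0 -> >=24.0.0,<25.0.0.
    Majors of 0 follow different caret rules and are deliberately not handled.
    """
    if not constraint.startswith("^"):
        raise ValueError("only caret constraints are handled in this example")
    low = parse_version(constraint[1:])
    if low[0] == 0:
        raise ValueError("0.x caret ranges are out of scope for this example")
    return low, (low[0] + 1, 0, 0)


def is_fixed(version: str) -> bool:
    """True when an installed/locked version is at or above the fixed release."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def constraint_admits_vulnerable(constraint: str) -> bool:
    """True when the range still allows a resolver to pick a vulnerable release.

    The range admits a vulnerable version whenever its lower bound sits below
    the fixed release: every version from the lower bound up to (but not
    including) the fix is then acceptable to the resolver.
    """
    low, _high = caret_bounds(constraint)
    return low < parse_version(FIXED_VERSION)


def audit(constraint: str, locked_version: str) -> Dict[str, object]:
    """Combine the two checks into a small report for a PR reviewer.

    The locked version is what actually gets installed; the constraint only
    matters for what a future re-lock may select.
    """
    return {
        "constraint": constraint,
        "constraint_admits_vulnerable": constraint_admits_vulnerable(constraint),
        "locked_version": locked_version,
        "locked_version_fixed": is_fixed(locked_version),
        "minimum_safe_constraint": f"^{FIXED_VERSION}",
    }


if __name__ == "__main__":
    # Constructed sample: the PR's range with a hypothetical lock at the fix.
    print(audit(PR_CONSTRAINT, "24.3.0"))
    # Constructed sample: a lock that satisfies ^24.0.0 but predates the fix.
    print(audit(PR_CONSTRAINT, "24.2.0"))
```

The report makes the practical point for this PR: ^24.0.0 is satisfied by 24.1.0 and 24.2.0, which the advisory above lists as vulnerable, so what protects the project is the version pinned in the lock file, and a future re-lock is only guaranteed safe once the constraint floor is ^24.3.0 or higher.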
Release Notes
psf/black (black)
v24.3.0
Compare Source
Highlights
This release is a milestone: it fixes Black's first CVE security vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of leading tab
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
CVE-2024-21503.
This release also fixes a bug in Black's AST safety check that allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.
Stable style
of Black would incorrectly format the contents of certain unusual f-strings containing
nested strings with the same quote type. Now, Black will crash on such strings until
support for the new f-string syntax is implemented. (#4270)
(#4273)
Performance
characters. This fixes CVE-2024-21503. (#4278)
Documentation
--check is used with --quiet (#4236)
v24.2.0
Stable style
(#4218)
Preview style
hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
expression (#4154)
(#4185)
case statement if guards (#4214).
Configuration
pyproject.toml that is missing a tool.black section when discovering project root and configuration. Since Black continues to use version control as an indicator of project root, this is expected to primarily change behavior for users in a monorepo setup (desirably). If you wish to preserve previous behavior, simply add an empty [tool.black] to the previously discovered pyproject.toml (#4204)
Output
SyntaxWarnings or DeprecationWarnings produced by the ast module when performing equivalence checks (#4189)
Integrations
v24.1.1
Bugfix release to fix a bug that made Black unusable on certain file systems with strict
limits on path length.
Preview style
Configuration
do not support long paths (#4176)
v24.1.0
Highlights
This release introduces the new 2024 stable style (#4106), stabilizing the following
changes:
if-else expressions (#2278)
... are formatted more compactly (#3796)
(#3368)
with statement (#3489)
entry (#3393)
--skip-magic-trailing-comma or -C, trailing commas are stripped from subscript expressions with more than 1 element (#3209)
# fmt: skip with other comments (#3959)
There are already a few improvements in the --preview style, which are slated for the 2025 stable style. Try them out and share your feedback. In the past, the preview style has included some features that we were not able to stabilize. This year, we're adding a separate --unstable style for features with known problems. Now, the --preview style only includes features that we actually expect to make it into next year's stable style.
Stable style
Several bug fixes were made in features that are moved to the stable style in this
release:
unlike other binary operators (#4109)
blocks, except immediately before a docstring (#4130)
Preview style
--unstable style, covering preview features that have known problems that would block them from going into the stable style. Also add the --enable-unstable-feature flag; for example, use --enable-unstable-feature hug_parens_with_braces_and_square_brackets to apply this preview feature throughout 2024, even if a later Black release downgrades the feature to unstable (#4096)
# fmt: skip comments (#4146)
Configuration
pyproject.toml contains an invalid key (#4165)
--experimental-string-processing flag. This feature can currently be enabled with --preview --enable-unstable-feature string_processing. (#4096)
Integrations
(#3940) for better compatibility with older versions of pre-commit (#4137)
v23.12.1
Packaging
d extra by default (#4108)
v23.12.0
Highlights
It's almost 2024, which means it's time for a new edition of Black's stable style!
Together with this release, we'll put out an alpha release 24.1a1 showcasing the draft
2024 stable style, which we'll finalize in the January release. Please try it out and
share your feedback.
This release (23.12.0) will still produce the 2023 style. Most but not all of the changes in --preview mode will be in the 2024 stable style.
Stable style
# fmt: off automatically dedents when used with the --line-ranges option, even when it is not within the specified line range. (#4084)
Preview style
indented less (#4012)
docstring (#4060)
--line-length (#4086)
functions or class definitions (#4066) (#4103)
Configuration
--line-ranges now skips Black's internal stability check in --safe mode. This avoids a crash on rare inputs that have many unformatted same-content lines. (#4034)
Packaging
Integrations
v23.11.0
Highlights
--line-ranges command-line option (#4020)
Stable style
await (a ** b) (#3994)
fixes a crash (#4019)
Preview style
less (#3964)
indented less (#3992)
now preserved (#4005)
case blocks were not split into multiple lines. Also enable general trailing comma rules on case blocks (#4024)
class definition (#4028)
Configuration
--include (#3976)
Performance
Integrations
formatter (#3940)
v23.10.1
Highlights
Preview style
Packaging
Integrations
summary parameter. (#3958)
Documentation
(#3968)
v23.10.0
Stable style
Preview style
multiple lines (#3899)
Configuration
BLACK_CACHE_DIR is set (#3937)
Parser
type were not accepted inside match statements (#3950)
(#3949)
Output
code (#3933)
(#3938)
Integrations
v23.9.1
Due to various issues, the previous release (23.9.0) did not include compiled mypyc
wheels, which make Black significantly faster. These issues have now been fixed, and
this release should come with compiled wheels once again.
There will be no wheels for Python 3.12 due to a bug in mypyc. We will provide 3.12
wheels in a future release as soon as the mypyc bug is fixed.
Packaging
Performance
decreasing the size of the cache (#3877)
v23.9.0
Preview style
if sys.version_info > (3, x): ) and a function definition on the same level (#3862)
Configuration
Performance
IPython if notebook cells do not contain magics (#3782)
Blackd
blackd with single character input (#3558)
Integrations
official pre-commit mirror. Swapping https://github.com/psf/black to https://github.com/psf/black-pre-commit-mirror in your .pre-commit-config.yaml will make Black about 2x faster (#3828).
.black.env folder specified by ENV_PATH will now be removed on the completion of the GitHub Action (#3759)
v23.7.0
Highlights
supported until further notice (#3765)
Stable style
PEP 604 unions (#3735)
under some circumstances (#3745)
type: ignore within parentheses (#3740)
(#3773)
Preview style
parentheses (#3640)
Configuration
--workers argument to Black can now be specified via the BLACK_NUM_WORKERS environment variable (#3743)
.pytest_cache, .ruff_cache and .vscode are now excluded by default (#3691)
pyproject.toml settings when running --stdin-filename and the pyproject.toml found isn't in the current working directory (#3719)
exclude and extend-exclude have invalid data types in pyproject.toml, instead of silently doing the wrong thing (#3764)
Packaging
LANG=C (#3768)
Parser
Performance
IPython in a case where we wouldn't need it (#3748)
Output
Blackd
blackd argument parser now shows the default values for options in their help text (#3712)
Integrations
PYTHONWARNDEFAULTENCODING = 1 (#3763)
Documentation
cite this software (#3723)
the latest code base (#3755)
v23.3.0
Highlights
This release fixes a longstanding confusing behavior in Black's GitHub action, where the
version of the action did not determine the version of Black being run (issue #3382). In
addition, there is a small bug fix around imports and a number of improvements to the
preview style.
Please try out the preview style with black --preview and tell us your feedback. All changes in the preview style are expected to become part of Black's stable style in January 2024.
Stable style
# fmt: skip and # fmt: off no longer have an extra blank line added when they are right after another import line (#3610)
Preview style
entry (#3393)
async def, async for, and async with statements are now formatted consistently compared to their non-async version. (#3609)
with statements that contain two context managers will be consistently wrapped in parentheses (#3589)
(#3445)
、 U+3001 IDEOGRAPHIC COMMA, 。 U+3002 IDEOGRAPHIC FULL STOP, & ， U+FF0C FULLWIDTH COMMA) besides before spaces (#3445)
... (#3564)
Parser
Integrations
version input is not specified (#3543)
Documentation
vulnerabilities should be reported through Tidelift (#3612)
v23.1.0
Highlights
This is the first release of 2023, and following our
stability policy,
it comes with a number of improvements to our stable style, including improvements to
empty line handling, removal of redundant parentheses in several contexts, and output
that highlights implicitly concatenated strings better.
There are also many changes to the preview style; try out
black --preview
and give usfeedback to help us set the stable style for next year.
In addition to style changes, Black now automatically infers the supported Python
versions from your
pyproject.toml
file, removing the need to set Black's targetversions separately.
Stable style
preview style (#3418). Specific changes:
(#3302) (22.12.0)
present) or as a single newline character (if a newline is present) (#3348)
(22.12.0)
parentheses (#3307) (22.12.0)
(#3370) (22.12.0)
--skip-string-normalization / -S now prevents docstring prefixes from being normalized as expected (#3168) (since 22.8.0)
--skip-magic-trailing-comma or -C, trailing commas are stripped from subscript expressions with more than 1 element (#3209) (22.8.0)
parentheses (#3162) (22.8.0)
implicitly concatenated strings on its own line (#3227) (22.8.0)
(#3044, #3430) (22.6.0)
with statements (#2926) (22.6.0)
#%% are now standardised to # %% (#2919) (22.3.0)
except statements (#2939) (22.3.0)
for loops (#2945) (22.3.0)
# fmt: off and # fmt: on (#3439)
Preview style
if-else expressions (#2278)
and except clauses (#3423)
regular and f-strings start with an empty span (#3463)
before a dict's value (#3469)
# fmt: skip
applied or there is a standalone comment between decorators (#3470)
too long (#3430)
unnecessary parentheses around short values in dict literals are now removed; long
string lambda values are now wrapped in parentheses (#3440)
return type annotation is stringified and spans across multiple lines (#3462)
with statements or tuples (#3473)
code. Implicitly concatenated f-strings with different quotes can now be merged or
quote-normalized by changing the quotes used in expressions. (#3509)
await (yield) when Black is compiled with mypyc (#3533)
Configuration
--target-version from the project metadata specified in pyproject.toml (#3219)
Packaging
0.971 to 0.991 so mypycified Black can be built on armv7 (#3380)
CPython
tomli requirement on 3.11 alpha releases, working around a bug that would cause the requirement not to be installed on any non-final Python releases (#3448)
packaging version 22.0 or later. This is required for new functionality that needs to parse part of the project metadata (#3219)
Output
black --help multiple times will return the same help contents each time (#3516)
pyproject.toml configuration variables (#3392)
relative path to the project root (#3385)
Integrations
latest_prerelease tag automation to follow latest black alpha release on docker images (#3465)
Documentation
vim-plug installation instructions to offer more explicit options (#3468)
Configuration
📅 Schedule: Branch creation - "" in timezone US/Eastern, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.