[Security] Bump pydantic from 1.4 to 1.6.2

[dependabot-preview]

Bumps pydantic from 1.4 to 1.6.2. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Use of "infinity" as an input to datetime and date fields causes infinite loop in pydantic Impact

Passing either 'infinity', 'inf' or float('inf') (or their negatives) to datetime or date fields causes validation to run forever with 100% CPU usage (on one CPU). Patches

Pydantic is be patched with fixes available in the following versions:

v1.8.2
v1.7.4
v1.6.2

All these versions are available on pypi, and will be available on conda-forge soon.

See the changelog for details. Workarounds

If you absolutely can't upgrade, you can work around this risk using a validator to catch these values, brief demo:

from datetime import date from pydantic import BaseModel, validator

... (truncated)

Affected versions: < 1.6.2

Release notes

Sourced from pydantic's releases.

v1.6.2 (2021-05-11)

Security fix: Fix date and datetime parsing so passing either 'infinity' or float('inf') (or their negative values) does not cause an infinite loop, see security advisory CVE-2021-29510.

v1.6.1 (2020-07-15)

See Changelog.

Thank you to pydantic's sponsors: @​matin, @​tiangolo, @​chdsbd, @​jorgecarleitao, and 1 anonymous sponsor for their kind support.

changes:

• fix validation and parsing of nested models with default_factory, #1710 by @​PrettyWood

v1.6 (2020-07-11)

See Changelog.

Thank you to pydantic's sponsors: @​matin, @​tiangolo, @​chdsbd, @​jorgecarleitao, and 1 anonymous sponsor for their kind support.

changes:

• Modify validators for conlist and conset to not have always=True, #1682 by @​samuelcolvin
• add port check to AnyUrl (can't exceed 65536) ports are 16 insigned bits: 0 <= port <= 2**16-1 src: rfc793 header format, #1654 by @​flapili
• Document default regex anchoring semantics, #1648 by @​yurikhan
• Use chain.from_iterable in class_validators.py. This is a faster and more idiomatic way of using itertools.chain. Instead of computing all the items in the iterable and storing them in memory, they are computed one-by-one and never stored as a huge list. This can save on both runtime and memory space, #1642 by @​cool-RR
• Add conset(), analogous to conlist(), #1623 by @​patrickkwang
• make pydantic errors (un)pickable, #1616 by @​PrettyWood
• Allow custom encoding for dotenv files, #1615 by @​PrettyWood
• Ensure SchemaExtraCallable is always defined to get type hints on BaseConfig, #1614 by @​PrettyWood
• Update datetime parser to support negative timestamps, #1600 by @​mlbiche
• Update mypy, remove AnyType alias for Type[Any], #1598 by @​samuelcolvin
• Adjust handling of root validators so that errors are aggregated from all failing root validators, instead of reporting on only the first root validator to fail, #1586 by @​beezee
• Make __modify_schema__ on Enums apply to the enum schema rather than fields that use the enum, #1581 by @​therefromhere
• Fix behavior of __all__ key when used in conjunction with index keys in advanced include/exclude of fields that are sequences, #1579 by @​xspirus
• Subclass validators do not run when referencing a List field defined in a parent class when each_item=True. Added an example to the docs illustrating this, #1566 by @​samueldeklund
• change schema.field_class_to_schema to support frozenset in schema, #1557 by @​wangpeibao
• Call __modify_schema__ only for the field schema, #1552 by @​PrettyWood
• Move the assignment of field.validate_always in fields.py so the always parameter of validators work on inheritance, #1545 by @​dcHHH
• Added support for UUID instantiation through 16 byte strings such as b'\x12\x34\x56\x78' * 4. This was done to support BINARY(16) columns in sqlalchemy, #1541 by @​shawnwall
• Add a test assertion that default_factory can return a singleton, #1523 by @​therefromhere
• Add NameEmail.__eq__ so duplicate NameEmail instances are evaluated as equal, #1514 by @​stephen-bunn
• Add datamodel-code-generator link in pydantic document site, #1500 by @​koxudaxi
• Added a "Discussion of Pydantic" section to the documentation, with a link to "Pydantic Introduction" video by Alexander Hultnér, #1499 by @​hultner
• Avoid some side effects of default_factory by calling it only once if possible and by not setting a default value in the schema, #1491 by @​PrettyWood
• Added docs about dumping dataclasses to JSON, #1487 by @​mikegrima
• Make BaseModel.__signature__ class-only, so getting __signature__ from model instance will raise AttributeError, #1466 by @​MrMrRobat
• include 'format': 'password' in the schema for secret types, #1424 by @​atheuz
• Modify schema constraints on ConstrainedFloat so that exclusiveMinimum and minimum are not included in the schema if they are equal to -math.inf and exclusiveMaximum and maximum are not included if they are equal to math.inf, #1417 by @​vdwees
• Squash internal __root__ dicts in .dict() (and, by extension, in .json()), #1414 by @​patrickkwang

... (truncated)

Changelog

Sourced from pydantic's changelog.

v1.6.2 (2021-05-11)

• Security fix: Fix date and datetime parsing so passing either 'infinity' or float('inf') (or their negative values) does not cause an infinite loop, See security advisory CVE-2021-29510

v1.6.1 (2020-07-15)

• fix validation and parsing of nested models with default_factory, #1710 by @​PrettyWood

v1.6 (2020-07-11)

Thank you to pydantic's sponsors: @​matin, @​tiangolo, @​chdsbd, @​jorgecarleitao, and 1 anonymous sponsor for their kind support.

• Modify validators for conlist and conset to not have always=True, #1682 by @​samuelcolvin
• add port check to AnyUrl (can't exceed 65536) ports are 16 insigned bits: 0 <= port <= 2**16-1 src: rfc793 header format, #1654 by @​flapili
• Document default regex anchoring semantics, #1648 by @​yurikhan
• Use chain.from_iterable in class_validators.py. This is a faster and more idiomatic way of using itertools.chain. Instead of computing all the items in the iterable and storing them in memory, they are computed one-by-one and never stored as a huge list. This can save on both runtime and memory space, #1642 by @​cool-RR
• Add conset(), analogous to conlist(), #1623 by @​patrickkwang
• make pydantic errors (un)pickable, #1616 by @​PrettyWood
• Allow custom encoding for dotenv files, #1615 by @​PrettyWood
• Ensure SchemaExtraCallable is always defined to get type hints on BaseConfig, #1614 by @​PrettyWood
• Update datetime parser to support negative timestamps, #1600 by @​mlbiche
• Update mypy, remove AnyType alias for Type[Any], #1598 by @​samuelcolvin
• Adjust handling of root validators so that errors are aggregated from all failing root validators, instead of reporting on only the first root validator to fail, #1586 by @​beezee
• Make __modify_schema__ on Enums apply to the enum schema rather than fields that use the enum, #1581 by @​therefromhere
• Fix behavior of __all__ key when used in conjunction with index keys in advanced include/exclude of fields that are sequences, #1579 by @​xspirus
• Subclass validators do not run when referencing a List field defined in a parent class when each_item=True. Added an example to the docs illustrating this, #1566 by @​samueldeklund
• change schema.field_class_to_schema to support frozenset in schema, #1557 by @​wangpeibao
• Call __modify_schema__ only for the field schema, #1552 by @​PrettyWood
• Move the assignment of field.validate_always in fields.py so the always parameter of validators work on inheritance, #1545 by @​dcHHH
• Added support for UUID instantiation through 16 byte strings such as b'\x12\x34\x56\x78' * 4. This was done to support BINARY(16) columns in sqlalchemy, #1541 by @​shawnwall
• Add a test assertion that default_factory can return a singleton, #1523 by @​therefromhere
• Add NameEmail.__eq__ so duplicate NameEmail instances are evaluated as equal, #1514 by @​stephen-bunn
• Add datamodel-code-generator link in pydantic document site, #1500 by @​koxudaxi
• Added a "Discussion of Pydantic" section to the documentation, with a link to "Pydantic Introduction" video by Alexander Hultnér, #1499 by @​hultner
• Avoid some side effects of default_factory by calling it only once if possible and by not setting a default value in the schema, #1491 by @​PrettyWood
• Added docs about dumping dataclasses to JSON, #1487 by @​mikegrima
• Make BaseModel.__signature__ class-only, so getting __signature__ from model instance will raise AttributeError, #1466 by @​MrMrRobat
• include 'format': 'password' in the schema for secret types, #1424 by @​atheuz
• Modify schema constraints on ConstrainedFloat so that exclusiveMinimum and minimum are not included in the schema if they are equal to -math.inf and exclusiveMaximum and maximum are not included if they are equal to math.inf, #1417 by @​vdwees
• Squash internal __root__ dicts in .dict() (and, by extension, in .json()), #1414 by @​patrickkwang
• Move const validator to post-validators so it validates the parsed value, #1410 by @​selimb
• Fix model validation to handle nested literals, e.g. Literal['foo', Literal['bar']], #1364 by @​DBCerigo
• Remove user_required = True from RedisDsn, neither user nor password are required, #1275 by @​samuelcolvin

... (truncated)

Commits

• acf7783 tweak history
• 829528c comment out broken tests
• cf9a417 hack tests into passing
• b37a922 fix formatting
• ac360c5 prepare for release
• bdde15b Merge pull request from GHSA-5jqp-qgf6-3pvh
• d2b0501 uprev
• e2fcab5 fix: validate and parse nested models properly with default_factory (#1712)
• ba56a67 Bump pytest-mock from 3.1.1 to 3.2.0 (#1719)
• f1f944f Update datamode_code_generator:typo in pip install (#1713)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

If all status checks pass Dependabot will automatically merge this pull request.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in the .dependabot/config.yml file in this repo:

• Update frequency
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Dependabot tried to add @eolme as a reviewer to this PR, but received the following error from GitHub:

POST https://api.github.com/repos/algorithm-ssau/coursework/pulls/31/requested_reviewers: 422 - Reviews may only be requested from collaborators. One or more of the users or teams you specified is not a collaborator of the algorithm-ssau/coursework repository. // See: https://docs.github.com/rest/reference/pulls#request-reviewers-for-a-pull-request

[dependabot-preview]

Dependabot tried to automerge this PR, but received the following error from GitHub:

At least 1 approving review is required by reviewers with write access.