Bump blacksheep from 2.0.8 to 2.4.6 in /nazo_api #6

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/nazo_api/blacksheep-2.4.6

Conversation

@dependabot dependabot Bot commented on behalf of github Jan 14, 2026

Contributor

Bumps blacksheep from 2.0.8 to 2.4.6.

Release notes

Sourced from blacksheep's releases.

v2.4.6

  • Fix CRLF injection vulnerability in the BlackSheep HTTP Client, reported by Jinho Ju (@​tr4ce-ju).
  • Add a SECURITY.md file.
  • Fix #646.
  • Modify the Cookie repr to not include the value in full, as it can contain secrets that would leak in logs.
  • Improve type annotations for several modules, by @​tyzhnenko.

v2.4.5

  • Fix regression #636.

v2.4.4

  • Add support for annotated types in OpenAPIHandler return types, by @​tyzhnenko. This feature is important to support automatic generation of OpenAPI Documentation when returning instances of Response (e.g. Annotated[Response, ProductDetails]).
  • Introduce MiddlewareList and MiddlewareCategory to simplify middleware management and ordering of middlewares (see #620). Middlewares are now automatically sorted by category (INIT, SESSION, AUTH, AUTHZ, BUSINESS, MESSAGE) and optional priority within each category. This ensures proper execution order (e.g., CORS before authentication, authentication before authorization) without requiring developers to manually manage middleware insertion order. The system maintains backward compatibility while providing a more intuitive and error-resistant approach to middleware configuration. The same improvement is applied both to the Application and to the ClientSession classes.
  • Add support for list[str] as a value for no-cache and private directives in code handling cache control headers, by @​karpetrosyan.
  • Fix bug #619, that caused surprising behavior (requiring an explicit fallback or catch-all route to handle web requests that didn't match any route, otherwise middlewares would be bypassed for the defined NotFound exception handler).
  • Change the text of Bad Request response body when the input from the client causes a TypeError when trying to bind to an instance of the expected type (it reduces the amount of details sent to the client).
  • Improve the user experience by ignoring extra properties in request body by default, when mapping to user-defined dataclasses, Pydantic v2 models, or classes (see #614). Previously, extra properties were not ignored by default and required the user to explicitly code their input classes to allow extra properties. This is also done for sub-properties, lists, and dictionaries. The user can still control how exactly input bodies from clients are converted using custom binders or altering blacksheep.server.bindings.class_converters.
  • Add support for specifying OpenAPI tags for controllers. This simplifies handling tags for documentation (#616).
  • Improve the build matrix to build wheels for arm64 architecture for Linux and Windows, and use cibuildwheel for Ubuntu and Windows, by @​bymoye and @​RobertoPrevato.
  • Update type annotations to Python >= 3.10.
  • Fix bug that would prevent union types described using pipes from being properly represented in OpenAPI specification.
  • Add support for alternative programming-style naming for generic types in OpenAPI specification files. When enabled, type names use underscore notation closer to actual type annotations (e.g., PaginatedSet_Address instead of PaginatedSetOfAddress, Dict_str_int instead of DictOfstrAndint). This can be controlled via the programming_names parameter in DefaultSerializer or the APP_OPENAPI_PROGRAMMING_NAMES environment variable, setting it to a truthy value ('1' or 'true').
  • Make EnvironmentSettings read-only, refactor to not use dataclass.
  • Attach EnvironmentSettings to the Application object for runtime inspection, which is useful for: transparency and debugging, testing (assert app.env_settings.force_https is True), health check endpoints or admin tools can expose configuration.
  • Add HTTPSchemeMiddleware to set request scheme when running behind reverse proxies or load balancers with TLS termination. See #631.
  • Add support for APP_HTTP_SCHEME environment variable to explicitly set the request scheme to http or https.
  • Add support for APP_FORCE_HTTPS environment variable to force HTTPS scheme and automatically enable HSTS (HTTP Strict Transport Security) headers.
  • Add automatic scheme middleware configuration via configure_scheme_middleware() - applied during application startup when either APP_HTTP_SCHEME or APP_FORCE_HTTPS is set.
  • EnvironmentSettings now includes http_scheme and force_https properties that are automatically populated from environment variables.
  • Request scheme is now automatically configured based on environment settings, to simplify correct URL generation in proxied environments (e.g. OIDC redirections).
  • Improve the generate_secret to use secrets.token_urlsafe(48) by default.
  • Improve OpenIDSettings, CookieAuthentication, and AntiForgeryHandler to handle secrets using the Secret class from essentials.secrets. Passing secrets as str directly issues a deprecation warning and won't be supported in 2.5.x or 2.6.x.

Several issues were reported by @​ockan, including issues in the documentation.

v2.4.3

  • Add Python 3.14 and remove 3.9 from the build matrix.
  • Drop support for Python 3.9 (it reached EOL in October 2025).
  • Fix bug #605, that prevented the JWTBearerAuthentication scheme from being documented properly in OpenAPI Specification files.
  • Deprecate the auth_mode parameter for the JWTBearerAuthentication constructor, and add a new scheme parameter that will replace it.
  • Improve the code to not require returning an empty Identity() object in authentication handlers when authentication is not successful.
  • Upgrade GuardPost to 1.0.4, as it includes improved features and a built-in strategy to protect against brute-force authentication attempts (opt-in).
  • Upgrade pydantic to a version supported by Python 3.14.
  • Remove support for Pydantic v1 in Python 3.14. Support for Pydantic v1 will be removed soon.
  • Fix regression causing an import error when trying to use OpenAPI features without installing dependencies for JWT validation #606.
  • Add verification step to the main workflow to verify that basic functionalities work without optional dependencies.

v2.4.2

  • Add significant improvements to authentication and authorization features.

... (truncated)

Changelog

Sourced from blacksheep's changelog.

[2.4.6] - 2026-01-13

  • Fix CRLF injection vulnerability in the BlackSheep HTTP Client, reported by Jinho Ju (@​tr4ce-ju).
  • Add a SECURITY.md file.
  • Fix #646.
  • Modify the Cookie repr to not include the value in full, as it can contain secrets that would leak in logs.
  • Improve type annotations for several modules, by @​tyzhnenko.

[2.4.5] - 2025-11-15 🗻

[2.4.4] - 2025-11-15 🗻

  • Introduce MiddlewareList and MiddlewareCategory to simplify middleware management and ordering of middlewares (see #620). Middlewares are now automatically sorted by category (INIT, SESSION, AUTH, AUTHZ, BUSINESS, MESSAGE) and optional priority within each category. This ensures proper execution order (e.g., CORS before authentication, authentication before authorization) without requiring developers to manually manage middleware insertion order. The system maintains backward compatibility while providing a more intuitive and error-resistant approach to middleware configuration. The same improvement is applied both to the Application and to the ClientSession classes.
  • Add support for list[str] as a value for no-cache and private directives in code handling cache control headers, by @​karpetrosyan.
  • Fix bug #619, that caused surprising behavior (requiring an explicit fallback or catch-all route to handle web requests that didn't match any route, otherwise middlewares would be bypassed for the defined NotFound exception handler).
  • Change the text of Bad Request response body when the input from the client causes a TypeError when trying to bind to an instance of the expected type (it reduces the amount of details sent to the client).
  • Improve the user experience by ignoring extra properties in request body by default, when mapping to user-defined dataclasses, Pydantic v2 models, or classes (see #614). Previously, extra properties were not ignored by default and required the user to explicitly code their input classes to allow extra properties. This is also done for sub-properties, lists, and dictionaries. The user can still control how exactly input bodies from clients are converted using custom binders or altering blacksheep.server.bindings.class_converters.
  • Add support for specifying OpenAPI tags for controllers. This simplifies handling tags for documentation (#616).
  • Improve the build matrix to build wheels for arm64 architecture for Linux and Windows, and use cibuildwheel for Ubuntu and Windows, by @​bymoye and @​RobertoPrevato.
  • Update type annotations to Python >= 3.10.
  • Fix bug that would prevent union types described using pipes from being properly represented in OpenAPI specification.
  • Add support for alternative programming-style naming for generic types in OpenAPI specification files. When enabled, type names use underscore notation closer to

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [blacksheep](https://github.com/Neoteroi/BlackSheep) from 2.0.8 to 2.4.6.
- [Release notes](https://github.com/Neoteroi/BlackSheep/releases)
- [Changelog](https://github.com/Neoteroi/BlackSheep/blob/main/CHANGELOG.md)
- [Commits](Neoteroi/BlackSheep@v2.0.8...v2.4.6)

---
updated-dependencies:
- dependency-name: blacksheep
  dependency-version: 2.4.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot added the dependencies and python labels Jan 14, 2026
Labels

  • dependencies: Pull requests that update a dependency file
  • python: Pull requests that update python code
