Update dependency redis to v6 [SECURITY] by renovate[bot] · Pull Request #157 · palfrey/wharf · GitHub

Update dependency redis to v6 [SECURITY] #157


Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Contributor
@renovate renovate bot commented May 28, 2025

This PR contains the following updates:

Package | Change
redis (changelog) | ==5.2.1 -> ==6.2.0

BIT-keydb-2021-31294 / BIT-redis-2021-31294 / BIT-valkey-2021-31294 / CVE-2021-31294 / PYSEC-2023-312

More information

Details

Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command (specifically, a SET command). NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were not intended to have safety guarantees related to this.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


Release Notes

redis/redis-py (redis)

v6.2.0: 6.2.0

Compare Source

Changes

🚀 New Features

  • Add dynamic_startup_nodes parameter to async RedisCluster (#​3646)
  • Support RESP3 with hiredis-py parser (#​3648)
  • [Async] Support for transactions in async RedisCluster client (#​3649)

🐛 Bug Fixes

  • Revert wrongly changed default value for check_hostname when instantiating RedisSSLContext (#​3655)
  • Fixed potential deadlock from unexpected __del__ call (#​3654)

🧰 Maintenance

  • Update search_json_examples.ipynb: Fix the old import indexDefinition -> index_definition (#​3652)
  • Remove mandatory update of the CHANGES file for new PRs. Changes file will be kept for history for versions < 4.0.0 (#​3645)
  • Dropping Python 3.8 support as it has reached end of life (#​3657)
  • fix(doc): update Python print output in json doctests (#​3658)
  • Update redis-entraid dependency (#​3661)

Contributors

We'd like to thank all the contributors who worked on this release!
@​JCornat @​ShubhamKaudewar @​uglide @​petyaslavova @​vladvildanov

v6.1.0: 6.1.0

Compare Source

Changes

🚀 New Features

  • Support for transactions in RedisCluster client (#​3611)
  • Add equality and hashability to Retry and backoff classes (#​3628)

🐛 Bug Fixes

  • Fix RedisCluster ssl_check_hostname not set to connections. For SSL verification with ssl_cert_reqs="none", check_hostname is set to False (#​3637)
  • Prevent RuntimeError while reinitializing clusters - sync and async (#​3633)
  • Add equality and hashability to Retry and backoff classes (#​3628) - fixes integration with Django RQ
  • Fix AttributeError on ClusterPipeline (#​3634)

🧰 Maintenance

  • Updating the readme and lib version to contain the changes from the latest stable release (#​3644)
  • Export REDIS_MAJOR_VERSION correctly in run-tests (#​3642)
  • Fix matrix in hiredis-py-integration.yaml (#​3641)
  • Test against unstable hiredis-py (#​3617)
  • Adding return types for the RedisModuleCommands class (#​3632)
  • Updating Redis 8 test image for GH pipeline (#​3639)
  • Allow newer PyJWT versions (#​3636)
  • Change type hints with possible None args or return types to be annotated with Optional - includes commands in core.py and json commands (#​3610)

🙏 Special Thanks

A big thank you to our collaborators at Scopely for their valuable contributions to this release! Your support and improvements help move the project forward — we appreciate it!

Contributors

We'd like to thank all the contributors who worked on this release!
@​robertosantamaria-scopely @​sentrivana @​terencehonles @​kesha1225 @​aberres @​uglide @​omerfeyzioglu @​petyaslavova @​vladvildanov @​andy-stark-redis

v6.0.0: 6.0.0

Compare Source

Changes

🚀 New Features

  • New hash commands with expiration options support are added - HGETDEL, HGETEX, HSETEX (#​3570)
  • Adds option not to raise an exception when leaving context manager after lock expiration (#​3531)
  • Add force_master_ip support to async Sentinel client (#​3524)

🧪 Experimental Features

  • Adding VectorSet commands support. (#​3584)

🔥 Breaking changes

  • Changing the default value for ssl_check_hostname to True, to ensure security validations are not skipped by default (#​3626)
    Important: When connecting to a Redis master via Sentinel, you may need to set ssl_check_hostname=False if the Sentinel service is not configured to return hostnames.
    Refer to issue #​3629 for more details.
  • Updated default value of 'require_full_coverage' argument to true for sync Cluster client to match sync/async cluster APIs (#​3434)
  • Adding default retry configuration changes for cluster clients (#​3622)
    Important: When instantiating a cluster client retry object becomes mandatory.
    • If retry object is not provided a default one is created with ExponentialWithJitterBackoff strategy and number of retries synced with 'cluster_error_retry_attempts'
    • In case a retry object is provided, its number of retries will be used for cluster operations number of retries and 'cluster_error_retry_attempts' will be ignored
    • Argument 'cluster_error_retry_attempts' is now deprecated
    • For Async Cluster Client the argument 'connection_error_retry_attempts' is completely removed
  • Updating default retry strategy for standalone clients. 3 retries with ExponentialWithJitterBackoff become the default config. (#​3614)
  • Removing 'charset' and 'errors' inputs from the Redis initialization arguments - deprecated 3 years ago. (#​3608)
  • Removing support for RedisGears module. (#​3553). For more info you can check the deprecated Redis features
  • Removing support for RedisGraph module. (#​3548). For more info you can check the deprecated Redis features
  • Fixing typing for FCALL commands to match PEP 484 (#​3537)
  • Moved ClusterParser exceptions to BaseParser class (#​3475)
  • Changed default dialect to 2 (#​3467) - This release introduces a client-side default dialect for Redis’ search and query capabilities. By default, the client now overrides the server-side dialect with version 2, automatically appending DIALECT 2 to commands like FT.AGGREGATE and FT.SEARCH.
    Important: Be aware that the query dialect may impact the results returned. If needed, you can revert to a different dialect version by configuring the client accordingly. You can find further details in the query dialect documentation.

⚠️ Deprecations

  • Adding default retry configuration changes for cluster clients (#​3622)
  • Updating default retry strategy for standalone clients. 3 retries with ExponentialWithJitterBackoff become the default config. (#​3614)
  • Marks old RediSearch 1.0 commands as deprecated (#​3606)
  • Adding deprecation messages for the exposed in search module commands: FT.CONFIG GET and FT.CONFIG SET (#​3499 #​3500 )
  • Deprecating Search module config_set and config_get commands. Adding tests for modules ACL and modules config changes in 8.0 (#​3489)

🐛 Bug Fixes

  • Handling some special values when transforming response data into list (issue #​3573) (#​3586)
  • Fixed infinitely recursive health checks (#​3557)
  • Fixing search module dropindex function not to send invalid third parameter. Updating pipeline infra (#​3564)
  • Fixing async cluster pipeline execution when client is created with cluster_error_retry_attempts=0 (#​3545)
  • Fix client_list with multiple client ids (#​3539)
  • Add valid Exception type to Except in ClusterPipeline (#​3516)
  • Fix #​3130 TimeoutError during ClusterPipeline makes the client unrecoverable (#​3513)
  • Fix connection health check for protocol != 2 when auth credentials are provided and health check interval is configured (#​3477)
  • Fix AttributeError when client.get_default_node() returns None (#​3458)
  • fix: add TimeoutError handling in get_connection() (#​1485)
  • Avoid stacktrace on process exit in Client.del() (#​3397)

🧰 Maintenance

  • Updating pipeline tests to use test libs image with RC2. Updating timeseries tests. (#​3623)
  • Fixing flaky tests - part 2 (#​3592)
  • DOC-5107 added hash examples for index/query intro page (#​3609)
  • DOC-5073 vector set quantization and dimension reduction examples (#​3597)
  • Fixing some sporadically failing tests - part 1 (#​3589)
  • DOC-5073 added examples for vector sets intro page (#​3590)
  • Fix incorrect link to docs for fcall_ro command (#​3576)
  • Improvement: Use shutdown() Before close() in connection.py (#​3567)
  • Truncate pipeline exception message to a sane size (#​3530)
  • Docs/raae 724/remove redis ventures (#​3579)
  • Adding info for sentinel handling failover when Redis client is acquired with master_for() method. (#​3578)
  • Type hints improvements (#​3420 #​3480 #​3522 #​3526)
  • Increasing the operations-per-run for stale issues GH action (#​3556)
  • Got rid of time.time() everywhere (#​3551)
  • Removing deprecated usage of forbid_global_loop=True in pytest.mark.asyncio decorator (#​3542)
  • allow more recent pyopenssl (#​3541)
  • Bump rojopolis/spellcheck-github-actions from 0.38.0 to 0.47.0 (#​3538)
  • Fix LockError message when releasing a lock. (#​3534)
  • Fix readthedocs.yml integration (#​3527 #​3528 #​3529)
  • Adding vector search tests for types int8/uint8 (#​3525)
  • Adding requested resources into sdist. Fix for issue #​3057 (#​3511)
  • maintenance: Python 3.13 compatibility (#​3510)
  • Adding unit test for core info command related to modules info (#​3507)
  • Update connection_examples.ipynb (#​3504)
  • Update Python imports in doc examples (index_definition => indexDefinition) (#​3490)
  • DOC-4736 added geo indexing examples (#​3485)
  • Updated test infrastructure with latest versions (#​3484)
  • fix: update redis university url, the old link doesn't work (#​3481)
  • Fix #​3464: Correct misleading exception_handler example in docs (#​3474)
  • Added Redis 8.0 to test matrix (#​3469)
  • Added workflow_dispatch for pypi release workflow (#​3465)
  • Avoid the multiprocessing forkserver method in Python 3.14 (#​3442)
  • Fix inaccurate docstring for unwatch() (#​3424)
  • Update README.md - Fix 'Note' - bold (#​3413)
  • skip ssl import if not available (#​3078)
  • Replace flake8+isort+black with ruff (#​3147)
  • Fixes minor grammar nit in documentation. (#​3354)

Contributors

We'd like to thank all the contributors who worked on this release!
@​elena-kolevska @​petyaslavova @​vladvildanov @​andy-stark-redis @​JimNero009 @​donbowman @​julianolm @​666romeo @​three-kinds @​bssyousefi @​mbilski @​Yard1 @​bacchuswng @​noirbee @​nbertram @​birthdaysgift @​Perlence @​excitoon @​dimbleby @​shenxiangzhuang @​paololazzari @​dwdougherty @​niklasbec @​byeongjulee222 @​befeleme @​djroze @​BaseMax @​dicej @​akx @​cavemanpi @​lattwood @​rbs333 @​rohansingh @​allrob23

v5.3.0: 5.3.0

Compare Source

Changes

🚀 New Features

Token-based authentication:

  • Added StreamingCredentialProvider interface (#​3445)
  • Extended CredentialProvider class with get_credentials_async method (#​3445)
  • Added event-driven entities (Dispatcher, Listener, Events) (#​3445)

The new StreamingCredentialProvider interface was added with the idea of integrating redis-py with credential providers that stream events that should be handled by given listeners.

Check the documentation for the quick start guide.

The CredentialProvider instance creation interface was enhanced. Feel free to check the updated documentation.

Other features:

  • Exponential with jitter backoff (#​3550)
  • Adding load balancing strategy configuration to cluster clients (replacement for 'read_from_replicas' config) (#​3563)

⚠️ Deprecations

  • Deprecating unused arguments in connection pools' get_connection functions (#​3517 #​3625)
  • Adding load balancing strategy configuration to cluster clients (replacement for 'read_from_replicas' config) (#​3563)

🐛 Bug Fixes

  • When SlotNotCoveredError is raised, the cluster topology should be reinitialized as part of error handling and retrying of the commands. (#​3621)
  • Fixed Token-based authentication documentation
  • Fixed bug with missing PyJWT dependency (#​3462)
  • Fixed flaky TokenManager test (#​3468)
  • Fix incorrect attribute reuse in redis.connection.CacheProxyConnection (#​3456)
  • Moved self._lock initialisation to Pool constructor (#​3473)
  • Remove decreasing of created connections count when releasing not owned by connection pool connection(fixes issue #​2832). (#​3514)

🧰 Maintenance

  • Updated CredentialProvider test infrastructure (#​3502)
  • Expand type for EncodedT (#​3472)
  • DOC-4423: add TCEs for various command pages (#​3476)
  • DOC-4345 added testable JSON search examples for home page (#​3407)
  • DOC-4796 fixed capped lists example (#​3493)
  • Added unit test fix to improve compatibility with MacOS (#​3486)
  • Added missing type hints (#​3494 #​3495 #​3496 #​3357)
  • Replacing the redis and redis-stack-server images with redis-libs-tests image in test infrastructure (#​3505)

Contributors

We'd like to thank all the contributors who worked on this release!

@​uglide @​woutdenolf @​vladvildanov @​hauntsaninja @​dwdougherty @​patrick91 @​Vulwsztyn @​JimNero009 @​andy-stark-redis @​petyaslavova


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
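The ssl_check_hostname change in 6.0.0 and the follow-up fix in 6.1.0 (check_hostname forced to False when ssl_cert_reqs="none") both rest on a constraint in Python's ssl module: a context cannot have hostname checking enabled while certificate verification is off. The block below is an added illustration, not redis-py's code and not part of the wharf project or this PR; build_ssl_context, hostname_check_is_effective and the _CERT_REQS mapping are hypothetical helpers that reproduce the documented option behaviour using only the standard library, so it runs without a Redis server.

```python
import ssl

# Mapping from the ssl_cert_reqs strings redis-py accepts ("none", "optional",
# "required") onto ssl.VerifyMode. Assumed for illustration; not redis-py's code.
_CERT_REQS = {
    "none": ssl.CERT_NONE,
    "optional": ssl.CERT_OPTIONAL,
    "required": ssl.CERT_REQUIRED,
}


def build_ssl_context(ssl_cert_reqs="required", ssl_check_hostname=True):
    """Build an SSLContext the way the two redis-py options are described.

    The defaults mirror redis-py 6.0.0 (ssl_check_hostname=True). With
    ssl_cert_reqs="none" the hostname check is forced off, matching the 6.1.0
    fix note, because Python refuses check_hostname=True together with CERT_NONE.
    """
    mode = _CERT_REQS[ssl_cert_reqs]
    # create_default_context() starts out with CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if mode is ssl.CERT_NONE:
        # check_hostname has to be cleared before verify_mode may drop to CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.verify_mode = mode
        ctx.check_hostname = ssl_check_hostname
    return ctx


def hostname_check_is_effective(ctx):
    """True only when the peer certificate is validated AND its name is matched.

    Validation without the name match (the pre-6.0 default) accepts any
    certificate the CA signed, whichever host presents it.
    """
    return ctx.verify_mode != ssl.CERT_NONE and ctx.check_hostname


def disabling_verification_under_hostname_check_raises():
    """Demonstrate the stdlib constraint behind the 6.1.0 fix: while
    check_hostname is on, verify_mode cannot be set to CERT_NONE."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    combos = [("required", True), ("required", False), ("none", False), ("none", True)]
    for reqs, check in combos:
        ctx = build_ssl_context(reqs, check)
        print(f"ssl_cert_reqs={reqs!r:10} ssl_check_hostname={check!s:5} -> "
              f"verify_mode={ctx.verify_mode.name} check_hostname={ctx.check_hostname} "
              f"effective={hostname_check_is_effective(ctx)}")
    print("CERT_NONE rejected while check_hostname is on:",
          disabling_verification_under_hostname_check_raises())
```

Running it shows why the 6.0.0 change matters: with the old default (ssl_check_hostname=False) the chain is still validated but hostname_check_is_effective() is False, so a certificate for any name issued by a trusted CA would be accepted. It also shows why the Sentinel note above exists: once the name match is mandatory, a master address returned as an IP will not match a certificate issued for a hostname.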

@renovate renovate bot enabled auto-merge May 28, 2025 18:29
@palfrey palfrey disabled auto-merge May 28, 2025 21:11
@palfrey palfrey closed this May 28, 2025
Contributor Author
renovate bot commented May 28, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 6.x releases. But if you manually upgrade to 6.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@palfrey
Owner
palfrey commented May 28, 2025
