v3.0.2
Security
-
Dependency floor bumps for 13 CVEs flagged by Component Governance (#909) — bumped minimum versions for direct dependencies with known vulnerabilities, and added explicit minimum-version pins for vulnerable transitive dependencies to prevent silent downgrades:
Package Old Min New Min azure-core>=1.24.0>=1.38.0cryptography>=43.0.1>=48.0.0jinja2>=3.1.5>=3.1.6lxml>=4.6.5>=6.1.1pyjwt>=2.3.0>=2.13.0urllib3>=2.6.3>=2.7.0tornado>=6.4.2>=6.5.5aiohttp(unpinned) >=3.14.0h11(unpinned) >=0.16.0idna(unpinned) >=3.15jaraco.context(unpinned) >=6.1.0Pillow(unpinned) >=12.2.0filelock(dev)>=3.0.0>=3.29.1
Bug Fixes
- Cybereason driver: failsafe JSON parsing — added a try/except around response JSON parsing to avoid unhandled exceptions on malformed API responses. (#908)
azure-mgmt-resource26.0.0 compatibility — the 26.0.0 release movedResourceManagementClientto a new import path and introduced other breaking changes, which broke every Sentinel/Azure context provider import. Capped the dependency to<26.0.0.- mypy false positive on numpy 2.5 stubs — mypy was inferring its syntax-checking target from
setup.cfg's minimum supported Python version instead of the interpreter actually running it, causing a spurious failure on numpy's PEP 695 stub syntax. mypy now runs with an explicit--python-versionmatching the CI job. Also fixed 6 real (previously-masked) type errors this uncovered acrossnbinit.py,azure_ml_tools.py,pivot_magic_core.py,polling_detection.py,eventcluster.py, andfoliummap.py.
Removed
conda/requirements files andrequirements-all.txtare no longer tracked in the repository. These were unmaintained/unenforced duplicates of the dependency set already declared insetup.py's extras. Usepip install -e ".[test]"(or.[all]for just the optional extras) instead.tools/create_reqs_all.pyremains available as a manual, on-demand generator if you need a frozenrequirements-all.txtlocally.- Removed the
check_reqs_allpre-commit hook, which used to auto-rewriterequirements-all.txt(and strip its hand-maintained comments) on every commit touching a Python file. - Removed
tests/test_pkg_imports.py::test_conda_reqs; kept and simplifiedtest_missing_pkgs_req.
Internal / CI
- Fixed a stdlib-detection bug in
tools/toollib/import_analyzer.pythat misclassified standard-library modules as missing packages when run from auv-managed virtual environment (usedsys.prefixonly; now also checkssys.base_prefix). - Simplified GitHub Actions and Azure Pipelines CI installs to use
pip install -e ".[test]"in place of separaterequirements-all.txt+requirements-dev.txtsteps; updated pip cache keys accordingly and fixed a stray cache-key path typo in the docs job. - Updated
.devcontainer/Dockerfileto installmsticpy[test]directly. sphinxrequirement split by Python version (>=8.1.3for Python ≤3.11,>=9.1.0for Python ≥3.12). (#902)azure-storage-blobminimum bumped to>=12.28.0. (#903)
Dependency Updates
Development / CI
| Package | Old | New |
|---|---|---|
coverage
| >=7.13.5
| >=7.14.1
|
filelock
| >=3.0.0
| >=3.29.1
|
ruff
| >=0.15.12
| >=0.15.16
|
respx
| >=0.20.1
| >=0.22.0 (required for httpx>=0.28.0 compatibility)
|
sphinx
| >=5.0.1,<8.0.0
| >=8.1.3 (py≤3.11) / >=9.1.0 (py≥3.12)
|
Runtime
| Package | Old | New |
|---|---|---|
tldextract
| >=2.2.2
| >=5.3.1
|
python-dateutil
| >=2.8.1
| >=2.9.0.post0
|
azure-storage-blob
| >=12.5.0
| >=12.28.0
|
Full Changelog: v3.0.1...v3.0.2