build(deps): bump webob from 1.8.9 to 1.8.10 in /requirements #437

Open: dependabot[bot] wants to merge 1 commit into master from dependabot/pip/requirements/webob-1.8.10

dependabot[bot] commented on behalf of github on Jun 4, 2026

Bumps webob from 1.8.9 to 1.8.10.

Changelog

Sourced from webob's changelog.

Unreleased

Security Fix

- The use of WebOb's Response object to redirect a request to a new location
  can lead to an open redirect if the Location header is not a full URI.

  See https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
  and CVE-2024-42353

  Thanks to Sara Gao for the report

  (This fix was released in WebOb 1.8.8)

- The fix for CVE-2024-42353 was incomplete: a Location value containing
  ASCII tab, carriage return, or line feed characters between consecutive
  slashes could still be interpreted as a protocol-relative URL by
  urllib.parse.urljoin on Python 3.10+, allowing an open redirect.

  See https://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95

  Thanks to Caleb Brown of Google for the report.

  (This fix was released in WebOb 1.8.10)

Feature

- Rename "master" git branch to "main"

- Add support for Python 3.12.

- Add support for Python 3.13.

- Add support for Python 3.14.

- Add Request.remote_host, exposing REMOTE_HOST environment variable.

- Added acceptparse.Accept.parse_offer to codify what types of offers
  are compatible with acceptparse.AcceptValidHeader.acceptable_offers,
  acceptparse.AcceptMissingHeader.acceptable_offers, and
  acceptparse.AcceptInvalidHeader.acceptable_offers. This API also
  normalizes the offer with lowercased type/subtype and parameter names.
  See https://github.com/Pylons/webob/pull/376 and
  https://github.com/Pylons/webob/pull/379

Compatibility
... (truncated)
<details>
<summary>Commits</summary>

<ul>
<li><a href="https://github.com/Pylons/webob/commit/b240857958df492ef71bb00fb4b5365ecd92480a"><code>b240857</code></a> Merge commit from fork</li>
<li><a href="https://github.com/Pylons/webob/commit/57d78a3950a78a2d45cebefb477ad672165a15d9"><code>57d78a3</code></a> Release 1.8.10</li>
<li><a href="https://github.com/Pylons/webob/commit/228fb77a8be61c006d6c20d9df9fd7c840b1cc9a"><code>228fb77</code></a> Backport of 7121e8c from main to fix test suite on Python &gt;=3.10 which got a ...</li>
<li><a href="https://github.com/Pylons/webob/commit/21c1c582bff83dc6f95fdb055e31a36db6d26e89"><code>21c1c58</code></a> Fix open redirect issue due to changes made in cPython &gt;=3.10</li>
<li><a href="https://github.com/Pylons/webob/commit/5e52ea46a171fbebcb04a70b2a6a0803fdcca0eb"><code>5e52ea4</code></a> Allow docs to build again</li>
<li>See full diff in <a href="https://github.com/Pylons/webob/compare/1.8.9...1.8.10">compare view</a></li>
</ul>
</details>
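
The parser behaviour named in the second Security Fix entry, as an added example (not WebOb's code or its patch): on Python 3.10+ `urllib.parse` drops tab, CR and LF before parsing, so a prefix-only check and `urljoin` can disagree about where a Location value points. `BASE`, the sample values and every function name here are constructed for illustration; `strict_is_local` rejects all ASCII control characters, a superset of the three the changelog names.

```python
from urllib.parse import urljoin, urlsplit

BASE = "https://app.example/login"  # constructed request URI (assumption)

# Constructed Location values: one ordinary path, one plain protocol-relative
# URL, and two with tab / CR LF between the leading slashes.
SAMPLES = [
    "/account/settings",
    "//other.example/path",
    "/\t/other.example/path",
    "/\r\n/other.example/path",
]


def naive_is_local(location: str) -> bool:
    """Prefix-only check: a path that does not begin with '//'."""
    return location.startswith("/") and not location.startswith("//")


def resolved_host(location: str, base: str = BASE) -> str:
    """Host the redirect points at once joined against the request URI."""
    return urlsplit(urljoin(base, location)).netloc


def strict_is_local(location: str, base: str = BASE) -> bool:
    """Refuse control characters, then require the joined URL to keep the
    scheme and host of the request URI."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in location):
        return False
    if not naive_is_local(location):
        return False
    joined, expected = urlsplit(urljoin(base, location)), urlsplit(base)
    return (joined.scheme, joined.netloc) == (expected.scheme, expected.netloc)


def audit(samples=SAMPLES):
    """Return (value, naive verdict, resolved host, strict verdict) rows."""
    return [
        (s, naive_is_local(s), resolved_host(s), strict_is_local(s))
        for s in samples
    ]


if __name__ == "__main__":
    for value, naive, host, strict in audit():
        print(f"{value!r:32} naive={naive!s:5} host={host:15} strict={strict}")
```

A regression test for an application that builds redirects from request data can assert the same rows against its own validation helper, before and after the dependency bump.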


dependabot[bot] added the dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code) labels on Jun 4, 2026
Bumps [webob](https://github.com/Pylons/webob) from 1.8.9 to 1.8.10.
- [Changelog](https://github.com/Pylons/webob/blob/main/CHANGES.txt)
- [Commits](Pylons/webob@1.8.9...1.8.10)

---
updated-dependencies:
- dependency-name: webob
  dependency-version: 1.8.10
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/pip/requirements/webob-1.8.10 branch from 81a8e2f to 8b40606 on June 5, 2026 05:04