Merge pull request #250 from pusher/security/bump-python-deps

Bump Python 3.10+ dependencies to resolve known vulnerabilities (v3.3.4)

Author: Keith-wright

.github/workflows/release.yml

@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Prepare tag
@@ -26,7 +26,7 @@ jobs:
         id: release_output
         if: ${{ steps.prepare_tag.outcome == 'success' }}
         run: |
-          echo "::set-output name=tag::${{ env.TAG }}"
+          echo "tag=${{ env.TAG }}" >> $GITHUB_OUTPUT
     outputs:
       tag: ${{ steps.release_output.outputs.tag }}
 
@@ -35,7 +35,7 @@ jobs:
     needs: check-release-tag
     if: ${{ needs.check-release-tag.outputs.tag }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Prepare tag
         run: |
           export TAG=v$(awk '/VERSION =/ { gsub("'"\'"'",""); print $3 }' pusher/version.py)
@@ -49,22 +49,22 @@ jobs:
           csplit -s CHANGELOG.md "/##/" {1}
           cat xx01 > CHANGELOG.tmp
       - name: Create Release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: softprops/action-gh-release@v2.6.1
         with:
           tag_name: ${{ env.TAG }}
-          release_name: ${{ env.TAG }}
+          name: ${{ env.TAG }}
           body_path: CHANGELOG.tmp
           draft: false
           prerelease: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   upload-to-PyPI:
     runs-on: ubuntu-latest
     needs: create-github-release
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
         with:
             python-version: '3.10'
       - name: Build package

.github/workflows/release_pr.yml

@@ -11,13 +11,13 @@ jobs:
     name: Prepare release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Get current version
         shell: bash
         run: |
           CURRENT_VERSION=$(awk '/VERSION =/ { gsub("'"\'"'",""); print $3 }' pusher/version.py)
           echo "CURRENT_VERSION=$CURRENT_VERSION" >> $GITHUB_ENV
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           repository: pusher/public_actions
           path: .github/actions

.github/workflows/test.yml

@@ -7,25 +7,25 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        python: [3.6, 3.7, 3.8, "3.10"]
+        python: ["3.10", "3.11", "3.12"]
 
     name: Python ${{ matrix.python }} Test
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Setup Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python }}
 
       - name: Install dependencies
         run: pip install -r requirements.txt
 
       - name: Run test suite
-        run: python setup.py test
+        run: python -m unittest discover -s pusher_tests --top-level-directory .

CHANGELOG.md

@@ -1,12 +1,16 @@
 # Changelog
 
+## 3.3.4
+
+- [FIXED] Bump Python 3.10+ dependencies to resolve known vulnerabilities: cryptography (41.0.0 → 46.0.5), requests (2.27.1 → 2.32.4), urllib3 (1.26.9 → 2.6.3), aiohttp (3.8.1 → 3.13.3), pynacl (1.5.0 → 1.6.2)
+
 ## 3.3.2
 
-- [CHANGED] Utilities no longer escape non ascii characters. 
+- [CHANGED] Utilities no longer escape non ascii characters. 
 
 ## 3.3.1
 
-- [ADDED] Allow Client to accept float as a timeout
+- [ADDED] Allow Client to accept float as a timeout
 - [CHANGED] the maximum event payload size permitted by this library has been increased. This change affects the library only: the Channels API still maintains a 10kb size limit and will return an error if the payload is too large.
 
 ## 3.3.0

pusher/aiohttp.py

@@ -7,7 +7,6 @@
     division)
 
 import aiohttp
-import asyncio
 
 from pusher.http import process_response
 
@@ -21,23 +20,22 @@ def __init__(self, client):
         self.client = client
 
 
-    @asyncio.coroutine
-    def send_request(self, request):
+    async def send_request(self, request):
         session = response = None
         try:
             session = aiohttp.ClientSession()
-            response = yield from session.request(
+            response = await session.request(
                 request.method,
                 "%s%s" % (request.base_url, request.path),
                 params=request.query_params,
                 data=request.body,
                 headers=request.headers,
                 timeout=self.client.timeout
             )
-            body = yield from response.text('utf-8')
+            body = await response.text('utf-8')
             return process_response(response.status, body)
         finally:
             if response is not None:
                 response.close()
             if session is not None:
-                yield from session.close()
+                await session.close()

pusher/version.py

@@ -1,2 +1,2 @@
 # Don't change the format of this line: the version is extracted by ../setup.py
-VERSION = '3.3.3'
+VERSION = '3.3.4'

requirements.txt

@@ -16,30 +16,31 @@ pyOpenSSL==19.0.0; python_version < '3.10'
 requests==2.22.0; python_version < '3.10'
 six==1.12.0; python_version < '3.10'
 urllib3==1.25.9; python_version < '3.10'
-aiohttp==3.5.4; python_version >= '3.5' and python_version < '3.10'
-aiohttp==3.8.1; python_version >= '3.10'
-aiosignal==1.2.0; python_version >= '3.10'
+aiohappyeyeballs==2.6.1; python_version >= '3.10'
+aiohttp==3.13.3; python_version >= '3.10'
+aiosignal==1.4.0; python_version >= '3.10'
 async-timeout==3.0.1; python_version >= '3.5' and python_version < '3.10'
-async-timeout==4.0.2; python_version >= '3.10'
+async-timeout==5.0.1; python_version >= '3.10'
 attrs==19.1.0; python_version >= '3.5' and python_version < '3.10'
-attrs==21.4.0; python_version >= '3.10'
-certifi==2021.10.8; python_version >= '3.10'
-charset-normalizer==2.0.12; python_version >= '3.10'
-cryptography==41.0.0; python_version >= '3.10'
-frozenlist==1.3.0; python_version >= '3.10'
+attrs==25.4.0; python_version >= '3.10'
+certifi==2026.2.25; python_version >= '3.10'
+charset-normalizer==3.4.6; python_version >= '3.10'
+cryptography==46.0.5; python_version >= '3.10'
+frozenlist==1.8.0; python_version >= '3.10'
 httpretty==1.1.4; python_version >= '3.10'
 idna-ssl==1.1.0; python_version >= '3.5' and python_version < '3.7'
-idna==3.3; python_version >= '3.10'
+idna==3.11; python_version >= '3.10'
 multidict==4.5.2; python_version >= '3.5' and python_version < '3.10'
-multidict==6.0.2; python_version >= '3.10'
+multidict==6.7.1; python_version >= '3.10'
+propcache==0.4.1; python_version >= '3.10'
 py==1.11.0; python_version >= '3.10'
-pycparser==2.21; python_version >= '3.10'
-PyNaCl==1.5.0; python_version >= '3.10'
+pycparser==2.23; python_version >= '3.10'
+PyNaCl==1.6.2; python_version >= '3.10'
 pyparsing==3.0.8; python_version >= '3.10'
-requests==2.27.1; python_version >= '3.10'
-six==1.16.0; python_version >= '3.10'
+requests==2.32.4; python_version >= '3.10'
+six==1.17.0; python_version >= '3.10'
 tornado==5.1.1; python_version < '3.5'
 tornado==6.0.2; python_version >= '3.5' and python_version < '3.10'
-urllib3==1.26.9; python_version >= '3.10'
+urllib3==2.6.3; python_version >= '3.10'
 yarl==1.3.0; python_version >= '3.5' and python_version < '3.10'
-yarl==1.7.2; python_version >= '3.10'
+yarl==1.22.0; python_version >= '3.10'