Bump the pip group across 1 directory with 4 updates

[dependabot]

Bumps the pip group with 4 updates in the / directory: certifi, lxml, py and scrapy.

Updates certifi from 2019.9.11 to 2023.7.22

Commits

• 8fb96ed 2023.07.22
• afe7722 Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)
• 2038739 Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)
• 44df761 Hash pin Actions and enable dependabot (#228)
• 8b3d7ba 2023.05.07
• 53da240 ci: Add Python 3.12-dev to the testing (#224)
• c2fc3b1 Create a Security Policy (#222)
• c211ef4 Set up permissions to github workflows (#218)
• 2087de5 Don't let deprecation warning fail CI (#219)
• e0b9fc5 remove paragraphs about 1024-bit roots from README
• Additional commits viewable in compare view

Updates lxml from 4.4.1 to 4.9.1

Changelog

Sourced from lxml's changelog.

4.9.1 (2022-07-01)

Bugs fixed

• A crash was resolved when using iterwalk() (or canonicalize()) after parsing certain incorrect input. Note that iterwalk() can crash on valid input parsed with the same parser after failing to parse the incorrect input.

4.9.0 (2022-06-01)

Bugs fixed

• GH#341: The mixin inheritance order in lxml.html was corrected. Patch by xmo-odoo.

Other changes

• Built with Cython 0.29.30 to adapt to changes in Python 3.11 and 3.12.

• Wheels include zlib 1.2.12, libxml2 2.9.14 and libxslt 1.1.35 (libxml2 2.9.12+ and libxslt 1.1.34 on Windows).

• GH#343: Windows-AArch64 build support in Visual Studio. Patch by Steve Dower.

4.8.0 (2022-02-17)

Features added

• GH#337: Path-like objects are now supported throughout the API instead of just strings. Patch by Henning Janssen.

• The ElementMaker now supports QName values as tags, which always override the default namespace of the factory.

Bugs fixed

• GH#338: In lxml.objectify, the XSI float annotation "nan" and "inf" were spelled in lower case, whereas XML Schema datatypes define them as "NaN" and "INF" respectively.

... (truncated)

Commits

• d01872c Prevent parse failure in new test from leaking into later test runs.
• d65e632 Prepare release of lxml 4.9.1.
• 86368e9 Fix a crash when incorrect parser input occurs together with usages of iterwa...
• 50c2764 Delete unused Travis CI config and reference in docs (GH-345)
• 8f0bf2d Try to speed up the musllinux AArch64 build by splitting the different CPytho...
• b9f7074 Remove debug print from test.
• b224e0f Try to install 'xz' in wheel builds, if available, since it's now needed to e...
• 897ebfa Update macOS deployment target version from 10.14 to 10.15 since 10.14 starts...
• 853c9e9 Prepare release of 4.9.0.
• d3f77e6 Add a test for https://bugs.launchpad.net/lxml/+bug/1965070 leaving out the a...
• Additional commits viewable in compare view

Updates py from 1.10.0 to 1.11.0

Changelog

Sourced from py's changelog.

1.11.0 (2021-11-04)

• Support Python 3.11
• Support NO_COLOR environment variable
• Update vendored apipkg: 1.5 => 2.0

Commits

• 447bac5 Update CHANGELOG.rst
• 6d003d9 Update CHANGELOG.rst
• 9cf613f Declare support for Python 3.8-3.10
• d831150 Update python_requires: Python 3.4 was already dropped
• e68532e Update CHANGELOG for 1.11.0
• 2f03e5a Merge pull request #258 from blueyed/NO_COLOR
• e116b2b Merge pull request #275 from pytest-dev/upgrade-vendor-libs
• f3a1a59 remove build pin again
• f6cbf28 try to use pipx tox
• 3fe9ad7 try to use preinstalled tox
• Additional commits viewable in compare view

Updates scrapy from 1.8.1 to 2.11.2

Release notes

Sourced from scrapy's releases.

2.11.2

Mostly bug fixes, including security bug fixes.

See the full changelog.

2.11.1

• Security bug fixes.
• Support for Twisted >= 23.8.0.
• Documentation improvements.

See the full changelog.

2.11.0

• Spiders can now modify settings in their from_crawler methods, e.g. based on spider arguments.
• Periodic logging of stats.
• Bug fixes.

See the full changelog.

2.10.1

Marked Twisted >= 23.8.0 as unsupported.

2.10.0

• Added Python 3.12 support, dropped Python 3.7 support.
• The new add-ons framework simplifies configuring 3rd-party components that support it.
• Exceptions to retry can now be configured.
• Many fixes and improvements for feed exports.

See the full changelog.

2.9.0

• Per-domain download settings.
• Compatibility with new cryptography and new parsel.
• JMESPath selectors from the new parsel.
• Bug fixes.

See the full changelog.

2.8.0

This is a maintenance release, with minor features, bug fixes, and cleanups.

See the full changelog.

2.7.1

• Relaxed the restriction introduced in 2.6.2 so that the Proxy-Authentication header can again be set explicitly in certain cases, restoring compatibility with scrapy-zyte-smartproxy 2.1.0 and older
• Bug fixes

See the full changelog

2.7.0

... (truncated)

Changelog

Sourced from scrapy's changelog.

Scrapy 2.11.2 (2024-05-14)

Security bug fixes

-   Redirects to non-HTTP protocols are no longer followed. Please, see the
    `23j4-mw76-5v7h security advisory`_ for more information. (:issue:`457`)
.. _23j4-mw76-5v7h security advisory: https://github.com/scrapy/scrapy/security/advisories/GHSA-23j4-mw76-5v7h



The Authorization header is now dropped on redirects to a different
scheme (http:// or https://) or port, even if the domain is the
same. Please, see the 4qqq-9vqf-3h3f security advisory_ for more
information.
.. _4qqq-9vqf-3h3f security advisory: https://github.com/scrapy/scrapy/security/advisories/GHSA-4qqq-9vqf-3h3f


When using system proxy settings that are different for http:// and
https://, redirects to a different URL scheme will now also trigger the
corresponding change in proxy settings for the redirected request. Please,
see the jm3v-qxmh-hxwv security advisory_ for more information.
(:issue:767)
.. _jm3v-qxmh-hxwv security advisory: https://github.com/scrapy/scrapy/security/advisories/GHSA-jm3v-qxmh-hxwv


:attr:Spider.allowed_domains <scrapy.Spider.allowed_domains> is now
enforced for all requests, and not only requests from spider callbacks.
(:issue:1042, :issue:2241, :issue:6358)


:func:~scrapy.utils.iterators.xmliter_lxml no longer resolves XML
entities. (:issue:6265)


defusedxml_ is now used to make
:class:scrapy.http.request.rpc.XmlRpcRequest more secure.
(:issue:6250, :issue:6251)
.. _defusedxml: https://github.com/tiran/defusedxml


Bug fixes

-   Restored support for brotlipy_, which had been dropped in Scrapy 2.11.1 in
    favor of brotli_. (:issue:`6261`)
.. _brotli: https://github.com/google/brotli

.. note:: brotlipy is deprecated, both in Scrapy and upstream. Use brotli
    instead if you can.

</tr></table>

</code></pre>

</blockquote>

<p>... (truncated)</p>

</details>

<details>

<summary>Commits</summary>
<ul>

<li><a href="https://github.com/scrapy/scrapy/commit/e8cb5a03b382b98f2c8945355076390f708b918d&quot;&gt;&lt;code&gt;e8cb5a0&lt;/code&gt;&lt;/a> Bump version: 2.11.1 → 2.11.2</li>

<li><a href="https://github.com/scrapy/scrapy/commit/2c031f4061ae9bf486cc9e2a699355450638e8c2&quot;&gt;&lt;code&gt;2c031f4&lt;/code&gt;&lt;/a> Set the release date of 2.11.2</li>

<li><a href="https://github.com/scrapy/scrapy/commit/3ffa17c0204deb3bdf2c7c60f5a56c9f777698c6&quot;&gt;&lt;code&gt;3ffa17c&lt;/code&gt;&lt;/a> Use posargs for pypy3-pinned</li>

<li><a href="https://github.com/scrapy/scrapy/commit/c6a8f0e4d945622a7e71adf635e272b66eddbbd0&quot;&gt;&lt;code&gt;c6a8f0e&lt;/code&gt;&lt;/a> Update VERSION references</li>

<li><a href="https://github.com/scrapy/scrapy/commit/60d2577284128cd0cf4af54745730da4a9005177&quot;&gt;&lt;code&gt;60d2577&lt;/code&gt;&lt;/a> Merge remote-tracking branch '23j4/2.11.2-release-notes' into 2.11</li>

<li><a href="https://github.com/scrapy/scrapy/commit/36287cb665ab4b0c65fd53181c9a0ef04990ada6&quot;&gt;&lt;code&gt;36287cb&lt;/code&gt;&lt;/a> Merge branch 'redirect-protocols' into 2.11</li>

<li><a href="https://github.com/scrapy/scrapy/commit/f138d5d1450ef38ee077c2472c136c70d8d673e8&quot;&gt;&lt;code&gt;f138d5d&lt;/code&gt;&lt;/a> Merge branch 'environ-proxy-protocol' into 2.11</li>

<li><a href="https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8&quot;&gt;&lt;code&gt;1d0502f&lt;/code&gt;&lt;/a> Merge branch 'advisory-fix' into 2.11</li>

<li><a href="https://github.com/scrapy/scrapy/commit/bb948af00babe545a7fb52700f4ba1424d206677&quot;&gt;&lt;code&gt;bb948af&lt;/code&gt;&lt;/a> Release notes for 2.11.2 (<a href="https://redirect.github.com/scrapy/scrapy/issues/6359&quot;&gt;#6359&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/scrapy/scrapy/commit/5ad9433dd59cd8436ce33bf2c44796516eef4c3c&quot;&gt;&lt;code&gt;5ad9433&lt;/code&gt;&lt;/a> Merge remote-tracking branch 'scrapy/2.11' into 2.11</li>

<li>Additional commits viewable in <a href="https://github.com/scrapy/scrapy/compare/1.8.1...2.11.2&quot;&gt;compare view</a></li>

</ul>

</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options


You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #74.