Thank you!

⚠️ Dependabot is rebasing this PR ⚠️

If you make any changes to it yourself then they will take precedence over the rebase.

Bumps cryptography from 2.6.1 to 3.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst">cryptography's changelog</a>.</em></p> <blockquote> <p>3.2 - 2020-10-25</p> <pre><code>

• SECURITY ISSUE: Attempted to make RSA PKCS#1v1.5 decryption more constant time, to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by our API, we cannot completely mitigate this vulnerability and a future release will contain a new API which is designed to be resilient to these for contexts where it is required. Credit to Hubert Kario for reporting the issue. CVE-2020-25659
• Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL will need to upgrade.
• Added basic support for PKCS7 signing (including SMIME) via :class:~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder. <p>.. _v3-1-1:</p> <p>3.1.1 - 2020-09-22 </code></pre></p> <ul> <li>Updated Windows, macOS, and <code>manylinux</code> wheels to be compiled with OpenSSL 1.1.1h.</li> </ul> <p>.. _v3-1:</p> <p>3.1 - 2020-08-26</p> <pre><code>
• BACKWARDS INCOMPATIBLE: Removed support for idna based :term:U-label parsing in various X.509 classes. This support was originally deprecated in version 2.1 and moved to an extra in 2.5.
• Deprecated OpenSSL 1.0.2 support. OpenSSL 1.0.2 is no longer supported by the OpenSSL project. The next version of cryptography will drop support for it.
• Deprecated support for Python 3.5. This version sees very little use and will be removed in the next release.
• backend arguments to functions are no longer required and the default backend will automatically be selected if no backend is provided.
• Added initial support for parsing certificates from PKCS7 files with :func:~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates and :func:~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates .
• Calling update or update_into on :class:~cryptography.hazmat.primitives.ciphers.CipherContext with data longer than 2\ :sup:31 bytes no longer raises an OverflowError. This also resolves the same issue in :doc:/fernet. <p>.. _v3-0:</p> <p>3.0 - 2020-07-20 </tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pyca/cryptography/commit/c9e65222c91df8b6f61650a3460e30232962c1e0"><code>c9e6522</code></a> 3.2 release (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5508">#5508</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494"><code>58494b4</code></a> Attempt to mitigate Bleichenbacher attacks on RSA decryption (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5507">#5507</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/cf9bd6a36bc7b05abca114b76e216598d9ad9b16"><code>cf9bd6a</code></a> move blinding to <strong>init</strong> on both RSA public and private (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5506">#5506</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/bf4b962f4b92a1633835b2d17974f18de2d61620"><code>bf4b962</code></a> be more verbose in the 102 deprecation notice (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5505">#5505</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/ada53e7ca0f04a33711c330a130d34376e5ecc2b"><code>ada53e7</code></a> make the regexes for branches more strict (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5504">#5504</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/8be1d4b1113eabea306dd60ab64e7f00815d6a52"><code>8be1d4b</code></a> Stop using <a href="https://github.com/master">@master</a> for GH actions (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5503">#5503</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/08a97cca715ca0842d6792d0079e351efbb48ec9"><code>08a97cc</code></a> Bump actions/upload-artifact from v1 to v2.2.0 (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5502">#5502</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/52a0e44e97dd6e150509b14c9b1f76a261f12786"><code>52a0e44</code></a> Add a dependabot configuration to bump our github actions (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5501">#5501</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/611c4a340f6c53a7e28a9695a3248bd4e9f8558d"><code>611c4a3</code></a> PKCS7SignatureBuilder now supports new option NoCerts when signing (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5500">#5500</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/836a92a28fbe9df8c37121e340b91ed9cd519ddd"><code>836a92a</code></a> chunking didn't actually work (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5499">#5499</a>)</li> <li>Additional commits viewable in <a href="https://github.com/pyca/cryptography/compare/2.6.1...3.2">compare view</a></li> </ul> </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

@dependabot rebase

Bumps werkzeug from 0.15.2 to 0.15.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pallets/werkzeug/releases">werkzeug's releases</a>.</em></p> <blockquote> <h2>0.15.3</h2> <ul> <li>Blog: <a href="https://palletsprojects.com/blog/werkzeug-0-15-3-released/">https://palletsprojects.com/blog/werkzeug-0-15-3-released/</a></li> <li>Changes: <a href="https://werkzeug.palletsprojects.com/en/0.15.x/changes/#version-0-15-3">https://werkzeug.palletsprojects.com/en/0.15.x/changes/#version-0-15-3</a></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pallets/werkzeug/blob/master/CHANGES.rst">werkzeug's changelog</a>.</em></p> <blockquote> <h2>Version 0.15.3</h2> <p>Released 2019-05-14</p> <ul> <li>Properly handle multi-line header folding in development server in Python 2.7. (:issue:<code>1080</code>)</li> <li>Restore the <code>response</code> argument to :exc:<code>~exceptions.Unauthorized</code>. (:pr:<code>1527</code>)</li> <li>:exc:<code>~exceptions.Unauthorized</code> doesn't add the <code>WWW-Authenticate</code> header if <code>www_authenticate</code> is not given. (:issue:<code>1516</code>)</li> <li>The default URL converter correctly encodes bytes to string rather than representing them with <code>b''</code>. (:issue:<code>1502</code>)</li> <li>Fix the filename format string in :class:<code>~middleware.profiler.ProfilerMiddleware</code> to correctly handle float values. (:issue:<code>1511</code>)</li> <li>Update :class:<code>~middleware.lint.LintMiddleware</code> to work on Python 3. (:issue:<code>1510</code>)</li> <li>The debugger detects cycles in chained exceptions and does not time out in that case. (:issue:<code>1536</code>)</li> <li>When running the development server in Docker, the debugger security pin is now unique per container.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pallets/werkzeug/commit/9b1123a779e95b5c38ca911ce1329e87a3348a92"><code>9b1123a</code></a> release version 0.15.3</li> <li><a href="https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246"><code>00bc43b</code></a> unique debugger pin in Docker containers</li> <li><a href="https://github.com/pallets/werkzeug/commit/2cbdf2b02273daccf85845b1e1569096e65ffe58"><code>2cbdf2b</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pallets/werkzeug/issues/1542">#1542</a> from asottile/exceptions_arent_always_hashable</li> <li><a href="https://github.com/pallets/werkzeug/commit/0e669f6be532801267d35de23c5f5237b8406d8a"><code>0e669f6</code></a> Fix unhashable exception types</li> <li><a href="https://github.com/pallets/werkzeug/commit/bdc17e4cd10bbb17449006cef385ec953a11fc36"><code>bdc17e4</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pallets/werkzeug/issues/1540">#1540</a> from pallets/break-tb-cycle</li> <li><a href="https://github.com/pallets/werkzeug/commit/44e38c2985bcd3a7c17467bead901b8f36528f5f"><code>44e38c2</code></a> break cycle in chained exceptions</li> <li><a href="https://github.com/pallets/werkzeug/commit/777500b64647ea47b21e52e5e113ba1d86014c05"><code>777500b</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pallets/werkzeug/issues/1518">#1518</a> from NiklasMM/fix/1510_lint-middleware-python3-compa...</li> <li><a href="https://github.com/pallets/werkzeug/commit/e00c7c2cedcbcad3772e4522813c78bc9a860fbe"><code>e00c7c2</code></a> Make LintMiddleware Python 3 compatible and add tests</li> <li><a href="https://github.com/pallets/werkzeug/commit/d590cc7cf2fcb34ebc0783eb3c2913e8ce016ed8"><code>d590cc7</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pallets/werkzeug/issues/1539">#1539</a> from pallets/profiler-format</li> <li><a href="https://github.com/pallets/werkzeug/commit/0388fc95e696513bbefbde293f3f76cc482df8fa"><code>0388fc9</code></a> update filename_format for ProfilerMiddleware.</li> <li>Additional commits viewable in <a href="https://github.com/pallets/werkzeug/compare/0.15.2...0.15.3">compare view</a></li> </ul> </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Does anything on https://swagger.io/docs/specification/api-host-and-base-path/ help? I'm eager to support your use case as long as we play by the OpenAPI specification rules.

Well other than these issues I've opened, my entire codebase is agnostic to the location in which it's deployed and as I stated here the api explorer/yaml are unusable by apps in its current form and in #104 it's unable to validate the api endpoints relative to the app.

Fixing this issue would make the document and explorer usable - right now I have to hardcode into my openapi.yaml document that the server url is actually url: /prefix/api.

I think this is the correct approach? Looking from the API consumer/user perspective, I don't care what the backend configuration is, I expect the API to be at the exact URL given in the openapi.yaml file.

Or am I misunderstanding what you are trying to say?

The api explorer is great but it is not dealing with server urls well.

Let's say I have a document like

openapi: '3.0.3'
info:
servers:
  - url: /api
paths:
  /init-app:
    get:
      description: >
        Get some initial data for bootstrapping the static site.
      responses:
        '200':
          description: >
            Initial data for the static site.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InitApp'
        '401':
          $ref: '#/components/responses/401'
        '403':
          $ref: '#/components/responses/403'

This document is effectively indicating that /api/init-app is an endpoint. Now if I mount my Pyramid application at /prefix (wsgi script_name) then I expect the api explorer and yaml file to be updated to reflect this situation.... for example the server url would be /prefix/api and the endpoint is /prefix/api/init-app.

Fixing this issue would make the document and explorer usable - right now I have to hardcode into my openapi.yaml document that the server url is actually url: /prefix/api.

I have an openapi.yaml defined with endpoints like /foo, /bar, etc. I then invoke

    config.pyramid_openapi3_spec(spec_path, route='/api/openapi.yaml')
    config.pyramid_openapi3_add_explorer('/api/')

and I mount my routes at /api/foo, /api/bar, etc. There doesn't seem to be a way to coordinate these such that everyone is happy because pyramid_openapi3 is expecting the api document paths to be relative to the root of the application and there's no way to tell pyramid_openapi3 that I'm actually mounting the routes/spec at a subpath inside the application.

Bumps ini from 1.3.5 to 1.3.8. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/npm/ini/commit/a2c5da86604bc2238fe393c5ff083bf23a9910eb"><code>a2c5da8</code></a> 1.3.8</li> <li><a href="https://github.com/npm/ini/commit/af5c6bb5dca6f0248c153aa87e25bddfc515ff6e"><code>af5c6bb</code></a> Do not use Object.create(null)</li> <li><a href="https://github.com/npm/ini/commit/8b648a1ac49e1b3b7686ea957e0b95e544bc6ec1"><code>8b648a1</code></a> don't test where our devdeps don't even work</li> <li><a href="https://github.com/npm/ini/commit/c74c8af35f32b801a7e82a8309eab792a95932f6"><code>c74c8af</code></a> 1.3.7</li> <li><a href="https://github.com/npm/ini/commit/024b8b55ac1c980c6225607b007714c54eb501ba"><code>024b8b5</code></a> update deps, add linting</li> <li><a href="https://github.com/npm/ini/commit/032fbaf5f0b98fce70c8cc380e0d05177a9c9073"><code>032fbaf</code></a> Use Object.create(null) to avoid default object property hazards</li> <li><a href="https://github.com/npm/ini/commit/2da90391ef70db41d10f013e3a87f9a8c5d01a72"><code>2da9039</code></a> 1.3.6</li> <li><a href="https://github.com/npm/ini/commit/cfea636f534b5ca7550d2c28b7d1a95d936d56c6"><code>cfea636</code></a> better git push script, before publish instead of after</li> <li><a href="https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1"><code>56d2805</code></a> do not allow invalid hazardous string as section name</li> <li>See full diff in <a href="https://github.com/isaacs/ini/compare/v1.3.5...v1.3.8">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~isaacs">isaacs</a>, a new releaser for ini since your current version.</p> </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

I've drafted how I want the "API" for this functionality to look & feel: https://github.com/Pylons/pyramid_openapi3/pull/103

Instead of requiring the openapi_responses.yaml file, I opted for sane defaults that can be overridden. In the case of the openapi_responses.yaml provided above, the configuration would look like this:

    config.endpoint_validation_overrides = 
    {
        "/user/logout": {"post": [202, 400, 500]},
        "/stores/{storeId}/backups/{backupId}/download:": {"post": [202, 400, 500]},
    }

It's not ideal to not be able to support endpoint_validation_overrides via .ini files. Anyone has a better idea?

A common pitfall when using this package is the following: you define an endpoint that can result in 400 Bad Request, but you forget to list 400 in the responses section of your endpoint in openapi.yaml. This package then instead returns 500 Internal Server error, because it keeps the promise that only defined responses will be allowed (unless you set enable_request_validation to False, that is).

With this PR, all endpoints, by default need to have 200, 400 and 500 on the list of responses in openapi.yaml, otherwise the app won't start. Additionally, all endpoints that accept a parameter, also need to have 404 on the list of responses.

You can skip this check by setting enable_endpoint_validation to False.

Refs https://github.com/Pylons/pyramid_openapi3/issues/22 Refs https://github.com/Pylons/pyramid_openapi3/issues/49#issuecomment-628699131 Refs https://github.com/Pylons/pyramid_openapi3/pull/36

• Python 3.8
• dev dependencies
• new-style pre-commit configuration