Skip to content

v2.5.4
Compare
Choose a tag to compare
@maresb maresb released this 11 Feb 11:51
· 301 commits to main since this release
v2.5.4
4bac435
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.

What's Changed

⚠️ If you use private pip repositories, then check your lockfiles for leaked credentials and upgrade as soon as possible! ⚠️

This release fixes #594 which involves credentials leaking into lockfiles when using certain private pip repositories like AWS CodeArtifact. Specifically, some servers may echo the basic authentication credentials in their response. Conda-lock previously failed to sanitize these echoed credentials when writing the lockfile. This was identified and fixed by @wholtz in #594 and #600.

Bugfix

  • Remove credentials from response URLs by @wholtz in #600
  • Fix broken --pypi_to_conda_lookup_file option by @ianpye in #588

New feature

  • The PyPI mapping can now be specified as a local file (in addition to an http[s] URL) by @maresb in #588

Infrastructure

  • Save mock private pypi package to temp directory by @maresb in #601
  • Minor improvements to pytest configuration by @maresb in #602
  • Improve docs related to contribution by @maresb in #603
  • Catch CalledProcessErrors from both subprocess and Poetry by @maresb in #604
  • Add explanation and minor improvement to #581 by @tadeu in #586

New Contributors

Full Changelog: v2.5.3...v2.5.4

Contributors

tadeu, wholtz, and 2 other contributors
Assets 2
Loading