This repository has been archived by the owner on Sep 6, 2020. It is now read-only.

[Security] Bump tortoise-orm from 0.15.1 to 0.16.3 #73

Closed

Conversation

dependabot-preview[bot]
Contributor

Bumps tortoise-orm from 0.15.1 to 0.16.3.

Release notes

Sourced from tortoise-orm's releases.

v0.16.3

  • Fixed invalid var IN () SQL generated using __in= and __not_in filters.
  • Fix bug with order_by on nested fields
  • Fix joining with self by reverse-foreign-key for filtering and annotation

v0.16.2

  • Default values() & values_list() now includes annotations.
  • Annotations over joins now work correctly with values() & values_list()
  • Ensure GROUP BY precedes HAVING so that filtering by aggregates works correctly.
  • Fix bug with join query with aggregation
  • Cast BooleanField values correctly on SQLite & MySQL

v0.16.1

  • QuerySetSingle now has better code completion

  • Created Pydantic models will now have the basic validation elements:

    • required is correctly populated for required fields
    • nullable is added to the schema where nulls are accepted
    • maxLength for CharFields
    • minimum & maximum values for integer fields

    To get Pydantic to handle nullable/defaulted fields correctly one should do a **user.dict(exclude_unset=True) when passing values to a Model class.

  • Added FastAPI helper that is based on the starlette helper but optionally adds helpers to catch and report with proper error DoesNotExist and IntegrityError Tortoise exceptions.

  • Allows a Pydantic model to exclude all read-only fields by setting exclude_readonly=True when calling pydantic_model_creator.

  • A Tortoise PydanticModel now provides two extra helper functions:

    • from_queryset: Returns a List[PydanticModel] which is the format that e.g. FastAPI expects
    • from_queryset_single: allows one to avoid calling await multiple times to get the object and all its related items.

v0.16.0

This release drops support for Python 3.6: Tortoise ORM now requires a minimum of CPython 3.7

New features:

  • Model docstrings and #: comments directly preceding Field definitions are now used as docstrings and DDL descriptions.

    This is now cleaned and carried as part of the docstring parameter in describe_model(...)

    If one doesn't explicitly specify a Field description= or Model Meta.table_description= then we default to the first line as the description. This is done because a description is submitted to the DB, and needs to be short (depending on DB, 63 chars) in size.

  • Early Partial Init of models.

    We now have an early init of models, which can be useful when needing Models that are not bound to a DB, but otherwise complete. e.g. Schema generation without needing to be properly set up.

  • Pydantic serialisation.

    We now include native support for automatically building a Pydantic model from Tortoise ORM models.

... (truncated)
Commits
  • 4c6a09c v0.16.3
  • 8a29356 Fix joining with self by reverse-foreign-key for filtering and annotation (#333)
  • 9a48cec minor doc fix & bump deps
  • 7788165 Nested order_by path + unittest (#330)
  • 3452958 Correctness fix of previous hotfix
  • 6ad40e0 hotfix filter function with postgres
  • ed587d9 Hotfix for invalid __in and __not filter
  • 90a9242 Fixed invalid 'var IN ()' SQL generated using '__in=' and '__not_in' filters....
  • a3f0ff6 v0.16.2
  • 5444452 Cast BooleanField values correctly on SQLite & MySQL (#325)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview dependabot-preview bot added the dependencies Pull requests that update a dependency file label Apr 1, 2020
@dependabot-preview
Contributor Author

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

SQL injection in Tortoise ORM

Impact

Various forms of SQL injection have been found for MySQL and when filtering or doing mass-updates on char/text fields.
SQLite & PostgreSQL are only affected when filtering with contains, starts_with, or ends_with filters (and their case-insensitive counterparts).

Patches

Please upgrade to 0.15.23+ or 0.16.6+

For more information

If you have any questions or comments about this advisory:

  • Open an issue in Github
    ... (truncated)

Affected versions: ["< 0.15.23"]
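The advisory quoted above describes SQL injection through the contains, starts_with and ends_with filters on char/text fields. The following is an added Python example, not Tortoise ORM's code and not taken from this page, that reproduces the bug class against plain sqlite3 and puts the hardened form beside it: a LIKE pattern built by string formatting versus one bound as a parameter with its wildcards escaped and the column name checked against an allow-list. The table, rows and function names are constructed for the example. Note that the advisory names 0.15.23+ or 0.16.6+ as patched, while this PR targets 0.16.3.

```python
import sqlite3

# Constructed sample table, not taken from the page or from Tortoise ORM.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("mallory", "mallory@example.com"),
]
# Identifiers cannot be bound as parameters, so the column name is allow-listed.
ALLOWED_FIELDS = {"name", "email"}


def open_db() -> sqlite3.Connection:
    """In-memory SQLite database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def contains_unsafe(conn: sqlite3.Connection, field: str, value: str) -> list:
    """Illustrative of the bug class only: the user-supplied value is spliced
    into the LIKE pattern by string formatting, so a quote in it ends the
    literal and LIKE wildcards (% and _) in it are interpreted. Do not use."""
    sql = f"SELECT name FROM users WHERE {field} LIKE '%{value}%'"
    return sorted(row[0] for row in conn.execute(sql))


def escape_like(value: str, esc: str = "\\") -> str:
    """Make a value match literally inside a LIKE pattern: escape the escape
    character itself first, then the % and _ wildcards."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def contains_safe(conn: sqlite3.Connection, field: str, value: str) -> list:
    """Hardened form: column name allow-listed, pattern bound as a parameter,
    wildcards escaped and the escape character declared with ESCAPE."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unknown field {field!r}")
    pattern = "%" + escape_like(value) + "%"
    sql = f"SELECT name FROM users WHERE {field} LIKE ? ESCAPE '\\'"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


def demo() -> dict:
    """Run the same inputs through both builders and return the results."""
    conn = open_db()
    # Breaks out of the quoted pattern and appends a tautology; the SQL stays
    # well-formed because the trailing %' re-enters a second LIKE literal.
    injection = "' OR 1=1 OR name LIKE '"
    # A bare LIKE single-character wildcard: unescaped, it matches every row.
    wildcard = "_"
    return {
        "unsafe_injection": contains_unsafe(conn, "name", injection),
        "safe_injection": contains_safe(conn, "name", injection),
        "unsafe_wildcard": contains_unsafe(conn, "name", wildcard),
        "safe_wildcard": contains_safe(conn, "name", wildcard),
        "safe_normal": contains_safe(conn, "name", "ali"),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows}")
```

The unsafe builder returns every user for both the quote-breakout and the lone `_`, while the hardened builder returns nothing for either and still finds `alice` for an ordinary substring. The ESCAPE clause matters: without it the escaped wildcards in the bound pattern are not treated as literals on every backend.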

@dependabot-preview dependabot-preview bot changed the title Bump tortoise-orm from 0.15.1 to 0.16.3 [Security] Bump tortoise-orm from 0.15.1 to 0.16.3 Apr 20, 2020
@dependabot-preview dependabot-preview bot added the security Pull requests that address a security vulnerability label Apr 20, 2020
@dependabot-preview
Contributor Author

Superseded by #77.

@dependabot-preview dependabot-preview bot deleted the dependabot/pip/dev/tortoise-orm-0.16.3 branch May 1, 2020 08:35