PyPI - marshmallow - Versions diffs - 4.1.0__tar.gz → 4.1.2__tar.gz - Mend

marshmallow 4.1.0tar.gz → 4.1.2tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (92) hide show

{marshmallow-4.1.0 → marshmallow-4.1.2}/CHANGELOG.rst RENAMED Viewed

@@ -1,6 +1,22 @@
 Changelog
 ---------
+4.1.2 (2025-12-19)
+++++++++++++++++++
+Bug fixes:
+- :cve:`CVE-2025-68480`: Merge error store messages without rebuilding collections.
+  Thanks 카푸치노 for reporting and :user:`deckar01` for the fix.
+4.1.1 (2025-11-05)
+++++++++++++++++++
+Bug fixes:
+- Ensure ``URL`` validator is case-insensitive when using custom schemes (:pr:`2874`).
+  Thanks :user:`T90REAL` for the PR.
 4.1.0 (2025-11-01)
 ++++++++++++++++++
@@ -10,8 +26,7 @@ Other changes:
   `validate.Length <marshmallow.validate.Length>` (:pr:`2861`).
   Thanks :user:`agentgodzilla` for the PR.
 - Drop support for Python 3.9 (:pr:`2363`).
-- Test against Python 3.14.
+- Test against Python 3.14 (:pr:`2864`).
 4.0.1 (2025-08-28)
 ++++++++++++++++++

{marshmallow-4.1.0 → marshmallow-4.1.2}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: marshmallow
-Version: 4.1.0
+Version: 4.1.2
 Summary: A lightweight library for converting complex datatypes to and from native Python datatypes.
 Author-email: Steven Loria <oss@stevenloria.com>
 Maintainer-email: Steven Loria <oss@stevenloria.com>, Jérôme Lafréchoux <jerome@jolimont.fr>, Jared Deckard <jared@shademaps.com>

{marshmallow-4.1.0 → marshmallow-4.1.2}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "marshmallow"
-version = "4.1.0"
+version = "4.1.2"
 description = "A lightweight library for converting complex datatypes to and from native Python datatypes."
 readme = "README.rst"
 license = { file = "LICENSE" }

{marshmallow-4.1.0 → marshmallow-4.1.2}/src/marshmallow/error_store.py RENAMED Viewed

@@ -18,6 +18,7 @@ class ErrorStore:
         # field error  -> store/merge error messages under field name key
         # schema error -> if string or list, store/merge under _schema key
         #              -> if dict, store/merge with other top-level keys
+        messages = copy_containers(messages)
         if field_name != SCHEMA or not isinstance(messages, dict):
             messages = {field_name: messages}
         if index is not None:
@@ -25,6 +26,14 @@ class ErrorStore:
         self.errors = merge_errors(self.errors, messages)
+def copy_containers(errors):
+    if isinstance(errors, list):
+        return [copy_containers(val) for val in errors]
+    if isinstance(errors, dict):
+        return {key: copy_containers(val) for key, val in errors.items()}
+    return errors
 def merge_errors(errors1, errors2):  # noqa: PLR0911
     """Deeply merge two error messages.
@@ -37,24 +46,26 @@ def merge_errors(errors1, errors2):  # noqa: PLR0911
         return errors1
     if isinstance(errors1, list):
         if isinstance(errors2, list):
-            return errors1 + errors2
+            errors1.extend(errors2)
+            return errors1
         if isinstance(errors2, dict):
-            return dict(errors2, **{SCHEMA: merge_errors(errors1, errors2.get(SCHEMA))})
-        return [*errors1, errors2]
+            errors2[SCHEMA] = merge_errors(errors1, errors2.get(SCHEMA))
+            return errors2
+        errors1.append(errors2)
+        return errors1
     if isinstance(errors1, dict):
-        if isinstance(errors2, list):
-            return dict(errors1, **{SCHEMA: merge_errors(errors1.get(SCHEMA), errors2)})
         if isinstance(errors2, dict):
-            errors = dict(errors1)
             for key, val in errors2.items():
-                if key in errors:
-                    errors[key] = merge_errors(errors[key], val)
+                if key in errors1:
+                    errors1[key] = merge_errors(errors1[key], val)
                 else:
-                    errors[key] = val
-            return errors
-        return dict(errors1, **{SCHEMA: merge_errors(errors1.get(SCHEMA), errors2)})
+                    errors1[key] = val
+            return errors1
+        errors1[SCHEMA] = merge_errors(errors1.get(SCHEMA), errors2)
+        return errors1
     if isinstance(errors2, list):
         return [errors1, *errors2]
     if isinstance(errors2, dict):
-        return dict(errors2, **{SCHEMA: merge_errors(errors1, errors2.get(SCHEMA))})
+        errors2[SCHEMA] = merge_errors(errors1, errors2.get(SCHEMA))
+        return errors2
     return [errors1, errors2]

{marshmallow-4.1.0 → marshmallow-4.1.2}/src/marshmallow/validate.py RENAMED Viewed

@@ -187,7 +187,7 @@ class URL(Validator):
         self.relative = relative
         self.absolute = absolute
         self.error: str = error or self.default_message
-        self.schemes = schemes or self.default_schemes
+        self.schemes = {s.lower() for s in schemes} if schemes else self.default_schemes
         self.require_tld = require_tld
     def _repr_args(self) -> str:
@@ -623,8 +623,7 @@ class OneOf(Validator):
         :param valuegetter: Can be a callable or a string. In the former case, it must
             be a one-argument callable which returns the value of a
             choice. In the latter case, the string specifies the name
-            of an attribute of the choice objects. Defaults to `str()`
-            or `str()`.
+            of an attribute of the choice objects. Defaults to `str()`.
         """
         valuegetter = valuegetter if callable(valuegetter) else attrgetter(valuegetter)
         pairs = zip_longest(self.choices, self.labels, fillvalue="")

{marshmallow-4.1.0 → marshmallow-4.1.2}/tests/test_error_store.py RENAMED Viewed

@@ -1,7 +1,7 @@
 from typing import NamedTuple
 from marshmallow import missing
-from marshmallow.error_store import merge_errors
+from marshmallow.error_store import ErrorStore, merge_errors
 def test_missing_is_falsy():
@@ -149,3 +149,19 @@ class TestMergeErrors:
         assert merge_errors(
             {"field1": {"field2": "error1"}}, {"field1": {"field2": "error2"}}
         ) == {"field1": {"field2": ["error1", "error2"]}}
+    def test_list_not_changed(self):
+        store = ErrorStore()
+        message = ["foo"]
+        store.store_error(message)
+        store.store_error(message)
+        assert message == ["foo"]
+        assert store.errors == {"_schema": ["foo", "foo"]}
+    def test_dict_not_changed(self):
+        store = ErrorStore()
+        message = {"foo": ["bar"]}
+        store.store_error(message)
+        store.store_error(message)
+        assert message == {"foo": ["bar"]}
+        assert store.errors == {"foo": ["bar", "bar"]}

{marshmallow-4.1.0 → marshmallow-4.1.2}/tests/test_validate.py RENAMED Viewed

@@ -205,6 +205,14 @@ def test_url_custom_scheme():
     assert validator(url) == url
+def test_url_custom_scheme_case_insensitive():
+    validator = validate.URL(schemes={"HTTP"})
+    assert validator("http://example.com") == "http://example.com"
+    validator = validate.URL(schemes={"HtTp"})
+    assert validator("hTtP://example.com") == "hTtP://example.com"
 @pytest.mark.parametrize(
     "valid_url",
     (