chore(deps): update dependency sqlparse to v0.5.4 [security] - autoclosed#16833

Closed
renovate-bot wants to merge 1 commit into googleapis:main from renovate-bot:renovate/pypi-sqlparse-vulnerability

Conversation

@renovate-bot
Contributor

@renovate-bot renovate-bot commented Apr 27, 2026

This PR contains the following updates:

Package                Change                 Age    Confidence
sqlparse (changelog)   ==0.5.3 -> ==0.5.4     age    confidence

sqlparse: formatting list of tuples leads to denial of service

GHSA-27jp-wm6q-gp25

More information

Details

Summary

The below gist hangs while attempting to format a long list of tuples.

This was found while drafting a regression test for Django 5.2's composite primary key feature, which allows querying composite fields with tuples.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

andialbrecht/sqlparse (sqlparse)

v0.5.4

Compare Source

Enhancements

  • Add support for Python 3.14.
  • Add type annotations to top-level API functions and include py.typed marker
    for PEP 561 compliance, enabling type checking with mypy and other tools
    (issue756).
  • Add pre-commit hook support. sqlparse can now be used as a pre-commit hook
    to automatically format SQL files. The CLI now supports multiple files and
    an --in-place flag for in-place editing (issue537).
  • Add ATTACH and DETACH to PostgreSQL keywords (pr808).
  • Add INTERSECT to close keywords in WHERE clause (pr820).
  • Support REGEXP BINARY comparison operator (pr817).

Bug Fixes

  • Add additional protection against denial of service attacks when parsing
    very large lists of tuples. This enhances the existing recursion protections
    with configurable limits for token processing to prevent DoS through
    algorithmic complexity attacks. The new limits (MAX_GROUPING_DEPTH=100,
    MAX_GROUPING_TOKENS=10000) can be adjusted or disabled (by setting to None)
    if needed for legitimate large SQL statements.
  • Remove shebang from cli.py and remove executable flag (pr818).
  • Fix strip_comments not removing all comments when input contains only
    comments (issue801, pr803 by stropysh).
  • Fix splitting statements with IF EXISTS/IF NOT EXISTS inside BEGIN...END
    blocks (issue812).
  • Fix splitting on semicolons inside BEGIN...END blocks (issue809).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
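The "Bug Fixes" entry in the release notes above describes the mitigation for the advisory: a token budget and a nesting-depth limit that are checked so that a very large list of tuples is rejected instead of being ground through a grouping pass, with either limit disableable by setting it to None. The following Python sketch is an added illustration of that guard pattern; it is not sqlparse's own code. Only the limit names, their defaults (MAX_GROUPING_DEPTH=100, MAX_GROUPING_TOKENS=10000) and the "None disables it" convention are taken from the release notes; the tokenizer, the grouper, `enforce`, and the constructed `build_tuple_list` input are hypothetical.

```python
"""Guard pattern for grouping a long list of tuples under an explicit token
budget and nesting-depth limit.  Added illustration for the sqlparse 0.5.4
release note; NOT sqlparse's own implementation.  Limit names, defaults and
the 'None disables' convention come from the release notes; everything else
here (tokenizer, grouper, helpers) is hypothetical."""
import re

MAX_GROUPING_DEPTH = 100      # default named in the release notes
MAX_GROUPING_TOKENS = 10000   # default named in the release notes

# Hypothetical mini-tokenizer: parentheses, commas, and runs of anything else.
_TOKEN_RE = re.compile(r"\(|\)|,|[^\s(),]+")


class GroupingLimitExceeded(ValueError):
    """Raised before grouping work starts when input exceeds a configured limit."""


def tokenize(sql: str) -> list[str]:
    return _TOKEN_RE.findall(sql)


def group_tokens(sql: str, max_depth=MAX_GROUPING_DEPTH,
                 max_tokens=MAX_GROUPING_TOKENS) -> list:
    """Group parenthesised tuples into nested lists, enforcing both limits.

    A limit of None disables that check.  The token budget is applied up front,
    so an oversized statement is rejected after a single linear scan rather than
    after a full grouping pass; the depth limit is applied at every '(' so
    pathological nesting cannot grow the stack without bound."""
    tokens = tokenize(sql)
    if max_tokens is not None and len(tokens) > max_tokens:
        raise GroupingLimitExceeded(
            f"{len(tokens)} tokens exceeds MAX_GROUPING_TOKENS={max_tokens}")
    root: list = []
    stack = [root]            # stack[-1] is the group currently being filled
    for tok in tokens:
        if tok == "(":
            # len(stack) is the depth the new group would have (root = depth 0)
            if max_depth is not None and len(stack) > max_depth:
                raise GroupingLimitExceeded(
                    f"nesting depth {len(stack)} exceeds "
                    f"MAX_GROUPING_DEPTH={max_depth}")
            group: list = []
            stack[-1].append(group)
            stack.append(group)
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            stack.pop()
        elif tok == ",":
            continue          # separators carry no structure in this sketch
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return root


def enforce(sql: str, **limits):
    """Return ('ok', groups) or ('rejected', reason) instead of raising."""
    try:
        return "ok", group_tokens(sql, **limits)
    except GroupingLimitExceeded as exc:
        return "rejected", str(exc)


def build_tuple_list(n: int) -> str:
    """Constructed input: n two-element tuples, the shape of a composite-key lookup."""
    return ", ".join(f"({2 * i + 1}, {2 * i + 2})" for i in range(n))


if __name__ == "__main__":
    # 2000 tuples tokenize to 11999 tokens: rejected by default, accepted with the budget off.
    print(enforce(build_tuple_list(2000))[0])                    # rejected
    print(enforce(build_tuple_list(2000), max_tokens=None)[0])   # ok
    print(enforce("(" * 101 + ")" * 101)[0])                    # rejected
```

The point of checking the token budget before grouping is that the check costs the same regardless of how expensive the grouper is; a limit applied only inside the recursion still pays for every level reached before tripping. Whichever side you are on, the caller has to decide what to do with a rejected statement (fail the request, log it) rather than silently falling back to the unbounded path.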

@renovate-bot renovate-bot requested a review from a team as a code owner April 27, 2026 23:00
@trusted-contributions-gcf trusted-contributions-gcf Bot added the kokoro:force-run label ("Add this label to force Kokoro to re-run the tests.") Apr 27, 2026
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the sqlparse dependency in packages/sqlalchemy-spanner/requirements.txt from version 0.5.3 to 0.5.4, including the corresponding hash updates. I have no feedback to provide.

@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run label ("Add this label to force Kokoro to re-run the tests.") Apr 27, 2026
@renovate-bot renovate-bot changed the title from "chore(deps): update dependency sqlparse to v0.5.4 [security]" to "chore(deps): update dependency sqlparse to v0.5.4 [security] - autoclosed" Apr 27, 2026
@renovate-bot renovate-bot deleted the renovate/pypi-sqlparse-vulnerability branch April 27, 2026 23:18