Skip to content

Update dependency sqlparse to v0.5.5#49

Open
ivan-flamingo wants to merge 1 commit into
developfrom
renovate/sqlparse-0.x
Open

Update dependency sqlparse to v0.5.5#49
ivan-flamingo wants to merge 1 commit into
developfrom
renovate/sqlparse-0.x

Conversation

@ivan-flamingo

@ivan-flamingo ivan-flamingo commented Jun 9, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Update Change
sqlparse (changelog) patch ==0.5.1==0.5.5

Release Notes

andialbrecht/sqlparse (sqlparse)

v0.5.5

Compare Source

Bug Fixes

  • Fix DoS protection to raise SQLParseError instead of silently returning None
    when grouping limits are exceeded (issue827).
  • Fix splitting of BEGIN TRANSACTION statements (issue826).

v0.5.4

Compare Source

Enhancements

  • Add support for Python 3.14.
  • Add type annotations to top-level API functions and include py.typed marker
    for PEP 561 compliance, enabling type checking with mypy and other tools
    (issue756).
  • Add pre-commit hook support. sqlparse can now be used as a pre-commit hook
    to automatically format SQL files. The CLI now supports multiple files and
    an --in-place flag for in-place editing (issue537).
  • Add ATTACH and DETACH to PostgreSQL keywords (pr808).
  • Add INTERSECT to close keywords in WHERE clause (pr820).
  • Support REGEXP BINARY comparison operator (pr817).

Bug Fixes

  • Add additional protection against denial of service attacks when parsing
    very large lists of tuples. This enhances the existing recursion protections
    with configurable limits for token processing to prevent DoS through
    algorithmic complexity attacks. The new limits (MAX_GROUPING_DEPTH=100,
    MAX_GROUPING_TOKENS=10000) can be adjusted or disabled (by setting to None)
    if needed for legitimate large SQL statements.
  • Remove shebang from cli.py and remove executable flag (pr818).
  • Fix strip_comments not removing all comments when input contains only
    comments (issue801, pr803 by stropysh).
  • Fix splitting statements with IF EXISTS/IF NOT EXISTS inside BEGIN...END
    blocks (issue812).
  • Fix splitting on semicolons inside BEGIN...END blocks (issue809).

v0.5.3

Compare Source

Bug Fixes

  • This version introduces a more generalized handling of potential denial of
    service attack (DOS) due to recursion errors for deeply nested statements.
    Brought up and fixed by @​living180. Thanks a lot!

v0.5.2

Compare Source

Bug Fixes

  • EXTENSION is now recognized as a keyword (issue785).
  • SQL hints are not removed when removing comments (issue262, by skryzh).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@coderabbitai

coderabbitai Bot commented Jun 9, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The pull request updates the sqlparse package dependency pin in the requirements file from version 0.5.1 to 0.5.5. This is a single-line version bump with no other changes to the codebase.

Changes

sqlparse Dependency Update

Layer / File(s) Summary
sqlparse version bump
api/tacticalrmm/requirements.txt
The sqlparse dependency is pinned to version 0.5.5, updating from the previous 0.5.1 pin.

🎯 1 (Trivial) | ⏱️ ~2 minutes

🐰 A version hop, so small and neat,
From 0.5.1 to 0.5.5 complete,
sqlparse upgraded with care,
Dependencies fresh in the air! 🌱

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically summarizes the main change: updating the sqlparse dependency from v0.5.1 to v0.5.5, which is the sole focus of this pull request.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/sqlparse-0.x

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@api/tacticalrmm/requirements.txt`:
- Line 32: Update the dependency line to ensure sqlparse==0.5.5 is pinned (it
already is) and then search the codebase for any direct or indirect uses of the
sqlparse package (search for the token "sqlparse" and for likely SQL-parsing
callsites like functions named parse_*, format_*, or any migration/SQL rendering
helpers) and add exception handling for sqlparse.exceptions.SQLParseError around
those callsites; run smoke tests for any SQL parsing flows to confirm behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 6e9f291c-3200-43a9-8b84-26405f12d329

📥 Commits

Reviewing files that changed from the base of the PR and between dabd2f3 and ebf6454.

📒 Files selected for processing (1)
  • api/tacticalrmm/requirements.txt

requests==2.32.3
six==1.16.0
sqlparse==0.5.1
sqlparse==0.5.5

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify sqlparse 0.5.5 exists and check for security advisories

# Check PyPI for the specific version
curl -s https://pypi.org/pypi/sqlparse/0.5.5/json | jq -r '.info.version // "Version not found"'

# Check for security advisories
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: PIP, package: "sqlparse") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: flamingo-stack/tacticalrmm

Length of output: 1391


🏁 Script executed:

#!/bin/bash
# Description: Find sqlparse usage to verify exception handling

# Search for sqlparse imports and usage
rg -n --type=py 'import sqlparse|from sqlparse' -A 5

# Search for parse/format calls that might be affected
rg -n --type=py 'sqlparse\.(parse|format|split)' -C 5

Repository: flamingo-stack/tacticalrmm

Length of output: 52


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find any mention/usages of sqlparse anywhere in the repo
rg -n "sqlparse" . || true

Repository: flamingo-stack/tacticalrmm

Length of output: 125


🌐 Web query:

sqlparse 0.5.5 DoS protection raises SQLParseError instead of returning None

💡 Result:

In sqlparse version 0.5.5, a change was implemented to address issue #827, ensuring that the library raises a SQLParseError instead of silently returning None when its Denial of Service (DoS) protection limits are exceeded [1][2]. Background and Reason for Change: Earlier versions (introduced in 0.5.4) added security guards—MAX_GROUPING_DEPTH and MAX_GROUPING_TOKENS—to prevent algorithmic complexity attacks during SQL parsing [1][3]. When these limits were initially hit, the parser would silently return None, which effectively suppressed error reporting and made it difficult for users to diagnose why certain large or complex SQL statements were failing to parse [2][4]. Version 0.5.5 corrected this behavior by explicitly raising a SQLParseError, providing clear feedback such as "Maximum grouping depth exceeded" or "Maximum number of tokens exceeded" [5][2]. Managing Limits: If you encounter these errors while processing legitimate, large SQL statements, you can adjust or disable the protections by modifying the constants in sqlparse.engine.grouping [3][4]. To increase or disable these limits, use: import sqlparse.engine.grouping # Increase limits (use with caution) sqlparse.engine.grouping.MAX_GROUPING_DEPTH = 200 sqlparse.engine.grouping.MAX_GROUPING_TOKENS = 50000 # Disable limits completely (use with extreme caution as this restores DoS vulnerability) sqlparse.engine.grouping.MAX_GROUPING_DEPTH = None sqlparse.engine.grouping.MAX_GROUPING_TOKENS = None It is highly recommended to keep these protections enabled if you are processing untrusted SQL input, as they are designed to prevent resource exhaustion attacks [3][4].

Citations:


Update sqlparse to 0.5.5: DoS handling now raises SQLParseError (check any indirect SQL parsing paths)

  • sqlparse==0.5.5 exists on PyPI; the known security advisories shown for sqlparse are patched by 0.5.5 (e.g., DoS limit issue patched in 0.5.4).
  • In sqlparse 0.5.5, when grouping limits are exceeded, DoS protection now raises SQLParseError instead of returning None.
  • This repo has no direct sqlparse usage (only the dependency entry), so breakage risk is mainly if SQL parsing is done indirectly via other dependencies—exercise a smoke test around any SQL-parsing flows.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/tacticalrmm/requirements.txt` at line 32, Update the dependency line to
ensure sqlparse==0.5.5 is pinned (it already is) and then search the codebase
for any direct or indirect uses of the sqlparse package (search for the token
"sqlparse" and for likely SQL-parsing callsites like functions named parse_*,
format_*, or any migration/SQL rendering helpers) and add exception handling for
sqlparse.exceptions.SQLParseError around those callsites; run smoke tests for
any SQL parsing flows to confirm behavior.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants