
chore(deps): bump cedarpy from 4.8.4 to 4.8.6 #45

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/pip/cedarpy-4.8.6


Conversation


dependabot[bot] commented on behalf of github on Jul 4, 2026


Bumps cedarpy from 4.8.4 to 4.8.6.

Release notes

Sourced from cedarpy's releases.

cedarpy v4.8.6

Added

  • Cedar policy template linking on the PolicySet handle. PolicySet.from_str already parses templates (policies with ?principal / ?resource slots); they authorize nothing until linked. policy_set.with_linked_batch(links) links one or more templates and returns a new PolicySet handle (the base is cloned once and left unchanged, mirroring with_added_str), so a batch of links pays a single clone rather than one per link; it is all-or-nothing (any failure raises and no handle is returned). with_linked(template_id, new_id, values) is the single-link convenience over it. Each slot value is a Cedar string ('User::"jane"') or a {"type": ..., "id": ...} dict — the two forms a request principal/resource already accept. A template_id resolves to a template's literal Cedar id first, then to the value of its @id annotation — but prefer the @id, since it is the stable key: the positional id (policy0, …) is reassigned per parse and renumbered by with_added_str, while the @id is invariant (the @id match must be unambiguous; @id is otherwise inert and is not the template's id — matching the Cedar CLI's linking convention). A linked PolicySet is still just a PolicySet, evaluating through is_authorized, is_authorized_batch, and is_authorized_partial; existing callers are untouched, so this is a pure, opt-in addition. The lifecycle is rounded out by templates() (a list of dicts, one per template, with its id, id_annotation, slots, and the links derived from it — each link's id and the values its slots were bound to) and without_linked(link_id) (a new handle with one linked policy removed). Regular template linking works on the pinned engine — no new Cargo feature (#29). Thanks @Iamrodos!
  • A reusable, pre-parsed Entities handle, mirroring the PolicySet handle. Parse a stable entity graph once with Entities.from_json_str(entities_json, schema=None) and pass the handle to is_authorized, is_authorized_batch, or is_authorized_partial anywhere an entities string/list is accepted — skipping the per-call JSON deserialization and transitive-closure computation. For the common "stable base plus a small per-request delta" pattern, entities.with_added_json_str(delta_json, schema=None) clones the base and parses only the delta, returning a new handle (the base is immutable and reused). The merge is a disjoint union: a delta uid that duplicates a non-identical base uid raises ValueError, as does malformed JSON or a schema violation. The entities parameter widens from str | list to str | list | Entities; existing string/list callers are unchanged, so this is a pure, opt-in addition. The handle supports len() (entity count) and str() (rendered entities JSON), and on a successful evaluation the result metrics gain an entities_pre_parsed flag (1 for the handle path, 0 otherwise). Mirrors the cedar-java / cedar-policy-rb handle APIs (#83). Thanks @Iamrodos!
  • PolicySet.with_added_str(fragment) returns a new PolicySet handle: the compiled base plus the policies parsed from fragment. The base is cloned, not re-parsed — only the (typically small) fragment is parsed — so a caller with a static base and small dynamic per-request fragments avoids re-parsing the base each call. The result is equivalent to authorizing against the concatenated base-plus-fragment text: because Cedar derives a positional PolicyId (policy0, policy1, …) per parse, the fragment's colliding ids are renumbered to follow the base (as concatenation would), and @id annotations are preserved. Raises ValueError on an unparseable fragment (#83).

Security

  • CI/release supply-chain hardening. Every GitHub Action in the build and release workflow is now pinned to a full commit SHA (with the human-readable version tag in a trailing comment), and actions/checkout runs with persist-credentials: false. A zizmor workflow-lint job and a repository action-allowlist that requires SHA-pinned actions enforce this on every change. Build provenance now produces a single combined attestation referencing all wheels (actions/attest-build-provenance@v4) instead of one attestation per wheel — relevant to anyone verifying SLSA provenance on the distributions. No change to the published package's code or behavior (#62).

Full Changelog: k9securityio/cedar-py@v4.8.5...v4.8.6

cedarpy v4.8.5

[4.8.5] - 2026-06-21

Added

  • is_authorized / is_authorized_batch now accept a structured {"type": ..., "id": ...} dict for principal, action, and resource, in addition to the existing Cedar surface-syntax string ('User::"alice"'). The dict form routes through EntityUid::from_json (mirroring cedar-java's JsonEUID) and accepts entity ids containing characters the surface parser rejects as "needs to be normalized" (e.g. embedded newlines). Pure addition — string-form callers are unchanged. Also adds a make corpus-tests target that runs the upstream fuzzer-generated corpus (7,462 files / 59,696 request cases); kept separate from make integration-tests because it takes several minutes (#87). Thanks @geekphilosophy!
  • A reusable, pre-parsed PolicySet handle. Parse policies once with PolicySet.from_str(...) (or PolicySet.from_json_str(...) for the Cedar JSON/EST format) and pass the handle to is_authorized, is_authorized_batch, or is_authorized_partial anywhere a policies string is accepted — skipping the re-parse on every call, which is the dominant per-call cost for static policy sets. The policies parameter widens from str to str | PolicySet; passing policies as a string is unchanged, so this is a pure, opt-in addition. The handle is immutable, releases its memory when the last Python reference is dropped, supports len() (policy count) and str() (rendered Cedar text), and raises ValueError at construction on unparseable policies. On a successful evaluation the result metrics gain a policies_pre_parsed flag (1 for the handle path, 0 for the string path). Mirrors the cedar-java / cedar-policy-rb handle APIs. Scoped to policies; reusable Entities / Schema handles are a possible follow-up (#83). Thanks @Iamrodos!

Changed

  • Behavior change. is_authorized / is_authorized_batch now raise a KeyError when a request is missing principal, action, or resource, instead of triggering a Rust panic. The missing field name is named in the exception (#87).
  • Behavior change. Diagnostic errors during is_authorized / is_authorized_batch (policy-parse, per-request, and result-serialization errors) are no longer written to stdout unless verbose=True, matching the rest of the authorization path. The errors are still returned in the result's diagnostics (#83).
Changelog

Sourced from cedarpy's changelog.

[4.8.6] - 2026-06-27 (Added / Security entries identical to the v4.8.6 release notes above)

[4.8.5] - 2026-06-21 (Added / Changed entries identical to the v4.8.5 release notes above)

Commits
  • 075c866 Merge pull request #102 from k9securityio/release/4.8.6
  • 01270c8 release: bump version to 4.8.6
  • 5de5da4 Merge pull request #101 from k9securityio/chore/add-codeowners
  • cbe1ff9 chore: add CODEOWNERS for CI/CD trusted computing base
  • 6f66603 Merge pull request #100 from k9securityio/chore/consolidate-pin-github-actions
  • 55086ad docs: document GitHub Actions SHA-pinning + hardening conventions
  • a70e6f2 ci: pin actions to commit SHAs and harden CI workflow (GH #62)
  • aa698b1 docs: record GH #62 Phase B resolved SHA pins
  • 3f8717f docs: record GH #62 Phase A research findings
  • fb0c0eb docs: plan GH #62 as CI/release supply-chain hardening
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [cedarpy](https://github.com/k9securityio/cedar-py) from 4.8.4 to 4.8.6.
- [Release notes](https://github.com/k9securityio/cedar-py/releases)
- [Changelog](https://github.com/k9securityio/cedar-py/blob/main/CHANGELOG.md)
- [Commits](k9securityio/cedar-py@v4.8.4...v4.8.6)

---
updated-dependencies:
- dependency-name: cedarpy
  dependency-version: 4.8.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jul 4, 2026
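The Security entry in the release notes above describes pinning every action to a full commit SHA and running actions/checkout with persist-credentials: false, enforced by a zizmor job and an action allowlist. As an added illustration of that check (not cedar-py's workflow, nor zizmor's code), here is a stdlib-only lint run over a constructed weak workflow and its hardened form; the 40-hex values in the sample are placeholder SHAs, not real commits.

```python
import re
# Constructed samples (not cedar-py's workflow); the 40-hex values are placeholder SHAs.
WEAK = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/attest-build-provenance@v4
"""
HARDENED = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4 (placeholder)
        with:
          persist-credentials: false
      - uses: actions/attest-build-provenance@1111111111111111111111111111111111111111  # v4 (placeholder)
        with:
          subject-path: dist/*.whl
"""
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#.*)?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA is the only ref that cannot be moved

def _step_has(lines, start, key, value):
    """True if the step whose `uses:` is at index `start` sets `key: value` (e.g. under with:)."""
    indent = len(lines[start]) - len(lines[start].lstrip())
    for line in lines[start + 1:]:
        stripped = line.lstrip()
        cur = len(line) - len(stripped)
        if stripped and (cur < indent or (cur == indent and stripped.startswith("- "))):
            break  # left the step: next list item, next job, ...
        k, _, v = stripped.partition(":")
        if k == key and v.strip() == value:
            return True
    return False

def lint_workflow(text):
    """Return findings for unpinned actions and checkouts that keep the token; [] means clean."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        action, _, version = m.group(1).strip("'\"").partition("@")
        if not SHA_RE.match(version):
            findings.append(f"line {i + 1}: {action} pinned to {version!r}, not a 40-hex commit SHA")
        if action == "actions/checkout" and not _step_has(lines, i, "persist-credentials", "false"):
            findings.append(f"line {i + 1}: actions/checkout without persist-credentials: false")
    return findings
```

Running lint_workflow over WEAK yields three findings (two for the tag-pinned checkout that also keeps the token, one for the tag-pinned attestation action); HARDENED yields none.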