Bump octoprint from 1.8.3 to 1.9.3

[dependabot]

Bumps octoprint from 1.8.3 to 1.9.3.

Release notes

Sourced from octoprint's releases.

1.9.3

✋ Heads-ups

The heads-ups from 1.9.0 still apply, please read this release's release notes as well for a full picture of what you should be aware of and what changed!

⛈ Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

♻ Changes

🔒 Security fixes

• Severity Medium (6.4): It was possible for a malicious admin to configure a specially crafted GCODE script through the Settings that would allow code execution during rendering of that script. An attacker could have used this to extract data managed by OctoPrint, or manipulate data managed by OctoPrint, as well as execute arbitrary commands with the rights of the OctoPrint process on the server system.

  Please note that GCODE files uploaded to be printed were not affected! This vulnerability exclusively affected GCODE Scripts to be executed on connection to the printer, print pause, resume etc, as described in the documentation, to be found under Settings > GCODE Scripts and configurable only by users with the ADMIN permission.

  See also the GitHub Security Advisory and CVE-2023-41047.

🐛 Bug fixes

• #4849 & PR#4860: Fix for not being able to extrude/retract from the control panel in the UI after editing the extrusion speed in the printer profile.
• #4893: Pin pydantic dependency to 1.10.12. This works around an issue existing in some environments with pydantic version 1.10.13, which was released on September 26 2023. Said issue causes OctoPrint to no longer be able to start. See also pydantic/pydantic#7689.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release, especially to @​srLinux for their PR!

Also a big thank you to tianxin Wu (Bearcat), Vulnerability Researcher at Numen Cyber Labs, Singapore, for responsibly disclosing the security vulnerability that was fixed in this release.

🔗 More information

• Commits
• As this is a bugfix release, there were no release candidates

1.9.2

✋ Heads-ups

The heads-ups from 1.9.0 still apply, please read this release's release notes as well for a full picture of what you should be aware of and what changed!

⛈ Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

♻ Changes

... (truncated)

Commits

• 506648c 🔖 Preparing release of 1.9.3
• d0072cf Merge branch 'bug/gcode_script_vuln' into staging/bugfix
• 2b7c015 📌 Pin pydantic to 1.10.12
• 7bfd77d Merge branch 'master' into staging/bugfix
• 5ca7f07 👷 Include server run in test install workflow
• 25d9c44 Bump actions/checkout from 3 to 4 (#4884)
• 3bde48a 🔒️ Use sandboxed jinja env for gcode scripts
• 87bea3c 🐛 Fix extrusion rate not being converted to int (#4860)
• ed4a264 Update bug_report.yml
• c59c161 🔖 staging/bugfix is now 1.9.3.dev
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.