authorrobot-piglet <[email protected]>2026-01-21 14:56:31 +0300
committerrobot-piglet <[email protected]>2026-01-21 15:25:33 +0300
commit772bcb8c73ca0e16e9d7e6eb160a71a307a9f782 (patch)
tree7bd2b3e2d10ea79cee26aeb80b236863b658296b /contrib/python
parent2c412ab837315b2641bf6b9e8000794aa34b6128 (diff)
Intermediate changes
commit_hash:78d308c309026e9488e5896412b56dc40cb67ed8
Diffstat (limited to 'contrib/python')
-rw-r--r--contrib/python/hypothesis/py3/.dist-info/METADATA2
-rw-r--r--contrib/python/hypothesis/py3/hypothesis/strategies/_internal/core.py6
-rw-r--r--contrib/python/hypothesis/py3/hypothesis/strategies/_internal/recursive.py63
-rw-r--r--contrib/python/hypothesis/py3/hypothesis/version.py2
-rw-r--r--contrib/python/hypothesis/py3/ya.make2
-rw-r--r--contrib/python/scramp/.dist-info/METADATA61
-rw-r--r--contrib/python/scramp/README.md59
-rw-r--r--contrib/python/scramp/scramp/core.py7
-rw-r--r--contrib/python/scramp/ya.make2
9 files changed, 167 insertions, 37 deletions
diff --git a/contrib/python/hypothesis/py3/.dist-info/METADATA b/contrib/python/hypothesis/py3/.dist-info/METADATA
index 00267a4c202..5ad4e36bad2 100644
--- a/contrib/python/hypothesis/py3/.dist-info/METADATA
+++ b/contrib/python/hypothesis/py3/.dist-info/METADATA
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: hypothesis
-Version: 6.149.1
+Version: 6.150.0
Summary: The property-based testing library for Python
Author-email: "David R. MacIver and Zac Hatfield-Dodds" <[email protected]>
License-Expression: MPL-2.0
diff --git a/contrib/python/hypothesis/py3/hypothesis/strategies/_internal/core.py b/contrib/python/hypothesis/py3/hypothesis/strategies/_internal/core.py
index ac48b450cd3..1006fc792d6 100644
--- a/contrib/python/hypothesis/py3/hypothesis/strategies/_internal/core.py
+++ b/contrib/python/hypothesis/py3/hypothesis/strategies/_internal/core.py
@@ -1857,12 +1857,16 @@ def recursive(
base: SearchStrategy[Ex],
extend: Callable[[SearchStrategy[Any]], SearchStrategy[T]],
*,
+ min_leaves: int = 1,
max_leaves: int = 100,
) -> SearchStrategy[T | Ex]:
"""base: A strategy to start from.
extend: A function which takes a strategy and returns a new strategy.
+ min_leaves: The minimum number of elements to be drawn from base on a given
+ run.
+
max_leaves: The maximum number of elements to be drawn from base on a given
run.
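Review bot: The new `min_leaves` docstring entry gives neither the accepted range nor what happens when a draw cannot reach the minimum. Judging by the recursive.py changes in this same commit, values below 1 or above `max_leaves` raise `InvalidArgument`, and a draw that stays under the minimum is retried a few times and then marked invalid. A sentence such as `Must satisfy 1 <= min_leaves <= max_leaves; draws with fewer leaves are retried and then rejected.` would warn callers that a large minimum can cost rejected examples. The docstring continues outside this hunk.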
@@ -1881,7 +1885,7 @@ def recursive(
"""
- return RecursiveStrategy(base, extend, max_leaves)
+ return RecursiveStrategy(base, extend, min_leaves, max_leaves)
class PermutationStrategy(SearchStrategy):
diff --git a/contrib/python/hypothesis/py3/hypothesis/strategies/_internal/recursive.py b/contrib/python/hypothesis/py3/hypothesis/strategies/_internal/recursive.py
index aa665ce0b82..2621600cc40 100644
--- a/contrib/python/hypothesis/py3/hypothesis/strategies/_internal/recursive.py
+++ b/contrib/python/hypothesis/py3/hypothesis/strategies/_internal/recursive.py
@@ -9,10 +9,14 @@
# obtain one at https://mozilla.org/MPL/2.0/.
import threading
+import warnings
from contextlib import contextmanager
-from hypothesis.errors import InvalidArgument
-from hypothesis.internal.reflection import get_pretty_function_description
+from hypothesis.errors import HypothesisWarning, InvalidArgument
+from hypothesis.internal.reflection import (
+ get_pretty_function_description,
+ is_identity_function,
+)
from hypothesis.internal.validation import check_type
from hypothesis.strategies._internal.strategies import (
OneOfStrategy,
@@ -72,24 +76,36 @@ class LimitedStrategy(SearchStrategy):
class RecursiveStrategy(SearchStrategy):
- def __init__(self, base, extend, max_leaves):
+ def __init__(self, base, extend, min_leaves, max_leaves):
super().__init__()
+ self.min_leaves = min_leaves
self.max_leaves = max_leaves
self.base = base
self.limited_base = LimitedStrategy(base)
self.extend = extend
+ if is_identity_function(extend):
+ warnings.warn(
+ "extend=lambda x: x is a no-op; you probably want to use a "
+ "different extend function, or just use the base strategy directly.",
+ HypothesisWarning,
+ stacklevel=5,
+ )
+
strategies = [self.limited_base, self.extend(self.limited_base)]
while 2 ** (len(strategies) - 1) <= max_leaves:
strategies.append(extend(OneOfStrategy(tuple(strategies))))
+ # If min_leaves > 1, we can never draw from base directly
+ if min_leaves > 1:
+ strategies = strategies[1:]
self.strategy = OneOfStrategy(strategies)
def __repr__(self) -> str:
if not hasattr(self, "_cached_repr"):
- self._cached_repr = "recursive(%r, %s, max_leaves=%d)" % (
- self.base,
- get_pretty_function_description(self.extend),
- self.max_leaves,
+ self._cached_repr = (
+ f"recursive({self.base!r}, "
+ f"{get_pretty_function_description(self.extend)}, "
+ f"min_leaves={self.min_leaves}, max_leaves={self.max_leaves})"
)
return self._cached_repr
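Review bot: `if min_leaves > 1:` in `__init__` compares the argument before `check_type(int, self.min_leaves, "min_leaves")` runs in the validation hunk that follows. A non-numeric `min_leaves` would therefore presumably surface as a bare `TypeError` from the constructor rather than `InvalidArgument`; the existing `<= max_leaves` loop condition has the same ordering. Guarding the slice with `if isinstance(min_leaves, int) and min_leaves > 1:` would leave the rejection to the validation step and keep error reporting consistent. Separately, `stacklevel=5` depends on the current call depth between the user's `recursive(...)` call and this constructor, so a short comment naming the frames it skips would help when that wrapper chain changes.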
@@ -99,20 +115,41 @@ class RecursiveStrategy(SearchStrategy):
check_strategy(extended, f"extend({self.limited_base!r})")
self.limited_base.validate()
extended.validate()
+ check_type(int, self.min_leaves, "min_leaves")
check_type(int, self.max_leaves, "max_leaves")
+ if self.min_leaves <= 0:
+ raise InvalidArgument(
+ f"min_leaves={self.min_leaves!r} must be greater than zero"
+ )
if self.max_leaves <= 0:
raise InvalidArgument(
f"max_leaves={self.max_leaves!r} must be greater than zero"
)
+ if self.min_leaves > self.max_leaves:
+ raise InvalidArgument(
+ f"min_leaves={self.min_leaves!r} must be less than or equal to "
+ f"max_leaves={self.max_leaves!r}"
+ )
def do_draw(self, data):
- count = 0
+ min_leaves_retries = 0
while True:
try:
with self.limited_base.capped(self.max_leaves):
- return data.draw(self.strategy)
+ result = data.draw(self.strategy)
+ leaves_drawn = self.max_leaves - self.limited_base.marker
+ if leaves_drawn < self.min_leaves:
+ data.events[
+ f"Draw for {self!r} had fewer than "
+ f"min_leaves={self.min_leaves} and had to be retried"
+ ] = ""
+ min_leaves_retries += 1
+ if min_leaves_retries < 5:
+ continue
+ data.mark_invalid(f"min_leaves={self.min_leaves} unsatisfied")
+ return result
except LimitReached:
- if count == 0:
- msg = f"Draw for {self!r} exceeded max_leaves and had to be retried"
- data.events[msg] = ""
- count += 1
+ data.events[
+ f"Draw for {self!r} exceeded "
+ f"max_leaves={self.max_leaves} and had to be retried"
+ ] = ""
diff --git a/contrib/python/hypothesis/py3/hypothesis/version.py b/contrib/python/hypothesis/py3/hypothesis/version.py
index 41812a39d47..2ac8a20a828 100644
--- a/contrib/python/hypothesis/py3/hypothesis/version.py
+++ b/contrib/python/hypothesis/py3/hypothesis/version.py
@@ -8,5 +8,5 @@
# v. 2.0. If a copy of the MPL was not distributed with this file, You can
# obtain one at https://mozilla.org/MPL/2.0/.
-__version_info__ = (6, 149, 1)
+__version_info__ = (6, 150, 0)
__version__ = ".".join(map(str, __version_info__))
diff --git a/contrib/python/hypothesis/py3/ya.make b/contrib/python/hypothesis/py3/ya.make
index 89ea7a2df29..e949f9b0fa8 100644
--- a/contrib/python/hypothesis/py3/ya.make
+++ b/contrib/python/hypothesis/py3/ya.make
@@ -2,7 +2,7 @@
PY3_LIBRARY()
-VERSION(6.149.1)
+VERSION(6.150.0)
LICENSE(MPL-2.0)
diff --git a/contrib/python/scramp/.dist-info/METADATA b/contrib/python/scramp/.dist-info/METADATA
index a2a7c0edb45..0699f73b120 100644
--- a/contrib/python/scramp/.dist-info/METADATA
+++ b/contrib/python/scramp/.dist-info/METADATA
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: scramp
-Version: 1.4.7
+Version: 1.4.8
Summary: An implementation of the SCRAM protocol.
Project-URL: Homepage, https://codeberg.org/tlocke/scramp
Author: The Contributors
@@ -22,7 +22,7 @@ Description-Content-Type: text/markdown
# Scramp
A Python implementation of the [SCRAM authentication protocol](
-https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism>).
+https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism).
Scramp supports the following mechanisms:
- SCRAM-SHA-1
@@ -34,6 +34,45 @@ Scramp supports the following mechanisms:
- SCRAM-SHA3-512
- SCRAM-SHA3-512-PLUS
+## Table Of Contents
+<!-- mtoc-start -->
+
+* [Installation](#installation)
+* [Examples](#examples)
+ * [Client and Server](#client-and-server)
+ * [Client only](#client-only)
+ * [Server only](#server-only)
+ * [Server Error](#server-error)
+* [Standards](#standards)
+* [API Docs](#api-docs)
+ * [scramp.MECHANISMS](#scrampmechanisms)
+ * [scramp.ScramClient](#scrampscramclient)
+ * [scramp.ScramMechanism](#scrampscrammechanism)
+ * [scramp.ScramServer](#scrampscramserver)
+ * [scramp.make\_channel\_binding(name, ssl\_socket)](#scrampmake_channel_bindingname-ssl_socket)
+* [Testing](#testing)
+* [OpenSSF Scorecard](#openssf-scorecard)
+* [Doing A Release Of Scramp](#doing-a-release-of-scramp)
+* [Release Notes](#release-notes)
+ * [Version 1.4.8, 2026-01-06](#version-148-2026-01-06)
+ * [Version 1.4.7, 2026-01-04](#version-147-2026-01-04)
+ * [Version 1.4.6, 2025-07-05](#version-146-2025-07-05)
+ * [Version 1.4.5, 2024-04-13](#version-145-2024-04-13)
+ * [Version 1.4.4, 2022-11-01](#version-144-2022-11-01)
+ * [Version 1.4.3, 2022-10-26](#version-143-2022-10-26)
+ * [Version 1.4.2, 2022-10-22](#version-142-2022-10-22)
+ * [Version 1.4.1, 2021-08-25](#version-141-2021-08-25)
+ * [Version 1.4.0, 2021-03-28](#version-140-2021-03-28)
+ * [Version 1.3.0, 2021-03-28](#version-130-2021-03-28)
+ * [Version 1.2.2, 2021-02-13](#version-122-2021-02-13)
+ * [Version 1.2.1, 2021-02-07](#version-121-2021-02-07)
+ * [Version 1.2.0, 2020-05-30](#version-120-2020-05-30)
+ * [Version 1.1.1, 2020-03-28](#version-111-2020-03-28)
+ * [Version 1.1.0, 2019-02-24](#version-110-2019-02-24)
+ * [Version 1.0.0, 2019-02-17](#version-100-2019-02-17)
+ * [Version 0.0.0, 2019-02-10](#version-000-2019-02-10)
+
+<!-- mtoc-end -->
## Installation
@@ -240,14 +279,14 @@ e=channel-binding-not-supported
```
-### Standards
+## Standards
-- [RFC 5802](https://tools.ietf.org/html/rfc5802>) Describes SCRAM.
-- [RFC 7677](https://datatracker.ietf.org/doc/html/rfc7677>) Registers SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.
+- [RFC 5802](https://tools.ietf.org/html/rfc5802) Describes SCRAM.
+- [RFC 7677](https://datatracker.ietf.org/doc/html/rfc7677) Registers SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.
- [draft-melnikov-scram-sha-512-02](https://datatracker.ietf.org/doc/html/draft-melnikov-scram-sha-512) Registers SCRAM-SHA-512 and SCRAM-SHA-512-PLUS.
- [draft-melnikov-scram-sha3-512](https://datatracker.ietf.org/doc/html/draft-melnikov-scram-sha3-512) Registers SCRAM-SHA3-512 and SCRAM-SHA3-512-PLUS.
- [RFC 5929](https://datatracker.ietf.org/doc/html/rfc5929) Channel Bindings for TLS.
-- [draft-ietf-kitten-tls-channel-bindings-for-tls13](https://datatracker.ietf.org/doc/html/draft-ietf-kitten-tls-channel-bindings-for-tls13>) Defines the `tls-exporter` channel binding, which is [not yet supported by Scramp](https://github.com/tlocke/scramp/issues/9).
+- [draft-ietf-kitten-tls-channel-bindings-for-tls13](https://datatracker.ietf.org/doc/html/draft-ietf-kitten-tls-channel-bindings-for-tls13) Defines the `tls-exporter` channel binding, which is [not yet supported by Scramp](https://codeberg.org/tlocke/scramp/issues/9).
## API Docs
@@ -295,7 +334,7 @@ The `ScramMechanism` object has the following methods and properties:
- `salt` - It's sometimes useful to set this binary parameter when testing / debugging, but in production this should be omitted, in which case a salt will be generated.
- `make_server(auth_fn, channel_binding=None, s_nonce=None)` - returns a `ScramServer` object. It takes the following parameters:
- `auth_fn` This is a function provided by the programmer that has one parameter, a username of type `str` and returns returns the tuple `(salt, stored_key, server_key, iteration_count)`. Where `salt`, `stored_key` and `server_key` are of a binary type, and `iteration_count` is an `int`.
- - `channel_binding` - Providing a value for this parameter allows channel binding to be used (ie. it lets you use mechanisms ending in `-PLUS`). The value for `channel_binding` is a tuple consisting of the channel binding name and the channel binding data. For example, if the channel binding name is 'tls-unique', the `channel_binding` parameter would be `('tls-unique', data)`, where `data` is obtained by calling [SSLSocket.get\_channel\_binding()](https://docs.python.org/3/library/ssl.html#ssl.SSLSocket.get_channel_binding>). The convenience function `scramp.make_channel_binding()` can be used to create a channel binding tuple. If `channel_binding` is provided and the mechanism isn't a `-PLUS` variant, then the server will negotiate with the client to use the `-PLUS` variant if the client supports it, or otherwise to use the mechanism without channel binding.
+ - `channel_binding` - Providing a value for this parameter allows channel binding to be used (ie. it lets you use mechanisms ending in `-PLUS`). The value for `channel_binding` is a tuple consisting of the channel binding name and the channel binding data. For example, if the channel binding name is 'tls-unique', the `channel_binding` parameter would be `('tls-unique', data)`, where `data` is obtained by calling [SSLSocket.get\_channel\_binding()](https://docs.python.org/3/library/ssl.html#ssl.SSLSocket.get_channel_binding). The convenience function `scramp.make_channel_binding()` can be used to create a channel binding tuple. If `channel_binding` is provided and the mechanism isn't a `-PLUS` variant, then the server will negotiate with the client to use the `-PLUS` variant if the client supports it, or otherwise to use the mechanism without channel binding.
- `s_nonce` - The server nonce as a `str`. It's sometimes useful to set this when testing / debugging, but in production this should be omitted, in which case `ScramServer` will generate a server nonce.
- `salted_password` - A binary object representing the hashed password.
- `iteration_count` - The minimum iteration count recommended for this mechanism.
@@ -344,6 +383,12 @@ Run `tox` to make sure all tests pass, then update the release notes, then do:
## Release Notes
+### Version 1.4.8, 2026-01-06
+
+- Use the [`secrets`](https://docs.python.org/3/library/secrets.html) module from
+ the Standard Library for generating the salt and nonce.
+
+
### Version 1.4.7, 2026-01-04
- The main change in this release is that we now use
@@ -351,7 +396,7 @@ Run `tox` to make sure all tests pass, then update the release notes, then do:
from the standard library, rather than our own Python implementation.
Since this is fast, we no longer need to provide a way of using a custom
key derivation function, and so `make_stored_server_keys()` has been removed.
-* To avoid timing attacks we now use
+- To avoid timing attacks we now use
[`hmac.compare_digest()`](https://docs.python.org/3/library/hmac.html#hmac.compare_digest)
for digest comparisons.
diff --git a/contrib/python/scramp/README.md b/contrib/python/scramp/README.md
index 81c9e41037d..dc6707f325d 100644
--- a/contrib/python/scramp/README.md
+++ b/contrib/python/scramp/README.md
@@ -1,7 +1,7 @@
# Scramp
A Python implementation of the [SCRAM authentication protocol](
-https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism>).
+https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism).
Scramp supports the following mechanisms:
- SCRAM-SHA-1
@@ -13,6 +13,45 @@ Scramp supports the following mechanisms:
- SCRAM-SHA3-512
- SCRAM-SHA3-512-PLUS
+## Table Of Contents
+<!-- mtoc-start -->
+
+* [Installation](#installation)
+* [Examples](#examples)
+ * [Client and Server](#client-and-server)
+ * [Client only](#client-only)
+ * [Server only](#server-only)
+ * [Server Error](#server-error)
+* [Standards](#standards)
+* [API Docs](#api-docs)
+ * [scramp.MECHANISMS](#scrampmechanisms)
+ * [scramp.ScramClient](#scrampscramclient)
+ * [scramp.ScramMechanism](#scrampscrammechanism)
+ * [scramp.ScramServer](#scrampscramserver)
+ * [scramp.make\_channel\_binding(name, ssl\_socket)](#scrampmake_channel_bindingname-ssl_socket)
+* [Testing](#testing)
+* [OpenSSF Scorecard](#openssf-scorecard)
+* [Doing A Release Of Scramp](#doing-a-release-of-scramp)
+* [Release Notes](#release-notes)
+ * [Version 1.4.8, 2026-01-06](#version-148-2026-01-06)
+ * [Version 1.4.7, 2026-01-04](#version-147-2026-01-04)
+ * [Version 1.4.6, 2025-07-05](#version-146-2025-07-05)
+ * [Version 1.4.5, 2024-04-13](#version-145-2024-04-13)
+ * [Version 1.4.4, 2022-11-01](#version-144-2022-11-01)
+ * [Version 1.4.3, 2022-10-26](#version-143-2022-10-26)
+ * [Version 1.4.2, 2022-10-22](#version-142-2022-10-22)
+ * [Version 1.4.1, 2021-08-25](#version-141-2021-08-25)
+ * [Version 1.4.0, 2021-03-28](#version-140-2021-03-28)
+ * [Version 1.3.0, 2021-03-28](#version-130-2021-03-28)
+ * [Version 1.2.2, 2021-02-13](#version-122-2021-02-13)
+ * [Version 1.2.1, 2021-02-07](#version-121-2021-02-07)
+ * [Version 1.2.0, 2020-05-30](#version-120-2020-05-30)
+ * [Version 1.1.1, 2020-03-28](#version-111-2020-03-28)
+ * [Version 1.1.0, 2019-02-24](#version-110-2019-02-24)
+ * [Version 1.0.0, 2019-02-17](#version-100-2019-02-17)
+ * [Version 0.0.0, 2019-02-10](#version-000-2019-02-10)
+
+<!-- mtoc-end -->
## Installation
@@ -219,14 +258,14 @@ e=channel-binding-not-supported
```
-### Standards
+## Standards
-- [RFC 5802](https://tools.ietf.org/html/rfc5802>) Describes SCRAM.
-- [RFC 7677](https://datatracker.ietf.org/doc/html/rfc7677>) Registers SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.
+- [RFC 5802](https://tools.ietf.org/html/rfc5802) Describes SCRAM.
+- [RFC 7677](https://datatracker.ietf.org/doc/html/rfc7677) Registers SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.
- [draft-melnikov-scram-sha-512-02](https://datatracker.ietf.org/doc/html/draft-melnikov-scram-sha-512) Registers SCRAM-SHA-512 and SCRAM-SHA-512-PLUS.
- [draft-melnikov-scram-sha3-512](https://datatracker.ietf.org/doc/html/draft-melnikov-scram-sha3-512) Registers SCRAM-SHA3-512 and SCRAM-SHA3-512-PLUS.
- [RFC 5929](https://datatracker.ietf.org/doc/html/rfc5929) Channel Bindings for TLS.
-- [draft-ietf-kitten-tls-channel-bindings-for-tls13](https://datatracker.ietf.org/doc/html/draft-ietf-kitten-tls-channel-bindings-for-tls13>) Defines the `tls-exporter` channel binding, which is [not yet supported by Scramp](https://github.com/tlocke/scramp/issues/9).
+- [draft-ietf-kitten-tls-channel-bindings-for-tls13](https://datatracker.ietf.org/doc/html/draft-ietf-kitten-tls-channel-bindings-for-tls13) Defines the `tls-exporter` channel binding, which is [not yet supported by Scramp](https://codeberg.org/tlocke/scramp/issues/9).
## API Docs
@@ -274,7 +313,7 @@ The `ScramMechanism` object has the following methods and properties:
- `salt` - It's sometimes useful to set this binary parameter when testing / debugging, but in production this should be omitted, in which case a salt will be generated.
- `make_server(auth_fn, channel_binding=None, s_nonce=None)` - returns a `ScramServer` object. It takes the following parameters:
- `auth_fn` This is a function provided by the programmer that has one parameter, a username of type `str` and returns returns the tuple `(salt, stored_key, server_key, iteration_count)`. Where `salt`, `stored_key` and `server_key` are of a binary type, and `iteration_count` is an `int`.
- - `channel_binding` - Providing a value for this parameter allows channel binding to be used (ie. it lets you use mechanisms ending in `-PLUS`). The value for `channel_binding` is a tuple consisting of the channel binding name and the channel binding data. For example, if the channel binding name is 'tls-unique', the `channel_binding` parameter would be `('tls-unique', data)`, where `data` is obtained by calling [SSLSocket.get\_channel\_binding()](https://docs.python.org/3/library/ssl.html#ssl.SSLSocket.get_channel_binding>). The convenience function `scramp.make_channel_binding()` can be used to create a channel binding tuple. If `channel_binding` is provided and the mechanism isn't a `-PLUS` variant, then the server will negotiate with the client to use the `-PLUS` variant if the client supports it, or otherwise to use the mechanism without channel binding.
+ - `channel_binding` - Providing a value for this parameter allows channel binding to be used (ie. it lets you use mechanisms ending in `-PLUS`). The value for `channel_binding` is a tuple consisting of the channel binding name and the channel binding data. For example, if the channel binding name is 'tls-unique', the `channel_binding` parameter would be `('tls-unique', data)`, where `data` is obtained by calling [SSLSocket.get\_channel\_binding()](https://docs.python.org/3/library/ssl.html#ssl.SSLSocket.get_channel_binding). The convenience function `scramp.make_channel_binding()` can be used to create a channel binding tuple. If `channel_binding` is provided and the mechanism isn't a `-PLUS` variant, then the server will negotiate with the client to use the `-PLUS` variant if the client supports it, or otherwise to use the mechanism without channel binding.
- `s_nonce` - The server nonce as a `str`. It's sometimes useful to set this when testing / debugging, but in production this should be omitted, in which case `ScramServer` will generate a server nonce.
- `salted_password` - A binary object representing the hashed password.
- `iteration_count` - The minimum iteration count recommended for this mechanism.
@@ -323,6 +362,12 @@ Run `tox` to make sure all tests pass, then update the release notes, then do:
## Release Notes
+### Version 1.4.8, 2026-01-06
+
+- Use the [`secrets`](https://docs.python.org/3/library/secrets.html) module from
+ the Standard Library for generating the salt and nonce.
+
+
### Version 1.4.7, 2026-01-04
- The main change in this release is that we now use
@@ -330,7 +375,7 @@ Run `tox` to make sure all tests pass, then update the release notes, then do:
from the standard library, rather than our own Python implementation.
Since this is fast, we no longer need to provide a way of using a custom
key derivation function, and so `make_stored_server_keys()` has been removed.
-* To avoid timing attacks we now use
+- To avoid timing attacks we now use
[`hmac.compare_digest()`](https://docs.python.org/3/library/hmac.html#hmac.compare_digest)
for digest comparisons.
diff --git a/contrib/python/scramp/scramp/core.py b/contrib/python/scramp/scramp/core.py
index 3b2169b8311..0c645a8cba9 100644
--- a/contrib/python/scramp/scramp/core.py
+++ b/contrib/python/scramp/scramp/core.py
@@ -4,7 +4,7 @@ from enum import IntEnum, unique
from functools import wraps
from hmac import compare_digest
from operator import attrgetter
-from os import urandom
+from secrets import token_bytes, token_hex
from stringprep import (
in_table_a1,
in_table_b1,
@@ -20,7 +20,6 @@ from stringprep import (
in_table_d1,
in_table_d2,
)
-from uuid import uuid4
from asn1crypto.x509 import Certificate
@@ -160,7 +159,7 @@ class ScramMechanism:
def _make_auth_info(hf, password, i, salt=None):
if salt is None:
- salt = urandom(16)
+ salt = token_bytes()
salted_password = _make_salted_password(hf, password, salt, i)
_, stored_key, server_key = _c_key_stored_key_s_key(hf, salted_password)
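Review bot: `salt = token_bytes()` drops the explicit 16-byte length, so the salt size is now whatever default `secrets` chooses, which the standard-library documentation describes as subject to change. The same applies to `return token_hex()` in `_make_nonce` in the next hunk, where the nonce is also no longer the 32 hex characters that the `uuid4` form produced. Pinning the sizes, for example `salt = token_bytes(16)` and `return token_hex(16)` (or larger values chosen deliberately), keeps stored salt widths and wire nonce lengths stable across Python versions. That matters if any consumer stores the salt in a fixed-width field or validates nonce length. Both function bodies continue outside their hunks.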
@@ -352,7 +351,7 @@ class ScramServer:
def _make_nonce():
- return str(uuid4()).replace("-", "")
+ return token_hex()
def _make_auth_message(client_first_bare, server_first, client_final_without_proof):
diff --git a/contrib/python/scramp/ya.make b/contrib/python/scramp/ya.make
index b51585bc31f..74bbaca906b 100644
--- a/contrib/python/scramp/ya.make
+++ b/contrib/python/scramp/ya.make
@@ -2,7 +2,7 @@
PY3_LIBRARY()
-VERSION(1.4.7)
+VERSION(1.4.8)
LICENSE(MIT-0)