Bump internetarchive from 3.5.0 to 5.5.1 in /setup_env#10

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/setup_env/internetarchive-5.5.1

Conversation


@dependabot dependabot bot commented on behalf of github Sep 5, 2025

Bumps internetarchive from 3.5.0 to 5.5.1.

Release notes

Sourced from internetarchive's releases.

Version 5.5.1

Security

  • Fixed a critical directory traversal vulnerability in File.download(). All users are urged to upgrade immediately. This prevents malicious filenames from writing files outside the target directory, a risk especially critical for Windows users.
  • Added automatic filename sanitization with platform-specific rules.
  • Added path resolution checks to block directory traversal attacks.
  • Introduced warnings when filenames are sanitized to maintain user awareness.

Please see the security advisory for more details.

Bugfixes

  • Fixed bug in JSON parsing for ia upload --file-metadata ....

Version 5.5.0

Features and Improvements

  • Added --parameters option to ia metadata.

Version 5.4.1

Features and Improvements

  • Stop setting scanner on upload per policy change.

Bugfixes

  • Fixed bug where REMOVE_TAG was not working with indexed keys.
  • Fixed argument validation and option parsing in ia download.

Version 5.4.0

Features and Improvements

  • Added --print-auth-header option to ia configure.

Bugfixes

  • Corrected behavior of ia_copy to avoid dropping path prefixes, fixing ia_move to properly delete moved files in subdirectories (via :gh:693).
  • Fixed bug where hardcoded test comment was being sent with every request.
  • Fixed issue where ia reviews --index/--noindex only worked for configured user.

Version 5.3.0

Features and Improvements

  • Added ia configure --show to print config to stdout.
  • Added ia configure --check for validating credentials.
  • Added ia configure --whoami for retrieving info about the configured user.
  • Added ia simplelists command for managing simplelists.
  • Added ia flag command for managing flags.

Bugfixes

  • Fixed bugs in ia copy and ia move where an AttributeError was being raised.

... (truncated)

Changelog

Sourced from internetarchive's changelog.

5.5.1 (2025-09-05)

Security

  • Fixed a critical directory traversal vulnerability in File.download(). All users are urged to upgrade immediately. This prevents malicious filenames from writing files outside the target directory, a risk especially critical for Windows users.
  • Added automatic filename sanitization with platform-specific rules.
  • Added path resolution checks to block directory traversal attacks.
  • Introduced warnings when filenames are sanitized to maintain user awareness.

Bugfixes

  • Fixed bug in JSON parsing for ia upload --file-metadata ....

5.5.0 (2025-07-17)

Features and Improvements

  • Added --parameters option to ia metadata.

5.4.1 (2025-07-16)

Features and Improvements

  • Stop setting scanner on upload per policy change.

Bugfixes

  • Fixed bug where REMOVE_TAG was not working with indexed keys.
  • Fixed argument validation and option parsing in ia download.

5.4.0 (2025-04-29)

Features and Improvements

  • Added --print-auth-header option to ia configure.

Bugfixes

  • Corrected behavior of ia_copy to avoid dropping path prefixes, fixing ia_move to properly delete moved files in subdirectories (via :gh:693).
  • Fixed bug where hardcoded test comment was being sent with every request.
  • Fixed issue where ia reviews --index/--noindex only worked for configured user.

5.3.1 (2025-03-26)

Bugfixes

  • Fixed bug where ia reviews --index/--noindex was only working for the configured user.

... (truncated)

Commits
  • 73141db v5.5.1
  • cba2d45 Merge branch 'sanitize-filename-downloads'
  • be94ff7 v5.5.1
  • d578c53 v5.5.1
  • 00c2c20 Updated README with temporary security notice
  • ccf95b0 Added tests for file sanitization
  • e676fc5 Added tests for file sanitization
  • d05d2bb fixed typo
  • d583bd5 Added directory traversal attack check to download
  • eceef89 Encode % in sanitize_filename_windows to ensure the encoding is reliably reve...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
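The 5.5.1 notes above describe two layers of defence for downloads: filename sanitization with platform-specific rules (with a warning when a name is rewritten) and a path resolution check that refuses to write outside the target directory. The following is an added Python example written for this page to show how those two layers fit together; it is not the internetarchive library's own implementation of File.download(), and the function names, the Windows character and reserved-name tables, and the sample filenames are assumptions made for illustration.

```python
import os
import re
import warnings
from pathlib import Path

# Constructed rule set for illustration: characters Windows forbids in file
# names, ASCII control characters, and the legacy device names that Windows
# resolves regardless of extension. Not the library's own tables.
_WINDOWS_BAD_CHARS = re.compile(r'[<>:"|?*\x00-\x1f]')
_WINDOWS_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def sanitize_component(part: str, windows: bool) -> str:
    """Rewrite one path component so it is a plain file name on the target OS."""
    if not windows:
        # POSIX forbids only NUL and "/" inside a component; "/" never reaches
        # here because the caller already split on it.
        return part.replace("\x00", "_")
    # Windows silently strips trailing dots and spaces, so strip them ourselves
    # to keep the name we check identical to the name the OS will create.
    cleaned = _WINDOWS_BAD_CHARS.sub("_", part).rstrip(" .")
    if cleaned.split(".", 1)[0].upper() in _WINDOWS_RESERVED:
        cleaned = "_" + cleaned  # "CON.txt" would otherwise open the console device
    return cleaned or "_"


def sanitize_relative_path(name: str, windows: bool = (os.name == "nt")) -> str:
    """Map an untrusted remote file name to a safe relative path (POSIX separators).

    Layer one: drop absolute prefixes, drive letters and ".." components, then
    sanitize what is left. A warning is emitted whenever the name was changed."""
    parts = re.split(r"[\\/]+", name)  # treat "\" as a separator too, as Windows does
    kept = []
    for part in parts:
        if part in ("", ".", ".."):
            continue  # drops a leading "/" (absolute path), "." and "../" traversal
        if windows and re.fullmatch(r"[A-Za-z]:", part):
            continue  # drops a drive prefix such as "C:"
        kept.append(sanitize_component(part, windows))
    result = "/".join(kept)
    if result != name:
        warnings.warn(f"remote filename {name!r} sanitized to {result!r}", stacklevel=2)
    return result


def resolve_within(target_dir, rel_path) -> Path:
    """Layer two: resolve target_dir/rel_path and refuse anything outside target_dir.

    Independent of layer one, so a sanitizer bug cannot write outside the base.
    resolve() follows symlinks, so a pre-existing symlink under target_dir that
    points elsewhere is also rejected."""
    base = Path(target_dir).resolve()
    dest = (base / rel_path).resolve()
    # Compare path components, not string prefixes: "/dl2/x" is not inside "/dl".
    if base not in dest.parents:
        raise ValueError(f"refusing to write outside {base}: {dest}")
    return dest


def is_within(target_dir, rel_path) -> bool:
    """Boolean wrapper around resolve_within for callers that prefer not to catch."""
    try:
        resolve_within(target_dir, rel_path)
        return True
    except ValueError:
        return False


def safe_destination(target_dir, remote_name, windows=(os.name == "nt")) -> Path:
    """Both layers together: the path a downloader should actually open for writing."""
    rel = sanitize_relative_path(remote_name, windows)
    if not rel:
        raise ValueError(f"nothing left of {remote_name!r} after sanitization")
    return resolve_within(target_dir, rel)


if __name__ == "__main__":
    # Constructed sample names an archive item could carry.
    for n in ("docs/readme.txt", "../../etc/passwd", "C:\\Windows\\win.ini", "CON.txt"):
        print(n, "->", safe_destination("downloads", n, windows=True))
```

Keeping the resolution check separate from the sanitizer is the point: the sanitizer decides what name a file gets, the check decides whether any write happens at all, and the second holds even if the first is bypassed. Treating backslashes as separators on POSIX is deliberately conservative, since the same remote name may later be downloaded on Windows.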

Bumps [internetarchive](https://github.com/jjjake/internetarchive) from 3.5.0 to 5.5.1.
- [Release notes](https://github.com/jjjake/internetarchive/releases)
- [Changelog](https://github.com/jjjake/internetarchive/blob/master/HISTORY.rst)
- [Commits](jjjake/internetarchive@v3.5.0...v5.5.1)

---
updated-dependencies:
- dependency-name: internetarchive
  dependency-version: 5.5.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Sep 5, 2025