Skip to content

Bump the pip group across 1 directory with 6 updates#1

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/pip/pip-f5d3e4da82
Open

Bump the pip group across 1 directory with 6 updates#1
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/pip/pip-f5d3e4da82

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot bot commented on behalf of github May 17, 2025

Bumps the pip group with 6 updates in the / directory:

Package From To
flask-cors 4.0.0 6.0.0
requests 2.31.0 2.32.2
werkzeug 3.0.1 3.0.6
jinja2 3.1.3 3.1.6
waitress 3.0.0 3.0.1
webob 1.8.7 1.8.8

Updates flask-cors from 4.0.0 to 6.0.0

Release notes

Sourced from flask-cors's releases.

6.0.0

Breaking

Path specificity ordering has changed to improve specificity. This may break users who expected the previous incorrect ordering.

What's Changed

Full Changelog: corydolphin/flask-cors@5.0.1...6.0.0

5.0.1

What's Changed

This primarily changes packaging to use uv and a new release pipeline, along with some small documentation improvements

New Contributors

Full Changelog: corydolphin/flask-cors@5.0.0...5.0.01

5.0.0

What's Changed

Full Changelog: corydolphin/flask-cors@4.0.2...5.0.0

4.0.2

What's Changed

New Contributors

Full Changelog: corydolphin/flask-cors@4.0.1...4.0.2

... (truncated)

Changelog

Sourced from flask-cors's changelog.

Change Log

4.0.1

Security

Commits

Updates requests from 2.31.0 to 2.32.2

Release notes

Sourced from requests's releases.

v2.32.2

2.32.2 (2024-05-21)

Deprecations

  • To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

    A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

  • Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

🐍 PYCON US 2024 EDITION 🐍

Security

  • Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

  • verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
  • Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

  • Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
  • Fixed deserialization bug in JSONDecodeError. (#6629)
  • Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

... (truncated)

Changelog

Sourced from requests's changelog.

2.32.2 (2024-05-21)

Deprecations

  • To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

    A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

  • Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

  • Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

  • verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
  • Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

  • Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
  • Fixed deserialization bug in JSONDecodeError. (#6629)
  • Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations

... (truncated)

Commits
  • 88dce9d v2.32.2
  • c98e4d1 Merge pull request #6710 from nateprewitt/api_rename
  • 92075b3 Add deprecation warning
  • aa1461b Move _get_connection to get_connection_with_tls_context
  • 970e8ce v2.32.1
  • d6ebc4a v2.32.0
  • 9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
  • 0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
  • 555b870 Allow character detection dependencies to be optional in post-packaging steps
  • d6dded3 Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test
  • Additional commits viewable in compare view

Updates werkzeug from 3.0.1 to 3.0.6

Release notes

Sourced from werkzeug's releases.

3.0.6

This is the Werkzeug 3.0.6 security fix release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.6/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-0-6

  • Fix how max_form_memory_size is applied when parsing large non-file fields. GHSA-q34m-jh98-gwm2
  • safe_join catches certain paths on Windows that were not caught by ntpath.isabs on Python < 3.11. GHSA-f9vj-2wh5-fj8j

3.0.5

This is the Werkzeug 3.0.5 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.5/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-0-5 Milestone: https://github.com/pallets/werkzeug/milestone/37?closed=1

  • The Watchdog reloader ignores file closed no write events. #2945
  • Logging works with client addresses containing an IPv6 scope. #2952
  • Ignore invalid authorization parameters. #2955
  • Improve type annotation fore SharedDataMiddleware. #2958
  • Compatibility with Python 3.13 when generating debugger pin and the current UID does not have an associated name. #2957

3.0.4

This is the Werkzeug 3.0.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.4/ Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-4 Milestone: https://github.com/pallets/werkzeug/milestone/36?closed=1

  • Restore behavior where parsing multipart/x-www-form-urlencoded data with invalid UTF-8 bytes in the body results in no form data parsed rather than a 413 error. #2930
  • Improve parse_options_header performance when parsing unterminated quoted string values. #2904
  • Debugger pin auth is synchronized across threads/processes when tracking failed entries. #2916
  • Dev server handles unexpected SSLEOFError due to issue in Python < 3.13. #2926
  • Debugger pin auth works when the URL already contains a query string. #2918

3.0.3

This is the Werkzeug 3.0.3 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.3/ Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-3 Milestone: https://github.com/pallets/werkzeug/milestone/35?closed=1

  • Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. GHSA-2g68-c3qc-8985
  • Make reloader more robust when "" is in sys.path. #2823

... (truncated)

Changelog

Sourced from werkzeug's changelog.

Version 3.0.6

Released 2024-10-25

  • Fix how max_form_memory_size is applied when parsing large non-file fields. :ghsa:q34m-jh98-gwm2
  • safe_join catches certain paths on Windows that were not caught by ntpath.isabs on Python < 3.11. :ghsa:f9vj-2wh5-fj8j

Version 3.0.5

Released 2024-10-24

  • The Watchdog reloader ignores file closed no write events. :issue:2945
  • Logging works with client addresses containing an IPv6 scope :issue:2952
  • Ignore invalid authorization parameters. :issue:2955
  • Improve type annotation fore SharedDataMiddleware. :issue:2958
  • Compatibility with Python 3.13 when generating debugger pin and the current UID does not have an associated name. :issue:2957

Version 3.0.4

Released 2024-08-21

  • Restore behavior where parsing multipart/x-www-form-urlencoded data with invalid UTF-8 bytes in the body results in no form data parsed rather than a 413 error. :issue:2930
  • Improve parse_options_header performance when parsing unterminated quoted string values. :issue:2904
  • Debugger pin auth is synchronized across threads/processes when tracking failed entries. :issue:2916
  • Dev server handles unexpected SSLEOFError due to issue in Python < 3.13. :issue:2926
  • Debugger pin auth works when the URL already contains a query string. :issue:2918

Version 3.0.3

Released 2024-05-05

  • Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger

... (truncated)

Commits

Updates jinja2 from 3.1.3 to 3.1.6

Release notes

Sourced from jinja2's releases.

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/ Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

  • The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7

3.1.5

This is the Jinja 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.5/ Changes: https://jinja.palletsprojects.com/changes/#version-3-1-5 Milestone: https://github.com/pallets/jinja/milestone/16?closed=1

  • The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. GHSA-q2x7-8rv6-6q7h
  • Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. #1792, GHSA-gmj6-6f8f-6699
  • Sandbox does not allow clear and pop on known mutable sequence types. #2032
  • Calling sync render for an async template uses asyncio.run. #1952
  • Avoid unclosed auto_aiter warnings. #1960
  • Return an aclose-able AsyncGenerator from Template.generate_async. #1960
  • Avoid leaving root_render_func() unclosed in Template.generate_async. #1960
  • Avoid leaving async generators unclosed in blocks, includes and extends. #1960
  • The runtime uses the correct concat function for the current environment when calling block references. #1701
  • Make |unique async-aware, allowing it to be used after another async-aware filter. #1781
  • |int filter handles OverflowError from scientific notation. #1921
  • Make compiling deterministic for tuple unpacking in a {% set ... %} call. #2021
  • Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. #2025
  • Fix copy/pickle support for the internal missing object. #2027
  • Environment.overlay(enable_async) is applied correctly. #2061
  • The error message from FileSystemLoader includes the paths that were searched. #1661
  • PackageLoader shows a clearer error message when the package does not contain the templates directory. #1705
  • Improve annotations for methods returning copies. #1880
  • urlize does not add mailto: to values like @a@b. #1870
  • Tests decorated with @pass_context can be used with the |select filter. #1624
  • Using set for multiple assignment (a, b = 1, 2) does not fail when the target is a namespace attribute. #1413
  • Using set in all branches of {% if %}{% elif %}{% else %} blocks does not cause the variable to be considered initially undefined. #1253

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

  • The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj
Changelog

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

  • The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Version 3.1.5

Released 2024-12-21

  • The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. :ghsa:q2x7-8rv6-6q7h
  • Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. :issue:1792, :ghsa:gmj6-6f8f-6699
  • Sandbox does not allow clear and pop on known mutable sequence types. :issue:2032
  • Calling sync render for an async template uses asyncio.run. :pr:1952
  • Avoid unclosed auto_aiter warnings. :pr:1960
  • Return an aclose-able AsyncGenerator from Template.generate_async. :pr:1960
  • Avoid leaving root_render_func() unclosed in Template.generate_async. :pr:1960
  • Avoid leaving async generators unclosed in blocks, includes and extends. :pr:1960
  • The runtime uses the correct concat function for the current environment when calling block references. :issue:1701
  • Make |unique async-aware, allowing it to be used after another async-aware filter. :issue:1781
  • |int filter handles OverflowError from scientific notation. :issue:1921
  • Make compiling deterministic for tuple unpacking in a {% set ... %} call. :issue:2021
  • Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. :issue:2025
  • Fix copy/pickle support for the internal missing object. :issue:2027
  • Environment.overlay(enable_async) is applied correctly. :pr:2061
  • The error message from FileSystemLoader includes the paths that were searched. :issue:1661
  • PackageLoader shows a clearer error message when the package does not contain the templates directory. :issue:1705
  • Improve annotations for methods returning copies. :pr:1880
  • urlize does not add mailto: to values like @a@b. :pr:1870

... (truncated)

Commits

Updates waitress from 3.0.0 to 3.0.1

Release notes

Sourced from waitress's releases.

v3.0.1

3.0.1 (2024-10-28)

Backward Incompatibilities

Features

Security

  • Fix a bug that would lead to Waitress busy looping on select() on a half-open socket due to a race condition that existed when creating a new HTTPChannel. See Pylons/waitress#435, Pylons/waitress#418 and GHSA-3f84-rpwh-47g6

    With thanks to Dylan Jay and Dieter Maurer for their extensive debugging and helping track this down.

  • No longer strip the header values before passing them to the WSGI environ. See Pylons/waitress#434 and Pylons/waitress#432

  • Fix a race condition in Waitress when channel_request_lookahead is enabled that could lead to HTTP request smuggling.

    See GHSA-9298-4cf8-g4wj

Changelog

Sourced from waitress's changelog.

3.0.1 (2024-10-28)

Backward Incompatibilities


- Python 3.8 is no longer supported.
  See https://github.com/Pylons/waitress/pull/445.

Features



- Added support for Python 3.13.
  See https://github.com/Pylons/waitress/pull/445.

Security




    

  • 

    Fix a bug that would lead to Waitress busy looping on select() on a half-open
    
socket due to a race condition that existed when creating a new HTTPChannel.
    
See Pylons/waitress#435,
    
Pylons/waitress#418 and
    
GHSA-3f84-rpwh-47g6
    

    With thanks to Dylan Jay and Dieter Maurer for their extensive debugging and
    
helping track this down.
    

    • 

  • 

    No longer strip the header values before passing them to the WSGI environ.
    
See Pylons/waitress#434 and
    
Pylons/waitress#432
    

    • 

  • 

    Fix a race condition in Waitress when channel_request_lookahead is enabled
    
that could lead to HTTP request smuggling.
    

    See GHSA-9298-4cf8-g4wj

Commits
  • ae949bb Ready for 3.0.1
  • e435901 Merge commit from fork
  • 810a435 Add documentation for channel_request_lookahead
  • f4ba1c2 Fix a race condition on recv_bytes boundary when request is invalid
  • 7e7f11e Add a new test to validate the lookahead race condition
  • 6943dcf Make DummySock() look more like an actual socket
  • fdd2ecf Merge pull request #445 from Pylons/feature/support-py-3-13
  • dcd18e7 Update exclude matrix
  • 4633ea6 Drop Python 3.8 and add Python 3.13
  • 4584936 Merge pull request #440 from Pylons/fix/ci
  • Additional commits viewable in compare view

Updates webob from 1.8.7 to 1.8.8

Changelog

Sourced from webob's changelog.

Unreleased

Security Fix


- The use of WebOb's Response object to redirect a request to a new location
  can lead to an open redirect if the Location header is not a full URI.

See GHSA-mg3v-6m49-jhp3

and CVE-2024-42353


Thanks to Sara Gao for the report


(This fix was released in WebOb 1.8.8)


Feature



- Rename &quot;master&quot; git branch to &quot;main&quot;


Compatibility

</code></pre>

<p>Backwards Incompatibilities</p>

<pre><code>


    

  • Drop support for Python 2.7, 3.4, 3.5, 3.6, and 3.7.
    • 



Experimental Features

... (truncated)

Commits
  • f2bdd83 Merge commit from fork
  • 913fa2c Update CHANGES.txt
  • f2e92f3 WebOb version revised to 1.8.8
  • a06856a Build the latest version from tox
  • 819f43c Add MANIFEST.in to build source tarball
  • 411df96 s/isAlive/is_alive/
  • 5ae9b5d Update for newer versions of tox/sphinx
  • 2a2da92 Support for Python 2.7 requires an old version of virtualenv
  • f689bcf Add fix for open redirect
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the pip group across 1 directory with 6 updates
941a753 
Bumps the pip group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [flask-cors](https://github.com/corydolphin/flask-cors) | `4.0.0` | `6.0.0` |
| [requests](https://github.com/psf/requests) | `2.31.0` | `2.32.2` |
| [werkzeug](https://github.com/pallets/werkzeug) | `3.0.1` | `3.0.6` |
| [jinja2](https://github.com/pallets/jinja) | `3.1.3` | `3.1.6` |
| [waitress](https://github.com/Pylons/waitress) | `3.0.0` | `3.0.1` |
| [webob](https://github.com/Pylons/webob) | `1.8.7` | `1.8.8` |



Updates `flask-cors` from 4.0.0 to 6.0.0
- [Release notes](https://github.com/corydolphin/flask-cors/releases)
- [Changelog](https://github.com/corydolphin/flask-cors/blob/main/CHANGELOG.md)
- [Commits](corydolphin/flask-cors@4.0.0...6.0.0)

Updates `requests` from 2.31.0 to 2.32.2
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.31.0...v2.32.2)

Updates `werkzeug` from 3.0.1 to 3.0.6
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](pallets/werkzeug@3.0.1...3.0.6)

Updates `jinja2` from 3.1.3 to 3.1.6
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](pallets/jinja@3.1.3...3.1.6)

Updates `waitress` from 3.0.0 to 3.0.1
- [Release notes](https://github.com/Pylons/waitress/releases)
- [Changelog](https://github.com/Pylons/waitress/blob/main/CHANGES.txt)
- [Commits](Pylons/waitress@v3.0.0...v3.0.1)

Updates `webob` from 1.8.7 to 1.8.8
- [Changelog](https://github.com/Pylons/webob/blob/main/CHANGES.txt)
- [Commits](Pylons/webob@1.8.7...1.8.8)

---
updated-dependencies:
- dependency-name: flask-cors
  dependency-version: 6.0.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: requests
  dependency-version: 2.32.2
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: werkzeug
  dependency-version: 3.0.6
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: jinja2
  dependency-version: 3.1.6
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: waitress
  dependency-version: 3.0.1
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: webob
  dependency-version: 1.8.8
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels May 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants