Bump the python group across 1 directory with 16 updates

[dependabot]

Bumps the python group with 16 updates in the / directory:

Package	From	To
certifi	2024.7.4	2024.8.30
charset-normalizer	3.3.2	3.4.0
idna	3.7	3.10
markupsafe	2.1.5	3.0.2
pyparsing	3.1.2	3.2.0
urllib3	2.2.2	2.2.3
werkzeug	3.0.3	3.0.4
wtforms	3.1.2	3.2.1
zipp	3.19.2	3.20.2
gunicorn	22.0.0	23.0.0
coverage	7.6.1	7.6.4
pytest	8.3.2	8.3.3
pylint	3.2.6	3.3.1
bandit	1.7.9	1.7.10
mypy	1.11.1	1.13.0
types-setuptools	71.1.0.20240806	75.2.0.20241019

Updates certifi from 2024.7.4 to 2024.8.30

Commits

• 325c2fd 2024.08.30 (#304)
• d66bf5f Bump actions/upload-artifact from 4.3.5 to 4.3.6 (#302)
• 2150f23 Bump actions/upload-artifact from 4.3.4 to 4.3.5 (#301)
• fc9b771 Bump actions/setup-python from 5.1.0 to 5.1.1 (#300)
• 965b239 Bump actions/download-artifact from 4.1.7 to 4.1.8 (#297)
• c1f50cc Bump actions/upload-artifact from 4.3.3 to 4.3.4 (#296)
• See full diff in compare view

Updates charset-normalizer from 3.3.2 to 3.4.0

Release notes

Sourced from charset-normalizer's releases.

Version 3.4.0

🚀 charset-normalizer is raising awareness around HTTP/2, and HTTP/3!

Did you know that Internet Explorer 11 shipped with an optional HTTP/2 support back in 2013? also libcurl did ship it in 2014[...] All of this while our community is still struggling to make a firm advancement in HTTP clients. Now, many of you use Requests as the defacto http client, now, and for many years now, Requests has been frozen. Being left in a vegetative state and not evolving, this blocked millions of developers from using more advanced features.

We promptly invite Python developers to look at the drop-in replacement for Requests, namely Niquests. It leverage charset-normalizer in a better way! Check it out, you will be positively surprised! Don't wait another decade.

We are thankful to @​microsoft and involved parties for funding our work through the Microsoft FOSS Fund program.

3.4.0 (2024-10-08)

Added

• Argument --no-preemptive in the CLI to prevent the detector to search for hints.
• Support for Python 3.13 (#512)

Fixed

• Relax the TypeError exception thrown when trying to compare a CharsetMatch with anything else than a CharsetMatch.
• Improved the general reliability of the detector based on user feedbacks. (#520) (#509) (#498) (#407) (#537)
• Declared charset in content (preemptive detection) not changed when converting to utf-8 bytes. (#381)

Changelog

Sourced from charset-normalizer's changelog.

3.4.0 (2024-10-08)

Added

• Argument --no-preemptive in the CLI to prevent the detector to search for hints.
• Support for Python 3.13 (#512)

Fixed

• Relax the TypeError exception thrown when trying to compare a CharsetMatch with anything else than a CharsetMatch.
• Improved the general reliability of the detector based on user feedbacks. (#520) (#509) (#498) (#407) (#537)
• Declared charset in content (preemptive detection) not changed when converting to utf-8 bytes. (#381)

Commits

• f3118e3 🔧 change download/upload artifact version to last working version
• 33e67e8 🔧 set compile-generator in generator_generic_slsa3 action
• 73dd24c 🔧 add explicit build deps to setuptools
• 78f1e9b 🔧 attempt to fix cd.yml *3
• 56ae702 🔧 attempt to fix cd.yml *2
• 9720055 🔧 attempt to fix cd.yml (macos part)
• 1e10d06 Update CHANGELOG.md
• 36c103a 🔖 Release 3.4.0 (#545)
• 7658dfc ⬆️ Bump github/codeql-action from 3.26.11 to 3.26.12 (#544)
• ca2535d ⬆️ Bump github/codeql-action from 3.26.9 to 3.26.11 (#542)
• Additional commits viewable in compare view

Updates idna from 3.7 to 3.10

Release notes

Sourced from idna's releases.

v3.10

No release notes provided.

v3.9

No release notes provided.

v3.8

What's Changed

• Fix regression where IDNAError exception was not being produced for certain inputs.
• Add support for Python 3.13, drop support for Python 3.5 as it is no longer testable.
• Documentation improvements
• Updates to package testing using Github actions

Thanks to Hugo van Kemenade for contributions to this release.

Full Changelog: kjd/idna@v3.7...v3.8

Changelog

Sourced from idna's changelog.

3.10 (2024-09-15) +++++++++++++++++

• Reverted to Unicode 15.1.0 data. Unicode 16 has some significant changes to UTS46 processing that will require more work to properly implement.

3.9 (2024-09-13) ++++++++++++++++

• Update to Unicode 16.0.0
• Deprecate setup.cfg in favour of pyproject.toml
• Use ruff for code formatting

Thanks to Waket Zheng for contributions to this release.

3.8 (2024-08-23) ++++++++++++++++

• Fix regression where IDNAError exception was not being produced for certain inputs.
• Add support for Python 3.13, drop support for Python 3.5 as it is no longer testable.
• Documentation improvements
• Updates to package testing using Github actions

Thanks to Hugo van Kemenade for contributions to this release.

Commits

• 729225d Release v3.10
• 3eef168 Merge pull request #194 from kjd/revert-unicode-16
• ceca619 Revert Unicode 16.0.0 data updates
• c43ac75 Merge pull request #191 from kjd/release-3.9
• 1b8800a Release v3.9
• a1fd168 Merge pull request #190 from kjd/unicode-16
• 7732c61 Merge branch 'master' into unicode-16
• 4ed183d Refactor membership test
• 762216b Format with ruff
• 580ece9 Implement changes to UTS46 algorithm
• Additional commits viewable in compare view

Updates markupsafe from 2.1.5 to 3.0.2

Release notes

Sourced from markupsafe's releases.

3.0.2

This is the MarkupSafe 3.0.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/MarkupSafe/3.0.2/ Changes: https://markupsafe.palletsprojects.com/page/changes/#version-3-0-2 Milestone: https://github.com/pallets/markupsafe/milestone/14?closed=1

• Fix compatibility when __str__ returns a str subclass. #472
• Build requires setuptools >= 70.1. #475

3.0.1

This is the MarkupSafe 3.0.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/MarkupSafe/3.0.1/ Changes: https://markupsafe.palletsprojects.com/page/changes/#version-3-0-1 Milestone: https://github.com/pallets/markupsafe/milestone/13?closed=1

• Address compiler warnings that became errors in GCC 14. #466
• Fix compatibility with proxy objects. #467

3.0.0

This is the MarkupSafe 3.0.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. The 3.0.x branch is now the supported fix branch, the 2.1.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI: https://pypi.org/project/MarkupSafe/3.0.0/ Changes: https://markupsafe.palletsprojects.com/en/3.0.x/changes/#version-3-0-0 Milestone: https://github.com/pallets/markupsafe/milestone/10?closed=1

• Support Python 3.13 and its experimental free-threaded build. #461
• Drop support for Python 3.7 and 3.8.
• Use modern packaging metadata with pyproject.toml instead of setup.cfg. #348
• Change distutils imports to setuptools. #399
• Use deferred evaluation of annotations. #400
• Update signatures for Markup methods to match str signatures. Use positional-only arguments. #400
• Some str methods on Markup no longer escape their argument: strip, lstrip, rstrip, removeprefix, removesuffix, partition, and rpartition; replace only escapes its new argument. These methods are conceptually linked to search methods such as in, find, and index, which already do not escape their argument. #401
• The __version__ attribute is deprecated. Use feature detection, or importlib.metadata.version("markupsafe"), instead. #402
• Speed up escaping plain strings by 40%. #434
• Simplify speedups implementation. #437

Changelog

Sourced from markupsafe's changelog.

Version 3.0.2

Released 2024-10-18

• Fix compatibility when __str__ returns a str subclass. :issue:472
• Build requires setuptools >= 70.1. :issue:475

Version 3.0.1

Released 2024-10-08

• Address compiler warnings that became errors in GCC 14. :issue:466
• Fix compatibility with proxy objects. :issue:467

Version 3.0.0

Released 2024-10-07

• Support Python 3.13 and its experimental free-threaded build. :pr:461
• Drop support for Python 3.7 and 3.8.
• Use modern packaging metadata with pyproject.toml instead of setup.cfg. :pr:348
• Change distutils imports to setuptools. :pr:399
• Use deferred evaluation of annotations. :pr:400
• Update signatures for Markup methods to match str signatures. Use positional-only arguments. :pr:400
• Some str methods on Markup no longer escape their argument: strip, lstrip, rstrip, removeprefix, removesuffix, partition, and rpartition; replace only escapes its new argument. These methods are conceptually linked to search methods such as in, find, and index, which already do not escape their argument. :issue:401
• The __version__ attribute is deprecated. Use feature detection, or importlib.metadata.version("markupsafe"), instead. :pr:402
• Speed up escaping plain strings by 40%. :pr:434
• Simplify speedups implementation. :pr:437

Commits

• 28ace20 release version 3.0.2
• 6b51fd8 build requires at least setuptools 70.1 (#478)
• 99dda9f build requires at least setuptools 70.1
• 3d8fd8c fix version
• 1933c4b fix version
• e85aff4 relax speedups str check (#477)
• 8cb1691 relax speedups str check
• 4dafb7c start version 3.1.0
• 9c44ecf update docs build
• 275c769 Merge branch '2.1.x' into 3.0.x
• Additional commits viewable in compare view

Updates pyparsing from 3.1.2 to 3.2.0

Changelog

Sourced from pyparsing's changelog.

Version 3.2.0 - October, 2024

• Discontinued support for Python 3.6, 3.7, and 3.8. Adopted new Python features from Python versions 3.7-3.9:

  • Updated type annotations to use built-in container types instead of names imported from the typing module (e.g., list[str] vs List[str]).
  • Reworked portions of the packrat cache to leverage insertion-preserving ordering in dicts (including removal of uses of OrderedDict).
  • Changed pdb.set_trace() call in ParserElement.set_break() to breakpoint().
  • Converted typing.NamedTuple to dataclasses.dataclass in railroad diagramming code.
  • Added from __future__ import annotations to clean up some type annotations. (with assistance from ISyncWithFoo, issue #535, thanks for the help!)

• POSSIBLE BREAKING CHANGES

  The following bugfixes may result in subtle changes in the results returned or exceptions raised by pyparsing.

  • Fixed code in ParseElementEnhance subclasses that replaced detailed exception messages raised in contained expressions with a less-specific and less-informative generic exception message and location.

    If your code has conditional logic based on the message content in raised ParseExceptions, this bugfix may require changes in your code.

  • Fixed bug in transform_string() where whitespace in the input string was not properly preserved in the output string.

    If your code uses transform_string, this bugfix may require changes in your code.

  • Fixed bug where an IndexError raised in a parse action was incorrectly handled as an IndexError raised as part of the ParserElement parsing methods, and reraised as a ParseException. Now an IndexError that raises inside a parse action will properly propagate out as an IndexError. (Issue #573, reported by August Karlstedt, thanks!)

    If your code raises IndexErrors in parse actions, this bugfix may require changes in your code.

• FIXES AND NEW FEATURES

  • Added type annotations to remainder of pyparsing package, and added mypy run to tox.ini, so that type annotations are now run as part of pyparsing's CI. Addresses Issue #373, raised by Iwan Aucamp, thanks!

  • Exception message format can now be customized, by overriding ParseBaseException.format_message:

... (truncated)

Commits

• 36fc04b Fix docstring with invalid esc sequence
• a46066d Prep for 3.2.0 release
• a0c219b Docs cleanup; added new whats_new_* docs for 3.1 and 3.2
• d9b1f14 Rewrite _collapse_string_to_ranges to use _GroupConsecutive class instead of ...
• 0d3c2d7 Fix minor internal bug in one_of building regex when all choices are single c...
• 2165ab2 Cleanup ambiguous "contains" vs "in" usage in mongodb_query_expression.py
• 25ddb02 Prep for dev before final release
• 08846ae Prep for release
• 9ee042b Remove deprecated utcnow()
• a2b2f25 Final cleanup on mongodb_query_expression.py and mongodb_query_expression_ste...
• Additional commits viewable in compare view

Updates urllib3 from 2.2.2 to 2.2.3

Release notes

Sourced from urllib3's releases.

2.2.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support for 2023. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Features

• Added support for Python 3.13. (#3473)

Bugfixes

• Fixed the default encoding of chunked request bodies to be UTF-8 instead of ISO-8859-1. All other methods of supplying a request body already use UTF-8 starting in urllib3 v2.0. (#3053)
• Fixed ResourceWarning on CONNECT with Python < 3.11.4 by backporting python/cpython#103472. (`#3252)
• Adjust tolerance for floating-point comparison on Windows to avoid flakiness in CI (#3413)
• Fixed a crash where certain standard library hash functions were absent in restricted environments. (#3432)
• Fixed mypy error when adding to HTTPConnection.default_socket_options. (#3448)

HTTP/2 (experimental)

HTTP/2 support is still in early development.

• Excluded Transfer-Encoding: chunked from HTTP/2 request body (#3425)
• Added version checking for h2 (https://pypi.org/project/h2/) usage. Now only accepting supported h2 major version 4.x.x. (#3290)
• Added a probing mechanism for determining whether a given target origin supports HTTP/2 via ALPN. (#3301)
• Add support for sending a request body with HTTP/2 (#3302)

Full Changelog: urllib3/urllib3@2.2.2...2.2.3

Changelog

Sourced from urllib3's changelog.

2.2.3 (2024-09-12)

Features

• Added support for Python 3.13. ([#3473](https://github.com/urllib3/urllib3/issues/3473) <https://github.com/urllib3/urllib3/issues/3473>__)

Bugfixes

• Fixed the default encoding of chunked request bodies to be UTF-8 instead of ISO-8859-1. All other methods of supplying a request body already use UTF-8 starting in urllib3 v2.0. ([#3053](https://github.com/urllib3/urllib3/issues/3053) <https://github.com/urllib3/urllib3/issues/3053>__)
• Fixed ResourceWarning on CONNECT with Python `__)
• Adjust tolerance for floating-point comparison on Windows to avoid flakiness in CI ([#3413](https://github.com/urllib3/urllib3/issues/3413) <https://github.com/urllib3/urllib3/issues/3413>__)
• Fixed a crash where certain standard library hash functions were absent in restricted environments. ([#3432](https://github.com/urllib3/urllib3/issues/3432) <https://github.com/urllib3/urllib3/issues/3432>__)
• Fixed mypy error when adding to HTTPConnection.default_socket_options. ([#3448](https://github.com/urllib3/urllib3/issues/3448) <https://github.com/urllib3/urllib3/issues/3448>__)

HTTP/2 (experimental)

HTTP/2 support is still in early development.

• Excluded Transfer-Encoding: chunked from HTTP/2 request body ([#3425](https://github.com/urllib3/urllib3/issues/3425) <https://github.com/urllib3/urllib3/issues/3425>__)

• Added version checking for h2 (https://pypi.org/project/h2/) usage.

  Now only accepting supported h2 major version 4.x.x. ([#3290](https://github.com/urllib3/urllib3/issues/3290) <https://github.com/urllib3/urllib3/issues/3290>__)

• Added a probing mechanism for determining whether a given target origin supports HTTP/2 via ALPN. ([#3301](https://github.com/urllib3/urllib3/issues/3301) <https://github.com/urllib3/urllib3/issues/3301>__)

• Add support for sending a request body with HTTP/2 ([#3302](https://github.com/urllib3/urllib3/issues/3302) <https://github.com/urllib3/urllib3/issues/3302>__)

Deprecations and Removals

• Note for downstream distributors: the _version.py file has been removed and is now created at build time by hatch-vcs. ([#3412](https://github.com/urllib3/urllib3/issues/3412) <https://github.com/urllib3/urllib3/issues/3412>__)
• Drop support for end-of-life PyPy3.8 and PyPy3.9. ([#3475](https://github.com/urllib3/urllib3/issues/3475) <https://github.com/urllib3/urllib3/issues/3475>__)

Commits

• 2458bfc Release 2.2.3
• 9b25db6 Only attempt to publish for upstream
• b9adeef Drop support for EOL PyPy3.8 and PyPy3.9
• b1d4649 Add explicit support for Python 3.13
• cc42860 Bump cryptography from 42.0.4 to 43.0.1 (#3470)
• 3dae2e9 Bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1 (#3469)
• 1e94feb Revert "Add TLS settings for HTTP/2 (#3456)" (#3466)
• aa73abc Bump actions/setup-python from 5.1.0 to 5.2.0 (#3468)
• abbfbcb Add 1.26.20 to changelog and make the publish workflow the same (#3464)
• d480615 Add TLS settings for HTTP/2 (#3456)
• Additional commits viewable in compare view

Updates werkzeug from 3.0.3 to 3.0.4

Release notes

Sourced from werkzeug's releases.

3.0.4

This is the Werkzeug 3.0.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.4/ Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-4 Milestone: https://github.com/pallets/werkzeug/milestone/36?closed=1

• Restore behavior where parsing multipart/x-www-form-urlencoded data with invalid UTF-8 bytes in the body results in no form data parsed rather than a 413 error. #2930
• Improve parse_options_header performance when parsing unterminated quoted string values. #2904
• Debugger pin auth is synchronized across threads/processes when tracking failed entries. #2916
• Dev server handles unexpected SSLEOFError due to issue in Python < 3.13. #2926
• Debugger pin auth works when the URL already contains a query string. #2918

Changelog

Sourced from werkzeug's changelog.

Version 3.0.4

Released 2024-08-21

• Restore behavior where parsing multipart/x-www-form-urlencoded data with invalid UTF-8 bytes in the body results in no form data parsed rather than a 413 error. :issue:2930
• Improve parse_options_header performance when parsing unterminated quoted string values. :issue:2904
• Debugger pin auth is synchronized across threads/processes when tracking failed entries. :issue:2916
• Dev server handles unexpected SSLEOFError due to issue in Python < 3.13. :issue:2926
• Debugger pin auth works when the URL already contains a query string. :issue:2918

Commits

• b933ccb release version 3.0.4
• c09de73 debugger works on urls with query string (#2942)
• 1d1d987 debugger works on urls with query string
• 32a77a0 treat SSLEOFError as dropped connection (#2941)
• cf18d03 treat SSLEOFError as dropped connection
• a1db120 synchronize failed pin entry (#2940)
• 6504819 synchronize failed pin entry
• 7abec4b improve parse_options_header performance (#2939)
• 3a893d2 improve parse_options_header performance
• 3a52597 restore invalid bytes behavior for form parser (#2938)
• Additional commits viewable in compare view

Updates wtforms from 3.1.2 to 3.2.1

Release notes

Sourced from wtforms's releases.

3.2.1

Released 2024-10-21

• Fix SelectMultipleBase import. #861 #862

3.2.0

Released 2024-10-20

• Translations update: korean, chinese (traditional), portugese, russian, dutch, kazakh, swedish, turkish, slovak, ukranian, spanish, french.
• Move the repository to the pallets-eco organization. #854
• Stop supporting Python 3.9 and start supporting Python 3.13 #855
• Removed required flag support from HiddenWidget, RangeWidget and SelectWidget to conform to W3C #810
• NoneOf and AnyOf can validate multiple valued fields like SelectMultipleField #538 #807
• Use GHA and pre-commit workflows inspired from Flask. #856 #860

[!WARNING] Some deprecated code was removed (#859):

• Flags can no longer be tuples. #467
• iter_choices needs a tuple of 4 items #816

[!WARNING] The key for form errors moved from :data:None to empty string "". #829 #858

[!NOTE]
If you need to keep the old behavior you can set the _form_error_key parameter of your form to :data:None.

Changelog

Sourced from wtforms's changelog.

Version 3.2.1

Released 2024-10-21

• Fix :class:~fields.SelectMultipleBase import. :issue:861 :pr:862

Version 3.2.0

Released 2024-10-20

• Translations update: korean, chinese (traditional), portugese, russian, dutch, kazakh, swedish, turkish, slovak, ukranian, spanish, french.

• Move the repository to the pallets-eco organization. :pr:854

• Stop supporting Python 3.9 and start supporting Python 3.13 :pr:855

• Removed required flag support from :class:~fields.HiddenWidget, :class:~fields.RangeWidget and :class:~fields.SelectWidget to conform to W3C :pr:810

• :class:~wtforms.validators.NoneOf and :class:~wtforms.validators.AnyOf can validate multiple valued fields like :class:~fields.SelectMultipleField :pr:538 :pr:807

• Use GHA and pre-commit workflows inspired from Flask. :pr:856 :pr:860

• ⚠️Breaking change⚠️: Some deprecated code was removed (:pr:859):

  • :class:~wtforms.Flags can no longer be tuples. :issue:467
  • iter_choices needs a tuple of 4 items :issue:816

• ⚠️Breaking change⚠️: The key for form errors moved from :data:None to empty string "". :issue:829 :pr:858

.. note:: If you need to keep the old behavior you can set the _form_error_key parameter of your form to :data:None.

Commits

• f9a999e chore: bump to 3.2.1
• 6565960 Merge pull request #862 from azmeuk/issue-861-selectfieldbase
• ffccfed fix: SelectFieldBase import
• 6ff08ce chore: install 'build' dependency for the release GHA workflow
• 2ce93f2 chore: bump to 3.2.0
• ba21823 docs: changelog update
• 05ad5da Merge pull request #860 from azmeuk/flask-gha
• 6867ba9 chore: bump to pallets-sphinx-themes 2.2.0
• a09d53c chore: use Flask inspired GHA workflow
• 3ba396e tests: remove useless flake8 related dependency in the style tox env
• Additional commits viewable in compare view

Updates zipp from 3.19.2 to 3.20.2

Changelog

Sourced from zipp's changelog.

v3.20.2

Bugfixes

• Make zipp.compat.overlay.zipfile hashable. (#126)

v3.20.1

Bugfixes

• python/cpython#123270

v3.20.0

Features

• Made the zipfile compatibility overlay available as zipp.compat.overlay.

v3.19.3

Bugfixes

• Also match directories in Path.glob. (#121)

Commits

• a575660 Make no assertions about the number. It could be negative.
• 0b3a1b9 Finalize
• a4c7961 Make zipp.compat.overlay.zipfile hashable.
• d66007a Merge https://github.com/jaraco/skeleton
• 3fe8c5bjaraco/skeleton#146
• 81b766c Fix an incompatibility (and source of merge conflicts) with projects using Ru...
• b8a63ca Merge pull request #125 from saschanaz/patch-1
• 0b95ec7 Suppress F821
• 5d2fa66 Merge https://github.com/jaraco/skeleton
• a675458 Allow the workflow to be triggered manually.
• Additional commits viewable in compare view

Updates gunicorn from 22.0.0 to 23.0.0

Release notes

Sourced from gunicorn's releases.

23.0.0

Gunicorn 23.0.0 has been released. This version improve HTTP 1.1. support and which improve safety

You're invited to upgrade asap your own installation.

23.0.0 - 2024-08-10

• minor docs fixes (:pr:3217, :pr:3089, :pr:3167)
• worker_class parameter accepts a class (:pr:3079)
• fix deadlock if request terminated during chunked parsing (:pr:2688)
• permit receiving Transfer-Encodings: compress, deflate, gzip (:pr:3261)
• permit Transfer-Encoding headers specifying multiple encodings. note: no parameters, still (:pr:3261)
• sdist generation now explicitly excludes sphinx build folder (:pr:3257)
• decode bytes-typed status (as can be passed by gevent) as utf-8 instead of raising TypeError (:pr:2336)
• raise correct Exception when encounting invalid chunked requests (:pr:3258)
• the SCRIPT_NAME and PATH_INFO headers, when received from allowed forwarders, are no longer restricted for containing an underscore (:pr:3192)
• include IPv6 loopback address [::1] in default for :ref:forwarded-allow-ips and :ref:proxy-allow-ips (:pr:3192)

** NOTE **

• The SCRIPT_NAME change mitigates a regression that appeared first in the 22.0.0 release
• Review your :ref:forwarded-allow-ips setting if you are still not seeing the SCRIPT_NAME transmitted
• Review your :ref:forwarder-headers setting if you are missing headers after upgrading from a version prior to 22.0.0

** Breaking changes **

• refuse requests where the uri field is empty (:pr:3255)
• refuse requests with invalid CR/LR/NUL in heade field values (:pr:3253)
• remove temporary --tolerate-dangerous-framing switch from 22.0 (:pr:3260)
• If any of the breaking changes affect you, be aware that now refused requests can post a security problem, especially so in setups involving request pipe-lining and/or proxies.

Fix CVE-2024-1135

Commits

• 411986d fix doc
• 334392e Merge pull request #2559 from laggardkernel/bugfix/reexec-env
• e75c353 Merge pull request #3189 from pajod/patch-py36
• 9357b28 keep document user in access_log_format setting
• 79fdef0 bump to 23.0.0
• 3acd9fb Merge pull request #2620 from talkerbox/improve-access-log-format-docs
• 3f56d76 Merge pull request #3192 from pajod/patch-allowed-script-name
• 256d474 docs: revert duped directive
• ffa48b5 test: default change was intentional
• 52538ca docs: recommend SCRIPT_NAME=/subfolder
• Additional commits viewable in compare view

Updates coverage from 7.6.1 to 7.6.4

Changelog

Sourced from coverage's changelog.

Version 7.6.4 — 2024-10-20

• fix: multi-line with statements could cause contained branches to be incorrectly marked as missing (issue 1880_). This is now fixed.

.. _issue 1880: nedbat/coveragepy#1880

.. _changes_7-6-3:

Version 7.6.3 — 2024-10-13

• Fix: nested context managers could incorrectly be analyzed to flag a missing branch on the last context manager, as described in issue 1876_. This is now fixed.

• Fix: the missing branch message about not exiting a module had an extra "didn't," as described in issue 1873_. This is now fixed.

.. _issue 1873: nedbat/coveragepy#1873 .. _issue 1876: nedbat/coveragepy#1876

.. _changes_7-6-2:

Version 7.6.2 — 2024-10-09

• Dropped support for Python 3.8 and PyPy 3.8.

• Fix: a final wildcard match/case clause assigning to a name (case _ as value) was incorrectly marked as a missing branch. This is now fixed, closing issue 1860_.

• Fewer things are considered branches now. Lambdas, comprehensions, and generator expressions are no longer marked as missing branches if they don't complete execution. Closes issue 1852_.

• Fix: the HTML report didn't properly show multi-line f-strings that end with a backslash continuation. This is now fixed, closing issue 1836, thanks to LiuYinCarl and Marco Ricci <pull 1838_>.

• Fix: the LCOV report now has correct line numbers (fixing issue 1846) and better branch descriptions for BRDA records (fixing issue 1850). There are other changes to lcov also, including a new configuration option :ref:line_checksums <config_lcov_line_checksums> to control whether line checksums are included in the lcov report. The default is false. To keep checksums set it to true. All this work is thanks to Zack Weinberg

... (truncated)

Commits

• f24f76b docs: sample HTML for 7.6.4
• 96e10f7 docs: prep for 7.6.4
• b8c236a fix: multi-line with-statements exit correctly. #1880
• 64b7a45 docs: another discord reference
• 68d7427 docs: Python Discord
• 43adcea build: include 3.14 in the usual Pythons
• fb2b49f build: github_releases can update older releases, and pauses to get the sorti...
• ca550ca 3.0b2 wasn't correctly titled
• debcc77 build: bump version
• 342a4cb docs: sample HTML for 7.6.3
• Additional commits viewable in compare view

Updates pytest from 8.3.2 to 8.3.3

Release notes

Sourced from pytest's releases.

8.3.3

pytest 8.3.3 (2024-09-09)

Bug fixes

• #12446: Avoid calling @property (and other instance descriptors) during fixture discovery -- by asottile{.interpreted-text role="user"}

• #12659: Fixed the issue of not displaying assertion failure differences when using the parameter --import-mode=importlib in pytest>=8.1.

• #12667: Fixed a regression where type change in [ExceptionInfo.errisinstance]{.title-ref} caused [mypy]{.title-ref} to fail.

• #12744: Fixed typing compatibility with Python 3.9 or less -- replaced [typing.Self]{.title-ref} with [typing_extensions.Self]{.title-ref} -- by Avasam{.interpreted-text role="user"}

• #12745: Fixed an issue with backslashes being incorrectly converted in nodeid paths on Windows, ensuring consistent path handling across environments.

• #6682: Fixed bug where the verbosity levels where not being respected when printing the "msg" part of failed assertion (as in assert condition, msg).

• #9422: Fix bug where disabling the terminal plugin via -p no:terminal would cause crashes related to missing the verbose option.

  -- by GTowers1{.interpreted-text role="user"}

Improved documentation

• #12663: Clarify that the [pytest_deselected]{.title-ref} hook should be called from [pytest_collection_modifyitems]{.title-ref} hook implementations when items are deselected.
• #12678: Remove erroneous quotes from [tmp_path_retention_policy]{.title-ref} example in docs.

Miscellaneous internal changes

• #12769: Fix typos discovered by codespell and add codespell to pre-commit hooks.

Commits

• d0f136f build(deps): Bump pypa/gh-action-pypi-publish from 1.10.0 to 1.10.1 (#12790)
• 972f307 Prepare release version 8.3.3
• 0dabdcf Include co-authors in release announcement (#12795) (#12797)
• a9910a4 Do not discover properties when iterating fixtures (#12781) (#12788)
• 0f10b6b Fix issue with slashes being turned into backslashes on Windows (#12760) (#12...
• 300d13d Merge pull request #12785 from pytest-dev/patchback/backports/8.3.x/57cccf7f4...
• e5d32c7 Merge pull request #12784 from svenevs/fix/docs-example-parametrize-minor-typo
• bc913d1 Streamline checks for verbose option (#12706) (#12778)
• 01cfcc9 Fix typos and introduce codespell pre-commit hook (#12769) (#12774)
• 4873394 doc: Remove past training (#12772) (

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.