Bump the python group across 1 directory with 17 updates by dependabot[bot] · Pull Request #328 · mfosterw/cookiestocracy

dependabot · 2026-04-06T00:09:27Z

Bumps the python group with 17 updates in the / directory:

Package	From	To
pillow	`12.1.1`	`12.2.0`
redis	`7.3.0`	`7.4.0`
hiredis	`3.3.0`	`3.3.1`
celery	`5.6.2`	`5.6.3`
pygithub	`2.8.1`	`2.9.0`
types-requests	`2.32.4.20260107`	`2.33.0.20260402`
django-allauth	`65.15.0`	`65.15.1`
djangorestframework	`3.16.1`	`3.17.1`
gunicorn	`25.1.0`	`25.3.0`
werkzeug	`3.1.6`	`3.1.8`
django-stubs	`5.2.9`	`6.0.2`
djangorestframework-stubs	`3.16.8`	`3.16.9`
ruff	`0.15.6`	`0.15.9`
pytest-cov	`7.0.0`	`7.1.0`
django-debug-toolbar	`6.2.0`	`6.3.0`
django-coverage-plugin	`3.2.0`	`3.2.2`
rust-just	`1.47.0`	`1.48.1`

Updates pillow from 12.1.1 to 12.2.0

Release notes

Sourced from pillow's releases.

12.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html

Documentation

Update 12.2.0 release notes #9522 [@hugovk]

Add loader plugins: AMOS abk, Atari Degas, 40+ more obscure formats via Netpbm #9482 [@bitplane]

Update Python versions #9515 [@radarhere]

Jeffrey A. Clark -> Jeffrey 'Alex' Clark #9513 [@aclark4life]

Add release notes for #9394, #9419 and #9456 #9467 [@radarhere]

Add Amiga Workbench .info loader to 3rd party plugins list #9459 [@bitplane]

Merge PFM documentation into PPM #9434 [@radarhere]

Update macOS tested Pillow versions #9431 [@radarhere]

Fix CVE number #9430 [@hugovk]

Dependencies

Update xz to 5.8.3 #9523 [@radarhere]

Update libjpeg-turbo to 3.1.4.1 #9507 [@radarhere]

Update libpng to 1.6.56 #9499 [@radarhere]

Update freetype to 2.14.3 #9485 [@radarhere]

Updated libavif to 1.4.1 #9479 [@radarhere]

Updated harfbuzz to 13.2.1 #9461 [@radarhere]

Update Ghostscript to 10.7.0 #9469 [@radarhere]

Update harfbuzz to 13.0.1 #9453 [@radarhere]

Update libavif to 1.4.0 #9460 [@radarhere]

Update freetype to 2.14.2 #9449 [@radarhere]

Update actions/download-artifact action to v8 #9451 [@renovate[bot]]

Updated libpng to 1.6.55 #9425 [@radarhere]

Testing

Cleanup .spider extension in the same test where it is added #9517 [@radarhere]

Run tests in parallel via tox for 3.5x speedup #9516 [@hugovk]

Enable colour in CI logs #9486 [@hugovk]

Update Ghostscript to 10.7.0 #9469 [@radarhere]

Simplify TGA test code #9477 [@radarhere]

Update tests to check for ValueError when encoding an empty image #9464 [@radarhere]

Upgrade CI from macos-15-intel to macos-26-intel #9454 [@hugovk]

Add check-case-conflict hook #9446 [@radarhere]

Specify platform when pulling docker image #9440 [@radarhere]

GHA: Cache libavif and webp builds for Ubuntu #9437 [@hugovk]

Update macOS tested Pillow versions #9431 [@radarhere]

Other changes

Check calloc return value #9527 [@radarhere]

Check all allocs in the Arrow tree #9488 [@wiredfool]

Reject non-numeric elements inside list coords #9526 [@hugovk]

Move variable declaration inside define #9525 [@radarhere]

... (truncated)

Commits

3c41c09 12.2.0 version bump
cdaa29e Check calloc return value (#9527)
585b2f5 Check calloc return value
ecf011e Check all allocs in the Arrow tree (#9488)
cf6de8c Reject non-numeric elements inside list coords (#9526)
ffdcede Update 12.2.0 release notes (#9522)
7929d77 Added security release notes (#149)
c4f7aa5 Added security release notes
22cdb5f Move variable declaration inside define (#9525)
fc15b3b Resize tall images vertically first (#9524)
Additional commits viewable in compare view

Updates redis from 7.3.0 to 7.4.0

Release notes

Sourced from redis's releases.

7.4.0

Changes

🐛 Bug Fixes

Fix AttributeError in cluster metrics recording when connection is None or ClusterNode object instance is used to extract the connection info (#3999)

Fixing security concern in repr methods for ConnectionPools - passwords might leak in plain text logs (#3998)

Refactored connection count and SCH metric collection (#4001)

🧪 Experimental Features

-Refactored health check logic for MultiDBClient (#3994)

🧰 Maintenance

Expose basic Otel classes and functions to be importable through redis.observability to match the examples in the readthedocs (#3996)

We'd like to thank all the contributors who worked on this release! @vladvildanov @petyaslavova

Commits

b72f24a Updating lib version to 7.4.0
0a4e0af Refactored health check logic for MultiDBClient (#3994)
15492c9 Refactored connection count and SCH metric collection (#4001)
cd964ac Expose basic Otel classes and funtions to be importable through redis.observa...
46ab74d Fixing security concern in repr methods for ConnectionPools - passwords m...
26482db Fix AttributeError in cluster metrics recording when connection is None or Cl...
See full diff in compare view

Updates hiredis from 3.3.0 to 3.3.1

Release notes

Sourced from hiredis's releases.

3.3.1

Changes

This release fixes a compatibility issue with Python 3.15:

MNT: do not use deprecated load_module method (redis/hiredis-py#218)

Contributors

We'd like to thank all the contributors who worked on this release!

@tacaswell

Commits

3cb8f06 Version 3.3.1
2836c96 MNT: do not use deprecated load_module method (#218)
See full diff in compare view

Updates celery from 5.6.2 to 5.6.3

Release notes

Sourced from celery's releases.

v5.6.3

What's Changed

Fix Django worker recursion bug + defensive checks for pool_cls.module by @maycuatroi1 in celery/celery#10048

Docs: Update user_preload_options example to use click. by @jorsyk in celery/celery#10056

Fix invalid configuration key "bootstrap_servers" in Kafka demo by @jorsyk in celery/celery#10060

Fix broken images on PyPI page by @Timour-Ilyas in celery/celery#10066

Remove broken reference. by @sueannioanis in celery/celery#10071

Removed --dist=loadscope from smoke tests by @Nusnus in celery/celery#10073

Docs: Clarify task_retry signal args may be None by @GangEunzzang in celery/celery#10076

Update example for Django by @sbc-khacnha in celery/celery#10081

Make tests compatible with pymongo >= 4.16 by @cjwatson in celery/celery#10074

fix: source install of cassandra-driver by @Izzette in celery/celery#10105

fix: register task cross-reference role in Sphinx extension by @veeceey in celery/celery#10100

fix: avoid cycle detection in native delayed delivery by @Izzette in celery/celery#10095

fix(asynpool): avoid AttributeError when proc lacks _sentinel_poll by @mriddle in celery/celery#10086

fix dusk_astronomical horizon sign (+18 -> -18) by @Mr-Neutr0n in celery/celery#10121

Fix/10106 onupdate col use lambda func by @ChickenBenny in celery/celery#10108

Fix warm shutdown RuntimeError with eventlet>=0.37.0 (#10083) by @ChickenBenny in celery/celery#10123

Fix 10109 db backend connection health by @ChickenBenny in celery/celery#10124

Database Backend filter unsupport sql engine arguments with nullpool #7355 by @ChickenBenny in celery/celery#10134

fix(beat): correct argument order in Service.reduce by @bysiber in celery/celery#10137

ci: declare explicit read-only token permissions in workflow jobs by @Rohan5commit in celery/celery#10139

chore: 'boto3to' to 'boto3 to' by @cuiweixie in celery/celery#10133

Database Backend: Add missing index on date_done (Fixes #10097) by @ChickenBenny in celery/celery#10098

docs: fix typo in CONTRIBUTING.rst by @Rohan5commit in celery/celery#10141

Refer to Flower / Prometheus for monitoring by @WilliamDEdwards in celery/celery#10140

docs: remove duplicated words in broker and routing docs by @Rohan5commit in celery/celery#10146

docs: fix stale version reference and grammar in README by @kelsonbrito50 in celery/celery#10145

docs: fix wording in Celery 5.3 worker pool notes by @Rohan5commit in celery/celery#10149

docs: fix duplicated wording in 3.1 changelog entry by @Rohan5commit in celery/celery#10152

docs: fix changelog typo in context manager wording by @Rohan5commit in celery/celery#10144

Fix/10096 worker fails to reconnect after redis failover by @ChickenBenny in celery/celery#10151

Improve on_after_finalize signal documentation by @Br1an67 in celery/celery#10155

Add non-commutative example to clarify partial arg ordering in canvas docs by @Br1an67 in celery/celery#10157

Remove redundant test_isa_mapping test (fixes #10077) by @daniel7an in celery/celery#10103

Upgrade pytest-celery to >=1.3.0 and adopt PYTEST_CELERY_PKG build arg by @Nusnus in celery/celery#10162

Remove deprecated args from redis get_connection call by @JaeHyuckSa in celery/celery#10036

Fix #6912 rpc backend reconnection error by @ChickenBenny in celery/celery#10179

Fix NameError with TYPE_CHECKING annotations on Python 3.14+ (PEP 649) by @drichardson in celery/celery#10165

docs: Add elaboration on prefetch multiplier settings (worker_prefetch_multiplier) and worker_eta_task_limit by @tsangwailam in celery/celery#10181

Fix O(K²) message bloat in a chain of chords by @Borzik in celery/celery#10171

Fix mock connection interfaces to prevent TypeError during exception handling by @ChickenBenny in celery/celery#10178

fix(trace): dispatch chain/callbacks on dedup fast-path for redelivered tasks by @aurangzaib048 in celery/celery#10159

Extract reconnect_on_error to BaseResultConsumer by @ChickenBenny in celery/celery#10189

pep 649 by @ericbuehl in celery/celery#10187

Fix#9722 friendly status errors for CLI by @ChickenBenny in celery/celery#10190

docs: clarify after_return behavior for retried tasks by @KianAnbarestani in celery/celery#10192

Add compression header to message protocol docs by @Br1an67 in celery/celery#10156

docs: fix duplicated word in bootsteps comment by @Rohan5commit in celery/celery#10153

Remove outdated autoreloader section from extending docs by @Br1an67 in celery/celery#10154

... (truncated)

Changelog

Sourced from celery's changelog.

5.6.3

:release-date: 2026-03-26 :release-by: Tomer Nosrati

What's Changed


- Fix Django worker recursion bug + defensive checks for pool_cls.__module__ ([#10048](https://github.com/celery/celery/issues/10048))
- Docs: Update user_preload_options example to use click. ([#10056](https://github.com/celery/celery/issues/10056))
- Fix invalid configuration key "bootstrap_servers" in Kafka demo ([#10060](https://github.com/celery/celery/issues/10060))
- Fix broken images on PyPI page ([#10066](https://github.com/celery/celery/issues/10066))
- Remove broken reference. ([#10071](https://github.com/celery/celery/issues/10071))
- Removed --dist=loadscope from smoke tests ([#10073](https://github.com/celery/celery/issues/10073))
- Docs: Clarify task_retry signal args may be None ([#10076](https://github.com/celery/celery/issues/10076))
- Update example for Django ([#10081](https://github.com/celery/celery/issues/10081))
- Make tests compatible with pymongo >= 4.16 ([#10074](https://github.com/celery/celery/issues/10074))
- fix: source install of cassandra-driver ([#10105](https://github.com/celery/celery/issues/10105))
- fix: register task cross-reference role in Sphinx extension ([#10100](https://github.com/celery/celery/issues/10100))
- fix: avoid cycle detection in native delayed delivery ([#10095](https://github.com/celery/celery/issues/10095))
- fix(asynpool): avoid AttributeError when proc lacks _sentinel_poll ([#10086](https://github.com/celery/celery/issues/10086))
- fix dusk_astronomical horizon sign (+18 -> -18) ([#10121](https://github.com/celery/celery/issues/10121))
- Fix/10106 onupdate col use lambda func ([#10108](https://github.com/celery/celery/issues/10108))
- Fix warm shutdown RuntimeError with eventlet>=0.37.0 ([#10083](https://github.com/celery/celery/issues/10083)) ([#10123](https://github.com/celery/celery/issues/10123))
- Fix 10109 db backend connection health ([#10124](https://github.com/celery/celery/issues/10124))
- Database Backend filter unsupport sql engine arguments with nullpool [#7355](https://github.com/celery/celery/issues/7355) ([#10134](https://github.com/celery/celery/issues/10134))
- fix(beat): correct argument order in Service.__reduce__ ([#10137](https://github.com/celery/celery/issues/10137))
- ci: declare explicit read-only token permissions in workflow jobs ([#10139](https://github.com/celery/celery/issues/10139))
- chore: 'boto3to' to 'boto3 to' ([#10133](https://github.com/celery/celery/issues/10133))
- Database Backend: Add missing index on date_done (Fixes [#10097](https://github.com/celery/celery/issues/10097)) ([#10098](https://github.com/celery/celery/issues/10098))
- docs: fix typo in CONTRIBUTING.rst ([#10141](https://github.com/celery/celery/issues/10141))
- Refer to Flower / Prometheus for monitoring ([#10140](https://github.com/celery/celery/issues/10140))
- docs: remove duplicated words in broker and routing docs ([#10146](https://github.com/celery/celery/issues/10146))
- docs: fix stale version reference and grammar in README ([#10145](https://github.com/celery/celery/issues/10145))
- docs: fix wording in Celery 5.3 worker pool notes ([#10149](https://github.com/celery/celery/issues/10149))
- docs: fix duplicated wording in 3.1 changelog entry ([#10152](https://github.com/celery/celery/issues/10152))
- docs: fix changelog typo in context manager wording ([#10144](https://github.com/celery/celery/issues/10144))
- Fix/10096 worker fails to reconnect after redis failover ([#10151](https://github.com/celery/celery/issues/10151))
- Improve on_after_finalize signal documentation ([#10155](https://github.com/celery/celery/issues/10155))
- Add non-commutative example to clarify partial arg ordering in canvas docs ([#10157](https://github.com/celery/celery/issues/10157))
- Remove redundant test_isa_mapping test (fixes [#10077](https://github.com/celery/celery/issues/10077)) ([#10103](https://github.com/celery/celery/issues/10103))
- Upgrade pytest-celery to >=1.3.0 and adopt PYTEST_CELERY_PKG build arg ([#10162](https://github.com/celery/celery/issues/10162))
- Remove deprecated args from redis get_connection call ([#10036](https://github.com/celery/celery/issues/10036))
- Fix [#6912](https://github.com/celery/celery/issues/6912) rpc backend reconnection error ([#10179](https://github.com/celery/celery/issues/10179))
- Fix NameError with TYPE_CHECKING annotations on Python 3.14+ (PEP 649) ([#10165](https://github.com/celery/celery/issues/10165))
- docs: Add elaboration on prefetch multiplier settings (worker_prefetch_multiplier) and worker_eta_task_limit ([#10181](https://github.com/celery/celery/issues/10181))
- Fix O(K²) message bloat in a chain of chords ([#10171](https://github.com/celery/celery/issues/10171))
- Fix mock connection interfaces to prevent `TypeError` during exception handling ([#10178](https://github.com/celery/celery/issues/10178))
- fix(trace): dispatch chain/callbacks on dedup fast-path for redelivered tasks ([#10159](https://github.com/celery/celery/issues/10159))
</tr></table>

... (truncated)

Commits

3f4d8d7 Prepare for release: v5.6.3 (#10221)
a989e8c fix: clear the timer while catch the exception (#10218)
d06de5f Chore(deps): Bump nick-fields/retry from 3 to 4 (#10213)
c3c19c3 Fix: prioritize request ignore_result over task definition (#10184)
d23be53 Remove outdated autoreloader section from extending docs (#10154)
ada2da7 docs: fix duplicated word in bootsteps comment\n\nSigned-off-by: Rohan Santho...
f45f62b Add compression header to message protocol docs (#10156)
9a27092 docs: clarify after_return behavior for retried tasks (#10192)
6ee6230 Fix#9722 friendly status errors for CLI (#10190)
a9a2d4c [pre-commit.ci] pre-commit autoupdate (#10186)
Additional commits viewable in compare view

Updates pygithub from 2.8.1 to 2.9.0

Release notes

Sourced from pygithub's releases.

v2.9.0

Notable changes

Lazy PyGithub objects

The notion of lazy objects has been added to some PyGithub classes in version 2.6.0. This release now makes all CompletableGithubObjects optionally lazy (if useful). See PyGithub/PyGithub#3403 for a complete list.

In lazy mode, getting a PyGithub object does not send a request to the GitHub API. Only accessing methods and properties sends the necessary requests to the GitHub API:
# Use lazy mode
g = Github(auth=auth, lazy=True)
these method calls do not send requests to the GitHub API
user = g.get_user("PyGithub")    # get the user
repo = user.get_repo("PyGithub") # get the user's repo
pull = repo.get_pull(3403)       # get a known pull request
issue = pull.as_issue()          # turn the pull request into an issue
these method and property calls send requests to Github API
issue.create_reaction("rocket")  # create a reaction
created = repo.created_at        # get property of lazy object repo
once a lazy object has been fetched, all properties are available (no more requests)
licence = repo.license
All PyGithub classes that implement CompletableGithubObject support lazy mode (if useful). This is only useful for classes that have methods creating, changing, or getting objects.

By default, PyGithub objects are not lazy.

PyGithub objects with a paginated property

The GitHub API has the "feature" of paginated properties. Some objects returned by the API have a property that allows for pagination. Fetching subsequent pages of that property means fetching the entire object (with all other properties) and the specified page of the paginated property. Iterating over the paginated property means fetching all other properties multiple times. Fortunately, the allowed size of each page (per_page is usually 300, in contrast to the "usual" per_page maximum of 100).

Objects with paginated properties:

Commit.files

Comparison.commits

EnterpriseConsumedLicenses.users

This PR makes iterating those paginated properties use the configured per_page setting.

It further allows to specify an individual per_page when either retrieving such objects, or fetching paginated properties.

See Classes with paginated properties for details.

Drop Python 3.8 support due to End-of-Life

Python 3.8 reached its end-of-life September 6, 2024. Support has been removed with this release.

... (truncated)

Changelog

Sourced from pygithub's changelog.

Version 2.9.0 (March 22, 2026)

Notable changes ^^^^^^^^^^^^^^^

Lazy PyGithub objects """""""""""""""""""""

The notion of lazy objects has been added to some PyGithub classes in version 2.6.0. This release now makes all CompletableGithubObject\s optionally lazy (if useful). See [#3403](https://github.com/pygithub/pygithub/issues/3403) <https://github.com/PyGithub/PyGithub/pull/3403>_ for a complete list.

In lazy mode, getting a PyGithub object does not send a request to the GitHub API. Only accessing methods and properties sends the necessary requests to the GitHub API:

.. code-block:: python
# Use lazy mode
g = Github(auth=auth, lazy=True)
these method calls do not send requests to the GitHub API
user = g.get_user("PyGithub")    # get the user
repo = user.get_repo("PyGithub") # get the user's repo
pull = repo.get_pull(3403)       # get a known pull request
issue = pull.as_issue()          # turn the pull request into an issue
these method and property calls send requests to Github API
issue.create_reaction("rocket")  # create a reaction
created = repo.created_at        # get property of lazy object repo
once a lazy object has been fetched, all properties are available (no more requests)
licence = repo.license
All PyGithub classes that implement CompletableGithubObject support lazy mode (if useful). This is only useful for classes that have methods creating, changing, or getting objects.

By default, PyGithub objects are not lazy.

PyGithub objects with a paginated property """"""""""""""""""""""""""""""""""""""""""

The GitHub API has the "feature" of paginated properties. Some objects returned by the API have a property that allows for pagination. Fetching subsequent pages of that property means fetching the entire object (with all other properties) and the specified page of the paginated property. Iterating over the paginated property means fetching all other properties multiple times. Fortunately, the allowed size of each page (per_page is usually 300, in contrast to the "usual" per_page maximum of 100).

Objects with paginated properties:

... (truncated)

Commits

3a17ecf Release 2.9.0 (#3465)
b1a9b7e Consider per-page settings when iterating paginated properties (#3377)
24305f6 Update test key pair (#3453)
f2540db Deprecate Reaction.delete (#3435)
19e1c50 Add throw option to Workflow.create_dispatch to raise exceptions (#2966)
6461909 Add Secret Scanning Alerts and Improve Code Scan Alerts (#3307)
95648db Add Python 3.14 to CI and tox (#3429)
3716bab Use GET url or _links.self as object url (#3421)
61dcf49 Allow for enterprise base url prefixed with api. (#3419)
ae23d60 Restrict PyPi release workflow permissions (#3418)
Additional commits viewable in compare view

Updates types-requests from 2.32.4.20260107 to 2.33.0.20260402

Commits

See full diff in compare view

Updates django-allauth from 65.15.0 to 65.15.1

Commits

See full diff in compare view

Updates djangorestframework from 3.16.1 to 3.17.1

Release notes

Sourced from djangorestframework's releases.

3.17.1

What's Changed

Bug fixes

Fix HTMLFormRenderer with empty datetime values by @p-r-a-v-i-n in encode/django-rest-framework#9928

Full Changelog: encode/django-rest-framework@3.17.0...3.17.1

3.17.0

What's Changed

Breaking changes

Drop support for Python 3.9 by @auvipy in encode/django-rest-framework#9781

Drop deprecated coreapi support by @browniebroke in encode/django-rest-framework#9895

Features

Add ability to specify output format for DurationField by @sevdog in encode/django-rest-framework#8532

Add missing decorators: @versioning_class(), @content_negotiation_class(), @metadata_class() for function-based views by @qqii in encode/django-rest-framework#9719

Add support for Python 3.14 by @cclauss in encode/django-rest-framework#9780

Support violation_error_code and violation_error_message from UniqueConstraint in UniqueTogetherValidator by @s-aleshin in encode/django-rest-framework#9766

Add support for ipaddress objects in JSONEncoder by @corenting in encode/django-rest-framework#9087

Add optional support to serialize BigInteger to string by @HoodyH in encode/django-rest-framework#9775

Add Django 6.0 support by @MehrazRumman in encode/django-rest-framework#9819

Bug fixes

Prevent small risk of Token overwrite by @mahdirahimi1999 in encode/django-rest-framework#9754

Fix UniqueTogetherValidator validation when condition references a read-only field by @ticosax in encode/django-rest-framework#9764

Fix validation on many to many field when default=None by @Genarito in encode/django-rest-framework#9790

Fix invalid SPDX license expression in __init__.py by @TheFunctionalGuy in encode/django-rest-framework#9799

Fix HTMLFormRenderer to ensure a valid datetime-local format by @mgaligniana in encode/django-rest-framework#9365

Fix mutable default arguments in OrderingFilter methods by @killerdevildog in encode/django-rest-framework#9742

Update TokenAdmin to respect USERNAME_FIELD of the user model by @m000 in encode/django-rest-framework#9836

Preserve ordering in MultipleChoiceField by @fbozhang in encode/django-rest-framework#9735

Translations

Update French translation by @SebCorbin in encode/django-rest-framework#9770

Update Brazilian Portuguese translations by @JVPinheiroReis in encode/django-rest-framework#9828

Fix and improve French translations by @deronnax in encode/django-rest-framework#9896

Add missing Russian translation by @minorytanaka in encode/django-rest-framework#9903

Packaging

Migrate packaging to pyproject.toml by @deronnax in encode/django-rest-framework#9056

Move package data rules from MANIFEST.in to pyproject.toml by @p-r-a-v-i-n in encode/django-rest-framework#9825

Set up release workflow with trusted publisher by @browniebroke in encode/django-rest-framework#9852

Other changes

Refactor token generation to use the secrets module by @mahdirahimi1999 in encode/django-rest-framework#9760

Add validation for decorator out-of-order with @api_view by @kernelshard in encode/django-rest-framework#9821

Switch to mkdocs material theme for documentation by @browniebroke in encode/django-rest-framework#9849

New Contributors

@khaledsukkar2 made their first contribution in encode/django-rest-framework#9717

... (truncated)

Commits

22e231c Prepare bug fix release 3.17.1 (#9931)
8e99b53 Add condition to skip pushed tags from forks (#9924)
c0407de Fix HTMLFormRenderer with empty datetime values (#9928)
30d58a7 Fix the book sizing in the documentation (#9926)
6f03b79 Tweak order of changes in release notes
021ab56 Bump version and update release notes for 3.17.0 (#9921)
19ebad7 Bump mkdocs-material[imaging] from 9.7.4 to 9.7.5 (#9923)
f222c55 Correct requires-python key in pyproject.toml
7e7de6f Remove code fences from release checklist
c599d30 Update release process
Additional commits viewable in compare view

Updates gunicorn from 25.1.0 to 25.3.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 25.3.0

Bug Fixes

HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2 ASGI requests, causing JSON parsing errors with "Extra data" messages (#3558)

ASGI Chunked EOF Handling: Add finish() method to callback parser to handle chunked encoding edge case where connection closes before final CRLF after zero-chunk

HTTP/2 Documentation: Fix http_protocols examples to use comma-separated string instead of list syntax (#3561)

Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC 9112 (#3556)

Request Line Limit: Fix --limit-request-line 0 to mean unlimited as documented, instead of using default maximum. Works with both Python and fast C parser. (#3563)

Security

ASGI Parser Header Validation: Add security checks per RFC 9110/9112:

Reject duplicate Content-Length headers

Reject requests with both Content-Length and Transfer-Encoding

Reject chunked transfer encoding in HTTP/1.0

Reject stacked chunked encoding

Validate Transfer-Encoding values

Strict chunk size validation

Changes

Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property and InvalidChunkExtension validation for bare CR rejection

ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser

Docker Images: Update to Python 3.14

Gunicorn 25.2.0

New Features

Fast HTTP Parser (gunicorn_h1c 0.4.1): Integrate new exception types and limit parameters from gunicorn_h1c 0.4.1 for both WSGI and ASGI workers

Requires gunicorn_h1c >= 0.4.1 for http_parser='fast'

Falls back to Python parser in auto mode if version not met

Proper HTTP status codes for limit errors (414, 431)

Bug Fixes

uWSGI Async Workers: Fix InvalidUWSGIHeader: incomplete header error when using gevent or gthread workers with uwsgi protocol behind nginx. (#3552, [PR #3554](benoitc/gunicorn#3554))

... (truncated)

Commits

9bce72c Update changelog with missing 25.3.0 changes
2a15fdb Fix pylint isinstance-second-argument-not-valid-type warning
8d08aaa Fix --limit-request-line 0 to mean unlimited
d40a374 Fix pytest-asyncio configuration and treq_asgi hex escapes
da8bd48 Remove unused AsyncRequest class
b00f125 Integrate gunicorn_h1c 0.6.3 with InvalidChunkExtension support
bdb2ebd Reject chunk extensions with bare CR bytes (RFC 9112)
7057fc9 Fix http_protocols documentation to use string syntax
d43acb8 Update to gunicorn_h1c >= 0.6.2 for asgi_headers support
cbd27e8 Merge pull request #3559 from benleembruggen/fix/http2-asgi-body-duplication
Additional commits viewable in compare view

Updates werkzeug from 3.1.6 to 3.1.8

Release notes

Sourced from werkzeug's releases.

3.1.8

This is the Werkzeug 3.1.8 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.8/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-8 Milestone: https://github.com/pallets/werkzeug/milestone/45?closed=1

Request.host and get_host return the empty string if the header is missing or has invalid characters. #3142

3.1.7

This is the Werkzeug 3.1.7 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.7/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-7 Milestone: https://github.com/pallets/werkzeug/milestone/44?closed=1

parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. #3128

WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. #3127

Transfer-Encoding is parsed as a set. #3134

Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. #3113

Fix multipart form parser handling of newline at boundary. #3088

Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. #3108

merge_slashes merges any number of consecutive slashes. #3121

Changelog

Sourced from werkzeug's changelog.

Version 3.1.8

Released 2026-04-02

Request.host and get_host return the empty string if the header is missing or has invalid characters. :issue:3142

Version 3.1.7

Released 2026-03-23

parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. :pr:3128

WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. :issue:3127

Transfer-Encoding is parsed as a set. :pr:3134

Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. :pr:3113
Description has been truncated

Bumps the python group with 17 updates in the / directory: | Package | From | To | | --- | --- | --- | | [pillow](https://github.com/python-pillow/Pillow) | `12.1.1` | `12.2.0` | | [redis](https://github.com/redis/redis-py) | `7.3.0` | `7.4.0` | | [hiredis](https://github.com/redis/hiredis-py) | `3.3.0` | `3.3.1` | | [celery](https://github.com/celery/celery) | `5.6.2` | `5.6.3` | | [pygithub](https://github.com/pygithub/pygithub) | `2.8.1` | `2.9.0` | | [types-requests](https://github.com/python/typeshed) | `2.32.4.20260107` | `2.33.0.20260402` | | [django-allauth](https://github.com/sponsors/pennersr) | `65.15.0` | `65.15.1` | | [djangorestframework](https://github.com/encode/django-rest-framework) | `3.16.1` | `3.17.1` | | [gunicorn](https://github.com/benoitc/gunicorn) | `25.1.0` | `25.3.0` | | [werkzeug](https://github.com/pallets/werkzeug) | `3.1.6` | `3.1.8` | | [django-stubs](https://github.com/typeddjango/django-stubs) | `5.2.9` | `6.0.2` | | [djangorestframework-stubs](https://github.com/typeddjango/djangorestframework-stubs) | `3.16.8` | `3.16.9` | | [ruff](https://github.com/astral-sh/ruff) | `0.15.6` | `0.15.9` | | [pytest-cov](https://github.com/pytest-dev/pytest-cov) | `7.0.0` | `7.1.0` | | [django-debug-toolbar](https://github.com/django-commons/django-debug-toolbar) | `6.2.0` | `6.3.0` | | [django-coverage-plugin](https://github.com/coveragepy/django_coverage_plugin) | `3.2.0` | `3.2.2` | | [rust-just](https://github.com/gnpaone/rust-just) | `1.47.0` | `1.48.1` | Updates `pillow` from 12.1.1 to 12.2.0 - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@12.1.1...12.2.0) Updates `redis` from 7.3.0 to 7.4.0 - [Release notes](https://github.com/redis/redis-py/releases) - [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES) - [Commits](redis/redis-py@v7.3.0...v7.4.0) Updates `hiredis` from 3.3.0 to 3.3.1 - [Release notes](https://github.com/redis/hiredis-py/releases) - [Changelog](https://github.com/redis/hiredis-py/blob/master/CHANGELOG.md) - [Commits](redis/hiredis-py@v3.3.0...v3.3.1) Updates `celery` from 5.6.2 to 5.6.3 - [Release notes](https://github.com/celery/celery/releases) - [Changelog](https://github.com/celery/celery/blob/v5.6.3/Changelog.rst) - [Commits](celery/celery@v5.6.2...v5.6.3) Updates `pygithub` from 2.8.1 to 2.9.0 - [Release notes](https://github.com/pygithub/pygithub/releases) - [Changelog](https://github.com/PyGithub/PyGithub/blob/main/doc/changes.rst) - [Commits](PyGithub/PyGithub@v2.8.1...v2.9.0) Updates `types-requests` from 2.32.4.20260107 to 2.33.0.20260402 - [Commits](https://github.com/python/typeshed/commits) Updates `django-allauth` from 65.15.0 to 65.15.1 - [Commits](https://github.com/sponsors/pennersr/commits) Updates `djangorestframework` from 3.16.1 to 3.17.1 - [Release notes](https://github.com/encode/django-rest-framework/releases) - [Commits](encode/django-rest-framework@3.16.1...3.17.1) Updates `gunicorn` from 25.1.0 to 25.3.0 - [Release notes](https://github.com/benoitc/gunicorn/releases) - [Commits](benoitc/gunicorn@25.1.0...25.3.0) Updates `werkzeug` from 3.1.6 to 3.1.8 - [Release notes](https://github.com/pallets/werkzeug/releases) - [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst) - [Commits](pallets/werkzeug@3.1.6...3.1.8) Updates `django-stubs` from 5.2.9 to 6.0.2 - [Release notes](https://github.com/typeddjango/django-stubs/releases) - [Commits](typeddjango/django-stubs@5.2.9...6.0.2) Updates `djangorestframework-stubs` from 3.16.8 to 3.16.9 - [Release notes](https://github.com/typeddjango/djangorestframework-stubs/releases) - [Commits](typeddjango/djangorestframework-stubs@3.16.8...3.16.9) Updates `ruff` from 0.15.6 to 0.15.9 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](astral-sh/ruff@0.15.6...0.15.9) Updates `pytest-cov` from 7.0.0 to 7.1.0 - [Changelog](https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst) - [Commits](pytest-dev/pytest-cov@v7.0.0...v7.1.0) Updates `django-debug-toolbar` from 6.2.0 to 6.3.0 - [Release notes](https://github.com/django-commons/django-debug-toolbar/releases) - [Changelog](https://github.com/django-commons/django-debug-toolbar/blob/main/docs/changes.rst) - [Commits](django-commons/django-debug-toolbar@6.2.0...6.3.0) Updates `django-coverage-plugin` from 3.2.0 to 3.2.2 - [Release notes](https://github.com/coveragepy/django_coverage_plugin/releases) - [Commits](coveragepy/django_coverage_plugin@v3.2.0...v3.2.2) Updates `rust-just` from 1.47.0 to 1.48.1 - [Release notes](https://github.com/gnpaone/rust-just/releases) - [Changelog](https://github.com/gnpaone/rust-just/blob/master/CHANGELOG.md) - [Commits](gnpaone/rust-just@1.47.0...1.48.1) --- updated-dependencies: - dependency-name: pillow dependency-version: 12.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: redis dependency-version: 7.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: hiredis dependency-version: 3.3.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python - dependency-name: celery dependency-version: 5.6.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python - dependency-name: pygithub dependency-version: 2.9.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: types-requests dependency-version: 2.33.0.20260402 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: django-allauth dependency-version: 65.15.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python - dependency-name: djangorestframework dependency-version: 3.17.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: gunicorn dependency-version: 25.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: werkzeug dependency-version: 3.1.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python - dependency-name: django-stubs dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: python - dependency-name: djangorestframework-stubs dependency-version: 3.16.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python - dependency-name: ruff dependency-version: 0.15.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python - dependency-name: pytest-cov dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: django-debug-toolbar dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: django-coverage-plugin dependency-version: 3.2.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python - dependency-name: rust-just dependency-version: 1.48.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python ... Signed-off-by: dependabot[bot] <support@github.com>

codecov · 2026-04-06T00:12:17Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (873a048) to head (2885d67).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##              main      #328   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           49        49           
  Lines         2017      1931   -86     
=========================================
- Hits          2017      1931   -86

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

dependabot · 2026-04-13T00:08:39Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 6, 2026

dependabot Bot closed this Apr 13, 2026

dependabot Bot deleted the dependabot/pip/python-7fcd521922 branch April 13, 2026 00:08

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the python group across 1 directory with 17 updates#328

Bump the python group across 1 directory with 17 updates#328
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/python-7fcd521922

dependabot Bot commented on behalf of github Apr 6, 2026 •

edited

Loading

these method calls do not send requests to the GitHub API

these method and property calls send requests to Github API

once a lazy object has been fetched, all properties are available (no more requests)

Uh oh!

codecov Bot commented Apr 6, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github Apr 13, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Apr 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

12.2.0

Documentation

Dependencies

Testing

Other changes

7.4.0

Changes

🐛 Bug Fixes

🧪 Experimental Features

🧰 Maintenance

3.3.1

Changes

Contributors

v5.6.3

What's Changed

5.6.3

v2.9.0

Notable changes

Lazy PyGithub objects

PyGithub objects with a paginated property

Drop Python 3.8 support due to End-of-Life

Version 2.9.0 (March 22, 2026)

these method calls do not send requests to the GitHub API

these method and property calls send requests to Github API

once a lazy object has been fetched, all properties are available (no more requests)

3.17.1

What's Changed

Bug fixes

3.17.0

What's Changed

Breaking changes

Features

Bug fixes

Translations

Packaging

Other changes

New Contributors

Gunicorn 25.3.0

Bug Fixes

Security

Changes

Gunicorn 25.2.0

New Features

Bug Fixes

3.1.8

3.1.7

Version 3.1.8

Version 3.1.7

Uh oh!

codecov Bot commented Apr 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

dependabot Bot commented on behalf of github Apr 13, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Apr 6, 2026 •

edited

Loading

codecov Bot commented Apr 6, 2026 •

edited

Loading