Skip to content

Bump the minor-patch group across 1 directory with 9 updates#1419

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/backend/minor-patch-51c9376323
Open

Bump the minor-patch group across 1 directory with 9 updates#1419
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/backend/minor-patch-51c9376323

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 1, 2026

Bumps the minor-patch group with 9 updates in the /backend directory:

Package From To
requests 2.32.5 2.33.1
cachetools 7.0.1 7.0.5
pillow 12.1.1 12.2.0
gunicorn 25.0.3 25.3.0
apispec 6.9.0 6.10.0
sqlalchemy 2.0.37 2.0.48
tabulate 0.9.0 0.10.0
werkzeug 3.1.5 3.1.7
sentry-sdk 2.42.1 2.57.0

Updates requests from 2.32.5 to 2.33.1

Release notes

Sourced from requests's releases.

v2.33.1

2.33.1 (2026-03-30)

Bugfixes

  • Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
  • Fixed Content-Type header parsing for malformed values. (#7309)
  • Improved error consistency for malformed header values. (#7308)

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30

v2.33.0

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

Changelog

Sourced from requests's changelog.

2.33.1 (2026-03-30)

Bugfixes

  • Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
  • Fixed Content-Type header parsing for malformed values. (#7309)
  • Improved error consistency for malformed header values. (#7308)

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.
Commits

Updates cachetools from 7.0.1 to 7.0.5

Changelog

Sourced from cachetools's changelog.

v7.0.5 (2026-03-09)

  • Minor @cachedmethod performance improvements.

v7.0.4 (2026-03-08)

  • Fix and properly document @cachedmethod.cache_key behavior.

  • Minor documentation improvements.

v7.0.3 (2026-03-05)

  • Fix DeprecationWarning when creating an autospec mock with @cachedmethod decorations.

v7.0.2 (2026-03-02)

  • Provide more efficient clear() implementation for all support Cache classes (courtesy Josep Pon Farreny).
Commits

Updates pillow from 12.1.1 to 12.2.0

Release notes

Sourced from pillow's releases.

12.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html

Documentation

Dependencies

Testing

Other changes

... (truncated)

Commits

Updates gunicorn from 25.0.3 to 25.3.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 25.3.0

Bug Fixes

  • HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2 ASGI requests, causing JSON parsing errors with "Extra data" messages (#3558)

  • ASGI Chunked EOF Handling: Add finish() method to callback parser to handle chunked encoding edge case where connection closes before final CRLF after zero-chunk

  • HTTP/2 Documentation: Fix http_protocols examples to use comma-separated string instead of list syntax (#3561)

  • Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC 9112 (#3556)

  • Request Line Limit: Fix --limit-request-line 0 to mean unlimited as documented, instead of using default maximum. Works with both Python and fast C parser. (#3563)

Security

  • ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
    • Reject duplicate Content-Length headers
    • Reject requests with both Content-Length and Transfer-Encoding
    • Reject chunked transfer encoding in HTTP/1.0
    • Reject stacked chunked encoding
    • Validate Transfer-Encoding values
    • Strict chunk size validation

Changes

  • Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property and InvalidChunkExtension validation for bare CR rejection

  • ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser

  • Docker Images: Update to Python 3.14

Gunicorn 25.2.0

New Features

  • Fast HTTP Parser (gunicorn_h1c 0.4.1): Integrate new exception types and limit parameters from gunicorn_h1c 0.4.1 for both WSGI and ASGI workers
    • Requires gunicorn_h1c >= 0.4.1 for http_parser='fast'
    • Falls back to Python parser in auto mode if version not met
    • Proper HTTP status codes for limit errors (414, 431)

Bug Fixes

  • uWSGI Async Workers: Fix InvalidUWSGIHeader: incomplete header error when using gevent or gthread workers with uwsgi protocol behind nginx. (#3552, [PR #3554](benoitc/gunicorn#3554))

... (truncated)

Commits
  • 9bce72c Update changelog with missing 25.3.0 changes
  • 2a15fdb Fix pylint isinstance-second-argument-not-valid-type warning
  • 8d08aaa Fix --limit-request-line 0 to mean unlimited
  • d40a374 Fix pytest-asyncio configuration and treq_asgi hex escapes
  • da8bd48 Remove unused AsyncRequest class
  • b00f125 Integrate gunicorn_h1c 0.6.3 with InvalidChunkExtension support
  • bdb2ebd Reject chunk extensions with bare CR bytes (RFC 9112)
  • 7057fc9 Fix http_protocols documentation to use string syntax
  • d43acb8 Update to gunicorn_h1c >= 0.6.2 for asgi_headers support
  • cbd27e8 Merge pull request #3559 from benleembruggen/fix/http2-asgi-body-duplication
  • Additional commits viewable in compare view

Updates apispec from 6.9.0 to 6.10.0

Changelog

Sourced from apispec's changelog.

6.10.0 (2026-03-06)

Features:

  • Support links (:issue:615). Thanks :user:kingdomOfIT for the PR (:pr:1014).

Bug fixes:

  • MarshmallowPlugin: Handle DateTime fields with the "iso8601" and "rfc822" formats (:issue:970). Thanks :user:matejsp for reporting and karthiksai109 for the PR (:pr:1013).
Commits
  • 450a56c Bump version and update changelog
  • 0f40e7a Merge pull request #1022 from marshmallow-code/tests_utils_get
  • 6784476 Rework test.utils.get_* methods
  • f86aa98 Merge pull request #1014 from kingdomOfIT/feature/openapi-links
  • fd962d9 docs: remove reference to removed validate_spec utility (#1021)
  • 6031276 Bump openapi-spec-validator from 0.8.1 to 0.8.4
  • 7278e0f [pre-commit.ci] pre-commit autoupdate
  • ad467c8 Bump actions/upload-artifact from 6 to 7
  • e7e6c80 Bump actions/download-artifact from 7 to 8
  • cc2c988 Bump openapi-spec-validator from 0.8.0 to 0.8.1
  • Additional commits viewable in compare view

Updates sqlalchemy from 2.0.37 to 2.0.48

Release notes

Sourced from sqlalchemy's releases.

2.0.48

Released: March 2, 2026

engine

  • [engine] [bug] Fixed a critical issue in Engine where connections created in conjunction with the DialectEvents.do_connect() event listeners would receive shared, mutable collections for the connection arguments, leading to a variety of potential issues including unlimited growth of the argument list as well as elements within the parameter dictionary being shared among concurrent connection calls. In particular this could impact do_connect routines making use of complex mutable authentication structures.

    References: #13144

2.0.47

Released: February 24, 2026

orm

  • [orm] [bug] Fixed issue when using ORM mappings with Python 3.14's PEP 649 feature that no longer requires "future annotations", where the ORM's introspection of the __init__ method of mapped classes would fail if non-present identifiers in annotations were present. The vendored getfullargspec() method has been amended to use Format.FORWARDREF under Python 3.14 to prevent resolution of names that aren't present.

    References: #13104

engine

  • [engine] [usecase] The connection object returned by _engine.Engine.raw_connection() now supports the context manager protocol, automatically returning the connection to the pool when exiting the context.

    References: #13116

postgresql

  • [postgresql] [bug] Fixed an issue in the PostgreSQL dialect where foreign key constraint reflection would incorrectly swap or fail to capture onupdate and ondelete values when these clauses appeared in a different order than expected in the constraint definition. This issue primarily affected

... (truncated)

Commits

Updates tabulate from 0.9.0 to 0.10.0

Changelog

Sourced from tabulate's changelog.

  • 0.10.0: Add support for Python 3.11, 3.12, 3.13, 3.14. Drop support for Python 3.7, 3.8, 3.9. PRESERVE_STERILITY global is replaced with preserve_sterility function argument. New formatting options: headersglobalalign, headersalign, colglobalalign. New output format: colon_grid (Pandoc grid_tables with alignment) Various bug fixes. Improved error messages.
Commits
  • 3b4cd50 update HOWTOPUBLISH
  • 35ee0f6 update mini-benchmark table
  • 37ac76e restore tabulate.version
  • 37e1ed0 move # nowa: E931 to a different line (flake8)
  • 7bacc90 run pre-commit hooks (black)
  • 1b69704 Remove spurious cast in string interpolation
  • 4d535af Use specific noqa directives
  • 76c3d37 Remove spurious space from error message
  • 13508e7 Unnecessary list call
  • 69f67cd Do not call getattr with a constant value
  • Additional commits viewable in compare view

Updates werkzeug from 3.1.5 to 3.1.7

Release notes

Sourced from werkzeug's releases.

3.1.7

This is the Werkzeug 3.1.7 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.7/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-7 Milestone: https://github.com/pallets/werkzeug/milestone/44?closed=1

  • parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. #3128
  • WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. #3127
  • Transfer-Encoding is parsed as a set. #3134
  • Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. #3113
  • Fix multipart form parser handling of newline at boundary. #3088
  • Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. #3108
  • merge_slashes merges any number of consecutive slashes. #3121

3.1.6

This is the Werkzeug 3.1.6 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.6/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-6

  • safe_join on Windows does not allow special devices names in multi-segment paths. GHSA-29vq-49wr-vm6x
Changelog

Sourced from werkzeug's changelog.

Version 3.1.7

Released 2026-03-23

  • parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. :pr:3128
  • WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. :issue:3127
  • Transfer-Encoding is parsed as a set. :pr:3134
  • Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. :pr:3113
  • Fix multipart form parser handling of newline at boundary. :issue:3088
  • Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. :issue:3108
  • merge_slashes merges any number of consecutive slashes. :issue:3121

Version 3.1.6

Released 2026-02-19

  • safe_join on Windows does not allow special devices names in multi-segment paths. :ghsa:29vq-49wr-vm6x
  • Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. :issue:3108
Commits
  • 005d93b release version 3.1.7
  • c328342 merge any number of slashes (#3136)
  • 23142a3 merge any number of slashes
  • b913d68 always set accept-ranges header
  • f282943 Correct 1049dd6b2a363e1ef302b4161c340fb8582f627a
  • d3d3df5 validate host characters
  • 2c6a3a5 parse transfer-encoding as set (#3134)
  • 63261cd parse transfer-encoding as set
  • dafe7f1 fix trailing whitespace in WWW-Authenticate bearer (#3129)
  • 051fd66 fix trailing whitespace in WWW-Authenticate bearer
  • Additional commits viewable in compare view

Updates sentry-sdk from 2.42.1 to 2.57.0

Release notes

Sourced from sentry-sdk's releases.

2.57.0

New Features ✨

Langchain

Other

Bug Fixes 🐛

Openai

Other

Internal Changes 🔧

Ai

Langchain

Openai

... (truncated)

Changelog

Sourced from sentry-sdk's changelog.

2.57.0

New Features ✨

Langchain

Other

Bug Fixes 🐛

Openai

Other

Internal Changes 🔧

Ai

Langchain

Openai

... (truncated)

Commits
  • 9790785 Update CHANGELOG.md
  • 21f5dc3 release: 2.57.0
  • ae28669 fix(openai): Only wrap types with _iterator for streamed responses (#5917)
  • 2d91800 build(deps): bump getsentry/craft/.github/workflows/changelog-preview.yml fro...
  • 9c97dac build(deps): bump getsentry/craft from 2.25.0 to 2.25.2 (#5911)
  • 7516309 fix: Add cycle detection to exceptions_from_error (#5880)
  • 2604409 feat: Add experimental async transport (port of PR #4572) (#5646)
  • 49a5978 fix(ci): Update validate-pr action to remove draft enforcement (#5918)
  • b8a4945 ref(ai): Remove unused GEN_AI_PIPELINE operation constant (#5886)
  • e231708 ci: 🤖 Update test matrix with new releases (03/30) (#5912)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the minor-patch group across 1 directory with 9 updates
df62766 
Bumps the minor-patch group with 9 updates in the /backend directory:

| Package | From | To |
| --- | --- | --- |
| [requests](https://github.com/psf/requests) | `2.32.5` | `2.33.1` |
| [cachetools](https://github.com/tkem/cachetools) | `7.0.1` | `7.0.5` |
| [pillow](https://github.com/python-pillow/Pillow) | `12.1.1` | `12.2.0` |
| [gunicorn](https://github.com/benoitc/gunicorn) | `25.0.3` | `25.3.0` |
| [apispec](https://github.com/marshmallow-code/apispec) | `6.9.0` | `6.10.0` |
| [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) | `2.0.37` | `2.0.48` |
| [tabulate](https://github.com/astanin/python-tabulate) | `0.9.0` | `0.10.0` |
| [werkzeug](https://github.com/pallets/werkzeug) | `3.1.5` | `3.1.7` |
| [sentry-sdk](https://github.com/getsentry/sentry-python) | `2.42.1` | `2.57.0` |



Updates `requests` from 2.32.5 to 2.33.1
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.5...v2.33.1)

Updates `cachetools` from 7.0.1 to 7.0.5
- [Changelog](https://github.com/tkem/cachetools/blob/master/CHANGELOG.rst)
- [Commits](tkem/cachetools@v7.0.1...v7.0.5)

Updates `pillow` from 12.1.1 to 12.2.0
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@12.1.1...12.2.0)

Updates `gunicorn` from 25.0.3 to 25.3.0
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](benoitc/gunicorn@25.0.3...25.3.0)

Updates `apispec` from 6.9.0 to 6.10.0
- [Changelog](https://github.com/marshmallow-code/apispec/blob/dev/CHANGELOG.rst)
- [Commits](marshmallow-code/apispec@6.9.0...6.10.0)

Updates `sqlalchemy` from 2.0.37 to 2.0.48
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

Updates `tabulate` from 0.9.0 to 0.10.0
- [Changelog](https://github.com/astanin/python-tabulate/blob/master/CHANGELOG)
- [Commits](astanin/python-tabulate@v0.9.0...v0.10.0)

Updates `werkzeug` from 3.1.5 to 3.1.7
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](pallets/werkzeug@3.1.5...3.1.7)

Updates `sentry-sdk` from 2.42.1 to 2.57.0
- [Release notes](https://github.com/getsentry/sentry-python/releases)
- [Changelog](https://github.com/getsentry/sentry-python/blob/master/CHANGELOG.md)
- [Commits](getsentry/sentry-python@2.42.1...2.57.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.33.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: cachetools
  dependency-version: 7.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: pillow
  dependency-version: 12.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: gunicorn
  dependency-version: 25.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: apispec
  dependency-version: 6.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: sqlalchemy
  dependency-version: 2.0.48
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: tabulate
  dependency-version: 0.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: werkzeug
  dependency-version: 3.1.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: sentry-sdk
  dependency-version: 2.57.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants