chore(deps): bump the pip group across 4 directories with 6 updates

[dependabot]

Bumps the pip group with 6 updates in the /e2e/python directory:

Package	From	To
flask	3.1.0	3.1.3
orjson	3.9.15	3.11.6
black	24.10.0	26.3.1
protobuf	5.29.4	5.29.6
sqlparse	0.5.3	0.5.4
werkzeug	3.1.3	3.1.6

Bumps the pip group with 1 update in the /e2e/tests directory: black.
Bumps the pip group with 6 updates in the /sdk/@launchdarkly/observability-python directory:

Package	From	To
flask	3.1.1	3.1.3
orjson	3.9.15	3.11.6
black	25.1.0	26.3.1
protobuf	5.29.5	5.29.6
sqlparse	0.5.3	0.5.4
werkzeug	3.1.5	3.1.6

Bumps the pip group with 3 updates in the /sdk/highlight-py directory: flask, sqlparse and werkzeug.

Updates flask from 3.1.0 to 3.1.3

Release notes

Sourced from flask's releases.

3.1.3

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

• The session is marked as accessed for operations that only access the keys but not the values, such as in and len. GHSA-68rp-wp8r-4726

3.1.2

This is the Flask 3.1.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.2/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-2 Milestone: https://github.com/pallets/flask/milestone/38?closed=1

• stream_with_context does not fail inside async views. #5774
• When using follow_redirects in the test client, the final state of session is correct. #5786
• Relax type hint for passing bytes IO to send_file. #5776

3.1.1

This is the Flask 3.1.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.1/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-1 Milestone https://github.com/pallets/flask/milestone/36?closed=1

• Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. GHSA-4grg-w6v8-c28g
• Fix type hint for cli_runner.invoke. #5645
• flask --help loads the app and plugins first to make sure all commands are shown. #5673
• Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. #5659

Changelog

Sourced from flask's changelog.

Version 3.1.3

Released 2026-02-18

• The session is marked as accessed for operations that only access the keys but not the values, such as in and len. :ghsa:68rp-wp8r-4726

Version 3.1.2

Released 2025-08-19

• stream_with_context does not fail inside async views. :issue:5774
• When using follow_redirects in the test client, the final state of session is correct. :issue:5786
• Relax type hint for passing bytes IO to send_file. :issue:5776

Version 3.1.1

Released 2025-05-13

• Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28g
• Fix type hint for cli_runner.invoke. :issue:5645
• flask --help loads the app and plugins first to make sure all commands are shown. :issue:5673
• Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. :pr:5659

Commits

• 22d9247 release version 3.1.3
• 089cb86 Merge commit from fork
• c17f379 request context tracks session access
• 27be933 start version 3.1.3
• 4e652d3 Abort if the instance folder cannot be created (#5903)
• 3d03098 Abort if the instance folder cannot be created
• 407eb76 document using gevent for async (#5900)
• ac5664d document using gevent for async
• 4f79d5b Increase required flit_core version to 3.11 (#5865)
• fe3b215 Increase required flit_core version to 3.11
• Additional commits viewable in compare view

Updates orjson from 3.9.15 to 3.11.6

Release notes

Sourced from orjson's releases.

3.11.6

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

3.11.5

Changed

• Show simple error message instead of traceback when attempting to build on unsupported Python versions.

3.11.4

Changed

• ABI compatibility with CPython 3.15 alpha 1.
• Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7, manylinux ppc64le, manylinux s390x.
• Build now requires a C compiler.

3.11.3

Fixed

• Fix PyPI project metadata when using maturin 1.9.2 or later.

3.11.2

Fixed

• Fix build using Rust 1.89 on amd64.

Changed

• Build now depends on Rust 1.85 or later instead of 1.82.

3.11.1

Changed

• Publish PyPI wheels for CPython 3.14.

Fixed

• Fix str on big-endian architectures.

3.11.0

... (truncated)

Changelog

Sourced from orjson's changelog.

3.11.6 - 2026-01-29

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

3.11.5 - 2025-12-06

Changed

• Show simple error message instead of traceback when attempting to build on unsupported Python versions.

3.11.4 - 2025-10-24

Changed

• ABI compatibility with CPython 3.15 alpha 1.
• Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7, manylinux ppc64le, manylinux s390x.
• Build now requires a C compiler.

3.11.3 - 2025-08-26

Fixed

• Fix PyPI project metadata when using maturin 1.9.2 or later.

3.11.2 - 2025-08-12

Fixed

• Fix build using Rust 1.89 on amd64.

Changed

• Build now depends on Rust 1.85 or later instead of 1.82.

... (truncated)

Commits

• ec02024 3.11.6
• d581687 build, clippy misc
• 4105b29 writer::num
• 62bb185 Fix sporadic crash on serializing object close
• d860078 PyRef idiom refactors
• 343ae2f Deserializer, Utf8Buffer
• 7835f58 PyBytesRef and other input refactor
• 71e0516 PyStrRef
• 1096df4 MSRV 1.89
• b718e75 Drop support for python3.9
• Additional commits viewable in compare view

Updates black from 24.10.0 to 26.3.1

Release notes

Sourced from black's releases.

26.3.1

Stable style

• Prevent Jupyter notebook magic masking collisions from corrupting cells by using exact-length placeholders for short magics and aborting if a placeholder can no longer be unmasked safely (#5038)

Configuration

• Always hash cache filename components derived from --python-cell-magics so custom magic names cannot affect cache paths (#5038)

Blackd

• Disable browser-originated requests by default, add configurable origin allowlisting and request body limits, and bound executor submissions to improve backpressure (#5039)

26.3.0

Stable style

• Don't double-decode input, causing non-UTF-8 files to be corrupted (#4964)
• Fix crash on standalone comment in lambda default arguments (#4993)
• Preserve parentheses when # type: ignore comments would be merged with other comments on the same line, preventing AST equivalence failures (#4888)

Preview style

• Fix bug where if guards in case blocks were incorrectly split when the pattern had a trailing comma (#4884)
• Fix string_processing crashing on unassigned long string literals with trailing commas (one-item tuples) (#4929)
• Simplify implementation of the power operator "hugging" logic (#4918)

Packaging

• Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in frozen environments (#4930)

Performance

• Introduce winloop for windows as an alternative to uvloop (#4996)
• Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop() (#4996)
• Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop installation and creation of either a uvloop/winloop evenloop or default eventloop (#4996)

Output

... (truncated)

Changelog

Sourced from black's changelog.

26.3.1

Stable style

• Prevent Jupyter notebook magic masking collisions from corrupting cells by using exact-length placeholders for short magics and aborting if a placeholder can no longer be unmasked safely (#5038)

Configuration

• Always hash cache filename components derived from --python-cell-magics so custom magic names cannot affect cache paths (#5038)

Blackd

• Disable browser-originated requests by default, add configurable origin allowlisting and request body limits, and bound executor submissions to improve backpressure (#5039)

26.3.0

Stable style

• Don't double-decode input, causing non-UTF-8 files to be corrupted (#4964)
• Fix crash on standalone comment in lambda default arguments (#4993)
• Preserve parentheses when # type: ignore comments would be merged with other comments on the same line, preventing AST equivalence failures (#4888)

Preview style

• Fix bug where if guards in case blocks were incorrectly split when the pattern had a trailing comma (#4884)
• Fix string_processing crashing on unassigned long string literals with trailing commas (one-item tuples) (#4929)
• Simplify implementation of the power operator "hugging" logic (#4918)

Packaging

• Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in frozen environments (#4930)

Performance

• Introduce winloop for windows as an alternative to uvloop (#4996)
• Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop() (#4996)
• Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop installation and creation of either a uvloop/winloop evenloop or default eventloop (#4996)

... (truncated)

Commits

• c6755bb Prepare release 26.3.1 (#5046)
• 69973fd Harden blackd browser-facing request handling (#5039)
• 4937fe6 Fix some shenanigans with the cache file and IPython (#5038)
• 2e641d1 docs: remove outdated Black Playground references (#5044)
• c014b22 Remove unused internal code (#5041)
• 0dae20b Add new changelog (#5036)
• c5c1cbd Minor release patches (#5035)
• 7e5a828 docs: clarify relationship between Black style and PEP 8 (#5025)
• 69705de docs: add clearer pyproject configuration guidance (#5026)
• 35ea679 Prepare release 26.3.0 (#5032)
• Additional commits viewable in compare view

Updates protobuf from 5.29.4 to 5.29.6

Release notes

Sourced from protobuf's releases.

Protocol Buffers v34.0-rc1

Announcements

• This version includes breaking changes to: C++, Objective-C, PHP, Python.
• [Bazel] Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (protocolbuffers/protobuf@0a5c2f6)
• [C++] Make generator headers private (protocolbuffers/protobuf@3a2af35)
• [C++] Add a debug check that the target of CopyFrom is not a descendant of the source. (protocolbuffers/protobuf@7a75898)
• [C++] Add [[nodiscard]] to many APIs. (protocolbuffers/protobuf@a70115f)
• [C++] Make the arena-enabled constructors of RepeatedField, RepeatedPtrField, and Map private. (protocolbuffers/protobuf@ef890c3)
• [C++] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (protocolbuffers/protobuf@b76faa9)
• [C++] Removes proto2::util::MessageDifferencer::AddIgnoreCriteria that takes a raw pointer as an argument in favor of the overload that takes a unique_ptr. Remove macro PROTOBUF_FUTURE_REMOVE_ADD_IGNORE_CRITERIA (protocolbuffers/protobuf@b115358)
• [C++] Remove deprecated FieldDescriptor::has_optional_keyword() in OSS. Use is_repeated() or has_presence() instead (protocolbuffers/protobuf@68346ec)
• [C++] Remove AddUnusedImportTrackFile() and ClearUnusedImportTrackFiles(). Remove PROTOBUF_FUTURE_RENAME_ADD_UNUSED_IMPORT (protocolbuffers/protobuf@837a2cd)
• [C++] Remove deprecated FieldDescriptor::is_optional() in OSS. Use (!is_required() && !is_repeated()) instead (protocolbuffers/protobuf@9dbc5d4)
• [C++] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (protocolbuffers/protobuf@c301c2c)
• [C++] All entity names have length limit (2afb0dc)
• [ObjC] Remove generate_minimal_imports generation option warning (protocolbuffers/protobuf@45b1297)
• [ObjC] Fix nullability annotations on some GPB*Dictionary types. (protocolbuffers/protobuf@ea67d6d)
• [ObjC] Remove -[GPBFieldDescriptor optional] (protocolbuffers/protobuf@3414dc1)
• [Other] Remove deprecated flag for enabling MSVC support (protocolbuffers/protobuf@97c979b)
• [PHP] Remove deprecated PHP APIs (protocolbuffers/protobuf@9c45014)
• [PHP] Remove deprecated PHP APIs FieldDescriptor getLabel, use IsRepeated or isRequired instead. (protocolbuffers/protobuf@4208121, protocolbuffers/protobuf@cd76e67, protocolbuffers/protobuf@4208121)
• [PHP] Add PHP typehints for setters and remove redundant GPBUtil checks (protocolbuffers/protobuf#25296) (protocolbuffers/protobuf@aee03b7)
• [PHP] support default values for editions/proto2 (protocolbuffers/protobuf#25161) (protocolbuffers/protobuf@b01099d)
• [Python] Raise errors in OSS when assign bool to int/enum field in Python Proto. (protocolbuffers/protobuf@5b116fe)
• [Python] Remove float_format/double_format from python proto text_format (protocolbuffers/protobuf@e4854a1)
• [Python] Raise TypeError when convert non-timedelta to Duration, or convert non-datetime to Timestamp in python proto. (Original code may raise ArributeError) (protocolbuffers/protobuf@00aaca1)
• [Python] Remove float_precision from python proto json_format (protocolbuffers/protobuf@f027f1f)
• [Python] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (protocolbuffers/protobuf@b76faa9)
• [Python] Remove deprecated FieldDescriptor.label (protocolbuffers/protobuf@0a8ff55)
• [Python] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (protocolbuffers/protobuf@c301c2c)
• Protobuf News may include additional announcements or pre-announcements for upcoming changes.
• Migration Guide may include additional guidance for breaking changes.

Bazel

• Fix: cc_toolchain should prefer protoc when prebuilt flag is flipped. (#25168) (protocolbuffers/protobuf@8c857c3)
• Breaking change: Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (protocolbuffers/protobuf@0a5c2f6)
• Feat(bazel): wire up prebuilt protoc toolchain (#24115) (protocolbuffers/protobuf@cc23698)
• Migrate proto_descriptor_set (#23369) (protocolbuffers/protobuf@8d4dfdd)

Compiler

• Ruby codegen: support generation of rbs files (#15633) (protocolbuffers/protobuf@6ebdf85)
• Avoid collision name problems between a message named Xyz and a direct sibling enum named XyzView (protocolbuffers/protobuf@eba53e8)
• Generalizing and implementing ValidateFeatureSupport for both Options and Features during proto parsing (protocolbuffers/protobuf@ed3c571)
• Fix a bug with custom features outside of the pb package. (protocolbuffers/protobuf@872d3ce)
• Fix import option handling when include_imports isn't set. (protocolbuffers/protobuf@9ef9e80)
• Fix a bug in STRICT check of namespaced enums to properly check for 'reserved 1 to max' (protocolbuffers/protobuf@1229d4a)
• Prevent accidental stripping of debug_redact options via import option. (protocolbuffers/protobuf@f58b098)

C++

• Add EnumerateEnumValues function. (protocolbuffers/protobuf@397d5d9)

... (truncated)

Commits

• See full diff in compare view

Updates sqlparse from 0.5.3 to 0.5.4

Changelog

Sourced from sqlparse's changelog.

Release 0.5.4 (Nov 28, 2025)

Enhancements

• Add support for Python 3.14.
• Add type annotations to top-level API functions and include py.typed marker for PEP 561 compliance, enabling type checking with mypy and other tools (issue756).
• Add pre-commit hook support. sqlparse can now be used as a pre-commit hook to automatically format SQL files. The CLI now supports multiple files and an --in-place flag for in-place editing (issue537).
• Add ATTACH and DETACH to PostgreSQL keywords (pr808).
• Add INTERSECT to close keywords in WHERE clause (pr820).
• Support REGEXP BINARY comparison operator (pr817).

Bug Fixes

• Add additional protection against denial of service attacks when parsing very large lists of tuples. This enhances the existing recursion protections with configurable limits for token processing to prevent DoS through algorithmic complexity attacks. The new limits (MAX_GROUPING_DEPTH=100, MAX_GROUPING_TOKENS=10000) can be adjusted or disabled (by setting to None) if needed for legitimate large SQL statements.
• Remove shebang from cli.py and remove executable flag (pr818).
• Fix strip_comments not removing all comments when input contains only comments (issue801, pr803 by stropysh).
• Fix splitting statements with IF EXISTS/IF NOT EXISTS inside BEGIN...END blocks (issue812).
• Fix splitting on semicolons inside BEGIN...END blocks (issue809).

Commits

• 14e300b Bump version.
• 96a67e2 Code cleanup.
• 1a3bfbd Fix handling of semicolons inside BEGIN...END blocks (fixes #809).
• e92a032 Fix handling of IF EXISTS statements in BEGIN...END blocks (fixes #812).
• 149bebf Update Changelog.
• 561a67e Update AUTHORS.
• 73c8ba3 bugfix ISSUE_801; Remove all comments when only comments
• 1b32387 Update action to run on all prs.
• 31903e0 Add pre-commit hook support (fixes #537)
• 1357726 docs: add AGENTS.md for project guidance and development commands
• Additional commits viewable in compare view

Updates werkzeug from 3.1.3 to 3.1.6

Release notes

Sourced from werkzeug's releases.

3.1.6

This is the Werkzeug 3.1.6 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.6/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-6

• safe_join on Windows does not allow special devices names in multi-segment paths. GHSA-29vq-49wr-vm6x

3.1.5

This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.5/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-5 Milestone: https://github.com/pallets/werkzeug/milestone/43?closed=1

• safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. GHSA-87hc-h4r5-73f7
• The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. #3065 #3077
• Fix AttributeError when initializing DebuggedApplication with pin_security=False. #3075

3.1.4

This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.4/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-4 Milestone: https://github.com/pallets/werkzeug/milestone/42?closed=1

• safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. ghsa-hgf8-39gv-g3f2
• The debugger pin fails after 10 attempts instead of 11. #3020
• The multipart form parser handles a \r\n sequence at a chunk boundary. #3065
• Improve CPU usage during Watchdog reloader. #3054
• Request.json annotation is more accurate. #3067
• Traceback rendering handles when the line number is beyond the available source lines. #3044
• HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. #3056

Changelog

Sourced from werkzeug's changelog.

Version 3.1.6

Released 2026-02-19

• safe_join on Windows does not allow special devices names in multi-segment paths. :ghsa:29vq-49wr-vm6x

Version 3.1.5

Released 2026-01-08

• safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. :ghsa:87hc-h4r5-73f7
• The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. :issue:3065 :issue:3077
• Fix AttributeError when initializing DebuggedApplication with pin_security=False. :issue:3075

Version 3.1.4

Released 2025-11-28

• safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. :ghsa:hgf8-39gv-g3f2
• The debugger pin fails after 10 attempts instead of 11. :pr:3020
• The multipart form parser handles a \r\n sequence at a chunk boundary. :issue:3065
• Improve CPU usage during Watchdog reloader. :issue:3054
• Request.json annotation is more accurate. :issue:3067
• Traceback rendering handles when the line number is beyond the available source lines. :issue:3044
• HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. :issue:3056

Commits

• 04da1b5 release version 3.1.6
• f407712 Merge commit from fork
• f54fe98 safe_join prevents Windows special device names in multi-segment paths
• d005985 start version 3.1.6
• 8565c2c document rule priority (#3102)
• 3febc7e document rule priority
• 2525b82 remove state machine docs
• 4abfbd5 rewrite build docstring (#3097)
• 161c18b rewrite build docstring
• 86e11c2 release version 3.1.5 (#3085)
• Additional commits viewable in compare view

Updates black from 24.8.0 to 26.3.1

Release notes

Sourced from black's releases.

26.3.1

Stable style

• Prevent Jupyter notebook magic masking collisions from corrupting cells by using exact-length placeholders for short magics and aborting if a placeholder can no longer be unmasked safely (#5038)

Configuration

• Always hash cache filename components derived from --python-cell-magics so custom magic names cannot affect cache paths (#5038)

Blackd

• Disable browser-originated requests by default, add configurable origin allowlisting and request body limits, and bound executor submissions to improve backpressure (#5039)

26.3.0

Stable style

• Don't double-decode input, causing non-UTF-8 files to be corrupted (#4964)
• Fix crash on standalone comment in lambda default arguments (#4993)
• Preserve parentheses when # type: ignore comments would be merged with other comments on the same line, preventing AST equivalence failures (#4888)

Preview style

• Fix bug where if guards in case blocks were incorrectly split when the pattern had a trailing comma (#4884)
• Fix string_processing crashing on unassigned long string literals with trailing commas (one-item tuples) (#4929)
• Simplify implementation of the power operator "hugging" logic (#4918)

Packaging

• Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in frozen environments (#4930)

Performance

• Introduce winloop for windows as an alternative to uvloop (#4996)
• Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop() (#4996)
• Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop installation and creation of either a uvloop/winloop evenloop or default eventloop (#4996)

Output

... (truncated)

Changelog

Sourced from black's changelog.

26.3.1

Stable style

• Prevent Jupyter notebook magic masking collisions from corrupting cells by using exact-length placeholders for short magics and aborting if a placeholder can no longer be unmasked safely (#5038)

Configuration

• Always hash cache filename components derived from --python-cell-magics so custom magic names cannot affect cache paths (#5038)

Blackd

• Disable browser-originated requests by default, add configurable origin allowlisting and request body limits, and bound executor submissions to improve backpressure (#5039)

26.3.0

Stable style

• Don't double-decode input, causing non-UTF-8 files to be corrupted (#4964)
• Fix crash on standalone comment in lambda default arguments (#4993)
• Preserve parentheses when # type: ignore comments would be merged with other comments on the same line, preventing AST equivalence failures (#4888)

Preview style

• Fix bug where if guards in case blocks were incorrectly split when the pattern had a trailing comma (#4884)
• Fix string_processing crashing on unassigned long string literals with trailing commas (one-item tuples) (#4929)
• Simplify implementation of the power operator "hugging" logic (#4918)

Packaging

• Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in frozen environments (#4930)

Performance

• Introduce winloop for windows as an alternative to uvloop (#4996)
• Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop() (#4996)
• Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop installation and creation of either a uvloop/winloop evenloop or default eventloop (#4996)

... (truncated)

Commits

• c6755bb Prepare release 26.3.1 (#5046)
• 69973fd Harden blackd browser-facing request handling (#5039)
• 4937fe6 Fix some shenanigans with the cache file and IPython (#5038)
• 2e641d1 docs: remove outdated Black Playground references (#5044)
• c014b22 Remove unused internal code (#5041)
• 0dae20b Add new changelog (#5036)
• c5c1cbd Minor release patches (#5035)
• 7e5a828 docs: clarify relationship between Black style and PEP 8 (#5025)
• 69705de docs: add clearer pyproject configuration guidance (#5026)
• 35ea679 Prepare release 26.3.0 (#5032)
• Additional commits viewable in compare view

Updates flask from 3.1.1 to 3.1.3

Release notes

Sourced from flask's releases.

3.1.3

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

• The session is marked as accessed for operations that only access the keys but not the values, such as in and len. GHSA-68rp-wp8r-4726

3.1.2

This is the Flask 3.1.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.2/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-2 Milestone: https://github.com/pallets/flask/milestone/38?closed=1

• stream_with_context does not fail inside async views. #5774
• When using follow_redirects in the test client, the final state of session is correct. #5786
• Relax type hint for passing bytes IO to send_file. #5776

3.1.1

This is the Flask 3.1.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.1/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-1 Milestone https://github.com/pallets/flask/milestone/36?closed=1

• Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. GHSA-4grg-w6v8-c28g
• Fix type hint for cli_runner.invoke. #5645
• flask --help loads the app and plugins first to make sure all commands are shown. #5673
• Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. #5659

Changelog

Sourced from flask's changelog.

Version 3.1.3

Released 2026-02-18

• The session is marked as accessed for operations that only access the keys but not the values, such as in and len. :ghsa:68rp-wp8r-4726

Version 3.1.2

Released 2025-08-19

• stream_with_context does not fail inside async views. :issue:5774
• When using follow_redirects in the test client, the final state of session is correct. :issue:5786
• Relax type hint for passing bytes IO to send_file. :issue:5776

Version 3.1.1

Released 2025-05-13

• Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28g
• Fix type hint for cli_runner.invoke. :issue:5645
• flask --help loads the app and plugins first to make sure all commands are shown. :issue:5673
• Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. :pr:5659

Commits

• 22d9247 release version 3.1.3
• 089cb86 Merge commit from fork
• c17f379 request context tracks session access
• 27be933 start version 3.1.3
• 4e652d3 Abort if the instance folder cannot be created (#5903)
• 3d03098 Abort if the instance folder cannot be created
• 407eb76 document using gevent for async (#5900)
• ac5664d document using gevent for async
• 4f79d5b Increase required flit_core version to 3.11 (#5865)
• fe3b215 Increase required flit_core version to 3.11
• Additional commits viewable in compare view

Updates orjson from 3.9.15 to 3.11.6

Release notes

Sourced from orjson's releases.

3.11.6

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

3.11.5

Changed

• Show simple error message instead of traceback when attempting to build on unsupported Python versions.

3.11.4

Changed

• ABI compatibility with CPython 3.15 alpha 1.
• Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7, manylinux ppc64le, manylinux s390x.
• Build now requires a C compiler.

3.11.3

Fixed

• Fix PyPI project metadata when using maturin 1.9.2 or later.

3.11.2

Fixed

• Fix build using Rust 1.89 on amd64.

Changed

• Build now depends on Rust 1.85 or later instead of 1.82.

3.11.1

Changed

• Publish PyPI wheels for CPython 3.14.

Fixed

• Fix str on big-endian architectures.

3.11.0

... (truncated)

Changelog

Sourced from orjson's changelog.

3.11.6 - 2026-01-29

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

3.11.5 - 2025-12-06

Changed

• Show simple error message instead of traceback when attempting to build on unsupported Python versions.

3.11.4 - 2025-10-24

Changed

• ABI compatibility with CPython 3.15 alpha 1.
• Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7, manylinux ppc64le, manylinux s390x.
• Build now requires a C compiler.

3.11.3 - 2025-08-26

Fixed

• Fix PyPI project metadata when using maturin 1.9.2 or later.

3.11.2 - 2025-08-12

Fixed

• Fix build using Rust 1.89 on amd64.

Changed

• Build now depends on Rust 1.85 or later instead of 1.82.

... (truncated)

Commits

• ec02024 3.11.6
• Description has been truncated

  ---

  [!NOTE]
  Medium Risk
  Primarily dependency and lockfile churn, but upgrades include runtime libs (flask, orjson, werkzeug) and a major black bump that could change formatting/tooling behavior and potentially impact CI/e2e runs.

  Overview
  Updates dependency pins for the E2E Python project and tests, including bumps to flask (^3.1.3), orjson (3.11.6), and dev formatter black (^26.3.1).

  Regenerates poetry.lock files (now Poetry 2.2.1/lock-version 2.1), which reclassifies packages into main/dev groups, adjusts environment markers/extras, and introduces new transitive tooling deps like pytokens (via black).

  ^{Written by} Cursor Bugbot for commit ec0fa65. This will update automatically on new commits. Configure here.

[github-actions]

☂️ Python Coverage

current status: ✅

Overall Coverage

Lines	Covered	Coverage	Threshold	Status
628	551	88%	0%	🟢

New Files

No new covered files...

Modified Files

No covered modified files...

updated for commit: ec0fa65 by action🐍