chore(deps): bump the python-minor-patch group across 1 directory with 12 updates by dependabot[bot] · Pull Request #224 · CarterPerez-dev/CertGames-Core

dependabot · 2026-04-05T10:06:36Z

Bumps the python-minor-patch group with 12 updates in the /backend directory:

Package	From	To
anyio	`4.12.1`	`4.13.0`
celery	`5.6.2`	`5.6.3`
click	`8.3.1`	`8.3.2`
cryptography	`46.0.5`	`46.0.6`
marshmallow	`4.2.2`	`4.3.0`
pyjwt	`2.11.0`	`2.12.1`
requests	`2.32.5`	`2.33.1`
werkzeug	`3.1.6`	`3.1.8`
deptry	`0.24.0`	`0.25.1`
ipython	`9.11.0`	`9.12.0`
mypy	`1.19.1`	`1.20.0`
vulture	`2.15`	`2.16`

Updates anyio from 4.12.1 to 4.13.0

Release notes

Sourced from anyio's releases.

4.13.0

Dropped support for Python 3.9

Added a ttl parameter to the anyio.functools.lru_cache wrapper (#1073; PR by @Graeme22)

Widened the type annotations of file I/O streams to accept IO[bytes] instead of just BinaryIO (#1078)

Fixed anyio.Path not being compatible with Python 3.15 due to the removal of pathlib.Path.is_reserved() and the addition of pathlib.Path.__vfspath__() (#1061; PR by @veeceey)

Fixed the BrokenResourceError raised by the asyncio SocketStream not having the original exception as its cause (#1055; PR by @veeceey)

Fixed the TypeError raised when using "func" as a parameter name in pytest.mark.parametrize when using the pytest plugin (#1068; PR by @JohnnyDeuss)

Fixed the pytest plugin not running tests that had the anyio marker added programmatically via pytest_collection_modifyitems (#422; PR by @chbndrhnns)

Fixed cancellation exceptions leaking from a CancelScope on asyncio when they are contained in an exception group alongside non-cancellation exceptions (#1091; PR by @gschaffner)

Fixed Condition.wait() not passing on a notification when the task is cancelled but already received a notification

Fixed inverted condition in the process pool shutdown phase which would cause still-running pooled processes not to be terminated (#1074; PR by @bysiber)

Commits

afbe93c Bumped up the version
33bdf2e Rearranged the changelog entries
19e09e2 Fixed inverted condition in _forcibly_shutdown_process_pool_on_exit (#1074)
9369d80 Fixed Condition.wait() not handing over notification when cancelled
6f122ab Fixed cancellation exceptions leaking from a CancelScope on asyncio when th...
beaa45a [pre-commit.ci] pre-commit autoupdate (#1097)
602f660 Widened type annotations to accept IO[bytes] in file streams
b5dcd45 Added note about erasing the template
d68670b [pre-commit.ci] pre-commit autoupdate (#1090)
fc17a22 tweak to_thread docs about abandon_on_cancel (#1088)
Additional commits viewable in compare view

Updates celery from 5.6.2 to 5.6.3

Release notes

Sourced from celery's releases.

v5.6.3

What's Changed

Fix Django worker recursion bug + defensive checks for pool_cls.module by @maycuatroi1 in celery/celery#10048

Docs: Update user_preload_options example to use click. by @jorsyk in celery/celery#10056

Fix invalid configuration key "bootstrap_servers" in Kafka demo by @jorsyk in celery/celery#10060

Fix broken images on PyPI page by @Timour-Ilyas in celery/celery#10066

Remove broken reference. by @sueannioanis in celery/celery#10071

Removed --dist=loadscope from smoke tests by @Nusnus in celery/celery#10073

Docs: Clarify task_retry signal args may be None by @GangEunzzang in celery/celery#10076

Update example for Django by @sbc-khacnha in celery/celery#10081

Make tests compatible with pymongo >= 4.16 by @cjwatson in celery/celery#10074

fix: source install of cassandra-driver by @Izzette in celery/celery#10105

fix: register task cross-reference role in Sphinx extension by @veeceey in celery/celery#10100

fix: avoid cycle detection in native delayed delivery by @Izzette in celery/celery#10095

fix(asynpool): avoid AttributeError when proc lacks _sentinel_poll by @mriddle in celery/celery#10086

fix dusk_astronomical horizon sign (+18 -> -18) by @Mr-Neutr0n in celery/celery#10121

Fix/10106 onupdate col use lambda func by @ChickenBenny in celery/celery#10108

Fix warm shutdown RuntimeError with eventlet>=0.37.0 (#10083) by @ChickenBenny in celery/celery#10123

Fix 10109 db backend connection health by @ChickenBenny in celery/celery#10124

Database Backend filter unsupport sql engine arguments with nullpool #7355 by @ChickenBenny in celery/celery#10134

fix(beat): correct argument order in Service.reduce by @bysiber in celery/celery#10137

ci: declare explicit read-only token permissions in workflow jobs by @Rohan5commit in celery/celery#10139

chore: 'boto3to' to 'boto3 to' by @cuiweixie in celery/celery#10133

Database Backend: Add missing index on date_done (Fixes #10097) by @ChickenBenny in celery/celery#10098

docs: fix typo in CONTRIBUTING.rst by @Rohan5commit in celery/celery#10141

Refer to Flower / Prometheus for monitoring by @WilliamDEdwards in celery/celery#10140

docs: remove duplicated words in broker and routing docs by @Rohan5commit in celery/celery#10146

docs: fix stale version reference and grammar in README by @kelsonbrito50 in celery/celery#10145

docs: fix wording in Celery 5.3 worker pool notes by @Rohan5commit in celery/celery#10149

docs: fix duplicated wording in 3.1 changelog entry by @Rohan5commit in celery/celery#10152

docs: fix changelog typo in context manager wording by @Rohan5commit in celery/celery#10144

Fix/10096 worker fails to reconnect after redis failover by @ChickenBenny in celery/celery#10151

Improve on_after_finalize signal documentation by @Br1an67 in celery/celery#10155

Add non-commutative example to clarify partial arg ordering in canvas docs by @Br1an67 in celery/celery#10157

Remove redundant test_isa_mapping test (fixes #10077) by @daniel7an in celery/celery#10103

Upgrade pytest-celery to >=1.3.0 and adopt PYTEST_CELERY_PKG build arg by @Nusnus in celery/celery#10162

Remove deprecated args from redis get_connection call by @JaeHyuckSa in celery/celery#10036

Fix #6912 rpc backend reconnection error by @ChickenBenny in celery/celery#10179

Fix NameError with TYPE_CHECKING annotations on Python 3.14+ (PEP 649) by @drichardson in celery/celery#10165

docs: Add elaboration on prefetch multiplier settings (worker_prefetch_multiplier) and worker_eta_task_limit by @tsangwailam in celery/celery#10181

Fix O(K²) message bloat in a chain of chords by @Borzik in celery/celery#10171

Fix mock connection interfaces to prevent TypeError during exception handling by @ChickenBenny in celery/celery#10178

fix(trace): dispatch chain/callbacks on dedup fast-path for redelivered tasks by @aurangzaib048 in celery/celery#10159

Extract reconnect_on_error to BaseResultConsumer by @ChickenBenny in celery/celery#10189

pep 649 by @ericbuehl in celery/celery#10187

Fix#9722 friendly status errors for CLI by @ChickenBenny in celery/celery#10190

docs: clarify after_return behavior for retried tasks by @KianAnbarestani in celery/celery#10192

Add compression header to message protocol docs by @Br1an67 in celery/celery#10156

docs: fix duplicated word in bootsteps comment by @Rohan5commit in celery/celery#10153

Remove outdated autoreloader section from extending docs by @Br1an67 in celery/celery#10154

... (truncated)

Changelog

Sourced from celery's changelog.

5.6.3

:release-date: 2026-03-26 :release-by: Tomer Nosrati

What's Changed


- Fix Django worker recursion bug + defensive checks for pool_cls.__module__ ([#10048](https://github.com/celery/celery/issues/10048))
- Docs: Update user_preload_options example to use click. ([#10056](https://github.com/celery/celery/issues/10056))
- Fix invalid configuration key "bootstrap_servers" in Kafka demo ([#10060](https://github.com/celery/celery/issues/10060))
- Fix broken images on PyPI page ([#10066](https://github.com/celery/celery/issues/10066))
- Remove broken reference. ([#10071](https://github.com/celery/celery/issues/10071))
- Removed --dist=loadscope from smoke tests ([#10073](https://github.com/celery/celery/issues/10073))
- Docs: Clarify task_retry signal args may be None ([#10076](https://github.com/celery/celery/issues/10076))
- Update example for Django ([#10081](https://github.com/celery/celery/issues/10081))
- Make tests compatible with pymongo >= 4.16 ([#10074](https://github.com/celery/celery/issues/10074))
- fix: source install of cassandra-driver ([#10105](https://github.com/celery/celery/issues/10105))
- fix: register task cross-reference role in Sphinx extension ([#10100](https://github.com/celery/celery/issues/10100))
- fix: avoid cycle detection in native delayed delivery ([#10095](https://github.com/celery/celery/issues/10095))
- fix(asynpool): avoid AttributeError when proc lacks _sentinel_poll ([#10086](https://github.com/celery/celery/issues/10086))
- fix dusk_astronomical horizon sign (+18 -> -18) ([#10121](https://github.com/celery/celery/issues/10121))
- Fix/10106 onupdate col use lambda func ([#10108](https://github.com/celery/celery/issues/10108))
- Fix warm shutdown RuntimeError with eventlet>=0.37.0 ([#10083](https://github.com/celery/celery/issues/10083)) ([#10123](https://github.com/celery/celery/issues/10123))
- Fix 10109 db backend connection health ([#10124](https://github.com/celery/celery/issues/10124))
- Database Backend filter unsupport sql engine arguments with nullpool [#7355](https://github.com/celery/celery/issues/7355) ([#10134](https://github.com/celery/celery/issues/10134))
- fix(beat): correct argument order in Service.__reduce__ ([#10137](https://github.com/celery/celery/issues/10137))
- ci: declare explicit read-only token permissions in workflow jobs ([#10139](https://github.com/celery/celery/issues/10139))
- chore: 'boto3to' to 'boto3 to' ([#10133](https://github.com/celery/celery/issues/10133))
- Database Backend: Add missing index on date_done (Fixes [#10097](https://github.com/celery/celery/issues/10097)) ([#10098](https://github.com/celery/celery/issues/10098))
- docs: fix typo in CONTRIBUTING.rst ([#10141](https://github.com/celery/celery/issues/10141))
- Refer to Flower / Prometheus for monitoring ([#10140](https://github.com/celery/celery/issues/10140))
- docs: remove duplicated words in broker and routing docs ([#10146](https://github.com/celery/celery/issues/10146))
- docs: fix stale version reference and grammar in README ([#10145](https://github.com/celery/celery/issues/10145))
- docs: fix wording in Celery 5.3 worker pool notes ([#10149](https://github.com/celery/celery/issues/10149))
- docs: fix duplicated wording in 3.1 changelog entry ([#10152](https://github.com/celery/celery/issues/10152))
- docs: fix changelog typo in context manager wording ([#10144](https://github.com/celery/celery/issues/10144))
- Fix/10096 worker fails to reconnect after redis failover ([#10151](https://github.com/celery/celery/issues/10151))
- Improve on_after_finalize signal documentation ([#10155](https://github.com/celery/celery/issues/10155))
- Add non-commutative example to clarify partial arg ordering in canvas docs ([#10157](https://github.com/celery/celery/issues/10157))
- Remove redundant test_isa_mapping test (fixes [#10077](https://github.com/celery/celery/issues/10077)) ([#10103](https://github.com/celery/celery/issues/10103))
- Upgrade pytest-celery to >=1.3.0 and adopt PYTEST_CELERY_PKG build arg ([#10162](https://github.com/celery/celery/issues/10162))
- Remove deprecated args from redis get_connection call ([#10036](https://github.com/celery/celery/issues/10036))
- Fix [#6912](https://github.com/celery/celery/issues/6912) rpc backend reconnection error ([#10179](https://github.com/celery/celery/issues/10179))
- Fix NameError with TYPE_CHECKING annotations on Python 3.14+ (PEP 649) ([#10165](https://github.com/celery/celery/issues/10165))
- docs: Add elaboration on prefetch multiplier settings (worker_prefetch_multiplier) and worker_eta_task_limit ([#10181](https://github.com/celery/celery/issues/10181))
- Fix O(K²) message bloat in a chain of chords ([#10171](https://github.com/celery/celery/issues/10171))
- Fix mock connection interfaces to prevent `TypeError` during exception handling ([#10178](https://github.com/celery/celery/issues/10178))
- fix(trace): dispatch chain/callbacks on dedup fast-path for redelivered tasks ([#10159](https://github.com/celery/celery/issues/10159))
</tr></table>

... (truncated)

Commits

3f4d8d7 Prepare for release: v5.6.3 (#10221)
a989e8c fix: clear the timer while catch the exception (#10218)
d06de5f Chore(deps): Bump nick-fields/retry from 3 to 4 (#10213)
c3c19c3 Fix: prioritize request ignore_result over task definition (#10184)
d23be53 Remove outdated autoreloader section from extending docs (#10154)
ada2da7 docs: fix duplicated word in bootsteps comment\n\nSigned-off-by: Rohan Santho...
f45f62b Add compression header to message protocol docs (#10156)
9a27092 docs: clarify after_return behavior for retried tasks (#10192)
6ee6230 Fix#9722 friendly status errors for CLI (#10190)
a9a2d4c [pre-commit.ci] pre-commit autoupdate (#10186)
Additional commits viewable in compare view

Updates click from 8.3.1 to 8.3.2

Release notes

Sourced from click's releases.

8.3.2

This is the Click 8.3.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.3.2/ Changes: https://click.palletsprojects.com/page/changes/#version-8-3-2 Milestone: https://github.com/pallets/click/milestone/29

Fix handling of flag_value when is_flag=False to allow such options to be used without an explicit value. #3084 #3152

Hide Sentinel.UNSET values as None when using lookup_default(). #3136 #3199 #3202 #3209 #3212 #3224

Prevent _NamedTextIOWrapper from closing streams owned by StreamMixer. #824 #2991 #2993 #3110 #3139 #3140

Add comprehensive tests for CliRunner stream lifecycle, covering logging interaction, multi-threaded safety, and sequential invocation isolation. Add high-iteration stress tests behind a stress marker with a dedicated CI job. #3139

Fix callable flag_value being instantiated when used as a default via default=True. #3121 #3201 #3213 #3225

Changelog

Sourced from click's changelog.

Version 8.3.2

Released 2026-04-02

Fix handling of flag_value when is_flag=False to allow such options to be used without an explicit value. :issue:3084 :pr:3152

Hide Sentinel.UNSET values as None when using lookup_default(). :issue:3136 :pr:3199 :pr:3202 :pr:3209 :pr:3212 :pr:3224

Prevent _NamedTextIOWrapper from closing streams owned by StreamMixer. :issue:824 :issue:2991 :issue:2993 :issue:3110 :pr:3139 :pr:3140

Add comprehensive tests for CliRunner stream lifecycle, covering logging interaction, multi-threaded safety, and sequential invocation isolation. Add high-iteration stress tests behind a stress marker with a dedicated CI job. :pr:3139

Fix callable flag_value being instantiated when used as a default via default=True. :issue:3121 :pr:3201 :pr:3213 :pr:3225

Commits

052c006 Change update release date.
502b7ce Merge branch 'stable' of https://github.com/pallets/click into release-8.3.2
a0a37e4 Change publish to werkzeug latest. (#3301)
57be6fc Change publish to werkzeug latest.
781d6a8 Update publish workflows (#3266)
ff795b6 Update precommit pins with tox
dd87ef4 Update github action pins with tox
93d3f9d Release version 8.3.2
3299ba1 Add missing PR to changelog. (#3264)
b7f62c4 Add missing PR to changelog.
Additional commits viewable in compare view

Updates cryptography from 46.0.5 to 46.0.6

Changelog

Sourced from cryptography's changelog.

46.0.6 - 2026-03-25

* **SECURITY ISSUE**: Fixed a bug where name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug, including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for reporting the issue. **CVE-2026-34073**

.. _v46-0-5:

Commits

91d7288 Cherry-pick #14542 (#14543)
See full diff in compare view

Updates marshmallow from 4.2.2 to 4.3.0

Changelog

Sourced from marshmallow's changelog.

4.3.0 (2026-04-03)

Features:

Add pre_load and post_load parameters to marshmallow.fields.Field for field-level pre- and post-processing (:issue:2787).

Typing: improvements to marshmallow.validate (:pr:2940).

4.2.4 (2026-04-02)

Bug fixes:

marshmallow.validate.URL and marshmallow.validate.Email accept Internationalized Domain Names (IDNs) (:issue:2821, :issue:2936). marshmallow.validate.Email also correctly rejects IDN domains with leading/trailing hyphens. Thanks :user:touhidurrr for the report.

Typing: Fix typing of nested in marshmallow.fields.Nested (:pr:2935).

4.2.3 (2026-03-25)

Bug fixes:

Make marshmallow.fields.Number and marshmallow.fields.Mapping abstract base classes to prevent using them within Schemas (:issue:2924). Thanks :user:MartingaleCoda for reporting.

Allow required to be set on marshmallow.fields.Contant (:issue:2900). Thanks :user:nosnickid for the report and :user:worksbyfriday for the PR.

Fix marshmallow.validate.OneOf emitting extra pairs when labels outnumber choices (:issue:2869). Thanks: user:T90REAL for the report and :user:rstar327 for the PR.

Fix behavior when passing a dot-delimited attribute name to partial for a key with data_key set (:pr:2903). Thanks :user:bysiber for the PR.

Fix Enum field by-name lookup to only return actual members (:pr:2902). Thanks :user:bysiber for the PR.

marshmallow.fields.DateTime with format="timestamp_ms" properly rejects bool values (:pr:2904). Thanks :user:bysiber for the PR.

Fix typing of error_messages argument to marshmallow.fields.Field (:pr:1636). Thanks :user:repole for reporting and :user:dhruvildarji for the PR.

Other changes:

Add ipaddress.* to marshmallow.Schema.TYPE_MAPPING (:issue:1695). Thanks :user:liberforce for the suggestion and :user:dhruvildarji for the PR.

Commits

b596fdb Bump version and update changelog
256f0aa Add pre/post_load parameters to Field (#2799)
c847ad4 Typing improvements to marshmallow.validate (#2940)
eb86322 Remove redundant docs job (#2939)
a44ad62 Avoid infinite recursion in nesting docs (#2938)
3360e34 Bump version and update changelog
7b9ce45 Fix changelog typos and update releasing docs
f07eadc Fix validate.Email to accept IDNs (#2937)
4acb783 Fix Unreachable Warning (#2935)
3492fae Remove redundant python-version (#2932)
Additional commits viewable in compare view

Updates pyjwt from 2.11.0 to 2.12.1

Release notes

Sourced from pyjwt's releases.

2.12.1

What's Changed

Add typing_extensions dependency for Python < 3.11 by @jpadilla in jpadilla/pyjwt#1151

Full Changelog: jpadilla/pyjwt@2.12.0...2.12.1

2.12.0

Security

Validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. by @dmbs335 in GHSA-752w-5fwx-jx9f

What's Changed

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in jpadilla/pyjwt#1132

chore(docs): fix docs build by @tamird in jpadilla/pyjwt#1137

Annotate PyJWKSet.keys for pyright by @tamird in jpadilla/pyjwt#1134

fix: close HTTPError to prevent ResourceWarning on Python 3.14 by @veeceey in jpadilla/pyjwt#1133

chore: remove superfluous constants by @tamird in jpadilla/pyjwt#1136

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in jpadilla/pyjwt#1135

chore(tests): enable mypy by @tamird in jpadilla/pyjwt#1138

Bump actions/download-artifact from 7 to 8 by @dependabot[bot] in jpadilla/pyjwt#1142

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in jpadilla/pyjwt#1141

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in jpadilla/pyjwt#1145

fix: do not store reference to algorithms dict on PyJWK by @akx in jpadilla/pyjwt#1143

Use PyJWK algorithm when encoding without explicit algorithm by @jpadilla in jpadilla/pyjwt#1148

New Contributors

@tamird made their first contribution in jpadilla/pyjwt#1137

@veeceey made their first contribution in jpadilla/pyjwt#1133

Full Changelog: jpadilla/pyjwt@2.11.0...2.12.0

Changelog

Sourced from pyjwt's changelog.

v2.12.1 <https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1>__

Fixed
- Add missing ``typing_extensions`` dependency for Python < 3.11 in `[#1150](https://github.com/jpadilla/pyjwt/issues/1150) <https://github.com/jpadilla/pyjwt/issues/1150>`__
v2.12.0 &lt;https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0&gt;__
Fixed
Annotate PyJWKSet.keys for pyright by @tamird in [#1134](https://github.com/jpadilla/pyjwt/issues/1134) <https://github.com/jpadilla/pyjwt/pull/1134>__

Close HTTPError response to prevent ResourceWarning on Python 3.14 by @veeceey in [#1133](https://github.com/jpadilla/pyjwt/issues/1133) <https://github.com/jpadilla/pyjwt/pull/1133>__

Do not keep algorithms dict in PyJWK instances by @akx in [#1143](https://github.com/jpadilla/pyjwt/issues/1143) <https://github.com/jpadilla/pyjwt/pull/1143>__

Validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. by @dmbs335 in GHSA-752w-5fwx-jx9f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f>__

Use PyJWK algorithm when encoding without explicit algorithm in [#1148](https://github.com/jpadilla/pyjwt/issues/1148) <https://github.com/jpadilla/pyjwt/pull/1148>__

Added
- Docs: Add ``PyJWKClient`` API reference and document the two-tier caching system (JWK Set cache and signing key LRU cache).

Commits

a4e1a3d Add typing_extensions dependency for Python < 3.11 (#1151)
bd9700c Use PyJWK algorithm when encoding without explicit algorithm (#1148)
051ea34 Merge commit from fork
1451d70 fix: do not store reference to algorithms dict on PyJWK (#1143)
f3ba74c [pre-commit.ci] pre-commit autoupdate (#1145)
0318ffa [pre-commit.ci] pre-commit autoupdate (#1141)
a52753d Bump actions/download-artifact from 7 to 8 (#1142)
b85050f chore(tests): enable mypy (#1138)
1272b26 [pre-commit.ci] pre-commit autoupdate (#1135)
99a8728 chore: remove superfluous constants (#1136)
Additional commits viewable in compare view

Updates requests from 2.32.5 to 2.33.1

Release notes

Sourced from requests's releases.

v2.33.1

2.33.1 (2026-03-30)

Bugfixes

Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)

Fixed Content-Type header parsing for malformed values. (#7309)

Improved error consistency for malformed header values. (#7308)

New Contributors

@ferdnyc made their first contribution in psf/requests#7277

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30

v2.33.0

2.33.0 (2026-03-25)

Announcements

📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

Various typo fixes and doc improvements.

New Contributors

@M0d3v1 made their first contribution in psf/requests#6865

@aminvakil made their first contribution in psf/requests#7220

@E8Price made their first contribution in psf/requests#6960

@mitre88 made their first contribution in psf/requests#7244

@magsen made their first contribution in psf/requests#6553

@Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

Changelog

Sourced from requests's changelog.

2.33.1 (2026-03-30)

Bugfixes

Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)

Fixed Content-Type header parsing for malformed values. (#7309)

Improved error consistency for malformed header values. (#7308)

2.33.0 (2026-03-25)

Announcements

📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

Various typo fixes and doc improvements.

Commits

111d2b7 v2.33.1
f0198e6 Fix malformed value parsing for Content-Type (#7309)
bc7dd0f Fix cosmetic header validity parsing regex (#7308)
4443b1a Fix unintended test extra (#7306)
389eea5 Cleanup extracted file after extract_zipped_path test (#7305)
7407309 Packaging: DRY out extras definition (#7277)
bc04dfd v2.33.0
66d21cb Merge commit from fork
8b9bc8f Move badges to top of README (#7293)
e331a28 Remove unused extraction call (#7292)
Additional commits viewable in compare view

Updates werkzeug from 3.1.6 to 3.1.8

Release notes

Sourced from werkzeug's releases.

3.1.8

This is the Werkzeug 3.1.8 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.8/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-8 Milestone: https://github.com/pallets/werkzeug/milestone/45?closed=1

Request.host and get_host return the empty string if the header is missing or has invalid characters. #3142

3.1.7

This is the Werkzeug 3.1.7 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.7/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-7 Milestone: https://github.com/pallets/werkzeug/milestone/44?closed=1

parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. #3128

WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. #3127

Transfer-Encoding is parsed as a set. #3134

Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. #3113

Fix multipart form parser handling of newline at boundary. #3088

Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. #3108

merge_slashes merges any number of consecutive slashes. #3121

Changelog

Sourced from werkzeug's changelog.

Version 3.1.8

Released 2026-04-02

Request.host and get_host return the empty string if the header is missing or has invalid characters. :issue:3142

Version 3.1.7

Released 2026-03-23

parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. :pr:3128

WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. :issue:3127

Transfer-Encoding is parsed as a set. :pr:3134

Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. :pr:3113

Fix multipart form parser handling of newline at boundary. :issue:3088

Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. :issue:3108

merge_slashes merges any number of consecutive slashes. :issue:3121

Commits

c1a26b4 release version 3.1.8
7926f0b relax get_host strictness (#3148)
deab88f relax get_host strictness
65eb639 start version 3.1.8
7720b76 release version 3.1.7 (#3135)
005d93b release version 3.1.7
c328342 merge any number of slashes (#3136)
23142a3 merge any number of slashes
b913d68 always set accept-ranges header
f282943 Correct 1049dd6b2a363e1ef302b4161c340fb8582f627a
Additional commits viewable in compare view

Updates deptry from 0.24.0 to 0.25.1

Release notes

Sourced from deptry's releases.

0.25.1

What's Changed

Release 0.25.0 was yanked in PyPI because of a failure during the release. 0.25.1 is identical, but includes a fix in the release process.

Full Changelog: osprey-oss/deptry@0.25.0...0.25.1

0.25.0

What's Changed

Repository moved to Osprey OSS

deptry has moved from fpgmaas/deptry to osprey-oss/deptry under the new Osprey OSS organisation. This ensures the project is not tied to a single account and makes it easier to manage contributors and access as the project grows.

Features

Support inline # deptry: ignore comments to suppress violations (#1473)

Support non-dev dependency groups with --non-dev-dependency-groups (#1440)

Use tomli on Python < 3.15 for TOML 1.1 support (#1446)

Add --optional-dependencies-dev-groups and deprecate --pep621-dev-dependency-groups (#1391)

Bug Fixes

Ensure that --config does not suppress output (#1390)

Full Changelog

osprey-oss/deptry@0.24.0...0.25.0

Changelog

Sourced from deptry's changelog.

0.25.1 - 2025-03-18

Release 0.25.0 was yanked in PyPI because of a failure during the release. 0.25.1 is identical, but includes a fix in the release process.

0.25.0 - 2025-03-18

Repository moved to Osprey OSS

deptry has moved from fpgmaas/deptry to osprey-oss/deptry under the new Osprey OSS organisation. This ensures the project is not tied to a single account and makes it easier to manage contributors and access as the project grows.

Features

Support inline # deptry: ignore comments to suppress violations (#1473)

Support non-dev dependency groups with --non-dev-dependency-group... Description has been truncated

…h 12 updates Bumps the python-minor-patch group with 12 updates in the /backend directory: | Package | From | To | | --- | --- | --- | | [anyio](https://github.com/agronholm/anyio) | `4.12.1` | `4.13.0` | | [celery](https://github.com/celery/celery) | `5.6.2` | `5.6.3` | | [click](https://github.com/pallets/click) | `8.3.1` | `8.3.2` | | [cryptography](https://github.com/pyca/cryptography) | `46.0.5` | `46.0.6` | | [marshmallow](https://github.com/marshmallow-code/marshmallow) | `4.2.2` | `4.3.0` | | [pyjwt](https://github.com/jpadilla/pyjwt) | `2.11.0` | `2.12.1` | | [requests](https://github.com/psf/requests) | `2.32.5` | `2.33.1` | | [werkzeug](https://github.com/pallets/werkzeug) | `3.1.6` | `3.1.8` | | [deptry](https://github.com/osprey-oss/deptry) | `0.24.0` | `0.25.1` | | [ipython](https://github.com/ipython/ipython) | `9.11.0` | `9.12.0` | | [mypy](https://github.com/python/mypy) | `1.19.1` | `1.20.0` | | [vulture](https://github.com/jendrikseipp/vulture) | `2.15` | `2.16` | Updates `anyio` from 4.12.1 to 4.13.0 - [Release notes](https://github.com/agronholm/anyio/releases) - [Commits](agronholm/anyio@4.12.1...4.13.0) Updates `celery` from 5.6.2 to 5.6.3 - [Release notes](https://github.com/celery/celery/releases) - [Changelog](https://github.com/celery/celery/blob/v5.6.3/Changelog.rst) - [Commits](celery/celery@v5.6.2...v5.6.3) Updates `click` from 8.3.1 to 8.3.2 - [Release notes](https://github.com/pallets/click/releases) - [Changelog](https://github.com/pallets/click/blob/main/CHANGES.rst) - [Commits](pallets/click@8.3.1...8.3.2) Updates `cryptography` from 46.0.5 to 46.0.6 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@46.0.5...46.0.6) Updates `marshmallow` from 4.2.2 to 4.3.0 - [Changelog](https://github.com/marshmallow-code/marshmallow/blob/dev/CHANGELOG.rst) - [Commits](marshmallow-code/marshmallow@4.2.2...4.3.0) Updates `pyjwt` from 2.11.0 to 2.12.1 - [Release notes](https://github.com/jpadilla/pyjwt/releases) - [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst) - [Commits](jpadilla/pyjwt@2.11.0...2.12.1) Updates `requests` from 2.32.5 to 2.33.1 - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.32.5...v2.33.1) Updates `werkzeug` from 3.1.6 to 3.1.8 - [Release notes](https://github.com/pallets/werkzeug/releases) - [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst) - [Commits](pallets/werkzeug@3.1.6...3.1.8) Updates `deptry` from 0.24.0 to 0.25.1 - [Release notes](https://github.com/osprey-oss/deptry/releases) - [Changelog](https://github.com/osprey-oss/deptry/blob/main/CHANGELOG.md) - [Commits](osprey-oss/deptry@0.24.0...0.25.1) Updates `ipython` from 9.11.0 to 9.12.0 - [Release notes](https://github.com/ipython/ipython/releases) - [Commits](ipython/ipython@9.11.0...9.12.0) Updates `mypy` from 1.19.1 to 1.20.0 - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](python/mypy@v1.19.1...v1.20.0) Updates `vulture` from 2.15 to 2.16 - [Release notes](https://github.com/jendrikseipp/vulture/releases) - [Changelog](https://github.com/jendrikseipp/vulture/blob/main/CHANGELOG.md) - [Commits](jendrikseipp/vulture@v2.15...v2.16) --- updated-dependencies: - dependency-name: anyio dependency-version: 4.13.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: celery dependency-version: 5.6.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python-minor-patch - dependency-name: click dependency-version: 8.3.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python-minor-patch - dependency-name: cryptography dependency-version: 46.0.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python-minor-patch - dependency-name: marshmallow dependency-version: 4.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: pyjwt dependency-version: 2.12.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: requests dependency-version: 2.33.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: werkzeug dependency-version: 3.1.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python-minor-patch - dependency-name: deptry dependency-version: 0.25.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: ipython dependency-version: 9.12.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: mypy dependency-version: 1.20.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: vulture dependency-version: '2.16' dependency-type: direct:development update-type: version-update:semver-minor dependency-group: python-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-04-05T10:06:36Z

Labels

The following labels could not be found: dependencies, python. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

github-actions · 2026-04-05T10:07:14Z

🔒 Security Scan Results

✅ Bandit: Passed

No security issues found. Your code passed all security checks! 🎉

Security scans help identify potential vulnerabilities in your code. Learn more about Bandit

dependabot · 2026-04-12T10:05:54Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

github-actions bot approved these changes Apr 5, 2026

View reviewed changes

github-actions bot enabled auto-merge (squash) April 5, 2026 10:06

dependabot bot closed this Apr 12, 2026

auto-merge was automatically disabled April 12, 2026 10:05
Pull request was closed

dependabot bot deleted the dependabot/pip/backend/prod/python-minor-patch-045d995b9f branch April 12, 2026 10:05

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the python-minor-patch group across 1 directory with 12 updates#224

chore(deps): bump the python-minor-patch group across 1 directory with 12 updates#224
dependabot[bot] wants to merge 1 commit intoprodfrom
dependabot/pip/backend/prod/python-minor-patch-045d995b9f

dependabot bot commented on behalf of github Apr 5, 2026 •

edited

Loading

`v2.12.0 <https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0>`__

Uh oh!

dependabot bot commented on behalf of github Apr 5, 2026

Uh oh!

github-actions bot commented Apr 5, 2026

Uh oh!

dependabot bot commented on behalf of github Apr 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Apr 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

4.13.0

v5.6.3

What's Changed

5.6.3

8.3.2

Version 8.3.2

4.3.0 (2026-04-03)

4.2.4 (2026-04-02)

4.2.3 (2026-03-25)

2.12.1

What's Changed

2.12.0

Security

What's Changed

New Contributors

v2.12.1 <https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1>__

v2.12.0 &lt;https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0&gt;__

v2.33.1

2.33.1 (2026-03-30)

New Contributors

v2.33.0

2.33.0 (2026-03-25)

New Contributors

2.33.1 (2026-03-30)

2.33.0 (2026-03-25)

3.1.8

3.1.7

Version 3.1.8

Version 3.1.7

0.25.1

What's Changed

0.25.0

What's Changed

Repository moved to Osprey OSS

Features

Bug Fixes

Full Changelog

0.25.1 - 2025-03-18

0.25.0 - 2025-03-18

Repository moved to Osprey OSS

Features

Uh oh!

dependabot bot commented on behalf of github Apr 5, 2026

Labels

Uh oh!

github-actions bot commented Apr 5, 2026

🔒 Security Scan Results

✅ Bandit: Passed

Uh oh!

dependabot bot commented on behalf of github Apr 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot bot commented on behalf of github Apr 5, 2026 •

edited

Loading

`v2.12.1 <https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1>`__

`v2.12.0 <https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0>`__