Bump the flask group with 4 updates

[dependabot]

Bumps the flask group with 4 updates: flask, blinker, itsdangerous and werkzeug.

Updates flask from 3.0.3 to 3.1.0

Release notes

Sourced from flask's releases.

3.1.0

This is the Flask 3.1.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI: https://pypi.org/project/Flask/3.1.0/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-0 Milestone: https://github.com/pallets/flask/milestone/33?closed=1

• Drop support for Python 3.8. #5623
• Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. #5624, #5633
• Provide a configuration option to control automatic option responses. #5496
• Flask.open_resource/open_instance_resource and Blueprint.open_resource take an encoding parameter to use when opening in text mode. It defaults to utf-8. #5504
• Request.max_content_length can be customized per-request instead of only through the MAX_CONTENT_LENGTH config. Added MAX_FORM_MEMORY_SIZE and MAX_FORM_PARTS config. Added documentation about resource limits to the security page. #5625
• Add support for the Partitioned cookie attribute (CHIPS), with the SESSION_COOKIE_PARTITIONED config. #5472
• -e path takes precedence over default .env and .flaskenv files. load_dotenv loads default files in addition to a path unless load_defaults=False is passed. #5628
• Support key rotation with the SECRET_KEY_FALLBACKS config, a list of old secret keys that can still be used for unsigning. Extensions will need to add support. #5621
• Fix how setting host_matching=True or subdomain_matching=False interacts with SERVER_NAME. Setting SERVER_NAME no longer restricts requests to only that domain. #5553
• Request.trusted_hosts is checked during routing, and can be set through the TRUSTED_HOSTS config. #5636

Changelog

Sourced from flask's changelog.

Version 3.1.0

Released 2024-11-13

• Drop support for Python 3.8. :pr:5623
• Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. :pr:5624,5633
• Provide a configuration option to control automatic option responses. :pr:5496
• Flask.open_resource/open_instance_resource and Blueprint.open_resource take an encoding parameter to use when opening in text mode. It defaults to utf-8. :issue:5504
• Request.max_content_length can be customized per-request instead of only through the MAX_CONTENT_LENGTH config. Added MAX_FORM_MEMORY_SIZE and MAX_FORM_PARTS config. Added documentation about resource limits to the security page. :issue:5625
• Add support for the Partitioned cookie attribute (CHIPS), with the SESSION_COOKIE_PARTITIONED config. :issue:5472
• -e path takes precedence over default .env and .flaskenv files. load_dotenv loads default files in addition to a path unless load_defaults=False is passed. :issue:5628
• Support key rotation with the SECRET_KEY_FALLBACKS config, a list of old secret keys that can still be used for unsigning. Extensions will need to add support. :issue:5621
• Fix how setting host_matching=True or subdomain_matching=False interacts with SERVER_NAME. Setting SERVER_NAME no longer restricts requests to only that domain. :issue:5553
• Request.trusted_hosts is checked during routing, and can be set through the TRUSTED_HOSTS config. :issue:5636

Commits

• ab81496 release version 3.1.0
• 70602a1 remove test pypi
• 6748a09 update dev dependencies
• 22c48a7 Merge remote-tracking branch 'origin/stable'
• 2eab96a use generic bases for session (#5638)
• f49dbfd use generic bases for session
• 7b21d43 configure and check request.trusted_hosts (#5637)
• 4f7156f configure and check trusted_hosts
• 10bdf61 setting SERVER_NAME does not restrict routing for both subdomain_matching...
• 4995a77 fix subdomain_matching=False behavior
• Additional commits viewable in compare view

Updates blinker from 1.7.0 to 1.9.0

Release notes

Sourced from blinker's releases.

1.9.0

This is the Blinker 1.9.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI: https://pypi.org/project/blinker/1.9.0/ Changes: https://blinker.readthedocs.io/en/stable/#version-1-9-0 Milestone: https://github.com/pallets-eco/blinker/milestone/1?closed=1

• Drop support for Python 3.8. #175
• Remove previously deprecated __version__, receiver_connected, Signal.temporarily_connected_to and WeakNamespace. #172
• Skip weakref signal cleanup if the interpreter is shutting down. #173

1.8.2

This is the Blinker 1.8.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/blinker/1.8.2/ Changes: https://blinker.readthedocs.io/en/latest/#version-1-8-2

• Simplify type for _async_wrapper and _sync_wrapper arguments. #156

1.8.1

This is the Blinker 1.8.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/blinker/1.8.1/ Changes: https://blinker.readthedocs.io/en/latest/#version-1-8-1

• Restore identity handling for str and int senders. #148
• Fix deprecated blinker.base.WeakNamespace import. #149
• Fix deprecated blinker.base.receiver_connected import. #153
• Use types from collections.abc instead of typing. #150
• Fully specify exported types as reported by pyright. #152

1.8.0

This is the Blinker 1.8.0 feature release, which may include new features, remove previously deprecated code, or add new deprecations. The 1.8.x line is now the supported fix branch, support has ended for the 1.7.x line. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI: https://pypi.org/project/blinker/1.8.0/ Changes: https://blinker.readthedocs.io/en/latest/#version-1-8-0

• Deprecate the __version__ attribute. Use feature detection, or importlib.metadata.version("blinker"), instead. #128
• Specify that the deprecated temporarily_connected_to will be removed in the next version.
• Show a deprecation warning for the deprecated global receiver_connected signal and specify that it will be removed in the next version.
• Show a deprecation warning for the deprecated WeakNamespace and specify that it will be removed in the next version.
• Greatly simplify how the library uses weakrefs. This is a significant change internally but should not affect any public API. #144
• Expose the namespace used by signal() as default_namespace. #145

Changelog

Sourced from blinker's changelog.

Version 1.9.0

Released 2024-11-08

• Drop support for Python 3.8. :pr:175
• Remove previously deprecated __version__, receiver_connected, Signal.temporarily_connected_to and WeakNamespace. :pr:172
• Skip weakref signal cleanup if the interpreter is shutting down. :issue:173

Version 1.8.2

Released 2024-05-06

• Simplify type for _async_wrapper and _sync_wrapper arguments. :pr:156

Version 1.8.1

Released 2024-04-28

• Restore identity handling for str and int senders. :pr:148
• Fix deprecated blinker.base.WeakNamespace import. :pr:149
• Fix deprecated blinker.base.receiver_connected import. :pr:153
• Use types from collections.abc instead of typing. :pr:150
• Fully specify exported types as reported by pyright. :pr:152

Version 1.8.0

Released 2024-04-27

• Deprecate the __version__ attribute. Use feature detection, or importlib.metadata.version("blinker"), instead. :issue:128
• Specify that the deprecated temporarily_connected_to will be removed in the next version.
• Show a deprecation warning for the deprecated global receiver_connected signal and specify that it will be removed in the next version.
• Show a deprecation warning for the deprecated WeakNamespace and specify that it will be removed in the next version.
• Greatly simplify how the library uses weakrefs. This is a significant change internally but should not affect any public API. :pr:144
• Expose the namespace used by signal() as default_namespace. :pr:145

Commits

• 669f3a0 release version 1.9.0
• cfe116f try disabling attestions on test pypi
• 16e4bd7 Merge pull request #174 from projectgus/bugfix/weakref_disconnect_shutdown
• 42561fd Fix "Exception ignored" in weakref callback during interpreter shutdown.
• dcce3e9 Merge pull request #175 from pallets-eco/drop-python3.8
• efa95ea drop support for python 3.8
• 8230518 update dev dependencies
• 94f1202 update dev dependencies
• 8c983ec remove previously deprecated code (#172)
• f5915f3 set up pre-commit lite workflow
• Additional commits viewable in compare view

Updates itsdangerous from 2.1.2 to 2.2.0

Release notes

Sourced from itsdangerous's releases.

2.2.0

This is a feature release, which includes new features, removes previously deprecated code, and adds new deprecations. The 2.2.x branch is now the supported fix branch, the 2.1.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

Changes: https://itsdangerous.palletsprojects.com/en/2.2.x/changes/#version-2-2-0 Milestone: https://github.com/pallets/itsdangerous/milestone/8?closed=1

• Drop support for Python 3.7.
• Use modern packaging metadata with pyproject.toml instead of setup.cfg.
• Use flit_core instead of setuptools as build backend.
• Deprecate the __version__ attribute. Use feature detection, or importlib.metadata.version("itsdangerous"), instead.
• Serializer and the return type of dumps is generic for type checking. By default it is Serializer[str] and dumps returns a str. If a different serializer argument is given, it will try to infer the return type of its dumps method.
• The default hashlib.sha1 may not be available in FIPS builds. Don't access it at import time so the developer has time to change the default.

Changelog

Sourced from itsdangerous's changelog.

Version 2.2.0

Released 2024-04-16

• Drop support for Python 3.7. :pr:372
• Use modern packaging metadata with pyproject.toml instead of setup.cfg. :pr:326
• Use flit_core instead of setuptools as build backend.
• Deprecate the __version__ attribute. Use feature detection, or importlib.metadata.version("itsdangerous"), instead. :issue:371
• Serializer and the return type of dumps is generic for type checking. By default it is Serializer[str] and dumps returns a str. If a different serializer argument is given, it will try to infer the return type of its dumps method. :issue:347
• The default hashlib.sha1 may not be available in FIPS builds. Don't access it at import time so the developer has time to change the default. :issue:375

Commits

• 096c8d4 release version 2.2.0
• 7f4dcf8 access sha1 lazily
• 93ae366 change entry for generic serializer
• 135eb23 Generic serializer (#377)
• 999ce7a Improve generic typing further
• 52890d7 improve generic typing
• 385c0eb type Serializer as generic (#374)
• 01001c6 type Serializer as generic
• bc88e94 improve typing (#373)
• 69a3bca improve typing
• Additional commits viewable in compare view

Updates werkzeug from 3.0.1 to 3.1.3

Release notes

Sourced from werkzeug's releases.

3.1.3

This is the Werkzeug 3.1.3 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes vs 3.1.0.

PyPI: https://pypi.org/project/Werkzeug/3.1.3/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-1-3 Milestone: https://github.com/pallets/werkzeug/milestone/41?closed=1

• Initial data passed to MultiDict and similar interfaces only accepts list, tuple, or set when passing multiple values. It had been changed to accept any Collection, but this matched types that should be treated as single values, such as bytes. #2994
• When the Host header is not set and Request.host falls back to the WSGI SERVER_NAME value, if that value is an IPv6 address it is wrapped in [] to match the Host header. #2993

3.1.2

This is the Werkzeug 3.1.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes vs 3.1.0.

PyPI: https://pypi.org/project/Werkzeug/3.1.2/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-1-2 Milestone: https://github.com/pallets/werkzeug/milestone/40?closed=1

• Improve type annotation for TypeConversionDict.get to allow the type parameter to be a callable. #2988
• Headers does not inherit from MutableMapping, as it is does not exactly match that interface. #2989

3.1.1

This is the Werkzeug 3.1.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes vs 3.1.0.

PyPI: https://pypi.org/project/Werkzeug/3.1.1/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-1-1 Milestone: https://github.com/pallets/werkzeug/milestone/38?closed=1

• Fix an issue that caused str(Request.headers) to always appear empty. #2985

3.1.0

This is the Werkzeug 3.1.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI: https://pypi.org/project/Werkzeug/3.1.0/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-1-0 Milestone: https://github.com/pallets/werkzeug/milestone/34?closed=1

• Drop support for Python 3.8. #2966
• Remove previously deprecated code. #2967
• Request.max_form_memory_size defaults to 500kB instead of unlimited. Non-file form fields over this size will cause a RequestEntityTooLarge error. #2964
• OrderedMultiDict and ImmutableOrderedMultiDict are deprecated. Use MultiDict and ImmutableMultiDict instead. #2968
• Behavior of properties on request.cache_control and response.cache_control has been significantly adjusted.
  • Dict values are always str | None. Setting properties will convert the value to a string. Setting a property to False is equivalent to setting it to None. Getting typed properties will return None if conversion raises ValueError, rather than the string. #2980
  • max_age is None if present without a value, rather than -1. #2980
  • no_cache is a boolean for requests, it is True instead of "*" when present. It remains a string for responses. #2980
  • max_stale is True if present without a value, rather than "*". #2980
  • no_transform is a boolean. Previously it was mistakenly always None. #2881
  • min_fresh is None if present without a value, rather than "*". #2881
  • private is True if present without a value, rather than "*". #2980
  • Added the must_understand property. #2881
  • Added the stale_while_revalidate, and stale_if_error properties. #2948

... (truncated)

Changelog

Sourced from werkzeug's changelog.

Version 3.1.3

Released 2024-11-08

• Initial data passed to MultiDict and similar interfaces only accepts list, tuple, or set when passing multiple values. It had been changed to accept any Collection, but this matched types that should be treated as single values, such as bytes. :issue:2994
• When the Host header is not set and Request.host falls back to the WSGI SERVER_NAME value, if that value is an IPv6 address it is wrapped in [] to match the Host header. :issue:2993

Version 3.1.2

Released 2024-11-04

• Improve type annotation for TypeConversionDict.get to allow the type parameter to be a callable. :issue:2988
• Headers does not inherit from MutableMapping, as it is does not exactly match that interface. :issue:2989

Version 3.1.1

Released 2024-11-01

• Fix an issue that caused str(Request.headers) to always appear empty. :issue:2985

Version 3.1.0

Released 2024-10-31

• Drop support for Python 3.8. :pr:2966

• Remove previously deprecated code. :pr:2967

• Request.max_form_memory_size defaults to 500kB instead of unlimited. Non-file form fields over this size will cause a RequestEntityTooLarge error. :issue:2964

• OrderedMultiDict and ImmutableOrderedMultiDict are deprecated. Use MultiDict and ImmutableMultiDict instead. :issue:2968

• Behavior of properties on request.cache_control and response.cache_control has been significantly adjusted.

  • Dict values are always str | None. Setting properties will convert

... (truncated)

Commits

• 6389612 release version 3.1.3
• ba15683 wrap IPv6 SERVER_NAME in [] (#2997)
• d99f72d wrap IPv6 SERVER_NAME in []
• ea93b54 restrict containers accepted by multi (#2995)
• 598bb1d restrict containers accepted by multi
• 1a1728e start version 3.1.3
• 4fd7073 release version 3.1.2 (#2992)
• 4764684 release version 3.1.2
• 1803db6 Headers is not MutableMapping (#2991)
• ac87bf8 Headers is not MutableMapping
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once it's up-to-date and CI passes on it, as requested by @tim-s-ccs.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[tim-s-ccs]

@dependabot merge