Bump mako from 1.3.10 to 1.3.11 in /pathology-api

[dependabot]

Bumps mako from 1.3.10 to 1.3.11.

Release notes

Sourced from mako's releases.

1.3.11

Released: Tue Apr 14 2026

bug

• [bug] [template] Fixed issue in TemplateLookup where a URI with a double-slash prefix (e.g. //../../) could bypass the directory traversal check in Template, allowing reads of arbitrary files outside of the template directory. The issue was caused by an inconsistency in how leading slashes were stripped between TemplateLookup.get_template() and Template initialization.

  References: #434

Commits

• See full diff in compare view

[nhsd-rebecca-flynn]

@dependabot rebase

[github-actions]

Deployment Complete

• Preview with mock:
  • URL: https://dependabot-106.dev.endpoints.pathology-laboratory-reporting.national.nhs.uk — Status
    • Smoke test result: ✅ Passed (HTTP 200)
  • Proxy URL: https://internal-dev.api.service.nhs.uk/pathology-laboratory-reporting-pr-106
  • Lambda function: pr-dependabot-106
• Mock endpoints:
  • URL: https://dependabot-106.m.dev.endpoints.pathology-laboratory-reporting.national.nhs.uk
    • Smoke test result: ✅ Passed (HTTP 200)
  • Lambda function: mock-dependabot-106
• Preview with integration:
  • URL: Skipped for Dependabot PR
    • Smoke test result: Skipped for Dependabot PR
  • Proxy URL: Skipped for Dependabot PR
  • Lambda function: Skipped for Dependabot PR

[nhsd-rebecca-flynn]

This mako dependency upgrade fixes a moderate vulnerability where TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. The release has been out since 12 Apr 2026 and has been released by the same user as previous releases.