Bump the uv group across 9 directories with 5 updates by dependabot[bot] · Pull Request #2017 · Zipstack/unstract

dependabot · 2026-06-07T15:29:24Z

Bumps the uv group with 3 updates in the /platform-service directory: protobuf, flask and werkzeug.
Bumps the uv group with 3 updates in the /prompt-service directory: protobuf, flask and werkzeug.
Bumps the uv group with 3 updates in the /runner directory: protobuf, flask and werkzeug.
Bumps the uv group with 2 updates in the /unstract/core directory: flask and werkzeug.
Bumps the uv group with 1 update in the /unstract/filesystem directory: protobuf.
Bumps the uv group with 1 update in the /unstract/flags directory: protobuf.
Bumps the uv group with 1 update in the /unstract/tool-registry directory: protobuf.
Bumps the uv group with 1 update in the /workers directory: black.
Bumps the uv group with 4 updates in the /x2text-service directory: protobuf, flask, setuptools and werkzeug.

Updates protobuf from 4.25.8 to 5.29.6

Release notes

Sourced from protobuf's releases.

Protocol Buffers v34.0-rc1

Announcements

This version includes breaking changes to: C++, Objective-C, PHP, Python.

[Bazel] Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (protocolbuffers/protobuf@0a5c2f6)

[C++] Make generator headers private (protocolbuffers/protobuf@3a2af35)

[C++] Add a debug check that the target of CopyFrom is not a descendant of the source. (protocolbuffers/protobuf@7a75898)

[C++] Add [[nodiscard]] to many APIs. (protocolbuffers/protobuf@a70115f)

[C++] Make the arena-enabled constructors of RepeatedField, RepeatedPtrField, and Map private. (protocolbuffers/protobuf@ef890c3)

[C++] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (protocolbuffers/protobuf@b76faa9)

[C++] Removes proto2::util::MessageDifferencer::AddIgnoreCriteria that takes a raw pointer as an argument in favor of the overload that takes a unique_ptr. Remove macro PROTOBUF_FUTURE_REMOVE_ADD_IGNORE_CRITERIA (protocolbuffers/protobuf@b115358)

[C++] Remove deprecated FieldDescriptor::has_optional_keyword() in OSS. Use is_repeated() or has_presence() instead (protocolbuffers/protobuf@68346ec)

[C++] Remove AddUnusedImportTrackFile() and ClearUnusedImportTrackFiles(). Remove PROTOBUF_FUTURE_RENAME_ADD_UNUSED_IMPORT (protocolbuffers/protobuf@837a2cd)

[C++] Remove deprecated FieldDescriptor::is_optional() in OSS. Use (!is_required() && !is_repeated()) instead (protocolbuffers/protobuf@9dbc5d4)

[C++] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (protocolbuffers/protobuf@c301c2c)

[C++] All entity names have length limit (2afb0dc)

[ObjC] Remove generate_minimal_imports generation option warning (protocolbuffers/protobuf@45b1297)

[ObjC] Fix nullability annotations on some GPB*Dictionary types. (protocolbuffers/protobuf@ea67d6d)

[ObjC] Remove -[GPBFieldDescriptor optional] (protocolbuffers/protobuf@3414dc1)

[Other] Remove deprecated flag for enabling MSVC support (protocolbuffers/protobuf@97c979b)

[PHP] Remove deprecated PHP APIs (protocolbuffers/protobuf@9c45014)

[PHP] Remove deprecated PHP APIs FieldDescriptor getLabel, use IsRepeated or isRequired instead. (protocolbuffers/protobuf@4208121, protocolbuffers/protobuf@cd76e67, protocolbuffers/protobuf@4208121)

[PHP] Add PHP typehints for setters and remove redundant GPBUtil checks (protocolbuffers/protobuf#25296) (protocolbuffers/protobuf@aee03b7)

[PHP] support default values for editions/proto2 (protocolbuffers/protobuf#25161) (protocolbuffers/protobuf@b01099d)

[Python] Raise errors in OSS when assign bool to int/enum field in Python Proto. (protocolbuffers/protobuf@5b116fe)

[Python] Remove float_format/double_format from python proto text_format (protocolbuffers/protobuf@e4854a1)

[Python] Raise TypeError when convert non-timedelta to Duration, or convert non-datetime to Timestamp in python proto. (Original code may raise ArributeError) (protocolbuffers/protobuf@00aaca1)

[Python] Remove float_precision from python proto json_format (protocolbuffers/protobuf@f027f1f)

[Python] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (protocolbuffers/protobuf@b76faa9)

[Python] Remove deprecated FieldDescriptor.label (protocolbuffers/protobuf@0a8ff55)

[Python] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (protocolbuffers/protobuf@c301c2c)

Protobuf News may include additional announcements or pre-announcements for upcoming changes.

Migration Guide may include additional guidance for breaking changes.

Bazel

Fix: cc_toolchain should prefer protoc when prebuilt flag is flipped. (#25168) (protocolbuffers/protobuf@8c857c3)

Breaking change: Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (protocolbuffers/protobuf@0a5c2f6)

Feat(bazel): wire up prebuilt protoc toolchain (#24115) (protocolbuffers/protobuf@cc23698)

Migrate proto_descriptor_set (#23369) (protocolbuffers/protobuf@8d4dfdd)

Compiler

Ruby codegen: support generation of rbs files (#15633) (protocolbuffers/protobuf@6ebdf85)

Avoid collision name problems between a message named Xyz and a direct sibling enum named XyzView (protocolbuffers/protobuf@eba53e8)

Generalizing and implementing ValidateFeatureSupport for both Options and Features during proto parsing (protocolbuffers/protobuf@ed3c571)

Fix a bug with custom features outside of the pb package. (protocolbuffers/protobuf@872d3ce)

Fix import option handling when include_imports isn't set. (protocolbuffers/protobuf@9ef9e80)

Fix a bug in STRICT check of namespaced enums to properly check for 'reserved 1 to max' (protocolbuffers/protobuf@1229d4a)

Prevent accidental stripping of debug_redact options via import option. (protocolbuffers/protobuf@f58b098)

C++

Add EnumerateEnumValues function. (protocolbuffers/protobuf@397d5d9)

... (truncated)

Commits

See full diff in compare view

Updates flask from 3.1.2 to 3.1.3

Release notes

Sourced from flask's releases.

3.1.3

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

The session is marked as accessed for operations that only access the keys but not the values, such as in and len. GHSA-68rp-wp8r-4726

Changelog

Sourced from flask's changelog.

Version 3.1.3

Released 2026-02-18

The session is marked as accessed for operations that only access the keys but not the values, such as in and len. :ghsa:68rp-wp8r-4726

Commits

22d9247 release version 3.1.3
089cb86 Merge commit from fork
c17f379 request context tracks session access
27be933 start version 3.1.3
4e652d3 Abort if the instance folder cannot be created (#5903)
3d03098 Abort if the instance folder cannot be created
407eb76 document using gevent for async (#5900)
ac5664d document using gevent for async
4f79d5b Increase required flit_core version to 3.11 (#5865)
fe3b215 Increase required flit_core version to 3.11
Additional commits viewable in compare view

Updates werkzeug from 3.1.3 to 3.1.6

Release notes

Sourced from werkzeug's releases.

3.1.6

This is the Werkzeug 3.1.6 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.6/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-6

safe_join on Windows does not allow special devices names in multi-segment paths. GHSA-29vq-49wr-vm6x

3.1.5

This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.5/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-5 Milestone: https://github.com/pallets/werkzeug/milestone/43?closed=1

safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. GHSA-87hc-h4r5-73f7

The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. #3065 #3077

Fix AttributeError when initializing DebuggedApplication with pin_security=False. #3075

3.1.4

This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.4/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-4 Milestone: https://github.com/pallets/werkzeug/milestone/42?closed=1

safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. ghsa-hgf8-39gv-g3f2

The debugger pin fails after 10 attempts instead of 11. #3020

The multipart form parser handles a \r\n sequence at a chunk boundary. #3065

Improve CPU usage during Watchdog reloader. #3054

Request.json annotation is more accurate. #3067

Traceback rendering handles when the line number is beyond the available source lines. #3044

HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. #3056

Changelog

Sourced from werkzeug's changelog.

Version 3.1.6

Released 2026-02-19

safe_join on Windows does not allow special devices names in multi-segment paths. :ghsa:29vq-49wr-vm6x

Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. :issue:3108

Version 3.1.5

Released 2026-01-08

safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. :ghsa:87hc-h4r5-73f7

The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. :issue:3065 :issue:3077

Fix AttributeError when initializing DebuggedApplication with pin_security=False. :issue:3075

Version 3.1.4

Released 2025-11-28

safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. :ghsa:hgf8-39gv-g3f2

The debugger pin fails after 10 attempts instead of 11. :pr:3020

The multipart form parser handles a \r\n sequence at a chunk boundary. :issue:3065

Improve CPU usage during Watchdog reloader. :issue:3054

Request.json annotation is more accurate. :issue:3067

Traceback rendering handles when the line number is beyond the available source lines. :issue:3044

HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. :issue:3056

Commits

04da1b5 release version 3.1.6
f407712 Merge commit from fork
f54fe98 safe_join prevents Windows special device names in multi-segment paths
d005985 start version 3.1.6
8565c2c document rule priority (#3102)
3febc7e document rule priority
2525b82 remove state machine docs
4abfbd5 rewrite build docstring (#3097)
161c18b rewrite build docstring
86e11c2 release version 3.1.5 (#3085)
Additional commits viewable in compare view

Updates protobuf from 4.25.8 to 5.29.6

Release notes

Sourced from protobuf's releases.

Protocol Buffers v34.0-rc1

Announcements

This version includes breaking changes to: C++, Objective-C, PHP, Python.

[Bazel] Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (protocolbuffers/protobuf@0a5c2f6)

[C++] Make generator headers private (protocolbuffers/protobuf@3a2af35)

[C++] Add a debug check that the target of CopyFrom is not a descendant of the source. (protocolbuffers/protobuf@7a75898)

[C++] Add [[nodiscard]] to many APIs. (protocolbuffers/protobuf@a70115f)

[C++] Make the arena-enabled constructors of RepeatedField, RepeatedPtrField, and Map private. (protocolbuffers/protobuf@ef890c3)

[C++] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (protocolbuffers/protobuf@b76faa9)

[C++] Removes proto2::util::MessageDifferencer::AddIgnoreCriteria that takes a raw pointer as an argument in favor of the overload that takes a unique_ptr. Remove macro PROTOBUF_FUTURE_REMOVE_ADD_IGNORE_CRITERIA (protocolbuffers/protobuf@b115358)

[C++] Remove deprecated FieldDescriptor::has_optional_keyword() in OSS. Use is_repeated() or has_presence() instead (protocolbuffers/protobuf@68346ec)

[C++] Remove AddUnusedImportTrackFile() and ClearUnusedImportTrackFiles(). Remove PROTOBUF_FUTURE_RENAME_ADD_UNUSED_IMPORT (protocolbuffers/protobuf@837a2cd)

[C++] Remove deprecated FieldDescriptor::is_optional() in OSS. Use (!is_required() && !is_repeated()) instead (protocolbuffers/protobuf@9dbc5d4)

[C++] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (protocolbuffers/protobuf@c301c2c)

[C++] All entity names have length limit (2afb0dc)

[ObjC] Remove generate_minimal_imports generation option warning (protocolbuffers/protobuf@45b1297)

[ObjC] Fix nullability annotations on some GPB*Dictionary types. (protocolbuffers/protobuf@ea67d6d)

[ObjC] Remove -[GPBFieldDescriptor optional] (protocolbuffers/protobuf@3414dc1)

[Other] Remove deprecated flag for enabling MSVC support (protocolbuffers/protobuf@97c979b)

[PHP] Remove deprecated PHP APIs (protocolbuffers/protobuf@9c45014)

[PHP] Remove deprecated PHP APIs FieldDescriptor getLabel, use IsRepeated or isRequired instead. (protocolbuffers/protobuf@4208121, protocolbuffers/protobuf@cd76e67, protocolbuffers/protobuf@4208121)

[PHP] Add PHP typehints for setters and remove redundant GPBUtil checks (protocolbuffers/protobuf#25296) (protocolbuffers/protobuf@aee03b7)

[PHP] support default values for editions/proto2 (protocolbuffers/protobuf#25161) (protocolbuffers/protobuf@b01099d)

[Python] Raise errors in OSS when assign bool to int/enum field in Python Proto. (protocolbuffers/protobuf@5b116fe)

[Python] Remove float_format/double_format from python proto text_format (protocolbuffers/protobuf@e4854a1)

[Python] Raise TypeError when convert non-timedelta to Duration, or convert non-datetime to Timestamp in python proto. (Original code may raise ArributeError) (protocolbuffers/protobuf@00aaca1)

[Python] Remove float_precision from python proto json_format (protocolbuffers/protobuf@f027f1f)

[Python] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (protocolbuffers/protobuf@b76faa9)

[Python] Remove deprecated FieldDescriptor.label (protocolbuffers/protobuf@0a8ff55)

[Python] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (protocolbuffers/protobuf@c301c2c)

Protobuf News may include additional announcements or pre-announcements for upcoming changes.

Migration Guide may include additional guidance for breaking changes.

Bazel

Fix: cc_toolchain should prefer protoc when prebuilt flag is flipped. (#25168) (protocolbuffers/protobuf@8c857c3)

Breaking change: Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (protocolbuffers/protobuf@0a5c2f6)

Feat(bazel): wire up prebuilt protoc toolchain (#24115) (protocolbuffers/protobuf@cc23698)

Migrate proto_descriptor_set (#23369) (protocolbuffers/protobuf@8d4dfdd)

Compiler

Ruby codegen: support generation of rbs files (#15633) (protocolbuffers/protobuf@6ebdf85)

Avoid collision name problems between a message named Xyz and a direct sibling enum named XyzView (protocolbuffers/protobuf@eba53e8)

Generalizing and implementing ValidateFeatureSupport for both Options and Features during proto parsing (protocolbuffers/protobuf@ed3c571)

Fix a bug with custom features outside of the pb package. (protocolbuffers/protobuf@872d3ce)

Fix import option handling when include_imports isn't set. (protocolbuffers/protobuf@9ef9e80)

Fix a bug in STRICT check of namespaced enums to properly check for 'reserved 1 to max' (protocolbuffers/protobuf@1229d4a)

Prevent accidental stripping of debug_redact options via import option. (protocolbuffers/protobuf@f58b098)

C++

Add EnumerateEnumValues function. (protocolbuffers/protobuf@397d5d9)

... (truncated)

Commits

See full diff in compare view

Updates flask from 3.1.2 to 3.1.3

Release notes

Sourced from flask's releases.

3.1.3

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

The session is marked as accessed for operations that only access the keys but not the values, such as in and len. GHSA-68rp-wp8r-4726

Changelog

Sourced from flask's changelog.

Version 3.1.3

Released 2026-02-18

The session is marked as accessed for operations that only access the keys but not the values, such as in and len. :ghsa:68rp-wp8r-4726

Commits

22d9247 release version 3.1.3
089cb86 Merge commit from fork
c17f379 request context tracks session access
27be933 start version 3.1.3
4e652d3 Abort if the instance folder cannot be created (#5903)
3d03098 Abort if the instance folder cannot be created
407eb76 document using gevent for async (#5900)
ac5664d document using gevent for async
4f79d5b Increase required flit_core version to 3.11 (#5865)
fe3b215 Increase required flit_core version to 3.11
Additional commits viewable in compare view

Updates werkzeug from 3.1.3 to 3.1.6

Release notes

Sourced from werkzeug's releases.

3.1.6

This is the Werkzeug 3.1.6 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.6/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-6

safe_join on Windows does not allow special devices names in multi-segment paths. GHSA-29vq-49wr-vm6x

3.1.5

This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.5/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-5 Milestone: https://github.com/pallets/werkzeug/milestone/43?closed=1

safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. GHSA-87hc-h4r5-73f7

The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. #3065 #3077

Fix AttributeError when initializing DebuggedApplication with pin_security=False. #3075

3.1.4

This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.4/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-4 Milestone: https://github.com/pallets/werkzeug/milestone/42?closed=1

safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. ghsa-hgf8-39gv-g3f2

The debugger pin fails after 10 attempts instead of 11. #3020

The multipart form parser handles a \r\n sequence at a chunk boundary. #3065

Improve CPU usage during Watchdog reloader. #3054

Request.json annotation is more accurate. #3067

Traceback rendering handles when the line number is beyond the available source lines. #3044

HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. #3056

Changelog

Sourced from werkzeug's changelog.

Version 3.1.6

Released 2026-02-19

safe_join on Windows does not allow special devices names in multi-segment paths. :ghsa:29vq-49wr-vm6x

Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. :issue:3108

Version 3.1.5

Released 2026-01-08

safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. :ghsa:87hc-h4r5-73f7

The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. :issue:3065 :issue:3077

Fix AttributeError when initializing DebuggedApplication with pin_security=False. :issue:3075

Version 3.1.4

Released 2025-11-28

safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. :ghsa:hgf8-39gv-g3f2

The debugger pin fails after 10 attempts instead of 11. :pr:3020

The multipart form parser handles a \r\n sequence at a chunk boundary. :issue:3065

Improve CPU usage during Watchdog reloader. :issue:3054

Request.json annotation is more accurate. :issue:3067

Traceback rendering handles when the line number is beyond the available source lines. :issue:3044

HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. :issue:3056

Commits

04da1b5 release version 3.1.6
f407712 Merge commit from fork
f54fe98 safe_join prevents Windows special device names in multi-segment paths
d005985 start version 3.1.6
8565c2c document rule priority (#3102)
3febc7e document rule priority
2525b82 remove state machine docs
4abfbd5 rewrite build docstring (#3097)
161c18b rewrite build docstring
86e11c2 release version 3.1.5 (#3085)
Additional commits viewable in compare view

Updates protobuf from 4.25.8 to 5.29.6

Release notes

Sourced from protobuf's releases.

Protocol Buffers v34.0-rc1

Announcements

This version includes breaking changes to: C++, Objective-C, PHP, Python.

[Bazel] Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (protocolbuffers/protobuf@0a5c2f6)

[C++] Make generator headers private (protocolbuffers/protobuf@3a2af35)

[C++] Add a debug check that the target of CopyFrom is not a descendant of the source. (protocolbuffers/protobuf@7a75898)

[C++] Add [[nodiscard]] to many APIs. (protocolbuffers/protobuf@a70115f)

[C++] Make the arena-enabled constructors of RepeatedField, RepeatedPtrField, and Map private. (protocolbuffers/protobuf@ef890c3)

[C++] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (protocolbuffers/protobuf@b76faa9)

[C++] Removes proto2::util::MessageDifferencer::AddIgnoreCriteria that takes a raw pointer as an argument in favor of the overload that takes a unique_ptr. Remove macro PROTOBUF_FUTURE_REMOVE_ADD_IGNORE_CRITERIA (protocolbuffers/protobuf@b115358)

[C++] Remove deprecated FieldDescriptor::has_optional_keyword() in OSS. Use is_repeated() or has_presence() instead (protocolbuffers/protobuf@68346ec)

[C++] Remove AddUnusedImportTrackFile() and ClearUnusedImportTrackFiles(). Remove PROTOBUF_FUTURE_RENAME_ADD_UNUSED_IMPORT (protocolbuffers/protobuf@837a2cd)

[C++] Remove deprecated FieldDescriptor::is_optional() in OSS. Use (!is_required() && !is_repeated()) instead (protocolbuffers/protobuf@9dbc5d4)

[C++] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (protocolbuffers/protobuf@c301c2c)

[C++] All entity names have length limit (2afb0dc)

[ObjC] Remove generate_minimal_imports generation option warning (protocolbuffers/protobuf@45b1297)

[ObjC] Fix nullability annotations on some GPB*Dictionary types. (protocolbuffers/protobuf@ea67d6d)

[ObjC] Remove -[GPBFieldDescriptor optional] (protocolbuffers/protobuf@3414dc1)

[Other] Remove deprecated flag for enabling MSVC support (protocolbuffers/protobuf@97c979b)

[PHP] Remove deprecated PHP APIs (protocolbuffers/protobuf@9c45014)

[PHP] Remove deprecated PHP APIs FieldDescriptor getLabel, use IsRepeated or isRequired instead. (protocolbuffers/protobuf@4208121, protocolbuffers/protobuf@cd76e67, protocolbuffers/protobuf@4208121)

[PHP] Add PHP typehints for setters and remove redundant GPBUtil checks (protocolbuffers/protobuf#25296) (protocolbuffers/protobuf@aee03b7)

[PHP] support default values for editions/proto2 (protocolbuffers/protobuf#25161) (protocolbuffers/protobuf@b01099d)

[Python] Raise errors in OSS when assign bool to int/enum field in Python Proto. (protocolbuffers/protobuf@5b116fe)

[Python] Remove float_format/double_format from python proto text_format (protocolbuffers/protobuf@e4854a1)

[Python] Raise TypeError when convert non-timedelta to Duration, or convert non-datetime to Timestamp in python proto. (Original code may raise ArributeError) (protocolbuffers/protobuf@00aaca1)

[Python] Remove float_precision from python proto json_format (protocolbuffers/protobuf@f027f1f)

[Python] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (protocolbuffers/protobuf@b76faa9)

[Python] Remove deprecated FieldDescriptor.label (protocolbuffers/protobuf@0a8ff55)

[Python] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (protocolbuffers/protobuf@c301c2c)

Protobuf News may include additional announcements or pre-announcements for upcoming changes.

Migration Guide may include additional guidance for breaking changes.

Bazel

Fix: cc_toolchain should prefer protoc when prebuilt flag is flipped. (#25168) (protocolbuffers/protobuf@8c857c3)

Breaking change: Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (protocolbuffers/protobuf@0a5c2f6)

Feat(bazel): wire up prebuilt protoc toolchain (#24115) (protocolbuffers/protobuf@cc23698)

Migrate proto_descriptor_set (#23369) (protocolbuffers/protobuf@8d4dfdd)

Compiler

Ruby codegen: support generation of rbs files (#15633) (protocolbuffers/protobuf@6ebdf85)

Avoid collision name problems between a message named Xyz and a direct sibling enum named XyzView (protocolbuffers/protobuf@eba53e8)

Generalizing and implementing ValidateFeatureSupport for both Options and Features during proto parsing (protocolbuffers/protobuf@ed3c571)

Fix a bug with custom features outside of the pb package. (protocolbuffers/protobuf@872d3ce)

Fix import option handling when include_imports isn't set. (protocolbuffers/protobuf@9ef9e80)

Fix a bug in STRICT check of namespaced enums to properly check for 'reserved 1 to max' (protocolbuffers/protobuf@1229d4a)

Prevent accidental stripping of debug_redact options via import option. (protocolbuffers/protobuf@f58b098)

C++

Add EnumerateEnumValues function. (protocolbuffers/protobuf@397d5d9)

... (truncated)

Commits

See full diff in compare view

Updates flask from 3.1.1 to 3.1.3

Release notes

Sourced from flask's releases.

3.1.3

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

The session is marked as accessed for operations that only access the keys but not the values, such as in and len. GHSA-68rp-wp8r-4726

Changelog

Sourced from fla...

Description has been truncated

Bumps the uv group with 3 updates in the /platform-service directory: [protobuf](https://github.com/protocolbuffers/protobuf), [flask](https://github.com/pallets/flask) and [werkzeug](https://github.com/pallets/werkzeug). Bumps the uv group with 3 updates in the /prompt-service directory: [protobuf](https://github.com/protocolbuffers/protobuf), [flask](https://github.com/pallets/flask) and [werkzeug](https://github.com/pallets/werkzeug). Bumps the uv group with 3 updates in the /runner directory: [protobuf](https://github.com/protocolbuffers/protobuf), [flask](https://github.com/pallets/flask) and [werkzeug](https://github.com/pallets/werkzeug). Bumps the uv group with 2 updates in the /unstract/core directory: [flask](https://github.com/pallets/flask) and [werkzeug](https://github.com/pallets/werkzeug). Bumps the uv group with 1 update in the /unstract/filesystem directory: [protobuf](https://github.com/protocolbuffers/protobuf). Bumps the uv group with 1 update in the /unstract/flags directory: [protobuf](https://github.com/protocolbuffers/protobuf). Bumps the uv group with 1 update in the /unstract/tool-registry directory: [protobuf](https://github.com/protocolbuffers/protobuf). Bumps the uv group with 1 update in the /workers directory: [black](https://github.com/psf/black). Bumps the uv group with 4 updates in the /x2text-service directory: [protobuf](https://github.com/protocolbuffers/protobuf), [flask](https://github.com/pallets/flask), [setuptools](https://github.com/pypa/setuptools) and [werkzeug](https://github.com/pallets/werkzeug). Updates `protobuf` from 4.25.8 to 5.29.6 - [Release notes](https://github.com/protocolbuffers/protobuf/releases) - [Commits](https://github.com/protocolbuffers/protobuf/commits) Updates `flask` from 3.1.2 to 3.1.3 - [Release notes](https://github.com/pallets/flask/releases) - [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst) - [Commits](pallets/flask@3.1.2...3.1.3) Updates `werkzeug` from 3.1.3 to 3.1.6 - [Release notes](https://github.com/pallets/werkzeug/releases) - [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst) - [Commits](pallets/werkzeug@3.1.3...3.1.6) Updates `protobuf` from 4.25.8 to 5.29.6 - [Release notes](https://github.com/protocolbuffers/protobuf/releases) - [Commits](https://github.com/protocolbuffers/protobuf/commits) Updates `flask` from 3.1.2 to 3.1.3 - [Release notes](https://github.com/pallets/flask/releases) - [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst) - [Commits](pallets/flask@3.1.2...3.1.3) Updates `werkzeug` from 3.1.3 to 3.1.6 - [Release notes](https://github.com/pallets/werkzeug/releases) - [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst) - [Commits](pallets/werkzeug@3.1.3...3.1.6) Updates `protobuf` from 4.25.8 to 5.29.6 - [Release notes](https://github.com/protocolbuffers/protobuf/releases) - [Commits](https://github.com/protocolbuffers/protobuf/commits) Updates `flask` from 3.1.1 to 3.1.3 - [Release notes](https://github.com/pallets/flask/releases) - [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst) - [Commits](pallets/flask@3.1.2...3.1.3) Updates `werkzeug` from 3.1.3 to 3.1.6 - [Release notes](https://github.com/pallets/werkzeug/releases) - [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst) - [Commits](pallets/werkzeug@3.1.3...3.1.6) Updates `flask` from 3.1.0 to 3.1.3 - [Release notes](https://github.com/pallets/flask/releases) - [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst) - [Commits](pallets/flask@3.1.2...3.1.3) Updates `werkzeug` from 3.1.3 to 3.1.6 - [Release notes](https://github.com/pallets/werkzeug/releases) - [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst) - [Commits](pallets/werkzeug@3.1.3...3.1.6) Updates `protobuf` from 4.25.6 to 5.29.6 - [Release notes](https://github.com/protocolbuffers/protobuf/releases) - [Commits](https://github.com/protocolbuffers/protobuf/commits) Updates `protobuf` from 6.33.1 to 6.33.5 - [Release notes](https://github.com/protocolbuffers/protobuf/releases) - [Commits](https://github.com/protocolbuffers/protobuf/commits) Updates `protobuf` from 4.25.6 to 5.29.6 - [Release notes](https://github.com/protocolbuffers/protobuf/releases) - [Commits](https://github.com/protocolbuffers/protobuf/commits) Updates `black` from 26.1.0 to 26.3.1 - [Release notes](https://github.com/psf/black/releases) - [Changelog](https://github.com/psf/black/blob/main/CHANGES.md) - [Commits](psf/black@26.1.0...26.3.1) Updates `protobuf` from 5.29.4 to 5.29.6 - [Release notes](https://github.com/protocolbuffers/protobuf/releases) - [Commits](https://github.com/protocolbuffers/protobuf/commits) Updates `flask` from 3.1.0 to 3.1.3 - [Release notes](https://github.com/pallets/flask/releases) - [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst) - [Commits](pallets/flask@3.1.2...3.1.3) Updates `setuptools` from 78.1.0 to 78.1.1 - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](pypa/setuptools@v78.1.0...v78.1.1) Updates `werkzeug` from 3.1.3 to 3.1.6 - [Release notes](https://github.com/pallets/werkzeug/releases) - [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst) - [Commits](pallets/werkzeug@3.1.3...3.1.6) --- updated-dependencies: - dependency-name: protobuf dependency-version: 5.29.6 dependency-type: direct:production dependency-group: uv - dependency-name: flask dependency-version: 3.1.3 dependency-type: direct:production dependency-group: uv - dependency-name: werkzeug dependency-version: 3.1.6 dependency-type: indirect dependency-group: uv - dependency-name: protobuf dependency-version: 5.29.6 dependency-type: direct:production dependency-group: uv - dependency-name: flask dependency-version: 3.1.3 dependency-type: direct:production dependency-group: uv - dependency-name: werkzeug dependency-version: 3.1.6 dependency-type: indirect dependency-group: uv - dependency-name: protobuf dependency-version: 5.29.6 dependency-type: direct:production dependency-group: uv - dependency-name: flask dependency-version: 3.1.3 dependency-type: direct:production dependency-group: uv - dependency-name: werkzeug dependency-version: 3.1.6 dependency-type: indirect dependency-group: uv - dependency-name: flask dependency-version: 3.1.3 dependency-type: direct:production dependency-group: uv - dependency-name: werkzeug dependency-version: 3.1.6 dependency-type: indirect dependency-group: uv - dependency-name: protobuf dependency-version: 5.29.6 dependency-type: indirect dependency-group: uv - dependency-name: protobuf dependency-version: 6.33.5 dependency-type: direct:production dependency-group: uv - dependency-name: protobuf dependency-version: 5.29.6 dependency-type: direct:production dependency-group: uv - dependency-name: black dependency-version: 26.3.1 dependency-type: direct:development dependency-group: uv - dependency-name: protobuf dependency-version: 5.29.6 dependency-type: indirect dependency-group: uv - dependency-name: flask dependency-version: 3.1.3 dependency-type: direct:production dependency-group: uv - dependency-name: setuptools dependency-version: 78.1.1 dependency-type: indirect dependency-group: uv - dependency-name: werkzeug dependency-version: 3.1.6 dependency-type: indirect dependency-group: uv ... Signed-off-by: dependabot[bot] <support@github.com>

greptile-apps · 2026-06-07T15:29:28Z

PR author is in the excluded authors list.

CLAassistant · 2026-06-07T15:29:32Z

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ jaseemjaskp
❌ dependabot[bot]
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

jaseemjaskp

Automated dependency-bump review (PR Review Toolkit context).

Scope note: This PR contains only uv.lock (generated) and pyproject.toml (declared deps) — no application source. The source-semantics agents (Silent-Failure / Type-Design / Test / Comment / Simplifier) have no surface to analyze here, so this review focuses on what matters for a dependency bump: major-version jumps with breaking changes, declared-dependency edits beyond plain bumps, and monorepo version consistency. Each declared change was checked against actual usage in the codebase.

Findings inline below, prioritised. The cryptography and werkzeug/flask bumps were verified safe against current usage.

Dependabot added 'flask>=3.1.3' alongside the existing 'Flask>=3.0.1', leaving the same package declared twice with conflicting floors. Collapse to a single 'flask>=3.1.3'. Pure declaration cleanup - uv lock confirms no resolved versions change (flask was already locked at 3.1.3).

sonarqubecloud · 2026-06-08T02:17:29Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

github-actions · 2026-06-08T02:19:03Z

Unstract test results

Per-group results

Status	Group	Tier	Passed	Failed	Errors	Skipped	Duration (s)
❌	`unit-connectors`	unit	64	12	0	3	16.8
❌	`unit-core`	unit	0	0	2	0	1.2
❌	`unit-platform-service`	unit	9	0	1	0	1.3
✅	`unit-prompt-service`	unit	15	0	0	0	20.0
✅	`unit-runner`	unit	11	0	0	0	3.1
✅	`unit-sdk1`	unit	381	0	0	0	23.8
❌	`unit-tool-registry`	unit	0	0	1	0	1.3
	TOTAL		480	12	4	3	67.5

Critical paths

⚠️ Critical paths not yet covered

auth-login — User can log in and obtain a session cookie. (entry: POST /api/v1/auth/login; declared coverage: no groups declared)
adapter-register-llm — Register and validate an LLM adapter. (entry: POST /api/v1/adapter/; declared coverage: no groups declared)
workflow-create-execute — Create a workflow, configure source+destination, execute, poll, fetch result. (entry: POST /api/v1/workflow/{id}/execute/; declared coverage: e2e-workflow)
api-deployment-run — Deploy a workflow as an API, POST a document, receive structured JSON. (entry: POST /deployment/api/{org}/{name}/; declared coverage: e2e-api-deployment)
prompt-studio-fetch-response — Prompt Studio: create project, add prompt, run single-pass, get response. (entry: POST /api/v1/prompt-studio/prompt-studio-tool/{id}/fetch_response/; declared coverage: e2e-prompt-studio)
pipeline-etl-execute — Run an ETL pipeline from source connector to destination. (entry: POST /api/v1/pipeline/{id}/execute/; declared coverage: no groups declared)
usage-token-tracking — Per-execution token usage is recorded and retrievable. (entry: GET /api/v1/usage/get_token_usage/; declared coverage: no groups declared)
workflow-execution-fan-out — Multi-file workflow execution fans out to file-processing workers and rejoins. (entry: internal: backend → rabbitmq → workers/file_processing; declared coverage: no groups declared)
callback-result-delivery — Async results are posted back via the callback worker. (entry: internal: workers/callback → backend /internal endpoints; declared coverage: no groups declared)

✅ Covered critical paths

tool-sandbox-exec — covered by unit-runner

unstract-flags pinned protobuf>=6.33.5 (over-aggressive dependabot bump in #2017), which conflicts with google-cloud-bigquery==3.11.4 (caps protobuf<5) in every module pulling both flags and connectors (root, backend, workers), making uv lock unsatisfiable. The flipt gRPC stubs use the protobuf 4.x+ _builder API and egg-info declares protobuf>=4.25.0, so revert the floor to >=4.25.0 (no code requires protobuf>=5.26). Avoids forcing protobuf 6, which would otherwise downgrade opentelemetry 1.34->1.11. Also raise backend cryptography floor >=46.0.7 -> >=48.0.0 to genuinely align with platform-service, and re-lock all stale modules.

…hy 48.0.0 (CVE fixes) (#2018) * [FIX] Upgrade snowflake-connector-python to 4.x to unblock cryptography 48.0.0 (CVE fixes) snowflake-connector-python ~=3.14.0 pinned cffi<2.0.0, which conflicted with cryptography 46.0.1+ requiring cffi>=2.0.0. This capped cryptography at 46.0.0 in every module pulling unstract-connectors (backend, workers, connectors, root), leaving them on a version below the CVE fixes in 46.0.5/46.0.6/46.0.7 (CVE-2026-26007, CVE-2026-34073, CVE-2026-39892). snowflake 4.x drops the cffi dependency entirely and itself requires cryptography>=46.0.5, so bumping it lifts the cap. Re-locked all modules to cryptography 48.0.0 / cffi 2.0.0, eliminating version divergence. Fixes #2016 * Fix protobuf conflict blocking lock resolution; align crypto floor unstract-flags pinned protobuf>=6.33.5 (over-aggressive dependabot bump in #2017), which conflicts with google-cloud-bigquery==3.11.4 (caps protobuf<5) in every module pulling both flags and connectors (root, backend, workers), making uv lock unsatisfiable. The flipt gRPC stubs use the protobuf 4.x+ _builder API and egg-info declares protobuf>=4.25.0, so revert the floor to >=4.25.0 (no code requires protobuf>=5.26). Avoids forcing protobuf 6, which would otherwise downgrade opentelemetry 1.34->1.11. Also raise backend cryptography floor >=46.0.7 -> >=48.0.0 to genuinely align with platform-service, and re-lock all stale modules.

dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 7, 2026

jaseemjaskp self-requested a review June 8, 2026 01:42

jaseemjaskp reviewed Jun 8, 2026

View reviewed changes

Comment thread unstract/flags/pyproject.toml

Comment thread x2text-service/pyproject.toml

Comment thread workers/pyproject.toml

Comment thread platform-service/pyproject.toml

jaseemjaskp requested review from jaseemjaskp and johnyrahul June 8, 2026 02:18

jaseemjaskp approved these changes Jun 8, 2026

View reviewed changes

johnyrahul approved these changes Jun 8, 2026

View reviewed changes

jaseemjaskp merged commit 879a0cf into main Jun 8, 2026
4 of 10 checks passed

jaseemjaskp deleted the dependabot/uv/uv-ba867d4d4b branch June 8, 2026 04:05

jaseemjaskp mentioned this pull request Jun 8, 2026

[FIX] Upgrade snowflake-connector-python to 4.x to unblock cryptography 48.0.0 (CVE fixes) #2018

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the uv group across 9 directories with 5 updates#2017

Bump the uv group across 9 directories with 5 updates#2017
jaseemjaskp merged 2 commits into
mainfrom
dependabot/uv/uv-ba867d4d4b

dependabot Bot commented on behalf of github Jun 7, 2026

Uh oh!

greptile-apps Bot commented Jun 7, 2026

Uh oh!

CLAassistant commented Jun 7, 2026 •

edited

Loading

Uh oh!

jaseemjaskp left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

sonarqubecloud Bot commented Jun 8, 2026

Uh oh!

github-actions Bot commented Jun 8, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

dependabot Bot commented on behalf of github Jun 7, 2026

Protocol Buffers v34.0-rc1

Announcements

Bazel

Compiler

C++

3.1.3

Version 3.1.3

3.1.6

3.1.5

3.1.4

Version 3.1.6

Version 3.1.5

Version 3.1.4

Protocol Buffers v34.0-rc1

Announcements

Bazel

Compiler

C++

3.1.3

Version 3.1.3

3.1.6

3.1.5

3.1.4

Version 3.1.6

Version 3.1.5

Version 3.1.4

Protocol Buffers v34.0-rc1

Announcements

Bazel

Compiler

C++

3.1.3

Uh oh!

greptile-apps Bot commented Jun 7, 2026

Uh oh!

CLAassistant commented Jun 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jaseemjaskp left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

sonarqubecloud Bot commented Jun 8, 2026

Quality Gate passed

Uh oh!

github-actions Bot commented Jun 8, 2026

Unstract test results

Per-group results

Critical paths

⚠️ Critical paths not yet covered

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

CLAassistant commented Jun 7, 2026 •

edited

Loading