Bump Werkzeug from 3.1.5 to 3.1.8#1157
Merged
Merged
Conversation
kevinschumacher
added
dependencies
zbmott
approved these changes
Jun 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Upgrades
werkzeugto 3.1.8.Fixes security alert
3.1.6 was a security fix release.
3.1.7 and 3.1.8 are bugfix releases.
Expand for [Changelog since 3.1.5]
Changelog since 3.1.5
Version 3.1.8
Released 2026-04-02
Request.host and get_host return the empty string if the header is missing or has invalid characters. #3142
Version 3.1.7
Released 2026-03-23
parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. #3128
WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. #3127
Transfer-Encoding is parsed as a set. #3134
Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. #3113
Fix multipart form parser handling of newline at boundary. #3088
Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. #3108
merge_slashes merges any number of consecutive slashes. #3121
Version 3.1.6
Released 2026-02-19
safe_join on Windows does not allow special devices names in multi-segment paths. GHSA-29vq-49wr-vm6x
Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. #3108