Bump werkzeug from 0.15.4 to 2.0.0

[dependabot-preview]

Bumps werkzeug from 0.15.4 to 2.0.0.

Release notes

Sourced from werkzeug's releases.

2.0.0

New major versions of all the core Pallets libraries, including Werkzeug 2.0, have been released! 🎉

• Read the announcement on our blog: https://palletsprojects.com/blog/flask-2-0-released/
• Read the full list of changes: https://werkzeug.palletsprojects.com/changes/#version-2-0-0
• Retweet the announcement on Twitter: https://twitter.com/PalletsTeam/status/1392266507296514048
• Follow our blog, Twitter, or GitHub to see future announcements.

This represents a significant amount of work, and there are quite a few changes. Be sure to carefully read the changelog, and use tools such as pip-compile and Dependabot to pin your dependencies and control your updates.

2.0.0rc5

• Changes: https://werkzeug.palletsprojects.com/en/master/changes#version-2-0-0

2.0.0rc4

• Changes: https://werkzeug.palletsprojects.com/en/master/changes/#version-2-0-0

2.0.0 Release Candidate 3

• Changes: https://werkzeug.palletsprojects.com/en/master/changes/#version-2-0-0

Use the --pre flag to install this pre-release:

pip install --pre Werkzeug==2.0.0rc3

2.0.0 Release Candidate 2

• Changes: https://werkzeug.palletsprojects.com/en/master/changes/#version-2-0-0

Use the --pre flag to install this pre-release:

pip install --pre Werkzeug==2.0.0rc2

2.0.0 Release Candidate 1

• Changes: https://werkzeug.palletsprojects.com/en/master/changes/#version-2-0-0

Use the --pre flag to install this pre-release:

pip install --pre Werkzeug==2.0.0rc1

1.0.1

• Changelog: https://werkzeug.palletsprojects.com/en/1.0.x/changes/#version-1-0-1

1.0.0

After 13 years of development, we're finally 1.0!

Note that previously deprecated code has been removed in this release. Use 0.16.1 as an intermediate step to see deprecation warnings and upgrade.

... (truncated)

Changelog

Sourced from werkzeug's changelog.

Version 2.0.0

Released 2021-05-11

• Drop support for Python 2 and 3.5. 1693
• Deprecate utils.format_string, use string.Template instead. 1756
• Deprecate utils.bind_arguments and utils.validate_arguments, use Signature.bind and inspect.signature instead. 1757
• Deprecate utils.HTMLBuilder. 1761
• Deprecate utils.escape and utils.unescape, use MarkupSafe instead. 1758
• Deprecate the undocumented python -m werkzeug.serving CLI. 1834
• Deprecate the environ["werkzeug.server.shutdown"] function that is available when running the development server. 1752
• Deprecate the useragents module and the built-in user agent parser. Use a dedicated parser library instead by subclassing user_agent.UserAgent and setting Request.user_agent_class. 2078
• Remove the unused, internal posixemulation module. 1759
• All datetime values are timezone-aware with tzinfo=timezone.utc. This applies to anything using http.parse_date: Request.date, .if_modified_since, .if_unmodified_since; Response.date, .expires, .last_modified, .retry_after; parse_if_range_header, and IfRange.date. When comparing values, the other values must also be aware, or these values must be made naive. When passing parameters or setting attributes, naive values are still assumed to be in UTC. 2040
• Merge all request and response wrapper mixin code into single Request and Response classes. Using the mixin classes is no longer necessary and will show a deprecation warning. Checking isinstance or issubclass against BaseRequest and BaseResponse will show a deprecation warning and check against Request or Response instead. 1963
• JSON support no longer uses simplejson if it's installed. To use another JSON module, override Request.json_module and Response.json_module. 1766
• Response.get_json() no longer caches the result, and the cache parameter is removed. 1698
• Response.freeze() generates an ETag header if one is not set. The no_etag parameter (which usually wasn't visible anyway) is no longer used. 1963
• Add a url_scheme argument to ~routing.MapAdapter.build to override the bound scheme. 1721
• Passing an empty list as a query string parameter to build() won't append an unnecessary ?. Also drop any number of None items in a list. 1992
• When passing a Headers object to a test client method or EnvironBuilder, multiple values for a key are joined into one comma separated value. This matches the HTTP spec on multi-value headers. 1655
• Setting Response.status and status_code uses identical parsing and error checking. 1658, 1728
• MethodNotAllowed and RequestedRangeNotSatisfiable take a response kwarg, consistent with other HTTP errors. 1748
• The response generated by ~exceptions.Unauthorized produces one WWW-Authenticate header per value in www_authenticate, rather than joining them into a single value, to improve interoperability with browsers and other clients. 1755
• If parse_authorization_header can't decode the header value, it returns None instead of raising a UnicodeDecodeError. 1816
• The debugger no longer uses jQuery. 1807
• The test client includes the query string in REQUEST_URI and RAW_URI. 1781
• Switch the parameter order of default_stream_factory to match the order used when calling it. 1085
• Add send_file function to generate a response that serves a file. Adapted from Flask's implementation. 265, 1850
• Add send_from_directory function to safely serve an untrusted path within a trusted directory. Adapted from Flask's implementation. 1880
• send_file takes download_name, which is passed even if as_attachment=False by using Content-Disposition: inline. download_name replaces Flask's attachment_filename. 1869
• send_file sets conditional=True and max_age=None by default. Cache-Control is set to no-cache if max_age is not set, otherwise public. This tells browsers to validate conditional requests instead of using a timed cache. max_age=None replaces Flask's cache_timeout=43200. 1882
• send_file can be called with etag="string" to set a custom ETag instead of generating one. etag replaces Flask's add_etags. 1868
• send_file sets the Content-Encoding header if an encoding is returned when guessing mimetype from download_name. 3896
• Update the defaults used by generate_password_hash. Increase PBKDF2 iterations to 260000 from 150000. Increase salt length to 16 from 8. Use secrets module to generate salt. 1935
• The reloader doesn't crash if sys.stdin is somehow None. 1915
• Add arguments to delete_cookie to match set_cookie and the attributes modern browsers expect. 1889
• utils.cookie_date is deprecated, use utils.http_date instead. The value for Set-Cookie expires is no longer "-" delimited. 2040
• Use request.headers instead of request.environ to look up header attributes. 1808
• The test Client request methods (client.get, etc.) always return an instance of TestResponse. In addition to the normal behavior of Response, this class provides request with the request that produced the response, and history to track intermediate responses when follow_redirects is used. 763, 1894
• The test Client request methods takes an auth parameter to add an Authorization header. It can be an Authorization object or a (username, password) tuple for Basic auth. 1809
• Calling response.close() on a response from the test Client will close the request input stream. This matches file behavior and can prevent a ResourceWarning in some cases. 1785
• EnvironBuilder.from_environ decodes values encoded for WSGI, to avoid double encoding the new values. 1959
• The default stat reloader will watch Python files under non-system/virtualenv sys.path entries, which should contain most user code. It will also watch all Python files under directories given in extra_files. 1945
• The reloader ignores __pycache__ directories again. 1945
• run_simple takes exclude_patterns a list of fnmatch patterns that will not be scanned by the reloader. 1333
• Cookie names are no longer unquoted. This was against 6265 and potentially allowed setting __Secure prefixed cookies. 1965
• Fix some word matches for user agent platform when the word can be a substring. 1923
• The development server logs ignored SSL errors. 1967

... (truncated)

Commits

• af160e0 Merge pull request #2111 from pallets/release-2.0.0
• c987e02 release version 2.0.0
• d6a0f17 update requirements
• 13b8520 Merge pull request #2110 from pallets/pre-commit-ci-schedule
• 264446f update pre-commit monthly
• d6f89ee Merge pull request #2109 from pallets/more-typing
• 2dfb6dc enable more mypy checks
• 30ce9ee Merge pull request #2108 from pallets/pre-commit-ci-update-config
• 6212134 [pre-commit.ci] pre-commit autoupdate
• 4970558 Merge pull request #2107 from TrizlyBear/patch-1
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Superseded by #41.