This repository has been archived by the owner on Jan 5, 2024. It is now read-only.

Bump werkzeug from 0.14.1 to 0.15.3 #46

Closed
wants to merge 1 commit into from

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Oct 18, 2019

Bumps werkzeug from 0.14.1 to 0.15.3.

Release notes

Sourced from werkzeug's releases.

Changelog

Sourced from werkzeug's changelog.

Version 0.15.3

Released 2019-05-14

  • Properly handle multi-line header folding in the development server in Python 2.7. (#1080)
  • Restore the response argument to exceptions.Unauthorized. (#1527)
  • exceptions.Unauthorized doesn't add the WWW-Authenticate header if www_authenticate is not given. (#1516)
  • The default URL converter correctly encodes bytes to string rather than representing them with b''. (#1502)
  • Fix the filename format string in middleware.profiler.ProfilerMiddleware to correctly handle float values. (#1511)
  • Update middleware.lint.LintMiddleware to work on Python 3. (#1510)
  • The debugger detects cycles in chained exceptions and does not time out in that case. (#1536)
  • When running the development server in Docker, the debugger security pin is now unique per container.

Version 0.15.2

Released 2019-04-02

  • Rule code generation uses a filename that coverage will ignore. The previous value, "generated", was causing coverage to fail. (#1487)
  • The test client removes the cookie header if there are no persisted cookies. This fixes an issue introduced in 0.15.0 where the cookies from the original request were used for redirects, causing functions such as logout to fail. (#1491)
  • The test client copies the environ before passing it to the app, to prevent in-place modifications from affecting redirect requests. (#1498)
  • The "werkzeug" logger only adds a handler if there is no handler configured for its level in the logging chain. This avoids double logging if other code configures logging first. (#1492)

Version 0.15.1

Released 2019-03-21

  • exceptions.Unauthorized takes description as the first
... (truncated)
Commits
  • 9b1123a release version 0.15.3
  • 00bc43b unique debugger pin in Docker containers
  • 2cbdf2b Merge pull request #1542 from asottile/exceptions_arent_always_hashable
  • 0e669f6 Fix unhashable exception types
  • bdc17e4 Merge pull request #1540 from pallets/break-tb-cycle
  • 44e38c2 break cycle in chained exceptions
  • 777500b Merge pull request #1518 from NiklasMM/fix/1510_lint-middleware-python3-compa...
  • e00c7c2 Make LintMiddleware Python 3 compatible and add tests
  • d590cc7 Merge pull request #1539 from pallets/profiler-format
  • 0388fc9 update filename_format for ProfilerMiddleware.
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [werkzeug](https://github.com/pallets/werkzeug) from 0.14.1 to 0.15.3.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/master/CHANGES.rst)
- [Commits](pallets/werkzeug@0.14.1...0.15.3)

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Oct 18, 2019
@redshiftzero
Contributor

to investigate: why is the build passing here? we haven't updated our pip mirror (which is where the hashes in build-requirements.txt come from)

@eloquence eloquence added this to Ready for Review in SecureDrop Team Board Oct 21, 2019
--hash=sha256:e23d0cc5299223dcc37885dae624f382297717e459ea24053709675a976a3e19
requests==2.20.0 \
--hash=sha256:99dcfdaaeb17caf6e526f32b6a7b780461512ab3f1d992187801694cba42770c \
--hash=sha256:a84b8c9ab6239b578f22d1c21d51b696dcfe004032bb80ea832398d6909d7279
Contributor


(test job fails because requests is removed in this diff)

@kushaldas
Contributor

to investigate: why is the build passing here? we haven't updated our pip mirror (which is where the hashes in build-requirements.txt come from)

Somehow the build used the old (committed) build-requirements.txt file.

Collecting werkzeug==0.14.1

I am looking more into this.

@sssoleileraaa sssoleileraaa moved this from Ready for Review to Under Review in SecureDrop Team Board Oct 23, 2019
@sssoleileraaa sssoleileraaa moved this from Under Review to Ready for Review in SecureDrop Team Board Oct 23, 2019
@kushaldas
Contributor

The python setup.py sdist is creating a source tarball which seems to be from the master branch, even though in the step before we can clearly see that the PR actually got merged on the working branch.

I could not find the step which is causing the git cleanup in the CI.

@redshiftzero
Contributor

what's happening here is:

  1. we run make requirements in CI. This makes sure that the build-requirements.txt file has been updated based on any changes in requirements.txt. We want to keep that step since it guards against a contributor modifying requirements.txt without updating build-requirements.txt: this would break nightly builds.
  2. in this PR's diff build-requirements.txt is updated with the new version of werkzeug, but requirements.txt is not: so running make requirements overwrites build-requirements.txt with the version of werkzeug that is on master. Since all the dependencies from requirements.txt are on our pip mirror, this will build.

Some solutions:

  1. run make update-pip-requirements in CI, confirm no diff, else fail the build. This will guard against PRs in the future from bots or otherwise that update *.in without updating the corresponding *.txt files.
  2. after make requirements in CI, confirm there are no unstaged changes (e.g. via git diff-index --quiet HEAD or similar): this means that build-requirements.txt was modified in this step, and we fail the CI job with an informative message for the contributor.

I think 2 is a better solution for this specific scenario (though 1 is also probably a good idea), so will do that in a separate PR.
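A consistency check for the drift this thread describes, added here as an example and not SecureDrop's or Dependabot's own code: it parses requirements.txt and build-requirements.txt the way pip reads them (joining backslash-continued --hash lines) and reports pins present in only one file, versions that disagree, or locked entries with no hash, which is what a "confirm no diff" CI step needs to print before failing. The sample file contents and the werkzeug hash below are constructed placeholders, not values from the project.

```python
import re
from typing import Dict, List, Tuple

# "name==version" at the start of a logical requirement line.
_PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s\\#]+)")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def parse_pins(text: str) -> Dict[str, Tuple[str, int]]:
    """Map normalized name -> (version, sha256 hash count), joining
    backslash-continued lines first, the way pip reads them."""
    pins: Dict[str, Tuple[str, int]] = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        m = _PIN_RE.match(line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        pins[name] = (m.group(2), len(_HASH_RE.findall(line)))
    return pins

def find_drift(requirements: str, build_requirements: str) -> List[str]:
    """Return every disagreement between the source pins and the hash-locked
    file; an empty list means the two are consistent and CI may proceed."""
    src, built = parse_pins(requirements), parse_pins(build_requirements)
    problems: List[str] = []
    for name, (ver, _) in sorted(src.items()):
        if name not in built:
            problems.append(f"{name}=={ver} missing from build-requirements.txt")
        elif built[name][0] != ver:
            problems.append(f"{name}: {ver} in requirements.txt, {built[name][0]} in build-requirements.txt")
        elif built[name][1] == 0:
            problems.append(f"{name}=={ver} has no --hash in build-requirements.txt")
    for name, (ver, _) in sorted(built.items()):
        if name not in src:
            problems.append(f"{name}=={ver} in build-requirements.txt but not in requirements.txt")
    return problems

# Constructed sample reproducing this PR's state: build-requirements.txt was
# bumped to werkzeug 0.15.3 and lost requests, requirements.txt was untouched.
REQUIREMENTS = "requests==2.20.0\nwerkzeug==0.14.1\n"
BUILD_REQUIREMENTS = (
    "werkzeug==0.15.3 \\\n"
    "    --hash=sha256:" + "0" * 64 + "\n"  # placeholder hash, not werkzeug's real one
)

if __name__ == "__main__":
    for problem in find_drift(REQUIREMENTS, BUILD_REQUIREMENTS):
        print("requirements drift:", problem)
```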

redshiftzero added a commit that referenced this pull request Oct 23, 2019
this guards against a scenario discovered in:

#46 (comment)

wherein a contributor would update build-requirements.txt but
not requirements.txt
@redshiftzero
Contributor

for now closing this since this needs to get re-filed after updating our pip mirror, tracked in #140 which is in the near term backlog

@dependabot @github
Author

dependabot bot commented on behalf of github Oct 24, 2019

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/pip/werkzeug-0.15.3 branch October 24, 2019 17:10
@eloquence eloquence moved this from Ready for Review to Done in SecureDrop Team Board Oct 24, 2019
@eloquence eloquence removed this from Done in SecureDrop Team Board Oct 24, 2019