chore(deps): bump the dependencies group across 1 directory with 9 updates

[dependabot]

Bumps the dependencies group with 9 updates in the /src/backend directory:

Package	From	To
gunicorn	25.2.0	25.3.0
bleach	4.1.0	6.3.0
boto3	1.42.76	1.42.77
botocore	1.42.76	1.42.77
googleapis-common-protos	1.73.0	1.73.1
importlib-metadata	8.7.1	9.0.0
protobuf	6.33.6	7.34.1
wrapt	1.17.3	2.1.2
python-discovery	1.2.0	1.2.1

Updates gunicorn from 25.2.0 to 25.3.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 25.3.0

Bug Fixes

• HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2 ASGI requests, causing JSON parsing errors with "Extra data" messages (#3558)

• ASGI Chunked EOF Handling: Add finish() method to callback parser to handle chunked encoding edge case where connection closes before final CRLF after zero-chunk

• HTTP/2 Documentation: Fix http_protocols examples to use comma-separated string instead of list syntax (#3561)

• Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC 9112 (#3556)

• Request Line Limit: Fix --limit-request-line 0 to mean unlimited as documented, instead of using default maximum. Works with both Python and fast C parser. (#3563)

Security

• ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
  • Reject duplicate Content-Length headers
  • Reject requests with both Content-Length and Transfer-Encoding
  • Reject chunked transfer encoding in HTTP/1.0
  • Reject stacked chunked encoding
  • Validate Transfer-Encoding values
  • Strict chunk size validation

Changes

• Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property and InvalidChunkExtension validation for bare CR rejection

• ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser

• Docker Images: Update to Python 3.14

Commits

• 9bce72c Update changelog with missing 25.3.0 changes
• 2a15fdb Fix pylint isinstance-second-argument-not-valid-type warning
• 8d08aaa Fix --limit-request-line 0 to mean unlimited
• d40a374 Fix pytest-asyncio configuration and treq_asgi hex escapes
• da8bd48 Remove unused AsyncRequest class
• b00f125 Integrate gunicorn_h1c 0.6.3 with InvalidChunkExtension support
• bdb2ebd Reject chunk extensions with bare CR bytes (RFC 9112)
• 7057fc9 Fix http_protocols documentation to use string syntax
• d43acb8 Update to gunicorn_h1c >= 0.6.2 for asgi_headers support
• cbd27e8 Merge pull request #3559 from benleembruggen/fix/http2-asgi-body-duplication
• Additional commits viewable in compare view

Updates bleach from 4.1.0 to 6.3.0

Changelog

Sourced from bleach's changelog.

Version 6.3.0 (October 27th, 2025)

Backwards incompatible changes

• Dropped support for Python 3.9. (#756)

Security fixes

None

Bug fixes

• Add support for Python 3.14. (#758)
• Fix wbr handling. (#488)

Version 6.2.0 (October 29th, 2024)

Backwards incompatible changes

• Dropped support for Python 3.8. (#737)

Security fixes

None

Bug fixes

• Add support for Python 3.13. (#736)
• Remove six depdenncy. (#618)
• Update known-good versions for tinycss2. (#732)
• Fix additional < followed by characters and EOF issues. (#728)

Version 6.1.0 (October 6th, 2023)

Backwards incompatible changes

• Dropped support for Python 3.7. (#709)

Security fixes

None

Bug fixes

• Add support for Python 3.12. (#710)

... (truncated)

Commits

• 5546d5d chore: prep for 6.3.0 release
• 88df3ff chore: fix readthedocs
• d8b2fb4 fix: fix wbr handling (#488)
• 55e48ce chore: add support for Python 3.14 (#758)
• a4d6cdd chore: drop support for Python 3.9 (#756)
• 172d92f Bump actions/setup-python from 5.6.0 to 6.0.0
• df88612 Bump actions/checkout from 4.2.2 to 5.0.0
• cbcf6b1 Bump actions/cache from 4.2.3 to 4.3.0
• d9aa7ef Switch from dependabot reviewers to CODEOWNERS
• 06f0f76 Update setuptools, wheel, and twine for devs
• Additional commits viewable in compare view

Updates boto3 from 1.42.76 to 1.42.77

Commits

• 48369ea Merge branch 'release-1.42.77'
• 4398c8e Bumping version to 1.42.77
• 7c449e2 Add changelog entries from botocore
• a5ad9c3 Merge branch 'release-1.42.76' into develop
• See full diff in compare view

Updates botocore from 1.42.76 to 1.42.77

Commits

• a42e6cf Merge branch 'release-1.42.77'
• 7906a34 Bumping version to 1.42.77
• 7f9c3cd Update endpoints model
• 1db4cef Update to latest models
• 85f623c Merge branch 'release-1.42.76' into develop
• See full diff in compare view

Updates googleapis-common-protos from 1.73.0 to 1.73.1

Commits

• 7a05a34 chore: create a release (#16191)
• 0f19d85 chore: fix missing heading in changelog (#16189)
• a16755d chore: librarian onboard pull request: 20260323T111101Z (#16141)
• 9694ce9 chore: librarian onboard pull request: 20260323T114549Z (#16143)
• c4a35cf chore: librarian onboard pull request: 20260323T132735Z (#16146)
• 640a86b chore: librarian update image pull request: 20260325T221325Z (#16175)
• 341284c chore(deps): bump pyasn1 from 0.6.1 to 0.6.3 in /packages/sqlalchemy-spanner ...
• ec9262c fix: Allow Protobuf 7.x, require Python 3.9 (#16102)
• cf50cea feat(firestore): literals pipeline stage (#16028)
• 4b400fa chore: librarian generate pull request: 20260325T142358Z (#16166)
• Additional commits viewable in compare view

Updates importlib-metadata from 8.7.1 to 9.0.0

Changelog

Sourced from importlib-metadata's changelog.

v9.0.0

Deprecations and Removals

• Added MetadataNotFound (subclass of FileNotFoundError) and updated Distribution.metadata/metadata() to raise it when the metadata files are missing instead of returning Nonepython/cpython#143387#532)

v8.9.0

Features

• python/cpython#110937python/cpython#140141, python/cpython#143658)

v8.8.0

Features

• Removed Python 3.9 compatibility.

Commits

• a9f883f Finalize
• 9b0dfdf Raise an exception when no metadata file is found (#532)
• 0f2229c Merge branch 'main' into feature/no-metadata-exception
• 2f4088e Remove news fragments about internal details.
• 0ac2720 Add news fragment.
• a5c2154 Finalize
• e66e226 Drop support for EOL Python 3.9 (#530)
• 6027933 Add news fragment.
• b89388a Import os_helper directly.
• 2dcb761 Add uniform exclusions for test.support.
• Additional commits viewable in compare view

Updates protobuf from 6.33.6 to 7.34.1

Release notes

Sourced from protobuf's releases.

Protocol Buffers v34.0-rc1

Announcements

• This version includes breaking changes to: C++, Objective-C, PHP, Python.
• [Bazel] Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (protocolbuffers/protobuf@0a5c2f6)
• [C++] Make generator headers private (protocolbuffers/protobuf@3a2af35)
• [C++] Add a debug check that the target of CopyFrom is not a descendant of the source. (protocolbuffers/protobuf@7a75898)
• [C++] Add [[nodiscard]] to many APIs. (protocolbuffers/protobuf@a70115f)
• [C++] Make the arena-enabled constructors of RepeatedField, RepeatedPtrField, and Map private. (protocolbuffers/protobuf@ef890c3)
• [C++] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (protocolbuffers/protobuf@b76faa9)
• [C++] Removes proto2::util::MessageDifferencer::AddIgnoreCriteria that takes a raw pointer as an argument in favor of the overload that takes a unique_ptr. Remove macro PROTOBUF_FUTURE_REMOVE_ADD_IGNORE_CRITERIA (protocolbuffers/protobuf@b115358)
• [C++] Remove deprecated FieldDescriptor::has_optional_keyword() in OSS. Use is_repeated() or has_presence() instead (protocolbuffers/protobuf@68346ec)
• [C++] Remove AddUnusedImportTrackFile() and ClearUnusedImportTrackFiles(). Remove PROTOBUF_FUTURE_RENAME_ADD_UNUSED_IMPORT (protocolbuffers/protobuf@837a2cd)
• [C++] Remove deprecated FieldDescriptor::is_optional() in OSS. Use (!is_required() && !is_repeated()) instead (protocolbuffers/protobuf@9dbc5d4)
• [C++] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (protocolbuffers/protobuf@c301c2c)
• [C++] All entity names have length limit (2afb0dc)
• [ObjC] Remove generate_minimal_imports generation option warning (protocolbuffers/protobuf@45b1297)
• [ObjC] Fix nullability annotations on some GPB*Dictionary types. (protocolbuffers/protobuf@ea67d6d)
• [ObjC] Remove -[GPBFieldDescriptor optional] (protocolbuffers/protobuf@3414dc1)
• [Other] Remove deprecated flag for enabling MSVC support (protocolbuffers/protobuf@97c979b)
• [PHP] Remove deprecated PHP APIs (protocolbuffers/protobuf@9c45014)
• [PHP] Remove deprecated PHP APIs FieldDescriptor getLabel, use IsRepeated or isRequired instead. (protocolbuffers/protobuf@4208121, protocolbuffers/protobuf@cd76e67, protocolbuffers/protobuf@4208121)
• [PHP] Add PHP typehints for setters and remove redundant GPBUtil checks (protocolbuffers/protobuf#25296) (protocolbuffers/protobuf@aee03b7)
• [PHP] support default values for editions/proto2 (protocolbuffers/protobuf#25161) (protocolbuffers/protobuf@b01099d)
• [Python] Raise errors in OSS when assign bool to int/enum field in Python Proto. (protocolbuffers/protobuf@5b116fe)
• [Python] Remove float_format/double_format from python proto text_format (protocolbuffers/protobuf@e4854a1)
• [Python] Raise TypeError when convert non-timedelta to Duration, or convert non-datetime to Timestamp in python proto. (Original code may raise ArributeError) (protocolbuffers/protobuf@00aaca1)
• [Python] Remove float_precision from python proto json_format (protocolbuffers/protobuf@f027f1f)
• [Python] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (protocolbuffers/protobuf@b76faa9)
• [Python] Remove deprecated FieldDescriptor.label (protocolbuffers/protobuf@0a8ff55)
• [Python] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (protocolbuffers/protobuf@c301c2c)
• Protobuf News may include additional announcements or pre-announcements for upcoming changes.
• Migration Guide may include additional guidance for breaking changes.

Bazel

• Fix: cc_toolchain should prefer protoc when prebuilt flag is flipped. (#25168) (protocolbuffers/protobuf@8c857c3)
• Breaking change: Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (protocolbuffers/protobuf@0a5c2f6)
• Feat(bazel): wire up prebuilt protoc toolchain (#24115) (protocolbuffers/protobuf@cc23698)
• Migrate proto_descriptor_set (#23369) (protocolbuffers/protobuf@8d4dfdd)

Compiler

• Ruby codegen: support generation of rbs files (#15633) (protocolbuffers/protobuf@6ebdf85)
• Avoid collision name problems between a message named Xyz and a direct sibling enum named XyzView (protocolbuffers/protobuf@eba53e8)
• Generalizing and implementing ValidateFeatureSupport for both Options and Features during proto parsing (protocolbuffers/protobuf@ed3c571)
• Fix a bug with custom features outside of the pb package. (protocolbuffers/protobuf@872d3ce)
• Fix import option handling when include_imports isn't set. (protocolbuffers/protobuf@9ef9e80)
• Fix a bug in STRICT check of namespaced enums to properly check for 'reserved 1 to max' (protocolbuffers/protobuf@1229d4a)
• Prevent accidental stripping of debug_redact options via import option. (protocolbuffers/protobuf@f58b098)

C++

• Add EnumerateEnumValues function. (protocolbuffers/protobuf@397d5d9)

... (truncated)

Commits

• See full diff in compare view

Updates wrapt from 1.17.3 to 2.1.2

Release notes

Sourced from wrapt's releases.

wrapt-2.1.2

See the project page on the Python Package Index at https://pypi.org/project/wrapt/2.1.2/ for more information.

wrapt-2.1.1

See the project page on the Python Package Index at https://pypi.org/project/wrapt/2.1.1/ for more information.

wrapt-2.1.0

See the project page on the Python Package Index at https://pypi.org/project/wrapt/2.1.0/ for more information.

wrapt-2.0.1

See the project page on the Python Package Index at https://pypi.org/project/wrapt/2.0.1/ for more information.

wrapt-2.0.0

See the project page on the Python Package Index at https://pypi.org/project/wrapt/2.0.0/ for more information.

Changelog

Sourced from wrapt's changelog.

Version 2.1.2

Bugs Fixed

• Building of Python wheels for riscv64 Linux platform had been accidentally removed from the build configuration. This has now been added back in.

• When a weak function proxy was created for a bound method and the instance it was bound to was garbage collected, calling the proxy would silently call the function as unbound instead of raising a ReferenceError.

• When deleting an attribute named __annotations__ on an object proxy, the attribute was only being deleted from the proxy and not also from the wrapped object.

Version 2.1.1

Bugs Fixed

• Search field for documentation hosted on Read the Docs wasn't working correctly due to JavaScript error.

• Missing tox.ini from source distribution package has been added.

Version 2.1.0

Features Changed

• Drop support for Python 3.8. Python version 3.9 or later is now required.

Bugs Fixed

• Improved type hints so that mypy and ty work better for methods of classes when using wrapt.decorator and wrapt.function_wrapper. Note that applying these to static methods still does not work correctly due to possibly limitations in those type checkers. The pyrefly tool still does not work correctly with wrapt.decorator and wrapt.function_wrapper applied to any methods of classes. Overall pyright provides the best experience when using wrapt with type checking.

Version 2.0.1

Bugs Fixed

• The wrapt.lazy_import() function wasn't included in the __all__ attribute of the wrapt module, meaning that it wasn't

... (truncated)

Commits

• 1381ae8 Merge branch 'release/2.1.2'
• 26ab4fd Update ready for 2.1.2 release.
• fbdbef4 Handle pypy which raises different exception type.
• 87baf75 Add tests for deletion of qualname and annotations.
• b48debf Decided only needed a patch level update,
• 06c698f Update release notes for annotation deletion bug.
• 6e6ed87 Merge pull request #313 from bysiber/fix/delattr-annotations
• 4fc2c23 Add test to call proxy after weakref cleared.
• 9e53a71 Add change notes for ReferenceError fix.
• 2cda4e6 Merge pull request #312 from bysiber/fix/weakfunctionproxy-expired-instance
• Additional commits viewable in compare view

Updates python-discovery from 1.2.0 to 1.2.1

Release notes

Sourced from python-discovery's releases.

1.2.1

What's Changed

• 🔒 ci(workflows): add zizmor security auditing by @​gaborbernat in tox-dev/python-discovery#55
• expose KNOWN_ARCHITECTURES as public API by @​rahuldevikar in tox-dev/python-discovery#56

New Contributors

• @​rahuldevikar made their first contribution in tox-dev/python-discovery#56

Full Changelog: tox-dev/python-discovery@1.2.0...1.2.1

Commits

• 38eac12 expose KNOWN_ARCHITECTURES as public API (#56)
• eabb812 🔒 ci(workflows): add zizmor security auditing (#55)
• b4cbd35 [pre-commit.ci] pre-commit autoupdate (#54)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[netlify]

✅ Deploy Preview for inventree-web-pui-preview canceled.

Name	Link
🔨 Latest commit	7854125
🔍 Latest deploy log	https://app.netlify.com/projects/inventree-web-pui-preview/deploys/69d5e8ca90d4720008ad223e

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.45%. Comparing base (4d2ed8f) to head (7854125).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #11671   +/-   ##
=======================================
  Coverage   91.45%   91.45%           
=======================================
  Files         964      964           
  Lines       49985    49985           
=======================================
  Hits        45715    45715           
  Misses       4270     4270           

Flag	Coverage Δ
backend	89.26% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
Backend Apps	91.73% <ø> (ø)
Backend General	93.41% <ø> (ø)
Frontend	∅ <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[matmair]

@SchrodingersGat ready for review and merge