Bump the python group across 1 directory with 12 updates

[dependabot]

Bumps the python group with 12 updates in the / directory:

Package	From	To
flask-caching	2.1.0	2.3.0
itsdangerous	2.1.2	2.2.0
jinja2	3.1.3	3.1.4
requests	2.31.0	2.32.2
werkzeug	3.0.2	3.0.3
zipp	3.18.1	3.18.2
coverage	7.4.4	7.5.1
pytest	8.1.1	8.2.1
pylint	3.1.0	3.2.2
mypy	1.9.0	1.10.0
types-requests	2.31.0.20240406	2.32.0.20240523
types-setuptools	69.5.0.20240415	70.0.0.20240523

Updates flask-caching from 2.1.0 to 2.3.0

Release notes

Sourced from flask-caching's releases.

2.3.0

https://github.com/pallets-eco/flask-caching/blob/v2.1.0/CHANGES.rst

2.2.0

https://github.com/pallets-eco/flask-caching/blob/v2.1.0/CHANGES.rst

Changelog

Sourced from flask-caching's changelog.

Version 2.3.0

Released 2024-05-04

• Added response_hit_indication flag to Cache.cached decorator for appending 'hit_cache' headers to responses, indicating cache hits.

Version 2.2.0

• Drop python 3.7 support
• python 3.11 officially supported
• Fix issue causing args_to_ignore to not work with flask_caching.Cache.memoize decorator when keyword arguments were used in the decorated function call

Commits

• dfacadd release 2.3.0 (#562)
• 59cf9af Hit cache indication (#532)
• c1b683c release-2.2.0 (#560)
• 67c34a0 Respect kwargs when args_to_ignore is set in memoize (#558)
• 6a2191a Update cache type names in index.rst (#547)
• 3c66171 Remove unused _get_prefix() method from RedisCache class. (#552)
• 7ec3ebd Drop py37 (#559)
• a367b9f Bump cryptography from 41.0.4 to 41.0.6 in /requirements (#549)
• See full diff in compare view

Updates itsdangerous from 2.1.2 to 2.2.0

Release notes

Sourced from itsdangerous's releases.

2.2.0

This is a feature release, which includes new features, removes previously deprecated code, and adds new deprecations. The 2.2.x branch is now the supported fix branch, the 2.1.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

Changes: https://itsdangerous.palletsprojects.com/en/2.2.x/changes/#version-2-2-0 Milestone: https://github.com/pallets/itsdangerous/milestone/8?closed=1

• Drop support for Python 3.7.
• Use modern packaging metadata with pyproject.toml instead of setup.cfg.
• Use flit_core instead of setuptools as build backend.
• Deprecate the __version__ attribute. Use feature detection, or importlib.metadata.version("itsdangerous"), instead.
• Serializer and the return type of dumps is generic for type checking. By default it is Serializer[str] and dumps returns a str. If a different serializer argument is given, it will try to infer the return type of its dumps method.
• The default hashlib.sha1 may not be available in FIPS builds. Don't access it at import time so the developer has time to change the default.

Changelog

Sourced from itsdangerous's changelog.

Version 2.2.0

Released 2024-04-16

• Drop support for Python 3.7. :pr:372
• Use modern packaging metadata with pyproject.toml instead of setup.cfg. :pr:326
• Use flit_core instead of setuptools as build backend.
• Deprecate the __version__ attribute. Use feature detection, or importlib.metadata.version("itsdangerous"), instead. :issue:371
• Serializer and the return type of dumps is generic for type checking. By default it is Serializer[str] and dumps returns a str. If a different serializer argument is given, it will try to infer the return type of its dumps method. :issue:347
• The default hashlib.sha1 may not be available in FIPS builds. Don't access it at import time so the developer has time to change the default. :issue:375

Commits

• 096c8d4 release version 2.2.0
• 7f4dcf8 access sha1 lazily
• 93ae366 change entry for generic serializer
• 135eb23 Generic serializer (#377)
• 999ce7a Improve generic typing further
• 52890d7 improve generic typing
• 385c0eb type Serializer as generic (#374)
• 01001c6 type Serializer as generic
• bc88e94 improve typing (#373)
• 69a3bca improve typing
• Additional commits viewable in compare view

Updates jinja2 from 3.1.3 to 3.1.4

Release notes

Sourced from jinja2's releases.

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

• The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

Changelog

Sourced from jinja2's changelog.

Version 3.1.4

Released 2024-05-05

• The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. :ghsa:h75v-3vvj-5mfj

Commits

• dd4a8b5 release version 3.1.4
• 0668239 Merge pull request from GHSA-h75v-3vvj-5mfj
• d655030 disallow invalid characters in keys to xmlattr filter
• a7863ba add ghsa links
• b5c98e7 start version 3.1.4
• da3a9f0 update project files (#1968)
• 0ee5eb4 satisfy formatter, linter, and strict mypy
• 20477c6 update project files (#5457)
• e491223 update pyyaml dev dependency
• 36f9885 fix pr link
• Additional commits viewable in compare view

Updates requests from 2.31.0 to 2.32.2

Release notes

Sourced from requests's releases.

v2.32.2

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

🐍 PYCON US 2024 EDITION 🐍

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

... (truncated)

Changelog

Sourced from requests's changelog.

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations

... (truncated)

Commits

• 88dce9d v2.32.2
• c98e4d1 Merge pull request #6710 from nateprewitt/api_rename
• 92075b3 Add deprecation warning
• aa1461b Move _get_connection to get_connection_with_tls_context
• 970e8ce v2.32.1
• d6ebc4a v2.32.0
• 9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
• 0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
• 555b870 Allow character detection dependencies to be optional in post-packaging steps
• d6dded3 Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test
• Additional commits viewable in compare view

Updates werkzeug from 3.0.2 to 3.0.3

Release notes

Sourced from werkzeug's releases.

3.0.3

This is the Werkzeug 3.0.3 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.3/ Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-3 Milestone: https://github.com/pallets/werkzeug/milestone/35?closed=1

• Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. GHSA-2g68-c3qc-8985
• Make reloader more robust when "" is in sys.path. #2823
• Better TLS cert format with adhoc dev certs. #2891
• Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. #2828
• Type annotation for Rule.endpoint and other uses of endpoint is Any. #2836

Changelog

Sourced from werkzeug's changelog.

Version 3.0.3

Released 2024-05-05

• Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. :ghsa:2g68-c3qc-8985

• Make reloader more robust when "" is in sys.path. :pr:2823

• Better TLS cert format with adhoc dev certs. :pr:2891

• Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. :issue:2828

• Type annotation for Rule.endpoint and other uses of endpoint is Any. :issue:2836

• Make reloader more robust when "" is in sys.path. :pr:2823

Commits

• f9995e9 release version 3.0.3
• 3386395 Merge pull request from GHSA-2g68-c3qc-8985
• 890b6b6 only require trusted host for evalex
• 71b69df restrict debugger trusted hosts
• d2d3869 endpoint type is Any (#2895)
• 7080b55 endpoint type is Any
• 7555eff remove iri_to_uri redirect workaround (#2894)
• 97fb2f7 remove _invalid_iri_to_uri workaround
• 249527f make cn field a valid single hostname, and use wildcard in SANs field. (#2892)
• 793be47 update adhoc tls dev cert format
• Additional commits viewable in compare view

Updates zipp from 3.18.1 to 3.18.2

Changelog

Sourced from zipp's changelog.

v3.18.2

No significant changes.

Commits

• 051250e Finalize
• 9f0a0c8 Use an overlay object to make tests appear to use zipfile.Path to reduce diff...
• b754ab7 Utilize temp_dir from os_helper.
• cdbd58b gh-119064: Use os_helper.FakePath instead of pathlib.Path in tests (python/cp...
• 18030dc Merge https://github.com/jaraco/skeleton
• ff0b75e Fix typo in Lib/zipfile/_path/init.py
• 67aab15 Revert "Allow macos on Python 3.8 to fail as GitHub CI has dropped support."
• dec8805 Merge https://github.com/jaraco/skeleton
• bcf8f07 Move project.urls to appear in the order that ini2toml generates it. Remove p...
• 744cf2a Allow macos on Python 3.8 to fail as GitHub CI has dropped support.
• Additional commits viewable in compare view

Updates coverage from 7.4.4 to 7.5.1

Changelog

Sourced from coverage's changelog.

Version 7.5.1 — 2024-05-04

• Fix: a pragma comment on the continuation lines of a multi-line statement now excludes the statement and its body, the same as if the pragma is on the first line. This closes issue 754. The fix was contributed by Daniel Diniz <pull 1773_>.

• Fix: very complex source files like this one <resolvent_lookup_>_ could cause a maximum recursion error when creating an HTML report. This is now fixed, closing issue 1774_.

• HTML report improvements:

  • Support files (JavaScript and CSS) referenced by the HTML report now have hashes added to their names to ensure updated files are used instead of stale cached copies.

  • Missing branch coverage explanations that said "the condition was never false" now read "the condition was always true" because it's easier to understand.

  • Column sort order is remembered better as you move between the index pages, fixing issue 1766. Thanks, Daniel Diniz <pull 1768_>.

.. _resolvent_lookup: https://github.com/sympy/sympy/blob/130950f3e6b3f97fcc17f4599ac08f70fdd2e9d4/sympy/polys/numberfields/resolvent_lookup.py .. _issue 754: nedbat/coveragepy#754 .. _issue 1766: nedbat/coveragepy#1766 .. _pull 1768: nedbat/coveragepy#1768 .. _pull 1773: nedbat/coveragepy#1773 .. _issue 1774: nedbat/coveragepy#1774

.. _changes_7-5-0:

Version 7.5.0 — 2024-04-23

• Added initial support for function and class reporting in the HTML report. There are now three index pages which link to each other: files, functions, and classes. Other reports don't yet have this information, but it will be added in the future where it makes sense. Feedback gladly accepted! Finishes issue 780_.

• Other HTML report improvements:

  • There is now a "hide covered" checkbox to filter out 100% files, finishing issue 1384_.

... (truncated)

Commits

• be938ea docs: sample HTML for 7.5.1
• 02c66d7 docs: prep for 7.5.1
• 5fa9f67 fix: avoid max recursion errors in ast code. #1774
• 34af01d build: easier to run metasmoke on desired python version
• 6b0cac5 perf: cache _human_key to speed html report by about 10%
• fdc0ee8 docs: oops, typo
• 60e6cb4 docs: changelog for #754 and #1773
• 277c8c4 fix: '# pragma: no branch' in multiline if statements. #754 (#1773)
• 34d3eb7 docs: update changelog for #1786. Thanks, Daniel Diniz
• 2bb5ef2 fix(html): make HTML column sorting consistent across index pages (fix #1766)...
• Additional commits viewable in compare view

Updates pytest from 8.1.1 to 8.2.1

Release notes

Sourced from pytest's releases.

8.2.1

pytest 8.2.1 (2024-05-19)

Improvements

• #12334: Support for Python 3.13 (beta1 at the time of writing).

Bug Fixes

• #12120: Fix [PermissionError]{.title-ref} crashes arising from directories which are not selected on the command-line.
• #12191: Keyboard interrupts and system exits are now properly handled during the test collection.
• #12300: Fixed handling of 'Function not implemented' error under squashfuse_ll, which is a different way to say that the mountpoint is read-only.
• #12308: Fix a regression in pytest 8.2.0 where the permissions of automatically-created .pytest_cache directories became rwx------ instead of the expected rwxr-xr-x.

Trivial/Internal Changes

• #12333: pytest releases are now attested using the recent Artifact Attestation support from GitHub, allowing users to verify the provenance of pytest's sdist and wheel artifacts.

8.2.0

pytest 8.2.0 (2024-04-27)

Deprecations

• #12069: A deprecation warning is now raised when implementations of one of the following hooks request a deprecated py.path.local parameter instead of the pathlib.Path parameter which replaced it:

  • pytest_ignore_collect{.interpreted-text role="hook"} - the path parameter - use collection_path instead.
  • pytest_collect_file{.interpreted-text role="hook"} - the path parameter - use file_path instead.
  • pytest_pycollect_makemodule{.interpreted-text role="hook"} - the path parameter - use module_path instead.
  • pytest_report_header{.interpreted-text role="hook"} - the startdir parameter - use start_path instead.
  • pytest_report_collectionfinish{.interpreted-text role="hook"} - the startdir parameter - use start_path instead.

  The replacement parameters are available since pytest 7.0.0. The old parameters will be removed in pytest 9.0.0.

  See legacy-path-hooks-deprecated{.interpreted-text role="ref"} for more details.

Features

• #11871: Added support for reading command line arguments from a file using the prefix character @, like e.g.: pytest @tests.txt. The file must have one argument per line.

  See Read arguments from file <args-from-file>{.interpreted-text role="ref"} for details.

Improvements

... (truncated)

Commits

• 66ff8df Prepare release version 8.2.1
• 3ffcfd1 Merge pull request #12340 from pytest-dev/backport-12334-to-8.2.x
• 0b28313 [8.2.x] Add Python 3.13 (beta) support
• f3dd93a [8.2.x] Attest package provenance (#12335)
• bb5a125 [8.2.x] Spelling (#12331)
• f179bf2 Merge pull request #12327 from pytest-dev/backport-12325-to-8.2.x
• 2b671b5 [8.2.x] cacheprovider: fix .pytest_cache not being world-readable
• 65ab7cb Merge pull request #12324 from pytest-dev/backport-12320-to-8.2.x
• 4d5fb7d Merge pull request #12319 from pytest-dev/backport-12311-to-8.2.x
• cbe5996 [8.2.x] changelog: document unittest 8.2 change as breaking
• Additional commits viewable in compare view

Updates pylint from 3.1.0 to 3.2.2

Commits

• 769ffd2 Bump pylint to 3.2.2, update changelog (#9658)
• 98c5af9 Fix false-positive with contextmanager missing cleanup (#9654) (#9657)
• 9a9db8f Update astroid to 3.2.2 (#9655) (#9656)
• 9223172 Bump pylint to 3.2.1, update changelog
• 926547b [trailing-comma-tuple] Fix enabling with message control locally when disable...
• 1498675 Fix linterstats.get_module_message_count() (#9146) (#9648)
• aed496a Fix FP for possibly-used-before-assignment with assert_never() (#9645) (#...
• 9dae975 [Backport maintenance/3.2.x] Add --prefer-stubs=y option (#9646)
• a03ceae Add --prefer-stubs=y option (#9632)
• b2ea316 [Backport maintenance/3.2.x] Don't emit incorrect-variance for type parameter...
• Additional commits viewable in compare view

Updates mypy from 1.9.0 to 1.10.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next release

Mypy 1.10

We’ve just uploaded mypy 1.10 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Support TypeIs (PEP 742)

Mypy now supports TypeIs (PEP 742), which allows functions to narrow the type of a value, similar to isinstance(). Unlike TypeGuard, TypeIs can narrow in both the if and else branches of an if statement:

from typing_extensions import TypeIs
def is_str(s: object) -> TypeIs[str]:
return isinstance(s, str)
def f(o: str | int) -> None:
if is_str(o):
# Type of o is 'str'
...
else:
# Type of o is 'int'
...

TypeIs will be added to the typing module in Python 3.13, but it can be used on earlier Python versions by importing it from typing_extensions.

This feature was contributed by Jelle Zijlstra (PR 16898).

Support TypeVar Defaults (PEP 696)

PEP 696 adds support for type parameter defaults. Example:

from typing import Generic
from typing_extensions import TypeVar
</tr></table>

... (truncated)

Commits

• 3faf0fc Remove +dev for version for release 1.10
• a5998d2 Update CHANGELOG.md (#17159)
• 62ea5b0 Various updates to changelog for 1.10 (#17158)
• 2f0864c Update CHANGELOG.md with draft for release 1.10 (#17150)
• e1443bb fix: incorrect returned type of access descriptors on unions of types (#16604)
• 5161ac2 Sync typeshed (#17124)
• e2fc1f2 Fix crash when expanding invalid Unpack in a Callable alias (#17028)
• 3ff6e47 Docs: docstrings in checker.py, ast_helpers.py (#16908)
• 732d98e Fix string formatting for string enums (#16555)
• 8019010 Narrow individual items when matching a tuple to a sequence pattern (#16905)
• Additional commits viewable in compare view

Updates types-requests from 2.31.0.20240406 to 2.32.0.20240523

Commits

• See full diff in compare view

Updates types-setuptools from 69.5.0.20240415 to 70.0.0.20240523

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 76.87%. Comparing base (37cba3e) to head (0fc8e60).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #1106   +/-   ##
=======================================
  Coverage   76.87%   76.87%           
=======================================
  Files          20       20           
  Lines        1310     1310           
=======================================
  Hits         1007     1007           
  Misses        303      303           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.