Commit 8f189e3
authored
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4&size=40){kind=avatar}
build(deps): bump the uv group across 1 directory with 4 updates (#206)
Bumps the uv group with 4 updates in the / directory:
[filelock](https://github.com/tox-dev/py-filelock),
[urllib3](https://github.com/urllib3/urllib3),
[virtualenv](https://github.com/pypa/virtualenv) and
[werkzeug](https://github.com/pallets/werkzeug).
Updates `filelock` from 3.19.1 to 3.20.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tox-dev/py-filelock/releases">filelock's
releases</a>.</em></p>
<blockquote>
<h2>3.20.3</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>Fix TOCTOU symlink vulnerability in SoftFileLock by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/tox-dev/filelock/pull/465">tox-dev/filelock#465</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/tox-dev/filelock/compare/3.20.2...3.20.3">https://github.com/tox-dev/filelock/compare/3.20.2...3.20.3</a></p>
<h2>3.20.2</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>Support Unix systems without O_NOFOLLOW by <a
href="https://github.com/mwilliamson"><code>@mwilliamson</code></a> in
<a
href="https://redirect.github.com/tox-dev/filelock/pull/463">tox-dev/filelock#463</a></li>
<li>[pre-commit.ci] pre-commit autoupdate by <a
href="https://github.com/pre-commit-ci"><code>@pre-commit-ci</code></a>[bot]
in <a
href="https://redirect.github.com/tox-dev/filelock/pull/464">tox-dev/filelock#464</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/mwilliamson"><code>@mwilliamson</code></a>
made their first contribution in <a
href="https://redirect.github.com/tox-dev/filelock/pull/463">tox-dev/filelock#463</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/tox-dev/filelock/compare/3.20.1...3.20.2">https://github.com/tox-dev/filelock/compare/3.20.1...3.20.2</a></p>
<h2>3.20.1</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file
creation by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/tox-dev/filelock/pull/461">tox-dev/filelock#461</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/tox-dev/filelock/compare/3.20.0...3.20.1">https://github.com/tox-dev/filelock/compare/3.20.0...3.20.1</a></p>
<h2>3.20.0</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>Add tox.toml to sdist by <a
href="https://github.com/mtelka"><code>@mtelka</code></a> in <a
href="https://redirect.github.com/tox-dev/filelock/pull/436">tox-dev/filelock#436</a></li>
<li>Update docs with example by <a
href="https://github.com/znichollscr"><code>@znichollscr</code></a> in
<a
href="https://redirect.github.com/tox-dev/filelock/pull/438">tox-dev/filelock#438</a></li>
<li>Add 3.14 support and drop 3.9 by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/tox-dev/filelock/pull/448">tox-dev/filelock#448</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/mtelka"><code>@mtelka</code></a> made
their first contribution in <a
href="https://redirect.github.com/tox-dev/filelock/pull/436">tox-dev/filelock#436</a></li>
<li><a
href="https://github.com/znichollscr"><code>@znichollscr</code></a>
made their first contribution in <a
href="https://redirect.github.com/tox-dev/filelock/pull/438">tox-dev/filelock#438</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/tox-dev/filelock/compare/3.19.1...3.20.0">https://github.com/tox-dev/filelock/compare/3.19.1...3.20.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5"><code>41b42dd</code></a>
Fix TOCTOU symlink vulnerability in SoftFileLock (<a
href="https://redirect.github.com/tox-dev/py-filelock/issues/465">#465</a>)</li>
<li><a
href="https://github.com/tox-dev/filelock/commit/f2e7d4046b6a2b375a573bcfbad21827b99f8939"><code>f2e7d40</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/tox-dev/py-filelock/issues/464">#464</a>)</li>
<li><a
href="https://github.com/tox-dev/filelock/commit/50888548eb2f008d372e71f2835a47851ab83836"><code>5088854</code></a>
Support Unix systems without O_NOFOLLOW (<a
href="https://redirect.github.com/tox-dev/py-filelock/issues/463">#463</a>)</li>
<li><a
href="https://github.com/tox-dev/filelock/commit/377f62251d7cdf30768cc9ee1eb31cea1551c71b"><code>377f622</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/tox-dev/py-filelock/issues/460">#460</a>)</li>
<li><a
href="https://github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e"><code>4724d7f</code></a>
Fix TOCTOU symlink vulnerability in lock file creation (<a
href="https://redirect.github.com/tox-dev/py-filelock/issues/461">#461</a>)</li>
<li><a
href="https://github.com/tox-dev/filelock/commit/cb69414a2327cf0a9887e12054d1dc112ee700af"><code>cb69414</code></a>
Bump actions/upload-artifact from 5 to 6 (<a
href="https://redirect.github.com/tox-dev/py-filelock/issues/459">#459</a>)</li>
<li><a
href="https://github.com/tox-dev/filelock/commit/0769294f14a6c62eea64741722f7acef5386b4cd"><code>0769294</code></a>
Bump actions/download-artifact from 6 to 7 (<a
href="https://redirect.github.com/tox-dev/py-filelock/issues/458">#458</a>)</li>
<li><a
href="https://github.com/tox-dev/filelock/commit/414193a188892bd376eb5c56eb45a9cf8ecc9284"><code>414193a</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/tox-dev/py-filelock/issues/457">#457</a>)</li>
<li><a
href="https://github.com/tox-dev/filelock/commit/1456797beb94ad59e5627462ad29f7ed3a966626"><code>1456797</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/tox-dev/py-filelock/issues/456">#456</a>)</li>
<li><a
href="https://github.com/tox-dev/filelock/commit/8d6bf90af313ac7fd6e41ef2b715d91dd6858f5c"><code>8d6bf90</code></a>
Bump actions/checkout from 5 to 6 (<a
href="https://redirect.github.com/tox-dev/py-filelock/issues/455">#455</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/tox-dev/py-filelock/compare/3.19.1...3.20.3">compare
view</a></li>
</ul>
</details>
<br />
Updates `urllib3` from 2.5.0 to 2.6.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/releases">urllib3's
releases</a>.</em></p>
<blockquote>
<h2>2.6.3</h2>
<h2>🚀 urllib3 is fundraising for HTTP/2 support</h2>
<p><a
href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3
is raising ~$40,000 USD</a> to release HTTP/2 support and ensure
long-term sustainable maintenance of the project after a sharp decline
in financial support. If your company or organization uses Python and
would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and
thousands of other projects <a
href="https://opencollective.com/urllib3">please consider contributing
financially</a> to ensure HTTP/2 support is developed sustainably and
maintained for the long-haul.</p>
<p>Thank you for your support.</p>
<h2>Changes</h2>
<ul>
<li>Fixed a security issue where decompression-bomb safeguards of the
streaming API were bypassed when HTTP redirects were followed.
(CVE-2026-21441 reported by <a
href="https://github.com/D47A"><code>@D47A</code></a>, 8.9 High,
GHSA-38jv-5279-wg99)</li>
<li>Started treating <code>Retry-After</code> times greater than 6 hours
as 6 hours by default. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3743">urllib3/urllib3#3743</a>)</li>
<li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on
Emscripten. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3752">urllib3/urllib3#3752</a>)</li>
</ul>
<h2>2.6.2</h2>
<h2>🚀 urllib3 is fundraising for HTTP/2 support</h2>
<p><a
href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3
is raising ~$40,000 USD</a> to release HTTP/2 support and ensure
long-term sustainable maintenance of the project after a sharp decline
in financial support. If your company or organization uses Python and
would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and
thousands of other projects <a
href="https://opencollective.com/urllib3">please consider contributing
financially</a> to ensure HTTP/2 support is developed sustainably and
maintained for the long-haul.</p>
<p>Thank you for your support.</p>
<h2>Changes</h2>
<ul>
<li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle
leftover data in the decoder's buffer when reading compressed chunked
responses. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3734">urllib3/urllib3#3734</a>)</li>
</ul>
<h2>2.6.1</h2>
<h2>🚀 urllib3 is fundraising for HTTP/2 support</h2>
<p><a
href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3
is raising ~$40,000 USD</a> to release HTTP/2 support and ensure
long-term sustainable maintenance of the project after a sharp decline
in financial support. If your company or organization uses Python and
would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and
thousands of other projects <a
href="https://opencollective.com/urllib3">please consider contributing
financially</a> to ensure HTTP/2 support is developed sustainably and
maintained for the long-haul.</p>
<p>Thank you for your support.</p>
<h2>Changes</h2>
<ul>
<li>Restore previously removed <code>HTTPResponse.getheaders()</code>
and <code>HTTPResponse.getheader()</code> methods. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3731">#3731</a>)</li>
</ul>
<h2>2.6.0</h2>
<h2>🚀 urllib3 is fundraising for HTTP/2 support</h2>
<p><a
href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3
is raising ~$40,000 USD</a> to release HTTP/2 support and ensure
long-term sustainable maintenance of the project after a sharp decline
in financial support. If your company or organization uses Python and
would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and
thousands of other projects <a
href="https://opencollective.com/urllib3">please consider contributing
financially</a> to ensure HTTP/2 support is developed sustainably and
maintained for the long-haul.</p>
<p>Thank you for your support.</p>
<h2>Security</h2>
<ul>
<li>Fixed a security issue where streaming API could improperly handle
highly compressed HTTP content ("decompression bombs") leading
to excessive resource consumption even when a small amount of data was
requested. Reading small chunks of compressed data is safer and much
more efficient now. (CVE-2025-66471 reported by <a
href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>, 8.9
High, GHSA-2xpw-w6gg-jr37)</li>
<li>Fixed a security issue where an attacker could compose an HTTP
response with virtually unlimited links in the
<code>Content-Encoding</code> header, potentially leading to a denial of
service (DoS) attack by exhausting system resources during decoding. The
number of allowed chained encodings is now limited to 5. (CVE-2025-66418
reported by <a
href="https://github.com/illia-v"><code>@illia-v</code></a>, 8.9 High,
GHSA-gm62-xv2j-4w53)</li>
</ul>
<blockquote>
<p>[!IMPORTANT]</p>
<ul>
<li>If urllib3 is not installed with the optional
<code>urllib3[brotli]</code> extra, but your environment contains a
Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at
least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security
fixes and avoid warnings. Prefer using <code>urllib3[brotli]</code> to
install a compatible Brotli package automatically.</li>
</ul>
</blockquote>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's
changelog</a>.</em></p>
<blockquote>
<h1>2.6.3 (2026-01-07)</h1>
<ul>
<li>Fixed a high-severity security issue where decompression-bomb
safeguards of
the streaming API were bypassed when HTTP redirects were followed.
(<code>GHSA-38jv-5279-wg99
<https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99></code>__)</li>
<li>Started treating <code>Retry-After</code> times greater than 6 hours
as 6 hours by
default. (<code>[#3743](urllib3/urllib3#3743)
<https://github.com/urllib3/urllib3/issues/3743></code>__)</li>
<li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on
Emscripten.
(<code>[#3752](urllib3/urllib3#3752)
<https://github.com/urllib3/urllib3/issues/3752></code>__)</li>
</ul>
<h1>2.6.2 (2025-12-11)</h1>
<ul>
<li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle
leftover data in
the decoder's buffer when reading compressed chunked responses.
(<code>[#3734](urllib3/urllib3#3734)
<https://github.com/urllib3/urllib3/issues/3734></code>__)</li>
</ul>
<h1>2.6.1 (2025-12-08)</h1>
<ul>
<li>Restore previously removed <code>HTTPResponse.getheaders()</code>
and
<code>HTTPResponse.getheader()</code> methods.
(<code>[#3731](urllib3/urllib3#3731)
<https://github.com/urllib3/urllib3/issues/3731></code>__)</li>
</ul>
<h1>2.6.0 (2025-12-05)</h1>
<h2>Security</h2>
<ul>
<li>Fixed a security issue where streaming API could improperly handle
highly
compressed HTTP content ("decompression bombs") leading to
excessive resource
consumption even when a small amount of data was requested. Reading
small
chunks of compressed data is safer and much more efficient now.
(<code>GHSA-2xpw-w6gg-jr37
<https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37></code>__)</li>
<li>Fixed a security issue where an attacker could compose an HTTP
response with
virtually unlimited links in the <code>Content-Encoding</code> header,
potentially
leading to a denial of service (DoS) attack by exhausting system
resources
during decoding. The number of allowed chained encodings is now limited
to 5.
(<code>GHSA-gm62-xv2j-4w53
<https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53></code>__)</li>
</ul>
<p>.. caution::</p>
<ul>
<li>If urllib3 is not installed with the optional
<code>urllib3[brotli]</code> extra, but
your environment contains a Brotli/brotlicffi/brotlipy package anyway,
make
sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to
benefit from the security fixes and avoid warnings. Prefer using</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/urllib3/urllib3/commit/0248277dd7ac0239204889ca991353ad3e3a1ddc"><code>0248277</code></a>
Release 2.6.3</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"><code>8864ac4</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/70cecb27ca99d56aaaeb63ac27ee270ef2b24c5c"><code>70cecb2</code></a>
Fix Scorecard issues related to vulnerable dev dependencies (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3755">#3755</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/41f249abe1ef3e20768588969c4035aba060a359"><code>41f249a</code></a>
Move "v2.0 Migration Guide" to the end of the table of
contents (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3747">#3747</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/fd4dffd2fc544166b76151a2fa3d7b7c0eab540c"><code>fd4dffd</code></a>
Patch <code>VerifiedHTTPSConnection</code> for Emscripten (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3752">#3752</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/13f0bfd55e4468fe1ea9c6f809d3a87b0f93ebab"><code>13f0bfd</code></a>
Handle massive values in Retry-After when calculating time to sleep for
(<a
href="https://redirect.github.com/urllib3/urllib3/issues/3743">#3743</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/8c480bf87bcefd321b3a1ae47f04e908b6b2ed7b"><code>8c480bf</code></a>
Bump actions/upload-artifact from 5.0.0 to 6.0.0 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3748">#3748</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/4b40616e959c0a2c466e8075f2a785a9f99bb0c1"><code>4b40616</code></a>
Bump actions/cache from 4.3.0 to 5.0.1 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3750">#3750</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/82b8479663d037d220c883f1584dd01a43bb273b"><code>82b8479</code></a>
Bump actions/download-artifact from 6.0.0 to 7.0.0 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3749">#3749</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/34284cb01700bb7d4fdd472f909e22393e9174e2"><code>34284cb</code></a>
Mention experimental features in the security policy (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3746">#3746</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/urllib3/urllib3/compare/2.5.0...2.6.3">compare
view</a></li>
</ul>
</details>
<br />
Updates `virtualenv` from 20.34.0 to 20.36.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/virtualenv/releases">virtualenv's
releases</a>.</em></p>
<blockquote>
<h2>20.36.1</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>release 20.36.0 by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3011">pypa/virtualenv#3011</a></li>
<li>fix: resolve TOCTOU vulnerabilities in app_data and lock directory
creation by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3013">pypa/virtualenv#3013</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pypa/virtualenv/compare/20.36.0...20.36.1">https://github.com/pypa/virtualenv/compare/20.36.0...20.36.1</a></p>
<h2>20.36.0</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>release 20.35.3 by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/2981">pypa/virtualenv#2981</a></li>
<li>fix: Prevent NameError when accessing _DISTUTILS_PATCH during file
ov… by <a href="https://github.com/gracetyy"><code>@gracetyy</code></a>
in <a
href="https://redirect.github.com/pypa/virtualenv/pull/2982">pypa/virtualenv#2982</a></li>
<li>Upgrade pip and fix 3.15 picking old wheel by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/2989">pypa/virtualenv#2989</a></li>
<li>release 20.35.4 by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/2990">pypa/virtualenv#2990</a></li>
<li>fix: wrong path on migrated venv by <a
href="https://github.com/sk1234567891"><code>@sk1234567891</code></a>
in <a
href="https://redirect.github.com/pypa/virtualenv/pull/2996">pypa/virtualenv#2996</a></li>
<li>test_too_many_open_files: assert on <code>errno.EMFILE</code>
instead of <code>strerror</code> by <a
href="https://github.com/pltrz"><code>@pltrz</code></a> in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3001">pypa/virtualenv#3001</a></li>
<li>fix: update filelock dependency version to 3.20.1 to fix CVE
CVE-2025-68146 by <a
href="https://github.com/pythonhubdev"><code>@pythonhubdev</code></a>
in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3002">pypa/virtualenv#3002</a></li>
<li>fix: resolve EncodingWarning in tox upgrade environment by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3007">pypa/virtualenv#3007</a></li>
<li>Fix Interpreter discovery bug wrt. Microsoft Store shortcut using
Latin-1 by <a
href="https://github.com/rahuldevikar"><code>@rahuldevikar</code></a>
in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3006">pypa/virtualenv#3006</a></li>
<li>Add support for PEP 440 version specifiers in the
<code>--python</code> flag. by <a
href="https://github.com/rahuldevikar"><code>@rahuldevikar</code></a>
in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3008">pypa/virtualenv#3008</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/gracetyy"><code>@gracetyy</code></a>
made their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/2982">pypa/virtualenv#2982</a></li>
<li><a
href="https://github.com/sk1234567891"><code>@sk1234567891</code></a>
made their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/2996">pypa/virtualenv#2996</a></li>
<li><a href="https://github.com/pltrz"><code>@pltrz</code></a> made
their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3001">pypa/virtualenv#3001</a></li>
<li><a
href="https://github.com/pythonhubdev"><code>@pythonhubdev</code></a>
made their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3002">pypa/virtualenv#3002</a></li>
<li><a
href="https://github.com/rahuldevikar"><code>@rahuldevikar</code></a>
made their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3006">pypa/virtualenv#3006</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pypa/virtualenv/compare/20.35.3...20.36.0">https://github.com/pypa/virtualenv/compare/20.35.3...20.36.0</a></p>
<h2>20.35.4</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>release 20.35.3 by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/2981">pypa/virtualenv#2981</a></li>
<li>fix: Prevent NameError when accessing _DISTUTILS_PATCH during file
ov… by <a href="https://github.com/gracetyy"><code>@gracetyy</code></a>
in <a
href="https://redirect.github.com/pypa/virtualenv/pull/2982">pypa/virtualenv#2982</a></li>
<li>Upgrade pip and fix 3.15 picking old wheel by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/2989">pypa/virtualenv#2989</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/gracetyy"><code>@gracetyy</code></a>
made their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/2982">pypa/virtualenv#2982</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pypa/virtualenv/compare/20.35.3...20.35.4">https://github.com/pypa/virtualenv/compare/20.35.3...20.35.4</a></p>
<h2>20.35.3</h2>
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst">virtualenv's
changelog</a>.</em></p>
<blockquote>
<h2>v20.36.1 (2026-01-09)</h2>
<p>Bugfixes - 20.36.1</p>
<pre><code>- Fix TOCTOU vulnerabilities in app_data and lock directory
creation that could be exploited via symlink attacks - reported by
:user:`tsigouris007`, fixed by :user:`gaborbernat`. (:issue:`3013`)
<h2>v20.36.0 (2026-01-07)</h2>
<p>Features - 20.36.0
</code></pre></p>
<ul>
<li>Add support for PEP 440 version specifiers in the
<code>--python</code> flag. Users can now specify Python versions using
operators like <code>>=</code>, <code><=</code>, <code>~=</code>,
etc. For example: <code>virtualenv --python=">=3.12"
myenv</code> <code>. (:issue:</code>2994`)</li>
</ul>
<h2>v20.35.4 (2025-10-28)</h2>
<p>Bugfixes - 20.35.4</p>
<pre><code>- Fix race condition in ``_virtualenv.py`` when file is
overwritten during import, preventing ``NameError`` when
``_DISTUTILS_PATCH`` is accessed - by :user:`gracetyy`. (:issue:`2969`)
- Upgrade embedded wheels:
<ul>
<li>pip to <code>25.3</code> from <code>25.2</code>
(:issue:<code>2989</code>)</li>
</ul>
<h2>v20.35.3 (2025-10-10)</h2>
<p>Bugfixes - 20.35.3
</code></pre></p>
<ul>
<li>Accept RuntimeError in <code>test_too_many_open_files</code>, by
:user:<code>esafak</code> (:issue:<code>2935</code>)</li>
</ul>
<h2>v20.35.2 (2025-10-10)</h2>
<p>Bugfixes - 20.35.2</p>
<pre><code>- Revert out changes related to the extraction of the
discovery module - by :user:`gaborbernat`. (:issue:`2978`)
<h2>v20.35.1 (2025-10-09)</h2>
<p>Bugfixes - 20.35.1
</code></pre></p>
<ul>
<li>Patch get_interpreter to handle missing cache and app_data - by
:user:<code>esafak</code> (:issue:<code>2972</code>)</li>
<li>Fix backwards incompatible changes to <code>PythonInfo</code> - by
:user:<code>gaborbernat</code>. (:issue:<code>2975</code>)</li>
</ul>
<h2>v20.35.0 (2025-10-08)</h2>
<p>Features - 20.35.0</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/virtualenv/commit/d0ad11d1146e81ea74d2461be9653f1da9cf3fd1"><code>d0ad11d</code></a>
release 20.36.1</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc"><code>dec4cec</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/virtualenv/issues/3013">#3013</a>
from gaborbernat/fix-sec</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/5fe5d38beb1273b489591a7b444f1018af2edf0a"><code>5fe5d38</code></a>
release 20.36.0 (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3011">#3011</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/9719376addaa710b61d9ed013774fa26f6224b4e"><code>9719376</code></a>
release 20.36.0</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/0276db6fcf8849c519d75465f659b12aefb2acd8"><code>0276db6</code></a>
Add support for PEP 440 version specifiers in the <code>--python</code>
flag. (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3008">#3008</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/4f900c29044e17812981b5b98ddce45604858b7f"><code>4f900c2</code></a>
Fix Interpreter discovery bug wrt. Microsoft Store shortcut using
Latin-1 (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3">#3</a>...</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/13afcc62a3444d0386c8031d0a62277a8274ab07"><code>13afcc6</code></a>
fix: resolve EncodingWarning in tox upgrade environment (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3007">#3007</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/31b5d31581df3e3a7bbc55e52568b26dd01b0d57"><code>31b5d31</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/pypa/virtualenv/issues/2997">#2997</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/7c284221b4751388801355fc6ebaa2abe60427bd"><code>7c28422</code></a>
fix: update filelock dependency version to 3.20.1 to fix CVE
CVE-2025-68146 (...</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/365628c544cd5498fbf0a3b6c6a8c1f41d25a749"><code>365628c</code></a>
test_too_many_open_files: assert on <code>errno.EMFILE</code> instead of
<code>strerror</code> (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3001">#3001</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/virtualenv/compare/20.34.0...20.36.1">compare
view</a></li>
</ul>
</details>
<br />
Updates `werkzeug` from 3.1.3 to 3.1.5
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pallets/werkzeug/releases">werkzeug's
releases</a>.</em></p>
<blockquote>
<h2>3.1.5</h2>
<p>This is the Werkzeug 3.1.5 security fix release, which fixes security
issues and bugs but does not otherwise change behavior and should not
result in breaking changes compared to the latest feature release.</p>
<p>PyPI: <a
href="https://pypi.org/project/Werkzeug/3.1.5/">https://pypi.org/project/Werkzeug/3.1.5/</a>
Changes: <a
href="https://werkzeug.palletsprojects.com/page/changes/#version-3-1-5">https://werkzeug.palletsprojects.com/page/changes/#version-3-1-5</a>
Milestone: <a
href="https://github.com/pallets/werkzeug/milestone/43?closed=1">https://github.com/pallets/werkzeug/milestone/43?closed=1</a></p>
<ul>
<li><code>safe_join</code> on Windows does not allow more special device
names, regardless of extension or surrounding spaces. <a
href="https://github.com/pallets/werkzeug/security/advisories/GHSA-87hc-h4r5-73f7">GHSA-87hc-h4r5-73f7</a></li>
<li>The multipart form parser handles a <code>\r\n</code> sequence at a
chunk boundary. This fixes the previous attempt, which caused incorrect
content lengths. <a
href="https://redirect.github.com/pallets/werkzeug/issues/3065">#3065</a>
<a
href="https://redirect.github.com/pallets/werkzeug/issues/3077">#3077</a></li>
<li>Fix <code>AttributeError</code> when initializing
<code>DebuggedApplication</code> with <code>pin_security=False</code>.
<a
href="https://redirect.github.com/pallets/werkzeug/issues/3075">#3075</a></li>
</ul>
<h2>3.1.4</h2>
<p>This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not
otherwise change behavior and should not result in breaking changes
compared to the latest feature release.</p>
<p>PyPI: <a
href="https://pypi.org/project/Werkzeug/3.1.4/">https://pypi.org/project/Werkzeug/3.1.4/</a>
Changes: <a
href="https://werkzeug.palletsprojects.com/page/changes/#version-3-1-4">https://werkzeug.palletsprojects.com/page/changes/#version-3-1-4</a>
Milestone: <a
href="https://github.com/pallets/werkzeug/milestone/42?closed=1">https://github.com/pallets/werkzeug/milestone/42?closed=1</a></p>
<ul>
<li><code>safe_join</code> on Windows does not allow special device
names. This prevents reading from these when using
<code>send_from_directory</code>. <code>secure_filename</code> already
prevented writing to these. <a
href="https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2">ghsa-hgf8-39gv-g3f2</a></li>
<li>The debugger pin fails after 10 attempts instead of 11. <a
href="https://redirect.github.com/pallets/werkzeug/issues/3020">#3020</a></li>
<li>The multipart form parser handles a <code>\r\n</code> sequence at a
chunk boundary. <a
href="https://redirect.github.com/pallets/werkzeug/issues/3065">#3065</a></li>
<li>Improve CPU usage during Watchdog reloader. <a
href="https://redirect.github.com/pallets/werkzeug/issues/3054">#3054</a></li>
<li><code>Request.json</code> annotation is more accurate. <a
href="https://redirect.github.com/pallets/werkzeug/issues/3067">#3067</a></li>
<li>Traceback rendering handles when the line number is beyond the
available source lines. <a
href="https://redirect.github.com/pallets/werkzeug/issues/3044">#3044</a></li>
<li><code>HTTPException.get_response</code> annotation and doc better
conveys the distinction between WSGI and sans-IO responses. <a
href="https://redirect.github.com/pallets/werkzeug/issues/3056">#3056</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pallets/werkzeug/blob/main/CHANGES.rst">werkzeug's
changelog</a>.</em></p>
<blockquote>
<h2>Version 3.1.5</h2>
<p>Released 2026-01-08</p>
<ul>
<li><code>safe_join</code> on Windows does not allow more special device
names, regardless
of extension or surrounding spaces.
:ghsa:<code>87hc-h4r5-73f7</code></li>
<li>The multipart form parser handles a <code>\r\n</code> sequence at a
chunk boundary.
This fixes the previous attempt, which caused incorrect content lengths.
:issue:<code>3065</code> :issue:<code>3077</code></li>
<li>Fix <code>AttributeError</code> when initializing
<code>DebuggedApplication</code> with
<code>pin_security=False</code>. :issue:<code>3075</code></li>
</ul>
<h2>Version 3.1.4</h2>
<p>Released 2025-11-28</p>
<ul>
<li><code>safe_join</code> on Windows does not allow special device
names. This prevents
reading from these when using <code>send_from_directory</code>.
<code>secure_filename</code>
already prevented writing to these.
:ghsa:<code>hgf8-39gv-g3f2</code></li>
<li>The debugger pin fails after 10 attempts instead of 11.
:pr:<code>3020</code></li>
<li>The multipart form parser handles a <code>\r\n</code> sequence at a
chunk boundary.
:issue:<code>3065</code></li>
<li>Improve CPU usage during Watchdog reloader.
:issue:<code>3054</code></li>
<li><code>Request.json</code> annotation is more accurate.
:issue:<code>3067</code></li>
<li>Traceback rendering handles when the line number is beyond the
available
source lines. :issue:<code>3044</code></li>
<li><code>HTTPException.get_response</code> annotation and doc better
conveys the
distinction between WSGI and sans-IO responses.
:issue:<code>3056</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pallets/werkzeug/commit/e3d06f4b1f7ff40a63eba78f81d9cda18f805d6d"><code>e3d06f4</code></a>
release version 3.1.5</li>
<li><a
href="https://github.com/pallets/werkzeug/commit/7ae1d254e04a0c33e241ac1cca4783ce6c875ca3"><code>7ae1d25</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/pallets/werkzeug/commit/37797aba260022c871718e0908b472727d366d09"><code>37797ab</code></a>
<code>safe_join</code> prevents windows special device names with
compound extensions</li>
<li><a
href="https://github.com/pallets/werkzeug/commit/3db44c79caa74c00848ceefb0bd3d608e3d09cea"><code>3db44c7</code></a>
fix duplicate reference</li>
<li><a
href="https://github.com/pallets/werkzeug/commit/a40f8fa05ff1108ba1096e7cd359d0599f5cd386"><code>a40f8fa</code></a>
fix class name typo</li>
<li><a
href="https://github.com/pallets/werkzeug/commit/0f76c353b10afc2f8129aa3684ccc3262516a0c0"><code>0f76c35</code></a>
Correct parsing up to a potential partial boundary (<a
href="https://redirect.github.com/pallets/werkzeug/issues/3081">#3081</a>)</li>
<li><a
href="https://github.com/pallets/werkzeug/commit/1049dd6b2a363e1ef302b4161c340fb8582f627a"><code>1049dd6</code></a>
Correct parsing up to a potential partial boundary</li>
<li><a
href="https://github.com/pallets/werkzeug/commit/b48878cf16dfca3c89ac58aca47ab1ecfcb71354"><code>b48878c</code></a>
initialize <code>_pin</code> in debugger (<a
href="https://redirect.github.com/pallets/werkzeug/issues/3078">#3078</a>)</li>
<li><a
href="https://github.com/pallets/werkzeug/commit/fa0f4f2710b8eaffef7f2b3fbc58fc3ca55247fb"><code>fa0f4f2</code></a>
initialize _pin</li>
<li><a
href="https://github.com/pallets/werkzeug/commit/f637275bfa68ebd80bec1da9173211ce2dc4fa33"><code>f637275</code></a>
start version 3.1.5</li>
<li>Additional commits viewable in <a
href="https://github.com/pallets/werkzeug/compare/3.1.3...3.1.5">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/erickisos/simple-serverless-project/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>1 parent c47753b commit 8f189e3
1 file changed
Lines changed: 12 additions & 12 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
0 commit comments