Update all dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
Authlib	==1.1.0 -> ==1.4.1					install	minor
Hypercorn	==0.14.3 -> ==0.17.3					install	minor
Jinja2 (changelog)	==3.1.2 -> ==3.1.5					install	patch
Markdown (changelog)	==3.4.1 -> ==3.7					install	minor
SQLAlchemy (changelog)	==1.4.43 -> ==2.0.38					install	major
Werkzeug (changelog)	==2.2.2 -> ==3.1.3					install	major
actions/checkout	v3 -> v4					action	major
aiofiles (changelog)	==22.1.0 -> ==24.1.0					install	major
aiohttp	==3.8.3 -> ==3.11.12					install	minor
alembic (source, changelog)	==1.8.1 -> ==1.14.1					install	minor
asgiref (changelog)	==3.5.2 -> ==3.8.1					install	minor
autoflake	==1.7.7 -> ==2.3.1					install	major
bcrypt	==4.0.1 -> ==4.2.1					install	minor
beautifulsoup4 (changelog)	==4.11.1 -> ==4.13.3					install	minor
black (changelog)	==22.10.0 -> ==25.1.0					install	major
bleach	==5.0.1 -> ==6.2.0					install	major
coverage	==6.5.0 -> ==7.6.10					install	major
email-validator	==1.3.0 -> ==2.2.0					install	major
fakeredis	==1.10.0 -> ==2.26.2					install	major
fastapi (changelog)	==0.86.0 -> ==0.115.8					install	minor
feedgen	==0.9.0 -> ==1.0.0					install	major
filelock	==3.8.0 -> ==3.17.0					install	minor
flake8 (changelog)	==5.0.4 -> ==7.1.1					install	major
gunicorn (changelog)	==20.1.0 -> ==23.0.0					install	major
highlight.js (source)	11.5.0 -> 11.11.1						minor
httpx (changelog)	==0.23.0 -> ==0.28.1					install	minor
isort (changelog)	==5.10.1 -> ==6.0.0					install	major
itsdangerous (changelog)	==2.1.2 -> ==2.2.0					install	minor
lxml (source, changelog)	==4.9.1 -> ==5.3.0					install	major
makedeb-srcinfo	==0.5.2 -> ==0.8.1					install	minor
mysqlclient	==2.1.1 -> ==2.2.7					install	minor
orjson (changelog)	==3.8.1 -> ==3.10.15					install	minor
paginate	==0.5.6 -> ==0.5.7					install	patch
posix-ipc	==1.0.5 -> ==1.1.1					install	minor
prometheus-fastapi-instrumentator	==5.9.1 -> ==7.0.2					install	major
protobuf	==4.21.9 -> ==5.29.3					install	major
pygit2 (changelog)	==1.10.1 -> ==1.17.0					install	minor
pytest (changelog)	==7.2.0 -> ==8.3.4					install	major
pytest-asyncio (changelog)	==0.20.1 -> ==0.25.3					install	minor
pytest-cov (changelog)	==4.0.0 -> ==6.0.0					install	major
pytest-tap	==3.3 -> ==3.5					install	minor
pytest-xdist (changelog)	==3.0.2 -> ==3.6.1					install	minor
python-multipart (changelog)	==0.0.5 -> ==0.0.20					install	patch
redis (changelog)	==4.3.4 -> ==5.2.1					install	major
requests (source, changelog)	==2.28.1 -> ==2.32.3					install	minor
sentry-sdk (changelog)	==1.10.1 -> ==2.20.0					install	major
uvicorn (changelog)	==0.19.0 -> ==0.34.0					install	minor

---

Release Notes

lepture/authlib (Authlib)

v1.4.1: Version 1.4.1

Compare Source

• Improve garbage collection on OAuth clients. #​698
• Fix client parameters for httpx. #​694

v1.4.0

Compare Source

v1.3.2: Version 1.3.2

Compare Source

• Prevent ever-growing session size for OAuth clients.
• Revert quote client id and secret.
• unquote basic auth header for authorization server.

v1.3.1: Version 1.3.1

Compare Source

Prevent OctKey to import ssh and PEM strings.

v1.3.0: Version 1.3.0

Compare Source

Bug fixes

• Restore AuthorizationServer.create_authorization_response behavior, via #​558 by @​TurnrDev
• Include leeway in validate_iat() for JWT, via #​565 by @​dhallam
• Fix encode_client_secret_basic, via #​594 by @​Prilkop
• Use single key in JWK if JWS does not specify kid, via #​596 by @​dklimpel
• Fix error when RFC9068 JWS has no scope field, via #​598 by @​tanguilp
• Get werkzeug version using importlib, via #​591 by @​Sparrow0hawk

Breaking changes

• RFC9068 implementation, via #​586 by @​azmeuk.

v1.2.1: Version 1.2.1

Compare Source

• Apply headers in ClientSecretJWT.sign method, via #​552
• Allow falsy but non-None grant uri params, via #​544
• Fixed authorize_redirect for Starlette v0.26.0, via #​533
• Removed has_client_secret method and documentation, via #​513
• Removed request_invalid and token_revoked remaining occurences
  and documentation. #​514
• Fixed RFC7591 grant_types and response_types default values, via #​509
• Add support for python 3.12, via #​590

v1.2.0: Version 1.2.0

Compare Source

• Not passing request.body to ResourceProtector, #​485.
• Use flask.g instead of _app_ctx_stack, #​482.
• Add headers parameter back to ClientSecretJWT, #​457.
• Always passing realm parameter in OAuth 1 clients, #​339.
• Implemented RFC7592 Dynamic Client Registration Management Protocol, #​505`
• Add default_timeout for requests OAuth2Session and AssertionSession.
• Deprecate jwk.loads and jwk.dumps

pgjones/hypercorn (Hypercorn)

v0.17.3

Compare Source

• Restore set TCP_NODELAY on TCP sockets
• Support uvloop >= 0.18 and the loop_factory argument
• Bugfix ensure ExceptionGroup lifespan failures crash the server.

v0.17.2

Compare Source

• Bugfix pass the correct quic connection to the H3 Protocol.

v0.17.1

Compare Source

• Bugfix revert set TCP_NODELAY on sockets.

v0.17.0

Compare Source

• Set TCP_NODELAY on sockets.
• Support sending trailing headers on h2/h3.
• Add support for lifespan state.
• Allow sending of the response before body data arrives.
• Bugfix properly set host header to ascii string in
  ProxyFixMiddleware.
• Bugfix encode headers using latin-1.
• Bugfix don't double-access log if the response was sent.
• Bugfix a statsd logging bug.
• Bugfix handle already-closed on StreamEnded.
• Bugfix send a 400 response if data is received before the websocket
  is accepted.
• Bugfix ensure only a single QUIC timer task per connection.
• Bugfix ensure responses are sent with empty bodies for WSGI.

v0.16.0

Compare Source

• Add a max keep alive requests configuration option, this mitigates
  the HTTP/2 rapid reset attack.
• Return subprocess exit code if non-zero.
• Add ProxyFix middleware to make it easier to run Hypercorn behind a
  proxy.
• Support restarting workers after max requests to make it easier to
  manage memory leaks in apps.
• Bugfix ensure the idle task is stopped on error.
• Bugfix revert autoreload error because reausing old sockets.
• Bugfix send the hinted error from h11 on RemoteProtocolErrors.
• Bugfix handle asyncio.CancelledError when socket is closed without
  flushing.
• Bugfix improve WSGI compliance by closing iterators, only sending
  headers on first response byte, erroring if start_response is
  not called, and switching wsgi.errors to stdout.
• Don't error on LocalProtoclErrors for ws streams to better cope with
  race conditions.

v0.15.0

Compare Source

• Improve the NoAppError to help diagnose why the app has not been
  found.
• Log cancelled requests as well as successful to aid diagnositics of
  failures.
• Use more modern asyncio apis. This will hopefully fix reported
  memory leak issues.
• Bugfix only load the application in the main process if the reloader
  is being used.
• Bugfix Autoreload error because reausing old sockets.
• Bugfix scope client usage for sock binding.
• Bugfix disable multiprocessing if number of workers is 0 to support
  systems that don't support multiprocessing.

v0.14.4

Compare Source

• Bugfix Use tomllib/tomli for .toml support replacing the
  unmaintained toml library.
• Bugfix server hanging on startup failure.
• Bugfix close websocket with 1011 on internal error (1006 is a
  client-only code).
• Bugfix support trio > 0.22 utilising exception groups (note trio <=
  0.22 is not supported).
• Bugfix except ConnectionAbortedError which can be raised on Windows
  machines.
• Bugfix ensure that closed is sent on reading end.
• Bugfix handle read_timeout exception on trio.
• Support and test against Python 3.11.
• Add explanation of PicklingErrors.
• Add config option to pass raw h11 headers.

pallets/jinja (Jinja2)

v3.1.5

Compare Source

Unreleased

• Calling sync render for an async template uses asyncio.run.
  :pr:1952
• Avoid unclosed auto_aiter warnings. :pr:1960
• Return an aclose-able AsyncGenerator from
  Template.generate_async. :pr:1960
• Avoid leaving root_render_func() unclosed in
  Template.generate_async. :pr:1960
• Avoid leaving async generators unclosed in blocks, includes and extends.
  :pr:1960

v3.1.4

Compare Source

Released 2024-05-05

• The xmlattr filter does not allow keys with / solidus, >
  greater-than sign, or = equals sign, in addition to disallowing spaces.
  Regardless of any validation done by Jinja, user input should never be used
  as keys to this filter, or must be separately validated first.
  :ghsa:h75v-3vvj-5mfj

v3.1.3

Compare Source

Released 2024-01-10

• Fix compiler error when checking if required blocks in parent templates are
  empty. :pr:1858
• xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
• Make error messages stemming from invalid nesting of {% trans %} blocks
  more helpful. :pr:1918

Python-Markdown/markdown (Markdown)

v3.7

Compare Source

Changed

Refactor abbr Extension

A new AbbrTreeprocessor has been introduced, which replaces the now deprecated
AbbrInlineProcessor. Abbreviation processing now happens after Attribute Lists,
avoiding a conflict between the two extensions (#​1460).

The AbbrPreprocessor class has been renamed to AbbrBlockprocessor, which
better reflects what it is. AbbrPreprocessor has been deprecated.

A call to Markdown.reset() now clears all previously defined abbreviations.

Abbreviations are now sorted by length before executing AbbrTreeprocessor
to ensure that multi-word abbreviations are implemented even if an abbreviation
exists for one of those component words. (#​1465)

Abbreviations without a definition are now ignored. This avoids applying
abbr tags to text without a title value.

Added an optional glossary configuration option to the abbreviations extension.
This provides a simple and efficient way to apply a dictionary of abbreviations
to every page.

Abbreviations can now be disabled by setting their definition to "" or ''.
This can be useful when using the glossary option.

Fixed

• Fixed links to source code on GitHub from the documentation (#​1453).

v3.6

Compare Source

Changed

Refactor TOC Sanitation

• All postprocessors are now run on heading content.
• Footnote references are now stripped from heading content. Fixes #​660.
• A more robust striptags is provided to convert headings to plain text.
  Unlike, the markupsafe implementation, HTML entities are not unescaped.
• The plain text name, rich html, and unescaped raw data-toc-label are
  saved to toc_tokens, allowing users to access the full rich text content of
  the headings directly from toc_tokens.
• The value of data-toc-label is sanitized separate from heading content
  before being written to name. This fixes a bug which allowed markup through
  in certain circumstances. To access the raw unsanitized data, retrieve the
  value from token['data-toc-label'] directly.
• An html.unescape call is made just prior to calling slugify so that
  slugify only operates on Unicode characters. Note that html.unescape is
  not run on name, html, or data-toc-label.
• The functions get_name and stashedHTML2text defined in the toc extension
  are both deprecated. Instead, third party extensions should use some
  combination of the new functions run_postprocessors, render_inner_html and
  striptags.

Fixed

• Include scripts/*.py in the generated source tarballs (#​1430).
• Ensure lines after heading in loose list are properly detabbed (#​1443).
• Give smarty tree processor higher priority than toc (#​1440).
• Permit carets (^) and square brackets (]) but explicitly exclude
  backslashes (\) from abbreviations (#​1444).
• In attribute lists (attr_list, fenced_code), quoted attribute values are
  now allowed to contain curly braces (}) (#​1414).

v3.5.2

Compare Source

Fixed

• Fix type annotations for convertFile - it accepts only bytes-based buffers.
  Also remove legacy checks from Python 2 (#​1400)
• Remove legacy import needed only in Python 2 (#​1403)
• Fix typo that left the attribute AdmonitionProcessor.content_indent unset
  (#​1404)
• Fix edge-case crash in InlineProcessor with AtomicString (#​1406).
• Fix edge-case crash in codehilite with an empty code tag (#​1405).
• Improve and expand type annotations in the code base (#​1401).
• Fix handling of bogus comments (#​1425).

v3.5.1

Compare Source

Fixed

• Fix a performance problem with HTML extraction where large HTML input could
  trigger quadratic line counting behavior (#​1392).
• Improve and expand type annotations in the code base (#​1394).

v3.5

Compare Source

v3.4.4

Compare Source

v3.4.3

Compare Source

v3.4.2

Compare Source

actions/checkout (actions/checkout)

v4

Compare Source

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in https://github.com/actions/checkout/pull/1924

Tinche/aiofiles (aiofiles)

v24.1.0: 24.1.0

Compare Source

• Import os.link conditionally to fix importing on android.
  #​175
• Remove spurious items from aiofiles.os.__all__ when running on Windows.
• Switch to more modern async idioms: Remove types.coroutine and make AiofilesContextManager an awaitable instead a coroutine.
• Add aiofiles.os.path.abspath and aiofiles.os.getcwd.
  #​174
• aiofiles is now tested on Python 3.13 too.
  #​184
• Dropped Python 3.7 support. If you require it, use version 23.2.1.

v23.2.1: 23.2.1

Compare Source

• Import os.statvfs conditionally to fix importing on non-UNIX systems.
  #​171 #​172
• aiofiles is now also tested on Windows.

v23.2.0: 23.2.0

Compare Source

23.2.0

• aiofiles is now tested on Python 3.12 too.
  #​166 #​168
• On Python 3.12, aiofiles.tempfile.NamedTemporaryFile now accepts a delete_on_close argument, just like the stdlib version.
• On Python 3.12, aiofiles.tempfile.NamedTemporaryFile no longer exposes a delete attribute, just like the stdlib version.
• Added aiofiles.os.statvfs and aiofiles.os.path.ismount.
  #​162
• Use PDM instead of Poetry.
  #​169

v23.1.0

Compare Source

aio-libs/aiohttp (aiohttp)

v3.11.12: 3.11.12

Compare Source

Bug fixes

• MultipartForm.decode() now follows RFC1341 7.2.1 with a CRLF after the boundary
  -- by :user:imnotjames.

  Related issues and pull requests on GitHub:
  #​10270.

• Restored the missing total_bytes attribute to EmptyStreamReader -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​10387.

Features

• Updated :py:func:~aiohttp.request to make it accept _RequestOptions kwargs.
  -- by :user:Cycloctane.

  Related issues and pull requests on GitHub:
  #​10300.

• Improved logging of HTTP protocol errors to include the remote address -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​10332.

Improved documentation

• Added aiohttp-openmetrics to list of third-party libraries -- by :user:jelmer.

  Related issues and pull requests on GitHub:
  #​10304.

Packaging updates and notes for downstreams

• Added missing files to the source distribution to fix Makefile targets.
  Added a cythonize-nodeps target to run Cython without invoking pip to install dependencies.

  Related issues and pull requests on GitHub:
  #​10366.

• Started building armv7l musllinux wheels -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​10404.

Contributor-facing changes

• The CI/CD workflow has been updated to use upload-artifact v4 and download-artifact v4 GitHub Actions -- by :user:silamon.

  Related issues and pull requests on GitHub:
  #​10281.

Miscellaneous internal changes

• Restored support for zero copy writes when using Python 3.12 versions 3.12.9 and later or Python 3.13.2+ -- by :user:bdraco.

  Zero copy writes were previously disabled due to :cve:2024-12254 which is resolved in these Python versions.

  Related issues and pull requests on GitHub:
  #​10137.

---

v3.11.11

Compare Source

====================

Bug fixes

• Updated :py:meth:~aiohttp.ClientSession.request to reuse the quote_cookie setting from ClientSession._cookie_jar when processing cookies parameter.
  -- by :user:Cycloctane.

  Related issues and pull requests on GitHub:
  :issue:10093.

• Fixed type of SSLContext for some static type checkers (e.g. pyright).

  Related issues and pull requests on GitHub:
  :issue:10099.

• Updated :meth:aiohttp.web.StreamResponse.write annotation to also allow :class:bytearray and :class:memoryview as inputs -- by :user:cdce8p.

  *Related issues and pull reque

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[hwittenborn]

Holding off on this until fakeredis supports this version of redis. See jamesls/fakeredis#329.