Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

chore(deps): bump the uv group across 23 directories with 14 updates

Open
Number: #139
Type: Pull Request
State: Open
Author: dependabot[bot] dependabot[bot]
Association: Unknown
Comments: 2
Created: March 16, 2026 at 05:25 PM UTC
(24 days ago)
Updated: April 08, 2026 at 04:51 AM UTC
(1 day ago)
Labels:
dependencies python:uv
Description:

Bumps the uv group with 1 update in the /alloydb/notebooks directory: nbconvert.
Bumps the uv group with 2 updates in the /appengine/standard/firebase/firenotes/backend directory: flask and werkzeug.
Bumps the uv group with 3 updates in the /cloud-media-livestream/keypublisher directory: flask, werkzeug and pyopenssl.
Bumps the uv group with 3 updates in the /cloud-sql/sql-server/sqlalchemy directory: flask, werkzeug and pyopenssl.
Bumps the uv group with 2 updates in the /cloud_scheduler/snippets directory: flask and werkzeug.
Bumps the uv group with 10 updates in the /composer/2022_airflow_summit directory:

Package From To
flask 2.2.5 3.1.3
werkzeug 2.2.3 3.1.6
pyopenssl 23.2.0 26.0.0
apache-airflow 2.6.3 3.2.0b1
authlib 1.2.1 1.6.9
black 23.1a1 26.3.1
cryptography 40.0.2 46.0.5
google-cloud-aiplatform 1.27.1 1.133.0
orjson 3.9.1 3.11.6
protobuf 4.23.4 5.29.6

Bumps the uv group with 6 updates in the /composer/airflow_1_samples directory:

Package From To
flask 1.1.2 3.1.3
werkzeug 0.16.1 3.1.6
pyopenssl 20.0.0 26.0.0
black 20.8b0 25.11.0
cryptography 3.2.1 46.0.5
protobuf 3.14.0 5.29.6

Bumps the uv group with 10 updates in the /composer/cicd_sample directory:

Package From To
flask 2.2.5 3.1.3
werkzeug 2.2.3 3.1.6
pyopenssl 23.2.0 26.0.0
apache-airflow 2.6.3 3.2.0b1
authlib 1.2.1 1.6.9
black 23.1a1 26.3.1
cryptography 40.0.2 46.0.5
google-cloud-aiplatform 1.27.1 1.133.0
orjson 3.9.1 3.11.6
protobuf 4.23.4 5.29.6

Bumps the uv group with 9 updates in the /composer/workflows directory:

Package From To
flask 2.2.5 3.1.3
werkzeug 2.2.3 3.1.6
pyopenssl 24.1.0 26.0.0
authlib 1.3.1 1.6.9
black 24.4.2 26.3.1
cryptography 41.0.7 46.0.5
google-cloud-aiplatform 1.53.0 1.133.0
orjson 3.10.3 3.11.6
protobuf 4.25.3 5.29.6

Bumps the uv group with 1 update in the /compute/client_library directory: black.
Bumps the uv group with 1 update in the /compute/encryption directory: cryptography.
Bumps the uv group with 3 updates in the /dataflow/flex-templates/pipeline_with_dependencies directory: google-cloud-aiplatform, orjson and protobuf.
Bumps the uv group with 3 updates in the /dataflow/gemma directory: google-cloud-aiplatform, protobuf and keras.
Bumps the uv group with 1 update in the /dataflow/gemma-flex-template directory: google-cloud-aiplatform.
Bumps the uv group with 3 updates in the /dataflow/run-inference directory: google-cloud-aiplatform, torch and transformers.
Bumps the uv group with 1 update in the /dataflow/run_template directory: flask.
Bumps the uv group with 2 updates in the /datastore/cloud-ndb directory: flask and werkzeug.
Bumps the uv group with 2 updates in the /dialogflow directory: flask and werkzeug.
Bumps the uv group with 2 updates in the /dialogflow-cx directory: flask and werkzeug.
Bumps the uv group with 1 update in the /gemma2 directory: protobuf.
Bumps the uv group with 2 updates in the /iap directory: werkzeug and cryptography.
Bumps the uv group with 1 update in the /media_cdn directory: cryptography.
Bumps the uv group with 2 updates in the /run/mcp-server directory: authlib and cryptography.

Updates nbconvert from 7.16.6 to 7.17.0

Release notes

Sourced from nbconvert's releases.

v7.17.0

7.17.0

(Full Changelog)

Enhancements made

Bugs fixed

Maintenance and upkeep improvements

Documentation improvements

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​bollwyvl (activity) | @​Carreau (activity) | @​h3pdesign (activity) | @​hackowitz-af (activity) | @​krassowski (activity) | @​mberlanda (activity) | @​mgorny (activity) | @​minrk (activity) | @​MSeal (activity) | @​QuLogic (activity) | @​salmankadaya (activity) | @​shreve (activity) | @​th3gowtham (activity)

Changelog

Sourced from nbconvert's changelog.

7.17.0

(Full Changelog)

Enhancements made

Bugs fixed

Maintenance and upkeep improvements

Documentation improvements

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​bollwyvl (activity) | @​Carreau (activity) | @​h3pdesign (activity) | @​hackowitz-af (activity) | @​krassowski (activity) | @​mberlanda (activity) | @​mgorny (activity) | @​minrk (activity) | @​MSeal (activity) | @​QuLogic (activity) | @​salmankadaya (activity) | @​shreve (activity) | @​th3gowtham (activity)

Commits
  • 21b35d8 Publish 7.17.0
  • c9ac1d1 Fix CVE-2025-53000: Secure Inkscape Windows path (registry first + block CWD)...
  • b13276d avoid cov environment on free-threaded Pythons (#2267)
  • 7c7055f [pre-commit.ci] auto fixes from pre-commit.com hooks
  • 74f3ddd Fix QtPNGExporter returning empty bytes on macOS
  • 216550b fix links
  • 39777ac try to comment fialing test
  • 7b591ca ruff-check
  • 6ec7638 parent
  • 59414b3 fix mypy
  • Additional commits viewable in compare view

Updates flask from 3.0.0 to 3.1.3

Release notes

Sourced from flask's releases.

3.1.3

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

  • The session is marked as accessed for operations that only access the keys but not the values, such as in and len. GHSA-68rp-wp8r-4726

3.1.2

This is the Flask 3.1.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.2/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-2 Milestone: https://github.com/pallets/flask/milestone/38?closed=1

  • stream_with_context does not fail inside async views. #5774
  • When using follow_redirects in the test client, the final state of session is correct. #5786
  • Relax type hint for passing bytes IO to send_file. #5776

3.1.1

This is the Flask 3.1.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.1/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-1 Milestone https://github.com/pallets/flask/milestone/36?closed=1

  • Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. GHSA-4grg-w6v8-c28g
  • Fix type hint for cli_runner.invoke. #5645
  • flask --help loads the app and plugins first to make sure all commands are shown. #5673
  • Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. #5659

3.1.0

This is the Flask 3.1.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI: https://pypi.org/project/Flask/3.1.0/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-0 Milestone: https://github.com/pallets/flask/milestone/33?closed=1

  • Drop support for Python 3.8. #5623
  • Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. #5624, #5633
  • Provide a configuration option to control automatic option responses. #5496
  • Flask.open_resource/open_instance_resource and Blueprint.open_resource take an encoding parameter to use when opening in text mode. It defaults to utf-8. #5504
  • Request.max_content_length can be customized per-request instead of only through the MAX_CONTENT_LENGTH config. Added MAX_FORM_MEMORY_SIZE and MAX_FORM_PARTS config. Added documentation about resource limits to the security page. #5625
  • Add support for the Partitioned cookie attribute (CHIPS), with the SESSION_COOKIE_PARTITIONED config. #5472
  • -e path takes precedence over default .env and .flaskenv files. load_dotenv loads default files in addition to a path unless load_defaults=False is passed. #5628
  • Support key rotation with the SECRET_KEY_FALLBACKS config, a list of old secret keys that can still be used for unsigning. Extensions will need to add support. #5621
  • Fix how setting host_matching=True or subdomain_matching=False interacts with SERVER_NAME. Setting SERVER_NAME no longer restricts requests to only that domain. #5553
  • Request.trusted_hosts is checked during routing, and can be set through the TRUSTED_HOSTS config. #5636

3.0.3

... (truncated)

Changelog

Sourced from flask's changelog.

Version 3.1.3

Released 2026-02-18

  • The session is marked as accessed for operations that only access the keys but not the values, such as in and len. :ghsa:68rp-wp8r-4726

Version 3.1.2

Released 2025-08-19

  • stream_with_context does not fail inside async views. :issue:5774
  • When using follow_redirects in the test client, the final state of session is correct. :issue:5786
  • Relax type hint for passing bytes IO to send_file. :issue:5776

Version 3.1.1

Released 2025-05-13

  • Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28g
  • Fix type hint for cli_runner.invoke. :issue:5645
  • flask --help loads the app and plugins first to make sure all commands are shown. :issue:5673
  • Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. :pr:5659

Version 3.1.0

Released 2024-11-13

  • Drop support for Python 3.8. :pr:5623
  • Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. :pr:5624,5633
  • Provide a configuration option to control automatic option responses. :pr:5496
  • Flask.open_resource/open_instance_resource and Blueprint.open_resource take an encoding parameter to use when opening in text mode. It defaults to utf-8. :issue:5504
  • Request.max_content_length can be customized per-request instead of only through the MAX_CONTENT_LENGTH config. Added

... (truncated)

Commits
  • 22d9247 release version 3.1.3
  • 089cb86 Merge commit from fork
  • c17f379 request context tracks session access
  • 27be933 start version 3.1.3
  • 4e652d3 Abort if the instance folder cannot be created (#5903)
  • 3d03098 Abort if the instance folder cannot be created
  • 407eb76 document using gevent for async (#5900)
  • ac5664d document using gevent for async
  • 4f79d5b Increase required flit_core version to 3.11 (#5865)
  • fe3b215 Increase required flit_core version to 3.11
  • Additional commits viewable in compare view

Updates werkzeug from 3.0.3 to 3.1.6

Release notes

Sourced from werkzeug's releases.

3.1.6

This is the Werkzeug 3.1.6 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.6/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-6

  • safe_join on Windows does not allow special devices names in multi-segment paths. GHSA-29vq-49wr-vm6x

3.1.5

This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.5/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-5 Milestone: https://github.com/pallets/werkzeug/milestone/43?closed=1

  • safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. GHSA-87hc-h4r5-73f7
  • The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. #3065 #3077
  • Fix AttributeError when initializing DebuggedApplication with pin_security=False. #3075

3.1.4

This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.4/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-4 Milestone: https://github.com/pallets/werkzeug/milestone/42?closed=1

  • safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. ghsa-hgf8-39gv-g3f2
  • The debugger pin fails after 10 attempts instead of 11. #3020
  • The multipart form parser handles a \r\n sequence at a chunk boundary. #3065
  • Improve CPU usage during Watchdog reloader. #3054
  • Request.json annotation is more accurate. #3067
  • Traceback rendering handles when the line number is beyond the available source lines. #3044
  • HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. #3056

3.1.3

This is the Werkzeug 3.1.3 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes vs 3.1.0.

PyPI: https://pypi.org/project/Werkzeug/3.1.3/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-1-3 Milestone: https://github.com/pallets/werkzeug/milestone/41?closed=1

  • Initial data passed to MultiDict and similar interfaces only accepts list, tuple, or set when passing multiple values. It had been changed to accept any Collection, but this matched types that should be treated as single values, such as bytes. #2994
  • When the Host header is not set and Request.host falls back to the WSGI SERVER_NAME value, if that value is an IPv6 address it is wrapped in [] to match the Host header. #2993

3.1.2

This is the Werkzeug 3.1.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes vs 3.1.0.

PyPI: https://pypi.org/project/Werkzeug/3.1.2/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-1-2

... (truncated)

Changelog

Sourced from werkzeug's changelog.

Version 3.1.6

Released 2026-02-19

  • safe_join on Windows does not allow special devices names in multi-segment paths. :ghsa:29vq-49wr-vm6x
  • Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. :issue:3108

Version 3.1.5

Released 2026-01-08

  • safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. :ghsa:87hc-h4r5-73f7
  • The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. :issue:3065 :issue:3077
  • Fix AttributeError when initializing DebuggedApplication with pin_security=False. :issue:3075

Version 3.1.4

Released 2025-11-28

  • safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. :ghsa:hgf8-39gv-g3f2
  • The debugger pin fails after 10 attempts instead of 11. :pr:3020
  • The multipart form parser handles a \r\n sequence at a chunk boundary. :issue:3065
  • Improve CPU usage during Watchdog reloader. :issue:3054
  • Request.json annotation is more accurate. :issue:3067
  • Traceback rendering handles when the line number is beyond the available source lines. :issue:3044
  • HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. :issue:3056

Version 3.1.3

Released 2024-11-08

  • Initial data passed to MultiDict and similar interfaces only accepts

... (truncated)

Commits

Updates flask from 3.0.0 to 3.1.3

Release notes

Sourced from flask's releases.

3.1.3

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

  • The session is marked as accessed for operations that only access the keys but not the values, such as in and len. GHSA-68rp-wp8r-4726

3.1.2

This is the Flask 3.1.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.2/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-2 Milestone: https://github.com/pallets/flask/milestone/38?closed=1

  • stream_with_context does not fail inside async views. #5774
  • When using follow_redirects in the test client, the final state of session is correct. #5786
  • Relax type hint for passing bytes IO to send_file. #5776

3.1.1

This is the Flask 3.1.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.1/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-1 Milestone https://github.com/pallets/flask/milestone/36?closed=1

  • Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. GHSA-4grg-w6v8-c28g
  • Fix type hint for cli_runner.invoke. #5645
  • flask --help loads the app and plugins first to make sure all commands are shown. #5673
  • Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. #5659

3.1.0

This is the Flask 3.1.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI: https://pypi.org/project/Flask/3.1.0/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-0 Milestone: https://github.com/pallets/flask/milestone/33?closed=1

  • Drop support for Python 3.8. #5623
  • Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. #5624, #5633
  • Provide a configuration option to control automatic option responses. #5496
  • Flask.open_resource/open_instance_resource and Blueprint.open_resource take an encoding parameter to use when opening in text mode. It defaults to utf-8. #5504
  • Request.max_content_length can be customized per-request instead of only through the MAX_CONTENT_LENGTH config. Added MAX_FORM_MEMORY_SIZE and MAX_FORM_PARTS config. Added documentation about resource limits to the security page. #5625
  • Add support for the Partitioned cookie attribute (CHIPS), with the SESSION_COOKIE_PARTITIONED config. #5472
  • -e path takes precedence over default .env and .flaskenv files. load_dotenv loads default files in addition to a path unless load_defaults=False is passed. #5628
  • Support key rotation with the SECRET_KEY_FALLBACKS config, a list of old secret keys that can still be used for unsigning. Extensions will need to add support. #5621
  • Fix how setting host_matching=True or subdomain_matching=False interacts with SERVER_NAME. Setting SERVER_NAME no longer restricts requests to only that domain. #5553
  • Request.trusted_hosts is checked during routing, and can be set through the TRUSTED_HOSTS config. #5636

3.0.3

... (truncated)

Changelog

Sourced from flask's changelog.

Version 3.1.3

Released 2026-02-18

  • The session is marked as accessed for operations that only access the keys but not the values, such as in and len. :ghsa:68rp-wp8r-4726

Version 3.1.2

Released 2025-08-19

  • stream_with_context does not fail inside async views. :issue:5774
  • When using follow_redirects in the test client, the final state of session is correct. :issue:5786
  • Relax type hint for passing bytes IO to send_file. :issue:5776

Version 3.1.1

Released 2025-05-13

  • Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28g
  • Fix type hint for cli_runner.invoke. :issue:5645
  • flask --help loads the app and plugins first to make sure all commands are shown. :issue:5673
  • Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. :pr:5659

Version 3.1.0

Released 2024-11-13

  • Drop support for Python 3.8. :pr:5623
  • Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. :pr:5624,5633
  • Provide a configuration option to control automatic option responses. :pr:5496
  • Flask.open_resource/open_instance_resource and Blueprint.open_resource take an encoding parameter to use when opening in text mode. It defaults to utf-8. :issue:5504
  • Request.max_content_length can be customized per-request instead of only through the MAX_CONTENT_LENGTH config. Added

... (truncated)

Commits
  • 22d9247 release version 3.1.3
  • 089cb86 Merge commit from fork
  • c17f379 request context tracks session access
  • 27be933 start version 3.1.3
  • 4e652d3 Abort if the instance folder cannot be created (#5903)
  • 3d03098 Abort if the instance folder cannot be created
  • 407eb76 document using gevent for async (#5900)
  • ac5664d document using gevent for async
  • 4f79d5b Increase required flit_core version to 3.11 (#5865)
  • fe3b215 Increase required flit_core version to 3.11
  • Additional commits viewable in compare view

Updates werkzeug from 3.0.3 to 3.1.6

Release notes

Sourced from werkzeug's releases.

3.1.6

This is the Werkzeug 3.1.6 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.6/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-6

  • safe_join on Windows does not allow special devices names in multi-segment paths. GHSA-29vq-49wr-vm6x

3.1.5

This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.5/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-5 Milestone: https://github.com/pallets/werkzeug/milestone/43?closed=1

  • safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. GHSA-87hc-h4r5-73f7
  • The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. #3065 #3077
  • Fix AttributeError when initializing DebuggedApplication with pin_security=False. #3075

3.1.4

This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.4/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-4 Milestone: https://github.com/pallets/werkzeug/milestone/42?closed=1

  • safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. ghsa-hgf8-39gv-g3f2
  • The debugger pin fails after 10 attempts instead of 11. #3020
  • The multipart form parser handles a \r\n sequence at a chunk boundary. #3065
  • Improve CPU usage during Watchdog reloader. #3054
  • Request.json annotation is more accurate. #3067
  • Traceback rendering handles when the line number is beyond the available source lines. #3044
  • HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. #3056

3.1.3

This is the Werkzeug 3.1.3 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes vs 3.1.0.

PyPI: https://pypi.org/project/Werkzeug/3.1.3/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-1-3 Milestone: https://github.com/pallets/werkzeug/milestone/41?closed=1

  • Initial data passed to MultiDict and similar interfaces only accepts list, tuple, or set when passing multiple values. It had been changed to accept any Collection, but this matched types that should be treated as single values, such as bytes. #2994
  • When the Host header is not set and Request.host falls back to the WSGI SERVER_NAME value, if that value is an IPv6 address it is wrapped in [] to match the Host header. #2993

3.1.2

This is the Werkzeug 3.1.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes vs 3.1.0.

PyPI: https://pypi.org/project/Werkzeug/3.1.2/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-1-2

... (truncated)

Changelog

Sourced from werkzeug's changelog.

Version 3.1.6

Released 2026-02-19

  • safe_join on Windows does not allow special devices names in multi-segment paths. :ghsa:29vq-49wr-vm6x
  • Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. :issue:3108

Version 3.1.5

Released 2026-01-08

  • safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. :ghsa:87hc-h4r5-73f7
  • The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. :issue:3065 :issue:3077
  • Fix AttributeError when initializing DebuggedApplication with pin_security=False. :issue:3075

Version 3.1.4

Released 2025-11-28

  • safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. :ghsa:hgf8-39gv-g3f2
  • The debugger pin fails after 10 attempts instead of 11. :pr:3020
  • The multipart form parser handles a \r\n sequence at a chunk boundary. :issue:3065
  • Improve CPU usage during Watchdog reloader. :issue:3054
  • Request.json annotation is more accurate. :issue:3067
  • Traceback rendering handles when the line number is beyond the available source lines. :issue:3044
  • HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. :issue:3056

Version 3.1.3

Released 2024-11-08

  • Initial data passed to MultiDict and similar interfaces only accepts

... (truncated)

Commits
  • 04da1b5 release version 3.1.6
  • f407712 Merge commit from fork
  • f54fe98 safe_join prevents Windows special device names in multi-segment paths
  • d005985 start version 3.1.6
  • 8565c2c document rule priority (#3102)
  • 3febc7e document rule priority
  • 2525b82 remove state mac...

    Description has been truncated

Package Dependencies
Package:
werkzeug
Ecosystem:
pip
Version Change:
2.2.3 → 3.1.6
Update Type:
Major
Package:
protobuf
Ecosystem:
pip
Version Change:
4.23.4 → 5.29.6
Update Type:
Major
Package:
google-cloud-aiplatform
Ecosystem:
pip
Version Change:
1.27.1 → 1.133.0
Update Type:
Minor
Package:
black
Ecosystem:
pip
Version Change:
23.1a1 → 26.3.1
Package:
flask
Ecosystem:
pip
Version Change:
2.2.5 → 3.1.3
Update Type:
Major
Package:
cryptography
Ecosystem:
pip
Version Change:
40.0.2 → 46.0.5
Update Type:
Major
Package:
pyopenssl
Ecosystem:
pip
Version Change:
23.2.0 → 26.0.0
Update Type:
Major
Package:
authlib
Ecosystem:
pip
Version Change:
1.2.1 → 1.6.9
Update Type:
Minor
Package:
orjson
Ecosystem:
pip
Version Change:
3.9.1 → 3.11.6
Update Type:
Minor
Package:
apache-airflow
Ecosystem:
pip
Version Change:
2.6.3 → 3.2.0b1
Update Type:
Major
Security Advisories
Flask uses fallback key instead of current signing key
GHSA-4grg-w6v8-c28g CVE-2025-47278 LOW
In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangero...
Werkzeug safe_join() allows Windows special device names
GHSA-hgf8-39gv-g3f2 CVE-2025-66221 MODERATE
Werkzeug's `safe_join` function allows path segments with Windows device names. On Windows, there are special device names such as `CON`, `AUX`, etc that are implicitly present and readable in ever...
nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows
GHSA-xm59-rqc7-hhvf CVE-2025-53000 HIGH
### Summary On Windows, converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can create a `inkscape.bat` file that defines a [Wi...
Werkzeug safe_join() allows Windows special device names with compound extensions
GHSA-87hc-h4r5-73f7 CVE-2026-21860 MODERATE
Werkzeug's `safe_join` function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as `CON`, `AUX`, etc tha...
Flask session does not add `Vary: Cookie` header when accessed in some ways
GHSA-68rp-wp8r-4726 CVE-2026-27205 LOW
When the `session` object is accessed, Flask should set the `Vary: Cookie` header. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This ...
Werkzeug safe_join() allows Windows special device names
GHSA-29vq-49wr-vm6x CVE-2026-27199 MODERATE
Werkzeug's `safe_join` function allows Windows device names as filenames if when preceded by other path segments. This was previously reported as https://github.com/pallets/werkzeug/security/advis...
Actions
View on GitHub View Repository All Dependabot PRs
Technical Details
ID: 15125129
UUID: 4083799073
Node ID: PR_kwDOOK9uiM7K_VkM
Host: GitHub
Repository: Reality2byte/python-docs-samples