Bump the python-minor-patch group across 1 directory with 16 updates by dependabot[bot] · Pull Request #172 · elixir-luxembourg/dss

dependabot · 2026-04-24T08:22:15Z

Bumps the python-minor-patch group with 16 updates in the / directory:

Package	From	To
sqlalchemy	`2.0.43`	`2.0.49`
werkzeug	`3.1.3`	`3.1.8`
flask-caching	`2.3.1`	`2.4.0`
flask-wtf	`1.2.2`	`1.3.0`
authlib	`1.6.5`	`1.7.0`
sqlalchemy-utils	`0.41.2`	`0.42.1`
requests	`2.32.4`	`2.33.1`
docxtpl	`0.20.1`	`0.20.2`
celery	`5.5.3`	`5.6.3`
markupsafe	`3.0.2`	`3.0.3`
email-validator	`2.2.0`	`2.3.0`
python-dotenv	`1.1.1`	`1.2.2`
tox	`4.31.0`	`4.53.0`
coverage	`7.11.0`	`7.13.5`
pytest-cov	`7.0.0`	`7.1.0`
ruff	`0.14.1`	`0.15.12`

Updates sqlalchemy from 2.0.43 to 2.0.49

Release notes

Sourced from sqlalchemy's releases.

2.0.49

Released: April 3, 2026

orm

[orm] [bug] Fixed issue where _orm.Session.get() would bypass the identity map and emit unnecessary SQL when with_for_update=False was passed, rather than treating it equivalently to the default of None. Pull request courtesy of Joshua Swanson.

References: #13176

[orm] [bug] Fixed issue where chained _orm.joinedload() options would not be applied correctly when the final relationship in the chain is declared on a base mapper and accessed through a subclass mapper in a _orm.with_polymorphic() query. The path registry now correctly computes the natural path when a property declared on a base class is accessed through a path containing a subclass mapper, ensuring the loader option can be located during query compilation.

References: #13193

[orm] [bug] [inheritance] Fixed issue where using _orm.Load.options() to apply a chained loader option such as _orm.joinedload() or _orm.selectinload() with _orm.PropComparator.of_type() for a polymorphic relationship would not generate the necessary clauses for the polymorphic subclasses. The polymorphic loading strategy is now correctly propagated when using a call such as joinedload(A.b).options(joinedload(B.c.of_type(poly))) to match the behavior of direct chaining e.g. joinedload(A.b).joinedload(B.c.of_type(poly)).

References: #13202

[orm] [bug] [inheritance] Fixed issue where using chained loader options such as _orm.selectinload() after _orm.joinedload() with _orm.PropComparator.of_type() for a polymorphic relationship would not properly apply the chained loader option. The loader option is now correctly applied when using a call such as joinedload(A.b.of_type(poly)).selectinload(poly.SubClass.c) to eagerly load related objects.

References: #13209

typing

[typing] [bug] Fixed a typing issue where the typed members of :data:.func would return the appropriate class of the same name, however this creates an issue for

... (truncated)

Commits

See full diff in compare view

Updates werkzeug from 3.1.3 to 3.1.8

Release notes

Sourced from werkzeug's releases.

3.1.8

This is the Werkzeug 3.1.8 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.8/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-8 Milestone: https://github.com/pallets/werkzeug/milestone/45?closed=1

Request.host and get_host return the empty string if the header is missing or has invalid characters. #3142

3.1.7

This is the Werkzeug 3.1.7 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.7/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-7 Milestone: https://github.com/pallets/werkzeug/milestone/44?closed=1

parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. #3128

WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. #3127

Transfer-Encoding is parsed as a set. #3134

Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. #3113

Fix multipart form parser handling of newline at boundary. #3088

Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. #3108

merge_slashes merges any number of consecutive slashes. #3121

3.1.6

This is the Werkzeug 3.1.6 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.6/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-6

safe_join on Windows does not allow special devices names in multi-segment paths. GHSA-29vq-49wr-vm6x

3.1.5

This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.5/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-5 Milestone: https://github.com/pallets/werkzeug/milestone/43?closed=1

safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. GHSA-87hc-h4r5-73f7

The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. #3065 #3077

Fix AttributeError when initializing DebuggedApplication with pin_security=False. #3075

3.1.4

This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.4/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-4 Milestone: https://github.com/pallets/werkzeug/milestone/42?closed=1

... (truncated)

Changelog

Sourced from werkzeug's changelog.

Version 3.1.8

Released 2026-04-02

Request.host and get_host return the empty string if the header is missing or has invalid characters. :issue:3142

Version 3.1.7

Released 2026-03-23

parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. :pr:3128

WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. :issue:3127

Transfer-Encoding is parsed as a set. :pr:3134

Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. :pr:3113

Fix multipart form parser handling of newline at boundary. :issue:3088

Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. :issue:3108

merge_slashes merges any number of consecutive slashes. :issue:3121

Version 3.1.6

Released 2026-02-19

safe_join on Windows does not allow special devices names in multi-segment paths. :ghsa:29vq-49wr-vm6x

Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. :issue:3108

Version 3.1.5

Released 2026-01-08

safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. :ghsa:87hc-h4r5-73f7

The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. :issue:3065 :issue:3077

... (truncated)

Commits

c1a26b4 release version 3.1.8
7926f0b relax get_host strictness (#3148)
deab88f relax get_host strictness
65eb639 start version 3.1.8
7720b76 release version 3.1.7 (#3135)
005d93b release version 3.1.7
c328342 merge any number of slashes (#3136)
23142a3 merge any number of slashes
b913d68 always set accept-ranges header
f282943 Correct 1049dd6b2a363e1ef302b4161c340fb8582f627a
Additional commits viewable in compare view

Updates flask-caching from 2.3.1 to 2.4.0

Release notes

Sourced from flask-caching's releases.

2.4.0

https://github.com/pallets-eco/flask-caching/blob/v2.3.1/CHANGES.rst

Changelog

Sourced from flask-caching's changelog.

Version 2.4.0

2026-04-17

Modernize project setup

Update intersphinx_mapping for Sphinx 8 compatibility. :pr:599, :issue:598

Pass CACHE_OPTIONS as kwargs to redis_from_url. :pr:591

Pass sentinel_kwargs to redis client via CACHE_OPTIONS :pr:626

Fix response_hit_indication return True always. :pr:579, :pr:596, :issue:595, :issue:570

Use FORWARDREF annotation format when introspecting decorated functions so that @memoize / @cached work with TYPE_CHECKING-only annotations on Python 3.14. :issue:636

Commits

0573dc8 Update lock file
d48c83d Version 2.4.0
d9cdc84 Update changelog
001ed80 Add tests from #579
39e93b5 Fix response_hit_indication header value is true when "found" is false (#596)
f39ac54 Modernize project setup (#635)
b1cbcef Merge pull request #591 from foarsitter/redis_url_cache_options
aa4189e Merge pull request #627 from cjproud/master
7e0d46d Merge pull request #599 from musicinmybrain/sphinx8
1f6557a Merge pull request #597 from felixhummel/master
Additional commits viewable in compare view

Updates flask-wtf from 1.2.2 to 1.3.0

Release notes

Sourced from flask-wtf's releases.

v1.3.0

What's Changed

pre-commit autoupdate by @azmeuk in pallets-eco/flask-wtf#607

remove slsa provenance by @davidism in pallets-eco/flask-wtf#638

Support for Python 3.14 by @azmeuk in pallets-eco/flask-wtf#648

Try not to read uploaded files into memory by @Zverik in pallets-eco/flask-wtf#635

Migrate the project to uv by @azmeuk in pallets-eco/flask-wtf#649

ReCaptcha field testing mode documentation by @OmeirP in pallets-eco/flask-wtf#650

Allow nonce in reCaptcha by @kesara in pallets-eco/flask-wtf#312

CSRF meta tag helper by @azmeuk in pallets-eco/flask-wtf#674

widget support the kwargs to add custom html attributes by @thivolle-cazat-cedric in pallets-eco/flask-wtf#353

Respect exempts in CSRFProtect.protect() by @rauchy in pallets-eco/flask-wtf#419

Adding RECAPTCHA_ENABLE to disable recaptcha by @rnt in pallets-eco/flask-wtf#509

Improve CSRF Documentation by @israel-oye in pallets-eco/flask-wtf#584

New Contributors

@Zverik made their first contribution in pallets-eco/flask-wtf#635

@OmeirP made their first contribution in pallets-eco/flask-wtf#650

@kesara made their first contribution in pallets-eco/flask-wtf#312

@thivolle-cazat-cedric made their first contribution in pallets-eco/flask-wtf#353

@rauchy made their first contribution in pallets-eco/flask-wtf#419

@rnt made their first contribution in pallets-eco/flask-wtf#509

@israel-oye made their first contribution in pallets-eco/flask-wtf#584

Full Changelog: pallets-eco/flask-wtf@v1.2.2...v1.3.0

Changelog

Sourced from flask-wtf's changelog.

Version 1.3.0

Released 2026-04-23

Don't read the whole uploaded files to know their size. :pr:635

Stop support for Python 3.9. Start support for Python 3.14. :pr:648

Migrate the project to uv. :pr:649

Allow setting a nonce on :class:~flask_wtf.recaptcha.RecaptchaField (string or zero-argument callable) for nonce-based Content Security Policies. :pr:312

Add csrf_meta_tag() helper and WTF_CSRF_META_NAME setting to render the CSRF token as an HTML <meta> tag.

Forward keyword arguments passed to the reCAPTCHA widget as HTML attributes on the captcha <div>, with the field id used as a default id. :pr:353

Add apply_exemptions parameter to :meth:~flask_wtf.csrf.CSRFProtect.protect so @csrf.exempt keeps working when validation is triggered manually. :pr:419

Add RECAPTCHA_ENABLED setting. :pr:509

Commits

63eb4d3 chore: bump to v1.3.0
192ece3 Improve CSRF Documentation (#584)
1f8522d Adding RECAPTCHA_ENABLE to disable recaptcha (#509)
64b9215 Respect exempts in CSRFProtect.protect() (#419)
adf674f widget support the kwargs to add custom html attributes (#353)
ea1f797 feat: CSRF meta tag helper (#674)
412e3ef Allow nonce in reCaptcha (#312)
a7b764a ReCaptcha field testing mode documentation (#650)
c053c0e chore(deps-dev): bump pytest from 9.0.1 to 9.0.3 (#673)
ca2216c chore(deps): bump uv from 0.9.11 to 0.11.6 (#672)
Additional commits viewable in compare view

Updates authlib from 1.6.5 to 1.7.0

Release notes

Sourced from authlib's releases.

v1.7.0

What's Changed

Authorization and token endpoints request empty scope parameter management by @azmeuk in authlib/authlib#847

Support from Python 3.10 to 3.14 by @azmeuk in authlib/authlib#850

Allow composition of AuthorizationServerMetadata by @azmeuk in authlib/authlib#853

Make require_oauth parenthesis optional by @azmeuk in authlib/authlib#855

Fix expires_at behavior when its value is 0 by @azmeuk in authlib/authlib#854

Migration to joserfc by @lepture in authlib/authlib#852

RP-initiated logout by @frohrlich in authlib/authlib#849

Fix get_jwt_config by @lepture in authlib/authlib#858

chore(ci): Update PyPy version from 3.10 to 3.11 by @cclauss in authlib/authlib#863

fix: remove "none" from default authlib.jose.jwt algorithms by @lepture in authlib/authlib#860

fix: normalize resolve_client_public_key method by @lepture in authlib/authlib#861

Implement rfc9700 PKCE downgrade countermeasure by @azmeuk in authlib/authlib#864

Use correct syntax for tox.requires in tox.ini by @alex-ball in authlib/authlib#868

Set client session User-Agent when fetching server metadata and JWKs by @alex-ball in authlib/authlib#867

fix: use the real application object for Flask by @nblock in authlib/authlib#869

Accept the issuer URL as a valid audience by @azmeuk in authlib/authlib#865

Don't nest InvalidTokenError extra attribute by @azmeuk in authlib/authlib#872

Documentation overhaul by @azmeuk in authlib/authlib#875

Update README.md docs.authlib.org/en/latest => docs.authlib.org/en/stable by @guillett in authlib/authlib#876

Merge release/1.6 branch by @lepture in authlib/authlib#877

New Contributors

@frohrlich made their first contribution in authlib/authlib#849

@cclauss made their first contribution in authlib/authlib#863

@alex-ball made their first contribution in authlib/authlib#868

@nblock made their first contribution in authlib/authlib#869

@guillett made their first contribution in authlib/authlib#876

Full Changelog: authlib/authlib@v1.6.10...v1.7.0

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

Fix CSRF issue with starlette client

v1.6.10

Full Changelog: authlib/authlib@v1.6.9...v1.6.10

Fix redirecting to unvalidated redirect_uri on UnsupportedResponseTypeError.

v1.6.9

Full Changelog: authlib/authlib@v1.6.8...v1.6.9

Changes in jose module

Not using header's jwk automatically

Add ES256K into default jwt algorithms

Remove deprecated algorithm from default registry

Generate random cek when cek length doesn't match

... (truncated)

Commits

5d2e603 chore: release 1.7.0
767f08b fix: CSRF issue with starlette client
e9aaef3 Merge pull request #877 from authlib/merge/1.6
3c8ec9a Merge branch 'main' into merge/1.6
ef09aeb chore: release 1.6.10
3be0846 fix: redirecting to unvalidated redirect_uri on UnsupportedResponseTypeError
4cf6f97 Merge pull request #876 from guillett/patch-1
23f67b4 Update README.md docs.authlib.org/en/latest => docs.authlib.org/en/stable
1040163 chore: prek autoupdate
491209f Merge pull request #875 from azmeuk/doc
Additional commits viewable in compare view

Updates sqlalchemy-utils from 0.41.2 to 0.42.1

Release notes

Sourced from sqlalchemy-utils's releases.

0.42.1

Fix AttributeError with Sequence defaults in instant_defaults_listener by @wadinj in kvesteri/sqlalchemy-utils#793

0.42.0

Drop support for Python 3.7 and 3.8.

Drop support for sqlalchemy 1.3.

Add support for Python 3.12 and 3.13.

Add a Read the Docs configuration file.

Make documentation builds reproducible.

Test documentation builds in CI.

Fix Pendulum parsing of datetime instances with timezones. (#755)

Migrate package metadata to PEP 621 format in pyproject.toml

Migrate to ruff <https://docs.astral.sh/ruff/>_ for code linting and formatting, replacing flake8 and isort with a faster Rust-based tool.

Changelog

Sourced from sqlalchemy-utils's changelog.

0.42.1 (2025-12-12) ^^^^^^^^^^^^^^^^^^^

Fix AttributeError with Sequence defaults in instant_defaults_listener (#793)

0.42.0 (2025-08-30) ^^^^^^^^^^^^^^^^^^^

Drop support for Python 3.7 and 3.8.

Drop support for sqlalchemy 1.3.

Add support for Python 3.12 and 3.13.

Add a Read the Docs configuration file.

Make documentation builds reproducible.

Test documentation builds in CI.

Fix Pendulum parsing of datetime instances with timezones. (#755)

Migrate package metadata to PEP 621 format in pyproject.toml

Migrate to ruff <https://docs.astral.sh/ruff/>_ for code linting and formatting, replacing flake8 and isort with a faster Rust-based tool.

Commits

ed0cc46 Bump version to 0.42.1
11cf519 Bump urllib3 from 2.5.0 to 2.6.0 in /requirements/docs
881fed4 Merge pull request #797 from kvesteri/dependabot/github_actions/github-action...
81a5f82 Bump actions/checkout from 5 to 6 in the github-actions group
e8b12f8 Merge pull request #794 from kvesteri/dependabot/github_actions/github-action...
19570dc Bump actions/setup-python from 5 to 6 in the github-actions group
4a7d764 Fix AttributeError with Sequence defaults in instant_defaults_listener (#...
9645938 Fix AttributeError with Sequence defaults in instant_defaults_listener
e4b9f72 Merge pull request #792 from kvesteri/dependabot/github_actions/github-action...
755064d Bump actions/checkout from 4 to 5 in the github-actions group
Additional commits viewable in compare view

Updates requests from 2.32.4 to 2.33.1

Release notes

Sourced from requests's releases.

v2.33.1

2.33.1 (2026-03-30)

Bugfixes

Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)

Fixed Content-Type header parsing for malformed values. (#7309)

Improved error consistency for malformed header values. (#7308)

New Contributors

@ferdnyc made their first contribution in psf/requests#7277

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30

v2.33.0

2.33.0 (2026-03-25)

Announcements

📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

Various typo fixes and doc improvements.

New Contributors

@M0d3v1 made their first contribution in psf/requests#6865

@aminvakil made their first contribution in psf/requests#7220

@E8Price made their first contribution in psf/requests#6960

@mitre88 made their first contribution in psf/requests#7244

@magsen made their first contribution in psf/requests#6553

@Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

v2.32.5

2.32.5 (2025-08-18)

... (truncated)

Changelog

Sourced from requests's changelog.

2.33.1 (2026-03-30)

Bugfixes

Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)

Fixed Content-Type header parsing for malformed values. (#7309)

Improved error consistency for malformed header values. (#7308)

2.33.0 (2026-03-25)

Announcements

📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

Various typo fixes and doc improvements.

2.32.5 (2025-08-18)

Bugfixes

The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

Added support for Python 3.14.

... (truncated)

Commits

111d2b7 v2.33.1
f0198e6 Fix malformed value parsing for Content-Type (#7309)
bc7dd0f Fix cosmetic header validity parsing regex (#7308)
4443b1a Fix unintended test extra (#7306)
389eea5 Cleanup extracted file after extract_zipped_path test (#7305)
7407309 Packaging: DRY out extras definition (#7277)
bc04dfd v2.33.0
66d21cb Merge commit from fork
8b9bc8f Move badges to top of README (#7293)
e331a28 Remove unused extraction call (#7292)
Additional commits viewable in compare view

Updates docxtpl from 0.20.1 to 0.20.2

Changelog

Sourced from docxtpl's changelog.

0.20.2 (2025-11-13)

Fix fix_tables()

Move docxcompose to optional dependency (Thanks to Waket Zheng)

Commits

cf5437b Merge pull request #623 from waketzheng/fix-subdoc
fab696c Fix NameError: name Subdoc is not defined
f96b0b6 Merge pull request #617 from waketzheng/project-section
560b4b3 Use poetry-dynamic-versioning instead of pdm
e77cbf8 Fix pip install error with --editable
7a6ddbc Move docxcompose to optional dependency
d9bb19c Update setup.py
See full diff in compare view

Updates celery from 5.5.3 to 5.6.3

Release notes

Sourced from celery's releases.

v5.6.3

What's Changed

Fix Django worker recursion bug + defensive checks for pool_cls.module by @maycuatroi1 in celery/celery#10048

Docs: Update user_preload_options example to use click. by @jorsyk in celery/celery#10056

Fix invalid configuration key "bootstrap_servers" in Kafka demo by @jorsyk in celery/celery#10060

Fix broken images on PyPI page by @Timour-Ilyas in celery/celery#10066

Remove broken reference. by @sueannioanis in celery/celery#10071

Removed --dist=loadscope from smoke tests by @Nusnus in celery/celery#10073

Docs: Clarify task_retry signal args may be None by @GangEunzzang in celery/celery#10076

Update example for Django by @sbc-khacnha in celery/celery#10081

Make tests compatible with pymongo >= 4.16 by @cjwatson in celery/celery#10074

fix: source install of cassandra-driver by @Izzette in celery/celery#10105

fix: register task cross-reference role in Sphinx extension by @veeceey in celery/celery#10100

fix: avoid cycle detection in native delayed delivery by @Izzette in celery/celery#10095

fix(asynpool): avoid AttributeError when proc lacks _sentinel_poll by @mriddle in celery/celery#10086

fix dusk_astronomical horizon sign (+18 -> -18) by @Mr-Neutr0n in celery/celery#10121

Fix/10106 onupdate col use lambda func by @ChickenBenny in celery/celery#10108

Fix warm shutdown RuntimeError with eventlet>=0.37.0 (#10083) by @ChickenBenny in celery/celery#10123

Fix 10109 db backend connection health by @ChickenBenny in celery/celery#10124

Database Backend filter unsupport sql engine arguments with nullpool #7355 by @ChickenBenny in celery/celery#10134

fix(beat): correct argument order in Service.reduce by @bysiber in celery/celery#10137

ci: declare explicit read-only token permissions in workflow jobs by @Rohan5commit in celery/celery#10139

chore: 'boto3to' to 'boto3 to' by @cuiweixie in celery/celery#10133

Database Backend: Add missing index on date_done (Fixes #10097) by @ChickenBenny in celery/celery#10098

docs: fix typo in CONTRIBUTING.rst by @Rohan5commit in celery/celery#10141

Refer to Flower / Prometheus for monitoring by @WilliamDEdwards in celery/celery#10140

docs: remove duplicated words in broker and routing docs by @Rohan5commit in celery/celery#10146

docs: fix stale version reference and grammar in README by @kelsonbrito50 in celery/celery#10145

docs: fix wording in Celery 5.3 worker pool notes by @Rohan5commit in celery/celery#10149

docs: fix duplicated wording in 3.1 changelog entry by @Rohan5commit in celery/celery#10152

docs: fix changelog typo in context manager wording by @Rohan5commit in celery/celery#10144

Fix/10096 worker fails to reconnect after redis failover by @ChickenBenny in celery/celery#10151

Improve on_after_finalize signal documentation by @Br1an67 in celery/celery#10155

Add non-commutative example to clarify partial arg ordering in canvas docs by @Br1an67 in celery/celery#10157

Remove redundant test_isa_mapping test (fixes #10077) by @daniel7an in celery/celery#10103

Upgrade pytest-celery to >=1.3.0 and adopt PYTEST_CELERY_PKG build arg by @Nusnus in celery/celery#10162

Remove deprecated args from redis get_connection call by @JaeHyuckSa in celery/celery#10036

Fix #6912 rpc backend reconnection error by @ChickenBenny in celery/celery#10179

Fix NameError with TYPE_CHECKING annotations on Python 3.14+ (PEP 649) by @drichardson in celery/celery#10165

docs: Add elaboration on prefetch multiplier settings (worker_prefetch_multiplier) and worker_eta_task_limit by @tsangwailam in celery/celery#10181

Fix O(K²) message bloat in a chain of chords by @Borzik in celery/celery#10171

Fix mock connection interfaces to prevent TypeError during exception handling by @ChickenBenny in celery/celery#10178

fix(trace): dispatch chain/callbacks on dedup fast-path for redelivered tasks by @aurangzaib048 in celery/celery#10159

Extract reconnect_on_error to BaseResultConsumer by @ChickenBenny in celery/celery#10189

pep 649 by @ericbuehl in celery/celery#10187

Fix#9722 friendly status errors for CLI by @ChickenBenny in celery/celery#10190

docs: clarify after_return behavior for retried tasks by @KianAnbarestani in celery/celery#10192

Add compression header to message protocol docs by @Br1an67 in celery/celery#10156

docs: fix duplicated word in bootsteps comment by @Rohan5commit in celery/celery#10153

Remove outdated autoreloader section from extending docs by @Br1an67 in celery/celery#10154

... (truncated)

Changelog

Sourced from celery's changelog.

5.6.3

:release-date: 2026-03-26 :release-by: Tomer Nosrati

What's Changed


- Fix Django worker recursion bug + defensive checks for pool_cls.__module__ ([#10048](https://github.com/celery/celery/issues/10048))
- Docs: Update user_preload_options example to use click. ([#10056](https://github.com/celery/celery/issues/10056))
- Fix invalid configuration key "bootstrap_servers" in Kafka demo ([#10060](https://github.com/celery/celery/issues/10060))
- Fix broken images on PyPI page ([#10066](https://github.com/celery/celery/issues/10066))
- Remove broken reference. ([#10071](https://github.com/celery/celery/issues/10071))
- Removed --dist=loadscope from smoke tests ([#10073](https://github.com/celery/celery/issues/10073))
- Docs: Clarify task_retry signal args may be None ([#10076](https://github.com/celery/celery/issues/10076))
- Update example for Django ([#10081](https://github.com/celery/celery/issues/10081))
- Make tests compatible with pymongo >= 4.16 ([#10074](https://github.com/celery/celery/issues/10074))
- fix: source install of cassandra-driver ([#10105](https://github.com/celery/celery/issues/10105))
- fix: register task cross-reference role in Sphinx extension ([#10100](https://github.com/celery/celery/issues/10100))
- fix: avoid cycle detection in native delayed delivery ([#10095](https://github.com/celery/celery/issues/10095))
- fix(asynpool): avoid AttributeError when proc lacks _sentinel_poll ([#10086](https://github.com/celery/celery/issues/10086))
- fix dusk_astronomical horizon sign (+18 -> -18) ([#10121](https://github.com/celery/celery/issues/10121))
- Fix/10106 onupdate col use lambda func ([#10108](https://github.com/celery/celery/issues/10108))
- Fix warm shutdown RuntimeError with eventlet>=0.3...
Description has been truncated

Bumps the python-minor-patch group with 16 updates in the / directory: | Package | From | To | | --- | --- | --- | | [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) | `2.0.43` | `2.0.49` | | [werkzeug](https://github.com/pallets/werkzeug) | `3.1.3` | `3.1.8` | | [flask-caching](https://github.com/pallets-eco/flask-caching) | `2.3.1` | `2.4.0` | | [flask-wtf](https://github.com/pallets-eco/flask-wtf) | `1.2.2` | `1.3.0` | | [authlib](https://github.com/authlib/authlib) | `1.6.5` | `1.7.0` | | [sqlalchemy-utils](https://github.com/kvesteri/sqlalchemy-utils) | `0.41.2` | `0.42.1` | | [requests](https://github.com/psf/requests) | `2.32.4` | `2.33.1` | | [docxtpl](https://github.com/elapouya/python-docx-template) | `0.20.1` | `0.20.2` | | [celery](https://github.com/celery/celery) | `5.5.3` | `5.6.3` | | [markupsafe](https://github.com/pallets/markupsafe) | `3.0.2` | `3.0.3` | | [email-validator](https://github.com/JoshData/python-email-validator) | `2.2.0` | `2.3.0` | | [python-dotenv](https://github.com/theskumar/python-dotenv) | `1.1.1` | `1.2.2` | | [tox](https://github.com/tox-dev/tox) | `4.31.0` | `4.53.0` | | [coverage](https://github.com/coveragepy/coveragepy) | `7.11.0` | `7.13.5` | | [pytest-cov](https://github.com/pytest-dev/pytest-cov) | `7.0.0` | `7.1.0` | | [ruff](https://github.com/astral-sh/ruff) | `0.14.1` | `0.15.12` | Updates `sqlalchemy` from 2.0.43 to 2.0.49 - [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases) - [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst) - [Commits](https://github.com/sqlalchemy/sqlalchemy/commits) Updates `werkzeug` from 3.1.3 to 3.1.8 - [Release notes](https://github.com/pallets/werkzeug/releases) - [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst) - [Commits](pallets/werkzeug@3.1.3...3.1.8) Updates `flask-caching` from 2.3.1 to 2.4.0 - [Release notes](https://github.com/pallets-eco/flask-caching/releases) - [Changelog](https://github.com/pallets-eco/flask-caching/blob/master/CHANGES.rst) - [Commits](pallets-eco/flask-caching@v2.3.1...v2.4.0) Updates `flask-wtf` from 1.2.2 to 1.3.0 - [Release notes](https://github.com/pallets-eco/flask-wtf/releases) - [Changelog](https://github.com/pallets-eco/flask-wtf/blob/main/docs/changes.rst) - [Commits](pallets-eco/flask-wtf@v1.2.2...v1.3.0) Updates `authlib` from 1.6.5 to 1.7.0 - [Release notes](https://github.com/authlib/authlib/releases) - [Commits](authlib/authlib@v1.6.5...v1.7.0) Updates `sqlalchemy-utils` from 0.41.2 to 0.42.1 - [Release notes](https://github.com/kvesteri/sqlalchemy-utils/releases) - [Changelog](https://github.com/kvesteri/sqlalchemy-utils/blob/master/CHANGES.rst) - [Commits](kvesteri/sqlalchemy-utils@0.41.2...0.42.1) Updates `requests` from 2.32.4 to 2.33.1 - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.32.4...v2.33.1) Updates `docxtpl` from 0.20.1 to 0.20.2 - [Changelog](https://github.com/elapouya/python-docx-template/blob/master/CHANGES.rst) - [Commits](elapouya/python-docx-template@v0.20.1...v0.20.2) Updates `celery` from 5.5.3 to 5.6.3 - [Release notes](https://github.com/celery/celery/releases) - [Changelog](https://github.com/celery/celery/blob/v5.6.3/Changelog.rst) - [Commits](celery/celery@v5.5.3...v5.6.3) Updates `markupsafe` from 3.0.2 to 3.0.3 - [Release notes](https://github.com/pallets/markupsafe/releases) - [Changelog](https://github.com/pallets/markupsafe/blob/main/CHANGES.rst) - [Commits](pallets/markupsafe@3.0.2...3.0.3) Updates `email-validator` from 2.2.0 to 2.3.0 - [Release notes](https://github.com/JoshData/python-email-validator/releases) - [Changelog](https://github.com/JoshData/python-email-validator/blob/main/CHANGELOG.md) - [Commits](JoshData/python-email-validator@v2.2.0...v2.3.0) Updates `python-dotenv` from 1.1.1 to 1.2.2 - [Release notes](https://github.com/theskumar/python-dotenv/releases) - [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md) - [Commits](theskumar/python-dotenv@v1.1.1...v1.2.2) Updates `tox` from 4.31.0 to 4.53.0 - [Release notes](https://github.com/tox-dev/tox/releases) - [Changelog](https://github.com/tox-dev/tox/blob/main/docs/changelog.rst) - [Commits](tox-dev/tox@4.31.0...4.53.0) Updates `coverage` from 7.11.0 to 7.13.5 - [Release notes](https://github.com/coveragepy/coveragepy/releases) - [Changelog](https://github.com/coveragepy/coveragepy/blob/main/CHANGES.rst) - [Commits](coveragepy/coveragepy@7.11.0...7.13.5) Updates `pytest-cov` from 7.0.0 to 7.1.0 - [Changelog](https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst) - [Commits](pytest-dev/pytest-cov@v7.0.0...v7.1.0) Updates `ruff` from 0.14.1 to 0.15.12 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](astral-sh/ruff@0.14.1...0.15.12) --- updated-dependencies: - dependency-name: authlib dependency-version: 1.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: celery dependency-version: 5.6.3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: coverage dependency-version: 7.13.5 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: docxtpl dependency-version: 0.20.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python-minor-patch - dependency-name: email-validator dependency-version: 2.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: flask-caching dependency-version: 2.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: flask-wtf dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: markupsafe dependency-version: 3.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python-minor-patch - dependency-name: pytest-cov dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: python-dotenv dependency-version: 1.2.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: requests dependency-version: 2.33.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: ruff dependency-version: 0.15.11 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: sqlalchemy dependency-version: 2.0.49 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python-minor-patch - dependency-name: sqlalchemy-utils dependency-version: 0.42.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: tox dependency-version: 4.53.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-minor-patch - dependency-name: werkzeug dependency-version: 3.1.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-05-08T08:25:19Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Apr 24, 2026

dependabot Bot force-pushed the dependabot/uv/develop/python-minor-patch-f0bb105dba branch from 476bfa2 to 614474f Compare May 1, 2026 09:18

dependabot Bot closed this May 8, 2026

dependabot Bot deleted the dependabot/uv/develop/python-minor-patch-f0bb105dba branch May 8, 2026 08:25

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the python-minor-patch group across 1 directory with 16 updates#172

Bump the python-minor-patch group across 1 directory with 16 updates#172
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/uv/develop/python-minor-patch-f0bb105dba

dependabot Bot commented on behalf of github Apr 24, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github May 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Apr 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

2.0.49

orm

typing

3.1.8

3.1.7

3.1.6

3.1.5

3.1.4

Version 3.1.8

Version 3.1.7

Version 3.1.6

Version 3.1.5

2.4.0

Version 2.4.0

v1.3.0

What's Changed

New Contributors

Version 1.3.0

v1.7.0

What's Changed

New Contributors

v1.6.11

v1.6.10

v1.6.9

Changes in jose module

0.42.1

0.42.0

v2.33.1

2.33.1 (2026-03-30)

New Contributors

v2.33.0

2.33.0 (2026-03-25)

New Contributors

v2.32.5

2.32.5 (2025-08-18)

2.33.1 (2026-03-30)

2.33.0 (2026-03-25)

2.32.5 (2025-08-18)

0.20.2 (2025-11-13)

v5.6.3

What's Changed

5.6.3

Uh oh!

dependabot Bot commented on behalf of github May 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Apr 24, 2026 •

edited

Loading

Changes in `jose` module