chore(deps): bump the python-packages group with 3 updates

[dependabot]

Bumps the python-packages group with 3 updates: django, gunicorn and asgiref.

Updates django from 5.2.10 to 5.2.11

Commits

• 4a96a19 [5.2.x] Bumped version for 5.2.11 release.
• ab0ad8d [5.2.x] Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases...
• e863ee2 [5.2.x] Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via al...
• 3e68ccd [5.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column alia...
• 9f2ada8 [5.2.x] Fixed CVE-2026-1285 -- Mitigated potential DoS in django.utils.text.T...
• 17a1d64 [5.2.x] Fixed CVE-2026-1207 -- Prevented SQL injections in RasterField lookup...
• 1ba9006 [5.2.x] Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI req...
• 184e38a [5.2.x] Fixed CVE-2025-13473 -- Standardized timing of check_password() in mo...
• d8c551d [5.2.x] Added stub release notes and release date for 5.2.11 and 4.2.28.
• 3ea659d [5.2.x] Clarified regression nature of data loss bug in docs/releases/5.2.10....
• Additional commits viewable in compare view

Updates gunicorn from 23.0.0 to 25.0.3

Release notes

Sourced from gunicorn's releases.

25.0.3

What's Changed

Bug Fixes

• Fix RuntimeError when StopIteration raised in ASGI coroutine (#3484)
• Fix passing maxsplit in re.split() as positional argument (deprecated in Python 3.13)

Documentation

• Updated sponsorship section and homepage

Full Changelog: benoitc/gunicorn@25.0.2...25.0.3

25.0.2

What's Changed

Bug Fixes

• Fix ASGI concurrent request failures through nginx proxy
• Graceful disconnect handling for ASGI worker
• Lazy import dirty module for gevent compatibility

Other

• Increase CI timeout for signal tests on PyPy
• Remove trailing blank line in instrument/init.py

Full Changelog: benoitc/gunicorn@25.0.1...25.0.2

25.0.1

Bug Fixes

• Fix ASGI streaming responses (SSE) hanging: add chunked transfer encoding for HTTP/1.1 responses without Content-Length header. Without chunked encoding, clients wait for connection close to determine end-of-response.

Changes

• Update celery_alternative example to use FastAPI with native ASGI worker and uvloop for async task execution

Testing

• Add ASGI compliance test suite with Docker-based integration tests covering HTTP, WebSocket, streaming, lifespan, framework integration (Starlette, FastAPI), HTTP/2, and concurrency scenarios

Gunicorn 25.0.0

New Features

• Dirty Arbiters: Separate process pool for executing long-running, blocking operations (AI model loading, heavy computation) without blocking HTTP workers ([PR #3460](benoitc/gunicorn#3460))

... (truncated)

Commits

• fc85068 chore: prepare release 25.0.3
• 787602f docs: shorten README sponsor section
• a52c81f Merge pull request #3492 from benoitc/feature/improve-sponsorship
• 1afb2b7 Merge pull request #3490 from tyrossel/master
• 2ead70d docs: add Sponsor to top-level navigation
• 874e8be docs: shorten sponsor section on homepage
• 7293b21 docs: add prominent sponsorship options
• 70d571b docs: update homepage title and remove version display
• d301d53 fix: resolve RuntimeError when StopIteration raised in ASGI coroutine
• 9508df6 test: increase CI timeout for signal tests on PyPy
• Additional commits viewable in compare view

Updates asgiref from 3.11.0 to 3.11.1

Changelog

Sourced from asgiref's changelog.

3.11.1 (2026-02-03)

• SECURITY FIX CVE-2025-14550: There was a potential DoS vector for users of the asgiref.wsgi.WsgiToAsgi adapter. Malicious requests, including an unreasonably large number of values for the same header, could lead to resource exhaustion when building the WSGI environment.

  To mitigate this, the algorithm is changed to be more efficient, and WsgiToAsgi gains a new optional duplicate_header_limit parameter, which defaults to 100. This specifies the number of times a single header may be repeated before the request is rejected as malformed.

  You may override duplicate_header_limit when configuring your application::

  application = WsgiToAsgi(wsgi_app, duplicate_header_limit=200)
  

  Set duplicate_header_limit=None if you wish to disable this check.

• Fixed a regression in 3.11.0 in sync_to_async when wrapping a callable with an attribute named context. (#537)

Commits

• d97a733 Releasing 3.11.1.
• a50968a CVE-2025-14550: Fixed duplicate header handling in WsgiToAsgi.
• 0fb85a4 Fixed sync_to_async wrapping callables with attribute named context.
• 2b28409 Updated Hypercorn homepage URL (#539)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.