chore(deps): bump the python-packages group across 1 directory with 10 updates

[dependabot]

Bumps the python-packages group with 10 updates in the / directory:

Package	From	To
attrs	25.4.0	26.1.0
django	5.2.10	5.2.12
djangorestframework	3.16.1	3.17.0
dependency-injector	4.48.3	4.49.0
gunicorn	23.0.0	25.1.0
django-stubs	5.2.9	6.0.1
pytest-django	4.11.1	4.12.0
pytest-cov	7.0.0	7.1.0
asgiref	3.11.0	3.11.1
django-environ	0.12.0	0.13.0

Updates attrs from 25.4.0 to 26.1.0

Commits

• See full diff in compare view

Updates django from 5.2.10 to 5.2.12

Commits

• 4f382ca [5.2.x] Bumped version for 5.2.12 release.
• b07ed2a [5.2.x] Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions o...
• 4d3c184 [5.2.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection.
• 94e7f17 [5.2.x] Refs #36944 -- Added missing versionchanged annotation for MAX_LENGTH...
• 951fe8b [5.2.x] Pinned black == 25.12.0 for black docs checks and ensured they pass.
• 1db60ed [5.2.x] Aligned docs checks between GitHub Actions and local development.
• 703777c [5.2.x] Fixed #36944 -- Removed MAX_LENGTH_HTML and related 5M chars limit re...
• a73eed2 [5.2.x] Pinned black == 25.12.0 in GitHub actions, pre-commit and test requir...
• 490e495 [5.2.x] Bumped minimum isort version to 7.0.0.
• 2bc009b [5.2.x] Added stub release notes and release date for 5.2.12 and 4.2.29.
• Additional commits viewable in compare view

Updates djangorestframework from 3.16.1 to 3.17.0

Release notes

Sourced from djangorestframework's releases.

3.17.0

What's Changed

Breaking changes

• Drop support for Python 3.9 by @​auvipy in encode/django-rest-framework#9781
• Drop deprecated coreapi support by @​browniebroke in encode/django-rest-framework#9895

Features

• Add ability to specify output format for DurationField by @​sevdog in encode/django-rest-framework#8532
• Add missing decorators: @versioning_class(), @content_negotiation_class(), @metadata_class() for function-based views by @​qqii in encode/django-rest-framework#9719
• Add support for Python 3.14 by @​cclauss in encode/django-rest-framework#9780
• Support violation_error_code and violation_error_message from UniqueConstraint in UniqueTogetherValidator by @​s-aleshin in encode/django-rest-framework#9766
• Add support for ipaddress objects in JSONEncoder by @​corenting in encode/django-rest-framework#9087
• Add optional support to serialize BigInteger to string by @​HoodyH in encode/django-rest-framework#9775
• Add Django 6.0 support by @​MehrazRumman in encode/django-rest-framework#9819

Bug fixes

• Prevent small risk of Token overwrite by @​mahdirahimi1999 in encode/django-rest-framework#9754
• Fix UniqueTogetherValidator validation when condition references a read-only field by @​ticosax in encode/django-rest-framework#9764
• Fix validation on many to many field when default=None by @​Genarito in encode/django-rest-framework#9790
• Fix invalid SPDX license expression in __init__.py by @​TheFunctionalGuy in encode/django-rest-framework#9799
• Fix HTMLFormRenderer to ensure a valid datetime-local format by @​mgaligniana in encode/django-rest-framework#9365
• Fix mutable default arguments in OrderingFilter methods by @​killerdevildog in encode/django-rest-framework#9742
• Update TokenAdmin to respect USERNAME_FIELD of the user model by @​m000 in encode/django-rest-framework#9836
• Preserve ordering in MultipleChoiceField by @​fbozhang in encode/django-rest-framework#9735

Translations

• Update French translation by @​SebCorbin in encode/django-rest-framework#9770
• Update Brazilian Portuguese translations by @​JVPinheiroReis in encode/django-rest-framework#9828
• Fix and improve French translations by @​deronnax in encode/django-rest-framework#9896
• Add missing Russian translation by @​minorytanaka in encode/django-rest-framework#9903

Packaging

• Migrate packaging to pyproject.toml by @​deronnax in encode/django-rest-framework#9056
• Move package data rules from MANIFEST.in to pyproject.toml by @​p-r-a-v-i-n in encode/django-rest-framework#9825
• Set up release workflow with trusted publisher by @​browniebroke in encode/django-rest-framework#9852

Other changes

• Refactor token generation to use the secrets module by @​mahdirahimi1999 in encode/django-rest-framework#9760
• Add validation for decorator out-of-order with @api_view by @​kernelshard in encode/django-rest-framework#9821
• Switch to mkdocs material theme for documentation by @​browniebroke in encode/django-rest-framework#9849

New Contributors

• @​khaledsukkar2 made their first contribution in encode/django-rest-framework#9717
• @​qqii made their first contribution in encode/django-rest-framework#9719
• @​zankoAn made their first contribution in encode/django-rest-framework#9788
• @​uche-wealth made their first contribution in encode/django-rest-framework#9795
• @​s-aleshin made their first contribution in encode/django-rest-framework#9766
• @​Infamous003 made their first contribution in encode/django-rest-framework#9794
• @​Genarito made their first contribution in encode/django-rest-framework#9790
• @​TheFunctionalGuy made their first contribution in encode/django-rest-framework#9799
• @​mahdighadiriii made their first contribution in encode/django-rest-framework#9800
• @​p-r-a-v-i-n made their first contribution in encode/django-rest-framework#9801
• @​itssimon made their first contribution in encode/django-rest-framework#9718

... (truncated)

Commits

• 021ab56 Bump version and update release notes for 3.17.0 (#9921)
• 19ebad7 Bump mkdocs-material[imaging] from 9.7.4 to 9.7.5 (#9923)
• f222c55 Correct requires-python key in pyproject.toml
• 7e7de6f Remove code fences from release checklist
• c599d30 Update release process
• 866bf7c Bump mkdocs-material[imaging] from 9.7.3 to 9.7.4 (#9920)
• 7f8ad25 Drop deprecated coreapi support (#9895)
• 8bac51a Revert "Add drf-commons to third-party packages documentation (#9916)" (#9917)
• 9d7b26a Add drf-commons to third-party packages documentation (#9916)
• dff3c8d Add django-pydantic-field and drf-pydantic to third-party packages documentat...
• Additional commits viewable in compare view

Updates dependency-injector from 4.48.3 to 4.49.0

Release notes

Sourced from dependency-injector's releases.

4.49.0

What's Changed

• Python 3.14 support
• Fix Pydantic v2 deprecation warning triggering on settings class import (fixes #942)
• Fix grammar in Declarative Container documentation by @​okotdaniel in ets-labs/python-dependency-injector#916
• Add missing warn_unresolved parameter to WiringConfiguration in containers.pyi by @​jonathandannenberg in ets-labs/python-dependency-injector#951
• Add keep_cache argument to Container.wire typings by @​romantolkachyov in ets-labs/python-dependency-injector#952
• Retrofit assert type for some type-stub checks by @​leonarduschen in ets-labs/python-dependency-injector#943
• Retrofit assert type for remaining type-stub checks by @​leonarduschen in ets-labs/python-dependency-injector#953
• Add provided().call *args, **kwargs arguments #945 by @​pavalso in ets-labs/python-dependency-injector#946
• Add context local resource by @​elina-israyelyan in ets-labs/python-dependency-injector#931
• Update CI/CD to actions/checkout@v6, actions/setup-python@v6, actions/download-artifact@v8, actions/upload-artifact@v7 and pypa/cibuildwheel@v3.4.0.
• Add dependabot config for GitHub Actions

New Contributors

• @​okotdaniel made their first contribution in ets-labs/python-dependency-injector#916
• @​jonathandannenberg made their first contribution in ets-labs/python-dependency-injector#951
• @​romantolkachyov made their first contribution in ets-labs/python-dependency-injector#952
• @​pavalso made their first contribution in ets-labs/python-dependency-injector#946
• @​elina-israyelyan made their first contribution in ets-labs/python-dependency-injector#931

Full Changelog: ets-labs/python-dependency-injector@4.48.3...4.49.0

Commits

• 5f7aa1c Bump version
• 5863d99 Add .github/dependabot.yml
• 000c670 Upgrade GHA actions
• 9310840 Fix iscoroutinefunction import for older Pythons
• 05a5e7d Fix get_annotations import
• 58700d9 Use from import statements
• 0e25331 Do not build nogil wheels
• 1696986 Python 3.14 support
• 5259351 Add context local resource (#931)
• 76d5932 Add provided()<func>.call *args, **kwargs arguments (#946)
• Additional commits viewable in compare view

Updates gunicorn from 23.0.0 to 25.1.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 25.1.0

New Features

• Control Interface (gunicornc): Add interactive control interface for managing running Gunicorn instances, similar to birdc for BIRD routing daemon ([PR #3505](benoitc/gunicorn#3505))

  • Unix socket-based communication with JSON protocol
  • Interactive mode with readline support and command history
  • Commands: show all/workers/dirty/config/stats/listeners
  • Worker management: worker add/remove/kill, dirty add/remove
  • Server control: reload, reopen, shutdown
  • New settings: --control-socket, --control-socket-mode, --no-control-socket
  • New CLI tool: gunicornc for connecting to control socket
  • See Control Interface Guide for details

• Dirty Stash: Add global shared state between workers via dirty.stash ([PR #3503](benoitc/gunicorn#3503))

  • In-memory key-value store accessible by all workers
  • Supports get, set, delete, clear, keys, and has operations
  • Useful for sharing state like feature flags, rate limits, or cached data

• Dirty Binary Protocol: Implement efficient binary protocol for dirty arbiter IPC using TLV (Type-Length-Value) encoding ([PR #3500](benoitc/gunicorn#3500))

  • More efficient than JSON for binary data
  • Supports all Python types: str, bytes, int, float, bool, None, list, dict
  • Better performance for large payloads

• Dirty TTIN/TTOU Signals: Add dynamic worker scaling for dirty arbiters ([PR #3504](benoitc/gunicorn#3504))

  • Send SIGTTIN to increase dirty workers
  • Send SIGTTOU to decrease dirty workers
  • Respects minimum worker constraints from app configurations

Changes

• ASGI Worker: Promoted from beta to stable
• Dirty Arbiters: Now marked as beta feature

Documentation

• Fix Markdown formatting in /configure documentation

25.0.3

What's Changed

Bug Fixes

• Fix RuntimeError when StopIteration raised in ASGI coroutine (#3484)
• Fix passing maxsplit in re.split() as positional argument (deprecated in Python 3.13)

... (truncated)

Commits

• 2d43101 docs: merge gunicornc into 25.1.0 release
• bf4ad8d docs: update 25.1.0 release date to 2026-02-13
• 730350e Merge pull request #3505 from benoitc/feature/gunicornc-control-interface
• 63df19b fix(tests): use process groups for reliable signal handling in PyPy
• cd77bcc fix(tests): increase wait time for all server tests
• 02ea985 fix(tests): improve server test reliability on FreeBSD
• 6d81c9e fix: resolve pylint warnings
• 7486baa fix: remove unused imports
• 3e60d29 docs: add gunicornc control interface guide
• e05e40d feat(ctl): add message-based dirty worker management
• Additional commits viewable in compare view

Updates django-stubs from 5.2.9 to 6.0.1

Commits

• See full diff in compare view

Updates pytest-django from 4.11.1 to 4.12.0

Changelog

Sourced from pytest-django's changelog.

v4.12.0 (2026-02-14)

Compatibility ^^^^^^^^^^^^^

• Official Python 3.14 support.
• Dropped support for Python 3.9, minimum version is now Python 3.10.
• Official Django 6.0 support.

Improvements ^^^^^^^^^^^^

• The :ref:multiple databases <multi-db> support added in v4.3.0 is no longer considered experimental.
• Added :func:@pytest.mark.django_isolate_apps <pytest.mark.django_isolate_apps> for isolating Django's app registry in pytest tests, and a :fixture:django_isolated_apps fixture to access the isolated Apps registry instance if needed.

Commits

• a2a9495 Release 4.12.0
• 020bc23 tests: make sure access to default can also be blocked
• bcefbe8 Add support for isolating apps in tests
• 39c8dcc plugin: add a note why we reorder tests
• 1830acd pyproject.toml: require pytest 9 for self tests, switch to native toml config...
• f19da08 Fix the order of the test cases that use the live_server fixture
• 92858ee docs: add pytest 9.0+ native TOML configuration format
• 3f550d9 build(deps): bump hynek/build-and-inspect-python-package
• 1f50dd2 Drop obsolete traces of Django 5.0 in CI
• 247ec1c Fix PytestCollectionWarning for TestRunner class (#1259)
• Additional commits viewable in compare view

Updates pytest-cov from 7.0.0 to 7.1.0

Changelog

Sourced from pytest-cov's changelog.

7.1.0 (2026-03-21)

• Fixed total coverage computation to always be consistent, regardless of reporting settings. Previously some reports could produce different total counts, and consequently can make --cov-fail-under behave different depending on reporting options. See [#641](https://github.com/pytest-dev/pytest-cov/issues/641) <https://github.com/pytest-dev/pytest-cov/issues/641>_.

• Improve handling of ResourceWarning from sqlite3.

  The plugin adds warning filter for sqlite3 ResourceWarning unclosed database (since 6.2.0). It checks if there is already existing plugin for this message by comparing filter regular expression. When filter is specified on command line the message is escaped and does not match an expected message. A check for an escaped regular expression is added to handle this case.

  With this fix one can suppress ResourceWarning from sqlite3 from command line::

  pytest -W "ignore:unclosed database in <sqlite3.Connection object at:ResourceWarning" ...

• Various improvements to documentation. Contributed by Art Pelling in [#718](https://github.com/pytest-dev/pytest-cov/issues/718) <https://github.com/pytest-dev/pytest-cov/pull/718>_ and "vivodi" in [#738](https://github.com/pytest-dev/pytest-cov/issues/738) <https://github.com/pytest-dev/pytest-cov/pull/738>. Also closed [#736](https://github.com/pytest-dev/pytest-cov/issues/736) <https://github.com/pytest-dev/pytest-cov/issues/736>.

• Fixed some assertions in tests. Contributed by in Markéta Machová in [#722](https://github.com/pytest-dev/pytest-cov/issues/722) <https://github.com/pytest-dev/pytest-cov/pull/722>_.

• Removed unnecessary coverage configuration copying (meant as a backup because reporting commands had configuration side-effects before coverage 5.0).

Commits

• 66c8a52 Bump version: 7.0.0 → 7.1.0
• f707662 Make the examples use pypy 3.11.
• 6049a78 Make context test use the old ctracer (seems the new sysmon tracer behaves di...
• 8ebf20b Update changelog.
• 861d30e Remove the backup context manager - shouldn't be needed since coverage 5.0, ...
• fd4c956 Pass the precision on the nulled total (seems that there's some caching goion...
• 78c9c4e Only run the 3.9 on older deps.
• 4849a92 Punctuation.
• 197c35e Update changelog and hopefully I don't forget to publish release again :))
• 14dc1c9 Update examples to use 3.11 and make the adhoc layout example look a bit more...
• Additional commits viewable in compare view

Updates asgiref from 3.11.0 to 3.11.1

Changelog

Sourced from asgiref's changelog.

3.11.1 (2026-02-03)

• SECURITY FIX CVE-2025-14550: There was a potential DoS vector for users of the asgiref.wsgi.WsgiToAsgi adapter. Malicious requests, including an unreasonably large number of values for the same header, could lead to resource exhaustion when building the WSGI environment.

  To mitigate this, the algorithm is changed to be more efficient, and WsgiToAsgi gains a new optional duplicate_header_limit parameter, which defaults to 100. This specifies the number of times a single header may be repeated before the request is rejected as malformed.

  You may override duplicate_header_limit when configuring your application::

  application = WsgiToAsgi(wsgi_app, duplicate_header_limit=200)
  

  Set duplicate_header_limit=None if you wish to disable this check.

• Fixed a regression in 3.11.0 in sync_to_async when wrapping a callable with an attribute named context. (#537)

Commits

• d97a733 Releasing 3.11.1.
• a50968a CVE-2025-14550: Fixed duplicate header handling in WsgiToAsgi.
• 0fb85a4 Fixed sync_to_async wrapping callables with attribute named context.
• 2b28409 Updated Hypercorn homepage URL (#539)
• See full diff in compare view

Updates django-environ from 0.12.0 to 0.13.0

Release notes

Sourced from django-environ's releases.

v0.13.0

v0.13.0_ - 18-February-2026

Added +++++

• Added optional warnings when defaults are used [#582](https://github.com/joke2k/django-environ/issues/582) <https://github.com/joke2k/django-environ/pull/582>_.
• Added choices argument support for value validation in Env.str(...) [#555](https://github.com/joke2k/django-environ/issues/555) <https://github.com/joke2k/django-environ/pull/555>_.
• Added Valkey support via valkey:// and valkeys:// cache URL schemes [#554](https://github.com/joke2k/django-environ/issues/554) <https://github.com/joke2k/django-environ/pull/554>_.
• Added support for rediss:// scheme in channels URL parsing [#573](https://github.com/joke2k/django-environ/issues/573) <https://github.com/joke2k/django-environ/pull/573>_.
• Added django-prometheus database backend aliases to DB URL parsing schemes [#559](https://github.com/joke2k/django-environ/issues/559) <https://github.com/joke2k/django-environ/pull/559>_.

Changed +++++++

• Declared support for Python 3.14 [#580](https://github.com/joke2k/django-environ/issues/580) <https://github.com/joke2k/django-environ/pull/580>_.
• Declared support for Django 5.2 and Django 6.0 [#578](https://github.com/joke2k/django-environ/issues/578) <https://github.com/joke2k/django-environ/pull/578>_.

Fixed +++++

• Improved type hint coverage and related lint issues [#546](https://github.com/joke2k/django-environ/issues/546) <https://github.com/joke2k/django-environ/pull/546>_.
• Fixed typos in the FAQ page [#445](https://github.com/joke2k/django-environ/issues/445) <https://github.com/joke2k/django-environ/pull/445>_.

v0.12.1

Changelog

Fixed

• Fixed PostgreSQL cluster URL parsing with bracketed IPv6 hosts in recent Python versions, preventing failures in runtime URL parsing and related regression tests [#574](https://github.com/joke2k/django-environ/issues/574) <https://github.com/joke2k/django-environ/issues/574>_.
• Fixed debug logging in Env.get_value() to avoid evaluating lazy default objects when DEBUG logging is enabled [#571](https://github.com/joke2k/django-environ/issues/571) <https://github.com/joke2k/django-environ/issues/571>_.

Changelog

Sourced from django-environ's changelog.

v0.13.0_ - 18-February-2026

Added +++++

• Added optional warnings when defaults are used [#582](https://github.com/joke2k/django-environ/issues/582) <https://github.com/joke2k/django-environ/pull/582>_.
• Added choices argument support for value validation in Env.str(...) [#555](https://github.com/joke2k/django-environ/issues/555) <https://github.com/joke2k/django-environ/pull/555>_.
• Added Valkey support via valkey:// and valkeys:// cache URL schemes [#554](https://github.com/joke2k/django-environ/issues/554) <https://github.com/joke2k/django-environ/pull/554>_.
• Added support for rediss:// scheme in channels URL parsing [#573](https://github.com/joke2k/django-environ/issues/573) <https://github.com/joke2k/django-environ/pull/573>_.
• Added django-prometheus database backend aliases to DB URL parsing schemes [#559](https://github.com/joke2k/django-environ/issues/559) <https://github.com/joke2k/django-environ/pull/559>_.

Changed +++++++

• Declared support for Python 3.14 [#580](https://github.com/joke2k/django-environ/issues/580) <https://github.com/joke2k/django-environ/pull/581>_.
• Declared support for Django 5.2 and Django 6.0 [#578](https://github.com/joke2k/django-environ/issues/578) <https://github.com/joke2k/django-environ/pull/578>_.

Fixed +++++

• Improved type hint coverage and related lint issues [#546](https://github.com/joke2k/django-environ/issues/546) <https://github.com/joke2k/django-environ/pull/546>_.
• Fixed typos in the FAQ page [#445](https://github.com/joke2k/django-environ/issues/445) <https://github.com/joke2k/django-environ/pull/445>_.

v0.12.1_ - 13-February-2026

Fixed +++++

• Fixed PostgreSQL cluster URL parsing with bracketed IPv6 hosts in recent Python versions, preventing failures in runtime URL parsing and related regression tests [#574](https://github.com/joke2k/django-environ/issues/574) <https://github.com/joke2k/django-environ/issues/574>_.
• Fixed debug logging in Env.get_value() to avoid evaluating lazy default objects when DEBUG logging is enabled [#571](https://github.com/joke2k/django-environ/issues/571) <https://github.com/joke2k/django-environ/issues/571>_.

Commits

• 00746d0 docs: add Django 5.2 and 6.0 support to README
• d1f1159 Release 0.13.0
• d82e361 Add optional warnings when defaults are used (#582)
• a78f7c8 Fixed some typos in the FAQ page (#445)
• 24b299e Feature/add choice parameter and raise an exception if fetched value is not w...
• c441413 Add django-prometheus database backends to DB_SCHEMES (#559)
• 98a0aad Fix lint issues in environ type hints
• f4e77e4 feat(cache): add valkey and valkeys as allowed schemes (#554)
• dd4d308 Add type hints (#546)
• 3137c4f Support lower case options for Django Redis cache backend (#550)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions