Skip to content

chore(deps): bump the backend-pip-security group across 1 directory with 2 updates#477

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/apps/backend/backend-pip-security-3a49ab0428
Closed

chore(deps): bump the backend-pip-security group across 1 directory with 2 updates#477
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/apps/backend/backend-pip-security-3a49ab0428

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor

Bumps the backend-pip-security group with 2 updates in the /apps/backend directory: weasyprint and pytest.

Updates weasyprint from 68.0 to 69.0

Release notes

Sourced from weasyprint's releases.

v69.0

This is a security update (CVE-2026-49452).

We strongly recommend to upgrade WeasyPrint to the latest version if you use the --presentational-hints option and render untrusted HTML with restricted CSS properties.

Read about this release on our blog.

Security

  • Avoid CSS injection with HTML presentational hints.

Command-line API

  • The --srgb option has been replaced by --output-intent=srgb. Other values are possible: device-cmyk for CMYK documents with no ICC profile, or the CSS identifier of a @color-profile rule.

Python API

  • The output_intent string entry replaces the srgb boolean in default options.

Features

Bug fixes

  • #2697, #2691: Avoid endless loops in grids
  • #2709: Be less strict for gradient rasterization in tests
  • #2683: Fix rendering of emojis in SVG
  • #2688: Always describe font using absolute sizes
  • #2676: Fix inheritance for svg/symbol tags referenced by use tags
  • #2681: Add dc:description field to PDF/A metadata
  • #2680: Force first grid row rendering on empty pages
  • #2690: Compute units in gradients used in border background
  • #2689: Cut flex elements with fixed height and overflowing children
  • #2651, #2696: Fix tests on Debian
  • #2698, #2699: Fix alignment of right-to-left elements with auto width and set min/max-width
  • #2556: Apply presentational hints to svg tags
  • #2706: Handle infinite border radii
  • #2707, #2708, #2710: Get mimetypes from Python code instead of various third-party files
  • #2717, #2580, #2740: Fix table break retry after padding overflow
  • #2769: Add year in PDF/UA-2 metadata
  • #2768: Allow SVG lists of numbers to be split on + character
  • #2770: Add namespace to Document tag in PDF 2
  • #2771: Never try to render SVG use tags with external sources
  • #2774: Fix calc in logical

... (truncated)

Changelog

Sourced from weasyprint's changelog.

Version 69.0

Released on 2026-06-02.

This is a security update (CVE-2026-49452).

We strongly recommend to upgrade WeasyPrint to the latest version if you use the --presentational-hints option and render untrusted HTML with restricted CSS properties.

Security:

  • Avoid CSS injection with HTML presentational hints.

Command-line API:

  • The --srgb option has been replaced by --output-intent=srgb. Other values are possible: device-cmyk for CMYK documents with no ICC profile, or the CSS identifier of a @color-profile rule.

Python API:

  • The output_intent string entry replaces the srgb boolean in default options.

Features:

  • [#2357](https://github.com/Kozea/WeasyPrint/issues/2357) <https://github.com/Kozea/WeasyPrint/issues/2357>, [#2700](https://github.com/Kozea/WeasyPrint/issues/2700) <https://github.com/Kozea/WeasyPrint/pull/2700>: Support logical properties
  • [#1194](https://github.com/Kozea/WeasyPrint/issues/1194) <https://github.com/Kozea/WeasyPrint/issues/1194>, [#2702](https://github.com/Kozea/WeasyPrint/issues/2702) <https://github.com/Kozea/WeasyPrint/pull/2702>: Support viewport units
  • [#2686](https://github.com/Kozea/WeasyPrint/issues/2686) <https://github.com/Kozea/WeasyPrint/issues/2686>_: Detect redirection loops early in URL fetcher
  • [#2735](https://github.com/Kozea/WeasyPrint/issues/2735) <https://github.com/Kozea/WeasyPrint/issues/2735>, [#2737](https://github.com/Kozea/WeasyPrint/issues/2737) <https://github.com/Kozea/WeasyPrint/pull/2737>: Support SVG transform angle units
  • [#2636](https://github.com/Kozea/WeasyPrint/issues/2636) <https://github.com/Kozea/WeasyPrint/issues/2636>, [#2720](https://github.com/Kozea/WeasyPrint/issues/2720) <https://github.com/Kozea/WeasyPrint/pull/2720>, [#2773](https://github.com/Kozea/WeasyPrint/issues/2773) <https://github.com/Kozea/WeasyPrint/pull/2773>_: Use HTML parsers for presentational hints
  • [#2631](https://github.com/Kozea/WeasyPrint/issues/2631) <https://github.com/Kozea/WeasyPrint/issues/2631>, [#2778](https://github.com/Kozea/WeasyPrint/issues/2778) <https://github.com/Kozea/WeasyPrint/pull/2778>, [#2785](https://github.com/Kozea/WeasyPrint/issues/2785) <https://github.com/Kozea/WeasyPrint/issues/2785>, [#2788](https://github.com/Kozea/WeasyPrint/issues/2788) <https://github.com/Kozea/WeasyPrint/pull/2788>: Allow users to set PDF output intent

Bug fixes:

... (truncated)

Commits
  • 3287311 Version 69.0
  • 6f58a9a Add security message in Changelog
  • 2d13d3d Update test comment to indicate related issue
  • 227f5f7 Merge pull request #2791 from Kozea/improve-var
  • ff72115 Improve management of variables
  • b419c7f Merge pull request #2788 from Kozea/fix-hints
  • 1729ce4 Fix minor errors in presentational hints
  • 9898e84 Merge pull request #2787 from danfitz36/fix-namespace-type-typo
  • 15eea9f Add lang attribute to PDF/UA-2 namespace test
  • cb5f66c Fix /Namepace typo in PDF 2 structure-tree namespace
  • Additional commits viewable in compare view

Updates pytest from 8.3.4 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

  • #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

  • #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

    Previously this resulted in an internal assertion failure during plugin loading.

    Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

  • #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

  • #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

  • #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

  • #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
  • #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
  • #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
  • #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

  • #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

    -- by aleguy02

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

  • #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

    You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

    Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

  • #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

  • #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

…ith 2 updates

Bumps the backend-pip-security group with 2 updates in the /apps/backend directory: [weasyprint](https://github.com/Kozea/WeasyPrint) and [pytest](https://github.com/pytest-dev/pytest).


Updates `weasyprint` from 68.0 to 69.0
- [Release notes](https://github.com/Kozea/WeasyPrint/releases)
- [Changelog](https://github.com/Kozea/WeasyPrint/blob/main/docs/changelog.rst)
- [Commits](Kozea/WeasyPrint@v68.0...v69.0)

Updates `pytest` from 8.3.4 to 9.0.3
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@8.3.4...9.0.3)

---
updated-dependencies:
- dependency-name: weasyprint
  dependency-version: '69.0'
  dependency-type: direct:production
  dependency-group: backend-pip-security
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:development
  dependency-group: backend-pip-security
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 7, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jul 8, 2026
@dependabot dependabot Bot deleted the dependabot/pip/apps/backend/backend-pip-security-3a49ab0428 branch July 8, 2026 12:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants