Update all dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
Authlib	==1.1.0 -> ==1.6.5			install	minor
Hypercorn	==0.14.3 -> ==0.18.0			install	minor
Jinja2 (changelog)	==3.1.2 -> ==3.1.6			install	patch
Markdown (changelog)	==3.4.1 -> ==3.10			install	minor
SQLAlchemy (changelog)	==1.4.43 -> ==2.0.44			install	major
Werkzeug (changelog)	==2.2.2 -> ==3.1.3			install	major
actions/checkout	v3 -> v6			action	major
aiofiles (changelog)	==22.1.0 -> ==25.1.0			install	major
aiohttp	==3.8.3 -> ==3.13.2			install	minor
alembic (changelog)	==1.8.1 -> ==1.17.2			install	minor
asgiref (changelog)	==3.5.2 -> ==3.11.0			install	minor
autoflake	==1.7.7 -> ==2.3.1			install	major
bcrypt	==4.0.1 -> ==5.0.0			install	major
beautifulsoup4 (changelog)	==4.11.1 -> ==4.14.2			install	minor
black (changelog)	==22.10.0 -> ==25.11.0			install	major
bleach	==5.0.1 -> ==6.3.0			install	major
coverage	==6.5.0 -> ==7.12.0			install	major
email-validator	==1.3.0 -> ==2.3.0			install	major
fakeredis	==1.10.0 -> ==2.32.1			install	major
fastapi (changelog)	==0.86.0 -> ==0.121.3			install	minor
feedgen	==0.9.0 -> ==1.0.0			install	major
filelock	==3.8.0 -> ==3.20.0			install	minor
flake8 (changelog)	==5.0.4 -> ==7.3.0			install	major
gunicorn (changelog)	==20.1.0 -> ==23.0.0			install	major
highlight.js (source)	11.5.0 -> 11.11.1				minor
httpx (changelog)	==0.23.0 -> ==0.28.1			install	minor
isort (changelog)	==5.10.1 -> ==7.0.0			install	major
itsdangerous (changelog)	==2.1.2 -> ==2.2.0			install	minor
lxml (source, changelog)	==4.9.1 -> ==6.0.2			install	major
makedeb-srcinfo	==0.5.2 -> ==0.8.1			install	minor
mysqlclient	==2.1.1 -> ==2.2.7			install	minor
orjson (changelog)	==3.8.1 -> ==3.11.4			install	minor
paginate	==0.5.6 -> ==0.5.7			install	patch
posix-ipc	==1.0.5 -> ==1.3.2			install	minor
prometheus-fastapi-instrumentator	==5.9.1 -> ==7.1.0			install	major
protobuf	==4.21.9 -> ==6.33.1			install	major
pyalpm	==0.10.6 -> ==0.10.12			install	patch
pygit2 (changelog)	==1.10.1 -> ==1.19.0			install	minor
pytest (changelog)	==7.2.0 -> ==9.0.1			install	major
pytest-asyncio (changelog)	==0.20.1 -> ==1.3.0			install	major
pytest-cov (changelog)	==4.0.0 -> ==7.0.0			install	major
pytest-tap	==3.3 -> ==3.5			install	minor
pytest-xdist (changelog)	==3.0.2 -> ==3.8.0			install	minor
python-multipart (changelog)	==0.0.5 -> ==0.0.20			install	patch
redis (changelog)	==4.3.4 -> ==7.1.0			install	major
requests (source, changelog)	==2.28.1 -> ==2.32.5			install	minor
sentry-sdk (changelog)	==1.10.1 -> ==2.45.0			install	major
uvicorn (changelog)	==0.19.0 -> ==0.38.0			install	minor

---

Release Notes

authlib/authlib (Authlib)

v1.6.5

Compare Source

What's Changed

• Add a request param to RFC7591 generate_client_info and generate_client_secret methods by @​azmeuk in #​825
• feat: support list params in prepare_grant_uri by @​lisongmin in #​827
• chore(deps): bump SonarSource/sonarqube-scan-action from 5 to 6 in /.github/workflows by @​dependabot[bot] in #​828
• fix(jose): add max size for JWE zip=DEF decompression by @​lepture in #​830

New Contributors

• @​lisongmin made their first contribution in #​827
• @​dependabot[bot] made their first contribution in #​828

Full Changelog: authlib/authlib@v1.6.4...v1.6.5

v1.6.4

Compare Source

What's Changed

• fix(jose): prevent public/unprotected header overwriting protected header by @​lepture in #​809
• Fix InsecureTransportError raising by @​azmeuk in #​810
• Add conventional-commits pre-commit hook by @​azmeuk in #​811
• Fix response_mode=form_post with Starlette client by @​azmeuk in #​812
• Specify README.md as project long description by @​EpicWink in #​817
• Migrate tests to pytest paradigm by @​azmeuk in #​813
• jose/jws: Reject unprotected ‘crit’ and enforce type; add tests by @​AL-Cybision in #​823
• Use explicit *.test urls in unit tests by @​azmeuk in #​824

New Contributors

• @​EpicWink made their first contribution in #​817
• @​AL-Cybision made their first contribution in #​823

Full Changelog: authlib/authlib@v1.6.3...v1.6.4

v1.6.3: Version 1.6.3

Compare Source

What's Changed

• Add diff-cover check in GHA by @​azmeuk in #​803
• Run GHA unit tests with uv by @​azmeuk in #​805
• Move from pre-commit to prek by @​azmeuk in #​804
• Sign OIDC id_token according to id_token_signed_response_alg client metadata by @​azmeuk in #​802

Full Changelog: authlib/authlib@v1.6.2...v1.6.3

v1.6.2: Version 1.6.2

Compare Source

What's Changed

• Allow insecure transport for 127.0.0.1 for debugging by @​geigerzaehler in #​788
• Raise a MissingCodeError when code parameter is missing by @​lepture in #​786
• Temporarily restore OAuth2Request body parameter by @​azmeuk in #​791
• Raise MissingCodeException when code parameter is missing by @​lepture in #​794
• Fix id_token generation with EdDSA alg by @​azmeuk in #​800

Full Changelog: authlib/authlib@v1.6.1...v1.6.2

v1.6.1: Version 1.6.1

Compare Source

• Filter key set with additional "alg" and "use" parameters.

v1.6.0: Version 1.6.0

Compare Source

• Fix issue when RFC9207 is enabled and the authorization endpoint response is not a redirection. pull request #​733
• Fix missing state parameter in authorization error responses. issue #​525
• Support for acr and amr claims in id_token. issue #​734
• Support for the none JWS algorithm.
• Fix response_types strict order during dynamic client registration. issue #​760
• Implement RFC9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR). issue #​723
• OIDC UserInfo endpoint support. issue #​459

v1.5.2: Version 1.5.2

Compare Source

Released on Apr 1, 2025

• Forbid fragments in redirect_uris. #​714
• Fix invalid characters in error_description. #​720
• Add claims_cls parameter for client's parse_id_token method. #​725

v1.5.1: Version 1.5.1

Compare Source

Released on Feb 28, 2025

• Fix RFC9207 iss parameter. #​715

v1.5.0: Version 1.5.0

Compare Source

• Fix token introspection auth method for clients. #​662
• Optional typ claim in JWT tokens. #​696
• JWT validation leeway. #​689
• Implement server-side RFC9207. #​700 #​701
• generate_id_token can take a kid parameter. #​702
• More detailed InvalidClientError. #​706
• OpenID Connect Dynamic Client Registration implementation. #​707

v1.4.1: Version 1.4.1

Compare Source

• Improve garbage collection on OAuth clients. #​698
• Fix client parameters for httpx. #​694

v1.4.0: Version 1.4.0

Compare Source

Bugfixes

• Fix id_token decoding when kid is null. #​659
• Support for Python 3.13. #​682
• Force login if the prompt parameter value is login. #​637
• Support for httpx 0.28. #​695

Breaking changes

• Stop support for Python 3.8. #​682

v1.3.2: Version 1.3.2

Compare Source

• Prevent ever-growing session size for OAuth clients.
• Revert quote client id and secret.
• unquote basic auth header for authorization server.

v1.3.1: Version 1.3.1

Compare Source

Prevent OctKey to import ssh and PEM strings.

v1.3.0: Version 1.3.0

Compare Source

Bug fixes

• Restore AuthorizationServer.create_authorization_response behavior, via #​558 by @​TurnrDev
• Include leeway in validate_iat() for JWT, via #​565 by @​dhallam
• Fix encode_client_secret_basic, via #​594 by @​Prilkop
• Use single key in JWK if JWS does not specify kid, via #​596 by @​dklimpel
• Fix error when RFC9068 JWS has no scope field, via #​598 by @​tanguilp
• Get werkzeug version using importlib, via #​591 by @​Sparrow0hawk

Breaking changes

• RFC9068 implementation, via #​586 by @​azmeuk.

v1.2.1: Version 1.2.1

Compare Source

• Apply headers in ClientSecretJWT.sign method, via #​552
• Allow falsy but non-None grant uri params, via #​544
• Fixed authorize_redirect for Starlette v0.26.0, via #​533
• Removed has_client_secret method and documentation, via #​513
• Removed request_invalid and token_revoked remaining occurences
  and documentation. #​514
• Fixed RFC7591 grant_types and response_types default values, via #​509
• Add support for python 3.12, via #​590

v1.2.0: Version 1.2.0

Compare Source

• Not passing request.body to ResourceProtector, #​485.
• Use flask.g instead of _app_ctx_stack, #​482.
• Add headers parameter back to ClientSecretJWT, #​457.
• Always passing realm parameter in OAuth 1 clients, #​339.
• Implemented RFC7592 Dynamic Client Registration Management Protocol, #​505`
• Add default_timeout for requests OAuth2Session and AssertionSession.
• Deprecate jwk.loads and jwk.dumps

pallets/jinja (Jinja2)

v3.1.6

Compare Source

Released 2025-03-05

• The |attr filter does not bypass the environment's attribute lookup,
  allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

v3.1.5

Compare Source

Released 2024-12-21

• The sandboxed environment handles indirect calls to str.format, such as
  by passing a stored reference to a filter that calls its argument.
  :ghsa:q2x7-8rv6-6q7h
• Escape template name before formatting it into error messages, to avoid
  issues with names that contain f-string syntax.
  :issue:1792, :ghsa:gmj6-6f8f-6699
• Sandbox does not allow clear and pop on known mutable sequence
  types. :issue:2032
• Calling sync render for an async template uses asyncio.run.
  :pr:1952
• Avoid unclosed auto_aiter warnings. :pr:1960
• Return an aclose-able AsyncGenerator from
  Template.generate_async. :pr:1960
• Avoid leaving root_render_func() unclosed in
  Template.generate_async. :pr:1960
• Avoid leaving async generators unclosed in blocks, includes and extends.
  :pr:1960
• The runtime uses the correct concat function for the current environment
  when calling block references. :issue:1701
• Make |unique async-aware, allowing it to be used after another
  async-aware filter. :issue:1781
• |int filter handles OverflowError from scientific notation.
  :issue:1921
• Make compiling deterministic for tuple unpacking in a {% set ... %}
  call. :issue:2021
• Fix dunder protocol (copy/pickle/etc) interaction with Undefined
  objects. :issue:2025
• Fix copy/pickle support for the internal missing object.
  :issue:2027
• Environment.overlay(enable_async) is applied correctly. :pr:2061
• The error message from FileSystemLoader includes the paths that were
  searched. :issue:1661
• PackageLoader shows a clearer error message when the package does not
  contain the templates directory. :issue:1705
• Improve annotations for methods returning copies. :pr:1880
• urlize does not add mailto: to values like @a@b. :pr:1870
• Tests decorated with @pass_context`` can be used with the ``|select`` filter. :issue:1624`
• Using set for multiple assignment (a, b = 1, 2) does not fail when the
  target is a namespace attribute. :issue:1413
• Using set in all branches of {% if %}{% elif %}{% else %} blocks
  does not cause the variable to be considered initially undefined.
  :issue:1253

v3.1.4

Compare Source

Released 2024-05-05

• The xmlattr filter does not allow keys with / solidus, >
  greater-than sign, or = equals sign, in addition to disallowing spaces.
  Regardless of any validation done by Jinja, user input should never be used
  as keys to this filter, or must be separately validated first.
  :ghsa:h75v-3vvj-5mfj

v3.1.3

Compare Source

Released 2024-01-10

• Fix compiler error when checking if required blocks in parent templates are
  empty. :pr:1858
• xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
• Make error messages stemming from invalid nesting of {% trans %} blocks
  more helpful. :pr:1918

Python-Markdown/markdown (Markdown)

v3.10

Compare Source

v3.9

Compare Source

v3.8.2

Compare Source

Fixed

• Fix codecs deprecation in Python 3.14.
• Fix issue with unclosed comment parsing in Python 3.14.
• Fix issue with unclosed declarations in Python 3.14.
• Fix issue with unclosed HTML tag <foo and Python 3.14.

v3.8.1

Compare Source

Fixed

• Ensure incomplete markup declaration in raw HTML doesn't crash parser (#​1534).
• Fixed dropped content in md_in_html (#​1526).
• Fixed HTML handling corner case that prevented some content from not being rendered (#​1528).

v3.8

Compare Source

Changed

• DRY fix in abbr extension by introducing method create_element (#​1483).
• Clean up test directory by removing some redundant tests and port
  non-redundant cases to the newer test framework.
• Improved performance of the raw HTML post-processor (#​1510).

Fixed

• Backslash Unescape IDs set via attr_list on toc (#​1493).
• Ensure md_in_html processes content inside "markdown" blocks as they are
  parsed outside of "markdown" blocks to keep things more consistent for
  third-party extensions (#​1503).
• md_in_html handle tags within inline code blocks better (#​1075).
• md_in_html fix handling of one-liner block HTML handling (#​1074).
• Ensure <center> is treated like a block-level element (#​1481).
• Ensure that abbr extension respects AtomicString and does not process
  perceived abbreviations in these strings (#​1512).
• Ensure smarty extension correctly renders nested closing quotes (#​1514).

v3.7

Compare Source

Changed

Refactor abbr Extension

A new AbbrTreeprocessor has been introduced, which replaces the now deprecated
AbbrInlineProcessor. Abbreviation processing now happens after Attribute Lists,
avoiding a conflict between the two extensions (#​1460).

The AbbrPreprocessor class has been renamed to AbbrBlockprocessor, which
better reflects what it is. AbbrPreprocessor has been deprecated.

A call to Markdown.reset() now clears all previously defined abbreviations.

Abbreviations are now sorted by length before executing AbbrTreeprocessor
to ensure that multi-word abbreviations are implemented even if an abbreviation
exists for one of those component words. (#​1465)

Abbreviations without a definition are now ignored. This avoids applying
abbr tags to text without a title value.

Added an optional glossary configuration option to the abbreviations extension.
This provides a simple and efficient way to apply a dictionary of abbreviations
to every page.

Abbreviations can now be disabled by setting their definition to "" or ''.
This can be useful when using the glossary option.

Fixed

• Fixed links to source code on GitHub from the documentation (#​1453).

v3.6

Compare Source

Changed

Refactor TOC Sanitation

• All postprocessors are now run on heading content.
• Footnote references are now stripped from heading content. Fixes #​660.
• A more robust striptags is provided to convert headings to plain text.
  Unlike, the markupsafe implementation, HTML entities are not unescaped.
• The plain text name, rich html, and unescaped raw data-toc-label are
  saved to toc_tokens, allowing users to access the full rich text content of
  the headings directly from toc_tokens.
• The value of data-toc-label is sanitized separate from heading content
  before being written to name. This fixes a bug which allowed markup through
  in certain circumstances. To access the raw unsanitized data, retrieve the
  value from token['data-toc-label'] directly.
• An html.unescape call is made just prior to calling slugify so that
  slugify only operates on Unicode characters. Note that html.unescape is
  not run on name, html, or data-toc-label.
• The functions get_name and stashedHTML2text defined in the toc extension
  are both deprecated. Instead, third party extensions should use some
  combination of the new functions run_postprocessors, render_inner_html and
  striptags.

Fixed

• Include scripts/*.py in the generated source tarballs (#​1430).
• Ensure lines after heading in loose list are properly detabbed (#​1443).
• Give smarty tree processor higher priority than toc (#​1440).
• Permit carets (^) and square brackets (]) but explicitly exclude
  backslashes (\) from abbreviations (#​1444).
• In attribute lists (attr_list, fenced_code), quoted attribute values are
  now allowed to contain curly braces (}) (#​1414).

v3.5.2

Compare Source

Fixed

• Fix type annotations for convertFile - it accepts only bytes-based buffers.
  Also remove legacy checks from Python 2 (#​1400)
• Remove legacy import needed only in Python 2 (#​1403)
• Fix typo that left the attribute AdmonitionProcessor.content_indent unset
  (#​1404)
• Fix edge-case crash in InlineProcessor with AtomicString (#​1406).
• Fix edge-case crash in codehilite with an empty code tag (#​1405).
• Improve and expand type annotations in the code base (#​1401).
• Fix handling of bogus comments (#​1425).

v3.5.1

Compare Source

Fixed

• Fix a performance problem with HTML extraction where large HTML input could
  trigger quadratic line counting behavior (#​1392).
• Improve and expand type annotations in the code base (#​1394).

v3.5

Compare Source

v3.4.4

Compare Source

v3.4.3

Compare Source

v3.4.2

Compare Source

actions/checkout (actions/checkout)

v6

Compare Source

v5

Compare Source

v4

Compare Source

• url-helper.ts now leverages well-known environment variables by @​jww3 in #​1941
• Expand unit test coverage for isGhes by @​jww3 in #​1946

Tinche/aiofiles (aiofiles)

v25.1.0

Compare Source

• Switch to uv + add Python v3.14 support.
  (#​219)
• Add ruff formatter and linter.
  #​216
• Drop Python 3.8 support. If you require it, use version 24.1.0.
  #​204

v24.1.0

Compare Source

• Import os.link conditionally to fix importing on android.
  #​175
• Remove spurious items from aiofiles.os.__all__ when running on Windows.
• Switch to more modern async idioms: Remove types.coroutine and make AiofilesContextManager an awaitable instead a coroutine.
• Add aiofiles.os.path.abspath and aiofiles.os.getcwd.
  #​174
• aiofiles is now tested on Python 3.13 too.
  #​184
• Drop Python 3.7 support. If you require it, use version 23.2.1.

v23.2.1

Compare Source

• Import os.statvfs conditionally to fix importing on non-UNIX systems.
  #​171 #​172
• aiofiles is now also tested on Windows.

v23.2.0

Compare Source

• aiofiles is now tested on Python 3.12 too.
  #​166 #​168
• On Python 3.12, aiofiles.tempfile.NamedTemporaryFile now accepts a delete_on_close argument, just like the stdlib version.
• On Python 3.12, aiofiles.tempfile.NamedTemporaryFile no longer exposes a delete attribute, just like the stdlib version.
• Added aiofiles.os.statvfs and aiofiles.os.path.ismount.
  #​162
• Use PDM instead of Poetry.
  #​169

v23.1.0

Compare Source

• Added aiofiles.os.access.
  #​146
• Removed aiofiles.tempfile.temptypes.AsyncSpooledTemporaryFile.softspace.
  #​151
• Added aiofiles.stdin, aiofiles.stdin_bytes, and other stdio streams.
  #​154
• Transition to asyncio.get_running_loop (vs asyncio.get_event_loop) internally.

aio-libs/aiohttp (aiohttp)

v3.13.2: 3.13.2

Compare Source

Bug fixes

• Fixed cookie parser to continue parsing subsequent cookies when encountering a malformed cookie that fails regex validation, such as Google's g_state cookie with unescaped quotes -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​11632.

• Fixed loading netrc credentials from the default :file:~/.netrc (:file:~/_netrc on Windows) location when the :envvar:NETRC environment variable is not set -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​11713, #​11714.

• Fixed WebSocket compressed sends to be cancellation safe. Tasks are now shielded during compression to prevent compressor state corruption. This ensures that the stateful compressor remains consistent even when send operations are cancelled -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​11725.

---

v3.13.1

Compare Source

===================

Features

• Make configuration options in AppRunner also available in run_app()
  -- by :user:Cycloctane.

  Related issues and pull requests on GitHub:
  :issue:11633.

Bug fixes

• Switched to backports.zstd for Python <3.14 and fixed zstd decompression for chunked zstd streams -- by :user:ZhaoMJ.

  Note: Users who installed zstandard for support on Python <3.14 will now need to install
  backports.zstd instead (installing aiohttp[speedups] will do this automatically).

  Related issues and pull requests on GitHub:
  :issue:11623.

• Updated Content-Type header parsing to return application/octet-stream when header contains invalid syntax.
  See :rfc:9110#section-8.3-5.

  -- by :user:sgaist.

  Related issues and pull requests on GitHub:
  :issue:10889.

• Fixed Python 3.14 support when built without zstd support -- by :user:JacobHenner.

  Related issues and pull requests on GitHub:
  :issue:11603.

• Fixed blocking I/O in the event loop when using netrc authentication by moving netrc file lookup to an executor -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11634.

• Fixed routing to a sub-application added via .add_domain() not working
  if the same path exists on the parent app. -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:11673.

Packaging updates and notes for downstreams

• Moved core packaging metadata from :file:setup.cfg to :file:pyproject.toml per :pep:621
  -- by :user:cdce8p.

  Related issues and pull requests on GitHub:
  :issue:9951.

---

v3.13.0

Compare Source

===================

Features

• Added support for Python 3.14.

  Related issues and pull requests on GitHub:
  :issue:10851, :issue:10872.

• Added support for free-threading in Python 3.14+ -- by :user:kumaraditya303.

  *Related issues and pull

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[hwittenborn]

Holding off on this until fakeredis supports this version of redis. See jamesls/fakeredis#329.