Skip to content

chore(deps): bump the dependencies group across 1 directory with 16 updates#388

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/docs/dependencies-9a680d8460
Open

chore(deps): bump the dependencies group across 1 directory with 16 updates#388
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/docs/dependencies-9a680d8460

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown

Bumps the dependencies group with 16 updates in the /src/backend directory:

Package From To
coverage 7.14.3 7.15.0
django 5.2.15 6.0.6
prek 0.4.5 0.4.6
ty 0.0.54 0.0.56
typing-extensions 4.15.0 4.16.0
blessed 1.44.0 1.45.0
boto3 1.43.36 1.43.40
botocore 1.43.36 1.43.40
django-allauth 65.14.3 65.18.0
django-otp 1.3.0 1.7.0
dulwich 1.2.6 1.2.7
fido2 2.2.0 2.2.1
pillow 12.2.0 12.3.0
rpds-py 2026.5.1 2026.6.3
sentry-sdk 2.63.0 2.64.0
wcwidth 0.8.1 0.8.2

Updates coverage from 7.14.3 to 7.15.0

Changelog

Sourced from coverage's changelog.

Version 7.15.0 — 2026-07-02

  • Since 7.14.0, reporting commands implicitly combine parallel data files. Now those commands have a new option --keep-combined to retain the data files after combining them instead of the default, which is to delete them. Finishes issue 2198_.

  • Fix: the LCOV report would incorrectly count excluded functions as uncovered, as described in issue 2205. This is now fixed thanks to Martin Kuntz Jacobsen <pull 2206_>.

  • When running your program, coverage now correctly sets yourmodule.__spec__.loader as strongly recommended <--loader--_>, avoiding the deprecation warning described in issue 2208. Thanks, A5rocks <pull 2209_>_.

  • Fix: with Python 3.10, running with the -I (isolated mode) option didn't correctly omit the current directory from the module search path, as described in issue 2103. That is now fixed thanks to Ilia Sorokin <pull 2211_>.

.. --loader--: https://docs.python.org/3/reference/datamodel.html#module.__loader_ .. _issue 2103: coveragepy/coveragepy#2103 .. _issue 2198: coveragepy/coveragepy#2198 .. _issue 2205: coveragepy/coveragepy#2205 .. _pull 2206: coveragepy/coveragepy#2206 .. _issue 2208: coveragepy/coveragepy#2208 .. _pull 2209: coveragepy/coveragepy#2209 .. _pull 2211: coveragepy/coveragepy#2211

.. _changes_7-14-3:

Commits
  • c8c8020 docs: sample HTML for 7.15.0
  • ae19db1 docs: prep for 7.15.0
  • 17b45a1 docs: --keep-combined in the man page
  • 6f9fa1e fix: preserve isolated sys.path on Python 3.10 (#2211)
  • 787af5f chore: bump actions/checkout in the action-dependencies group (#2210)
  • 1ed3998 fix: start attaching the loader on __spec__ #2208 (#2209)
  • 1ab1122 docs: remove stray comma
  • f24a91f feat: --keep-combined for reporting commands. #2198
  • 5e70751 test: canonicalize mock calls in test_cmdline to reduce diff noise
  • 65979cc fix: skip excluded functions in LCOV function totals (#2206)
  • Additional commits viewable in compare view

Updates django from 5.2.15 to 6.0.6

Commits
  • ee93f65 [6.0.x] Bumped version for 6.0.6 release.
  • 1721035 [6.0.x] Fixed CVE-2026-48587 -- Ignored whitespace padding when checking Vary...
  • 664652f [6.0.x] Fixed CVE-2026-35193 -- Varied on Authorization when caching non-publ...
  • b433025 [6.0.x] Fixed CVE-2026-8404 -- Used Cache-Control directives case-insensitive...
  • 625a670 [6.0.x] Fixed CVE-2026-7666 -- Delayed setting SMTP connection until fully co...
  • c807d9c [6.0.x] Fixed CVE-2026-6873 -- Prevented signed cookie salt namespace collisi...
  • 98a75e3 [6.0.x] Included commit hash in checksum file when building artifacts for rel...
  • dd895d6 [6.0.x] Updated translations from Transifex.
  • 49ca2db [6.0.x] Updated links to severity levels in release notes.
  • c9f32a2 [6.0.x] Added stub release notes and release date for 6.0.6 and 5.2.15.
  • Additional commits viewable in compare view

Updates prek from 0.4.5 to 0.4.6

Release notes

Sourced from prek's releases.

0.4.6

Release Notes

Released on 2026-07-01.

Enhancements

  • Verify managed toolchain downloads before installation (#2229)
  • Add PREK_DOCKER_NO_INIT to opt-out Docker --init (#2242)
  • Improve subprocess error messages (#2257)
  • Split run concurrency knobs: PREK_CONCURRENT_HOOKS and PREK_CONCURRENT_BATCHES (#2276)

Performance

  • Avoid allocating markdown extensions per file (#2245)
  • Avoid unchanged config tracking writes (#2247)
  • Delay trailing whitespace output buffer (#2244)
  • Prefilter VCS permalink lines (#2253)
  • Skip unnecessary submodule updates during hook repo clone (#2255)

Documentation

  • Document language_version inferring for Python and Go (#2241)

Other changes

  • Refactor env var handling (#2277)
  • Use serde-saphyr for YAML string quoting (#2228)

Contributors

Install prek 0.4.6

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/j178/prek/releases/download/v0.4.6/prek-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/j178/prek/releases/download/v0.4.6/prek-installer.ps1 | iex"

Install prebuilt binaries via Homebrew

... (truncated)

Changelog

Sourced from prek's changelog.

0.4.6

Released on 2026-07-01.

Enhancements

  • Verify managed toolchain downloads before installation (#2229)
  • Add PREK_DOCKER_NO_INIT to opt-out Docker --init (#2242)
  • Improve subprocess error messages (#2257)
  • Split run concurrency knobs: PREK_CONCURRENT_HOOKS and PREK_CONCURRENT_BATCHES (#2276)

Performance

  • Avoid allocating markdown extensions per file (#2245)
  • Avoid unchanged config tracking writes (#2247)
  • Delay trailing whitespace output buffer (#2244)
  • Prefilter VCS permalink lines (#2253)
  • Skip unnecessary submodule updates during hook repo clone (#2255)

Documentation

  • Document language_version inferring for Python and Go (#2241)

Other changes

  • Refactor env var handling (#2277)
  • Use serde-saphyr for YAML string quoting (#2228)

Contributors

Commits

Updates ty from 0.0.54 to 0.0.56

Release notes

Sourced from ty's releases.

0.0.56

Release Notes

Released on 2026-07-01.

Bug fixes

  • Avoid MRO cycle when collecting NamedTuple fields (#26464)
  • Model int and str enum value normalization (#26349)
  • Prefer reflected operators by runtime class (#26434, #26474)

CLI

  • Exit with status 130 when interrupted (#26465)

Performance

  • Avoid exponential OR-pattern reachability (#26481)
  • Reduce bound typevar identity overhead (#26396)

Core type checking

  • Infer generic class pattern capture types (#26479)
  • Narrow exact tuples through sequence patterns (#26424)
  • Recognize inherited enum member constructors (#26410)
  • Respect return-context inference when filtering overloads (#26454)
  • Sync vendored typeshed stubs (#26501). Typeshed diff

Contributors

Install ty 0.0.56

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ty/releases/download/0.0.56/ty-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/ty/releases/download/0.0.56/ty-installer.ps1 | iex"

Download ty 0.0.56

| File | Platform | Checksum |

... (truncated)

Changelog

Sourced from ty's changelog.

0.0.56

Released on 2026-07-01.

Bug fixes

  • Avoid MRO cycle when collecting NamedTuple fields (#26464)
  • Model int and str enum value normalization (#26349)
  • Prefer reflected operators by runtime class (#26434, #26474)

CLI

  • Exit with status 130 when interrupted (#26465)

Performance

  • Avoid exponential OR-pattern reachability (#26481)
  • Reduce bound typevar identity overhead (#26396)

Core type checking

  • Infer generic class pattern capture types (#26479)
  • Narrow exact tuples through sequence patterns (#26424)
  • Recognize inherited enum member constructors (#26410)
  • Respect return-context inference when filtering overloads (#26454)
  • Sync vendored typeshed stubs (#26501). Typeshed diff

Contributors

0.0.55

Released on 2026-06-26.

LSP server

  • Render full diagnostics in color (#26384)

Documentation

  • Document colored diagnostic output (#3858)

Performance

  • Improve vendored filesystem concurrency (#26408)
  • Optimize enum comparisons in equality evaluation (#26340)
  • Remove redundant semantic index shrinks (#26392)
  • Use never-change durability for one-shot checks (#26359)

... (truncated)

Commits

Updates typing-extensions from 4.15.0 to 4.16.0

Release notes

Sourced from typing-extensions's releases.

4.16.0

No changes since 4.16.0rc2.

Changes since 4.15.0:

  • Make typing_extensions.TypeAliasType's __module__ attribute writable. Backport of CPython PR #149172.
  • Fix setting of __required_keys__ and __optional_keys__ when inheriting keys with the same name.
  • Add support for AsyncIterator, io.Reader, io.Writer and os.PathLike protocols as bases for other protocols.
  • Fix incorrect behaviour on Python 3.9 and Python 3.10 that meant that calling isinstance with typing_extensions.Concatenate[...] or typing_extensions.Unpack[...] as the first argument could have a different result in some situations depending on whether or not a profiling function had been set using sys.setprofile. This affected both CPython and PyPy implementations. Patch by Brian Schubert.
  • Fix __init_subclass__() behavior in the presence of multiple inheritance involving an @deprecated-decorated base class. Backport of CPython PR #138210 by Brian Schubert.
  • Raise TypeError when attempting to subclass typing_extensions.ParamSpec on Python 3.9. The typing implementation has always raised an error, and the typing_extensions implementation has raised an error on Python 3.10+ since typing_extensions v4.6.0. Patch by Brian Schubert.
  • Add the bound, covariant, contravariant, and infer_variance parameters to TypeVarTuple.
  • Officially support the bound, covariant, contravariant and infer_variance parameters to ParamSpec. Improve the validation of these parameters at runtime.
  • Rename typing_extensions.Sentinel to typing_extensions.sentinel, following the name that has been adopted for builtins.sentinel on Python 3.15. typing_extensions.Sentinel is retained as a soft-deprecated alias for backwards compatibility.
  • Add support for pickling sentinels.
  • Sentinels now preserve their identity when copied or deep-copied.
  • Deprecate passing name as a keyword argument or repr as a positional argument to the sentinel constructor.
  • The default repr of a sentinel X = sentinel("X") is now X rather than <X>.
  • Deprecate arbitrary attribute assignments to sentinels.
  • Deprecate subclassing sentinels.
  • Add support for Python 3.15.
  • Avoid a DeprecationWarning when deprecated is applied to a coroutine function on Python 3.14.0.

4.16.0rc2

Changes since 4.16.0rc1:

  • Avoid a DeprecationWarning when deprecated is applied to a coroutine function on Python 3.14.0.

Changes since 4.15.0:

  • Make typing_extensions.TypeAliasType's __module__ attribute writable. Backport of CPython PR #149172.
  • Fix setting of __required_keys__ and __optional_keys__ when inheriting keys with the same name.
  • Add support for AsyncIterator, io.Reader, io.Writer and os.PathLike protocols as bases for other protocols.
  • Fix incorrect behaviour on Python 3.9 and Python 3.10 that meant that calling isinstance with typing_extensions.Concatenate[...] or typing_extensions.Unpack[...] as the first argument could have a different result in some situations depending on whether or not a profiling function had been set using sys.setprofile. This affected both CPython and PyPy implementations. Patch by Brian Schubert.
  • Fix __init_subclass__() behavior in the presence of multiple inheritance involving an @deprecated-decorated base class. Backport of CPython PR #138210 by Brian Schubert.
  • Raise TypeError when attempting to subclass typing_extensions.ParamSpec on Python 3.9. The typing implementation has always raised an error, and the typing_extensions implementation has raised an error on Python 3.10+ since typing_extensions v4.6.0. Patch by Brian Schubert.
  • Add the bound, covariant, contravariant, and infer_variance parameters to TypeVarTuple.
  • Officially support the bound, covariant, contravariant and infer_variance parameters to ParamSpec. Improve the validation of these parameters at runtime.
  • Rename typing_extensions.Sentinel to typing_extensions.sentinel, following the name that has been adopted for builtins.sentinel on Python 3.15. typing_extensions.Sentinel is retained as a soft-deprecated alias for backwards compatibility.
  • Add support for pickling sentinels.
  • Sentinels now preserve their identity when copied or deep-copied.
  • Deprecate passing name as a keyword argument or repr as a positional argument to the sentinel constructor.
  • The default repr of a sentinel X = sentinel("X") is now X rather than <X>.
  • Deprecate arbitrary attribute assignments to sentinels.
  • Deprecate subclassing sentinels.
  • Add support for Python 3.15.

4.16.0rc1

  • Make typing_extensions.TypeAliasType's __module__ attribute writable. Backport of CPython PR #149172.
  • Fix setting of __required_keys__ and __optional_keys__ when inheriting keys with the same name.

... (truncated)

Changelog

Sourced from typing-extensions's changelog.

Release 4.16.0 (July 2, 2025)

No user-facing changes since 4.16.0rc2.

Release 4.16.0rc2 (June 25, 2026)

  • Avoid a DeprecationWarning when deprecated is applied to a coroutine function on Python 3.14.0.

Release 4.16.0rc1 (June 24, 2026)

  • Make typing_extensions.TypeAliasType's __module__ attribute writable. Backport of CPython PR #149172.
  • Fix setting of __required_keys__ and __optional_keys__ when inheriting keys with the same name.
  • Add support for AsyncIterator, io.Reader, io.Writer and os.PathLike protocols as bases for other protocols.
  • Fix incorrect behaviour on Python 3.9 and Python 3.10 that meant that calling isinstance with typing_extensions.Concatenate[...] or typing_extensions.Unpack[...] as the first argument could have a different result in some situations depending on whether or not a profiling function had been set using sys.setprofile. This affected both CPython and PyPy implementations. Patch by Brian Schubert.
  • Fix __init_subclass__() behavior in the presence of multiple inheritance involving an @deprecated-decorated base class. Backport of CPython PR #138210 by Brian Schubert.
  • Raise TypeError when attempting to subclass typing_extensions.ParamSpec on Python 3.9. The typing implementation has always raised an error, and the typing_extensions implementation has raised an error on Python 3.10+ since typing_extensions v4.6.0. Patch by Brian Schubert.
  • Add the bound, covariant, contravariant, and infer_variance parameters to TypeVarTuple.
  • Officially support the bound, covariant, contravariant and infer_variance parameters to ParamSpec. Improve the validation of these parameters at runtime.
  • Rename typing_extensions.Sentinel to typing_extensions.sentinel, following the name that has been adopted for builtins.sentinel on Python 3.15. typing_extensions.Sentinel is retained as a soft-deprecated alias for backwards compatibility.
  • Add support for pickling sentinels.
  • Sentinels now preserve their identity when copied or deep-copied.
  • Deprecate passing name as a keyword argument or repr as a positional argument to the sentinel constructor.
  • The default repr of a sentinel X = sentinel("X") is now X rather than <X>.
  • Deprecate arbitrary attribute assignments to sentinels.
  • Deprecate subclassing sentinels.
  • Add support for Python 3.15.
Commits

Updates blessed from 1.44.0 to 1.45.0

Release notes

Sourced from blessed's releases.

1.17.9: Initial support for Python 3.10

  • bugfix: Now imports on 3.10+

1.15.0: Disable various integration tests, support python 3.7

No release notes provided.

1.14.0: bugfix term.wrap for text containing newlines

  • bugfix: term.wrap misbehaved for text containing newlines, #74

1.13.0: new Terminal.split_seqs() function, speed enhancement

  • enhancement: method Terminal.split_seqs introduced, and 4x cost reduction in related sequence-aware functions, #29.
  • deprecated: function blessed.sequences.measure_length superseded by blessed.sequences.iter_parse if necessary.
  • deprecated: warnings about "binary-packed capabilities" are no longer emitted on strange terminal types, making best effort.

1.12.0: add Terminal.get_location() method

  • enhancement: method Terminal.get_locationreturns the(row, col)`` position of the cursor at the time of call for attached terminal.
  • enhancement: a keyboard now detected as stdin when stream is sys.stderr.
Changelog

Sourced from blessed's changelog.

.. py:currentmodule:: blessed.terminal

Version History

1.47

  • bugfix: :meth:~Terminal.does_sixel now returns True for SyncTERM using special-case matching of its illegal DA1 response.
  • bugfix: legacy SGR mouse decoder reported no-button motion event (mode 1003) as LEFT_MOTION instead of MOTION, :ghpull:398.
  • bugfix: match keyboard input \x1b\n as KEY_ALT_ENTER instead of KEY_CTRL_ALT_J.

1.46

  • bugfix: :meth:~Terminal.does_sixel failed to detect DA1 and caused the response to "leak" into next call to :meth:~Terminal.inkey for some terminals of unmatched patterns (e.g., kitty).
  • improve: add new sugar for extended cap-defined styles, like 'clear_scrollback' (common), 'strikethrough', and 'overline' (not common).
  • improve: Truecolor support by unique TERM, improves remote sessions like SSH that do not forward COLORTERM, and, for the few terminals that do not respond to XTGETTCAP request for RGB: (kitty).

1.45

  • bugfix: name consistency of kitty keyboard modifiers :ghpull:390.

1.44

  • improve: reduce errant XTGETTCAP output for Terminal.app and ConEmu.exe :ghpull:385.

1.43

  • bugfix: regression of XTGETTCAP responses leaking into first call for empty/non-response terminals (libvte/Gnome Terminal), in versions 1.40 to 1.42 :ghpull:383.

1.42

  • bugfix: regression in :meth:~.Terminal.cbreak and :meth:~.Terminal.raw were not thread-safe broken in versions 1.40 and 1.41, remove signal ignore of SIGTTOU :ghissue:380.

1.41

  • bugfix: :meth:~.Terminal.get_location broken in 1.40, returned a generator instead of a tuple. :ghissue:378.

1.40

  • improved: jinxed_ is now required on all platforms, providing a curses-free and singleton-free <https://jinxed.readthedocs.io/en/stable/capabilities.html#singleton-free>_ implementation of the subset of curses_ used by blessed. The jinxed_ 1.5.0 release provides a terminal capability database <https://jinxed.readthedocs.io/en/stable/capabilities.html#database> of 45 terminals and their common aliases.

  • improved: Class initialization of :class:~.Terminal() now uses XTGETTCAP_ to determine preferred terminal name TN, 24-bit color support RGB, number of colors Co, italic, and blink capabilities.

    This improves detection of Terminal kind and number_of_colors over protocols like serial

... (truncated)

Commits

Updates boto3 from 1.43.36 to 1.43.40

Commits
  • dd59a59 Merge branch 'release-1.43.40'
  • b416ca0 Bumping version to 1.43.40
  • b228d05 Add changelog entries from botocore
  • 121db7a Merge branch 'release-1.43.39'
  • 00141f6 Merge branch 'release-1.43.39' into develop
  • 310317d Bumping version to 1.43.39
  • ff7c1cf Add changelog entries from botocore
  • 805c683 Update CODEOWNERS to shared Python SDK and CLI team (#4809)
  • efcfb65 Merge branch 'release-1.43.38'
  • d7aa957 Merge branch 'release-1.43.38' into develop
  • Additional commits viewable in compare view

Updates botocore from 1.43.36 to 1.43.40

Commits
  • c1894c1 Merge branch 'release-1.43.40'
  • fc560a4 Bumping version to 1.43.40
  • 420c584 Update endpoints model
  • e00fad7 Update to latest models
  • 3f29544 Merge branch 'release-1.43.39'
  • db6ca71 Merge branch 'release-1.43.39' into develop
  • 97d313f Bumping version to 1.43.39
  • bcfbd50 Update endpoints model
  • 0813a0f Update to latest models
  • ea9157a Update CODEOWNERS to shared Python SDK and CLI team (#3740)
  • Additional commits viewable in compare view

Updates django-allauth from 65.14.3 to 65.18.0

Commits

Updates django-otp from 1.3.0 to 1.7.0

Changelog

Sourced from django-otp's changelog.

v1.7.0 - January 07, 2026 - Async support

  • [#185](https://github.com/django-otp/django-otp/issues/185)_: Make OTPMiddleware async capable

Thanks to Aljosha Papsch.

.. _#185: django-otp/django-otp#185

v1.6.3 - October 25, 2025 - Spanish update

  • [#182](https://github.com/django-otp/django-otp/issues/182)_: Correct missing Spanish translations
  • [#181](https://github.com/django-otp/django-otp/issues/181)_: Wrong :rtype: in StaticToken.random_token docstring

.. _#181: django-otp/django-otp#181 .. _#182: django-otp/django-otp#182

v1.6.2 - October 21, 2025 - Cleanup

  • [#179](https://github.com/django-otp/django-otp/issues/179)_: Add missing gettext strings
  • [#180](https://github.com/django-otp/django-otp/issues/180)_: Remove tests from wheels

.. _#179: django-otp/django-otp#179 .. _#180: django-otp/django-otp#180

v1.6.1 - July 08, 2025 - Small improvements

  • Allow a {token} placeholder in :setting:OTP_EMAIL_SUBJECT.

v1.6.0 - April 02, 2025 - Django 5.2

  • Update test matrix for Django 5.2.
  • Remove support for Django 3.2.

v1.5.4 - September 06, 2024 - Ignore proxy models when enumerating device classes

  • [#161](https://github.com/django-otp/django-otp/issues/161)_: Discard proxied models when iterating device models

.. _#161: django-otp/django-otp#161

... (truncated)

Commits

Updates dulwich from 1.2.6 to 1.2.7

Release notes

Sourced from dulwich's releases.

1.2.7

Security

  • Don't expand config include directives when parsing .gitmodules, so a crafted .gitmodules in a cloned repository can no longer make clone --recurse-submodules read arbitrary files.
  • Validate ref names before resolving them to a path, so a client-supplied name like ../../secret can no longer read a file outside the ref store. Closes a traversal via git-upload-archive's argument and other lookup paths. (#2212)
  • Reject pack names containing path separators in the dumb HTTP transport, so a malicious server can no longer escape the temporary directory. (#2213)
  • Verify that an object retrieved by id actually hashes to the requested id, raising ChecksumMismatch otherwise. (#2223)

New features

  • Add porcelain.request_pull and a dulwich request-pull command, like git request-pull. (#1823)
  • Add porcelain.range_diff and a dulwich range-diff command, like git range-diff (requires the dulwich[range_diff] extra). (#1828)

Fixes

  • Check out files whose names contain a colon or backslash on NTFS, instead of silently dropping them on clone, and abort the checkout on a genuinely invalid path. (#2205)
  • Fix apply_patch writing index entries with mode 0, which made native git abort. (#2218)
  • Fix deepening of a local shallow fetch not transferring newly-uncovered commits.
  • Several gc/repack fixes on Windows (read-only pack files, leaked temporary packs, files-in-use).
  • Discover and serve packs with non-pack- names such as loose-<hash> (written by git maintenance). (#2229)

See NEWS for the full changelog.

Changelog

Sourced from dulwich's changelog.

1.2.7 2026-06-12

  • Verify that an object retrieved by id actually hashes to the requested id, raising ChecksumMismatch otherwise. (Jelmer Vernooij, #2223)

  • Check out files whose names contain a colon or backslash. The NTFS path validator rejected any element containing : or \, so such files were silently dropped on clone. It now rejects only the .git/git~1 alternate-data-stream spellings, like git. (Jelmer Vernooij, #2205)

  • Abort the checkout when a tree entry has an invalid path (e.g. a .git alias) instead of silently skipping it. (Jelmer Vernooij, #2205)

  • Reject pack names containing path separators in the dumb HTTP transport, so a malicious server can no longer escape the temporary directory. (Jelmer Vernooij, #2213)

  • SECURITY: Don't expand config include directives when parsing .gitmodules, so a crafted .gitmodules in a cloned repository can no longer make clone --recurse-submodules read arbitrary files. (netliomax25-code)

  • SECURITY: Validate ref names before resolving them to a path, so a client-supplied name like ../../secret can no longer read a file outside the ref store. This closes a traversal via git-upload-archive's argument and other lookup paths. (reported by netliomax25-code, Jelmer Vernooij, #2212)

  • Add porcelain.request_pull and a dulwich request-pull command that generate a summary of pending changes between repositories, suitable for emailing to a maintainer, like git request-pull. (Jelmer Vernooij, #1823)

  • Add porcelain.range_diff and a dulwich range-diff command that compare two ranges of commits and show how a patch series evolved, like git range-diff. Requires the munkres package, installable via the dulwich[range_diff] extra. (Jelmer Vernooij, #1828)

  • Fix apply_patch writing index entries with mode 0, which made native git abort with unsupported ce_mode: 0. The file mode is now derived from the work-tree file. (Jelmer Vernooij, #2218)

  • Fix deepening of a local shallow fetch. Re-fetching with a larger depth moved the shallow boundary but did not transfer the newly-uncovered commits, because the parents provider still used the old boundary. (Jelmer Vernooij)

  • Fix gc/repack on Windows raising PermissionError when removing read-only pack files (as written by git). The read-only

... (truncated)

Commits
  • e076b16 Release 1.2.7
  • f545f72 index: match git on invalid checkout paths (#2235)
  • 420530a cli: catch InvalidPathError in pull, merge, cherry-pick, revert and stash pop
  • 6fca6d9 client, tests: fix Windows CI for invalid-checkout handling
  • 7544dcd index: match git on invalid checkout paths
  • 079311a object_store: Verify object id matches contents on retrieval (#2233)
  • afd8d8e contrib: Fix tests
  • 803d7a2 refs: validate ref names before resolving them to a path (#2234)
  • 925a0fd refs: validate ref names before resolving them to a path
  • bfed9db object_store: Fix object id verification regressions
  • Additional commits viewable in compare view

Updates fido2 from 2.2.0 to 2.2.1

Release notes

Sourced from fido2's releases.

python-fido2 2.2.1

Version 2.2.1 (released 2026-06-29)

  • Server example: Migrate build tool from poetry to uv.
  • Fix: Correctly format att_obj in previewSign.
Changelog

Sourced from fido2's changelog.

  • Version 2.2.1 (released 2026-06-29) ** Server example: Migrate build tool from poetry to uv. ** Fix: Correctly format att_obj in previewSign.
Commits
  • 018ef97 Set date in NEWS
  • e5b022d Use hmac_mc in prf example
  • 27e0999 Fix examples for WindowsClient
  • 1cc7241 Bump version
  • 664f033 Add ML-DSA support
  • 24b03d0 Migrate server example to uv
  • 1f15f16 Lock cryptography to <49 for win x86 builds
  • a084d2d Bump pre-commit and fix ty issues
  • f0816a3 Bump dependencies and PSL data
  • bac45ad Add Pico controller support for automated device tests
  • Additional commits viewable in compare view

Updates pillow from 12.2.0 to 12.3.0

Release notes

Sourced from pillow's releases.

12.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.3.0.html

Removals

Documentation

Dependencies

…pdates

Bumps the dependencies group with 16 updates in the /src/backend directory:

| Package | From | To |
| --- | --- | --- |
| [coverage](https://github.com/coveragepy/coveragepy) | `7.14.3` | `7.15.0` |
| [django](https://github.com/django/django) | `5.2.15` | `6.0.6` |
| [prek](https://github.com/j178/prek) | `0.4.5` | `0.4.6` |
| [ty](https://github.com/astral-sh/ty) | `0.0.54` | `0.0.56` |
| [typing-extensions](https://github.com/python/typing_extensions) | `4.15.0` | `4.16.0` |
| [blessed](https://github.com/jquast/blessed) | `1.44.0` | `1.45.0` |
| [boto3](https://github.com/boto/boto3) | `1.43.36` | `1.43.40` |
| [botocore](https://github.com/boto/botocore) | `1.43.36` | `1.43.40` |
| [django-allauth](https://github.com/sponsors/pennersr) | `65.14.3` | `65.18.0` |
| [django-otp](https://github.com/django-otp/django-otp) | `1.3.0` | `1.7.0` |
| [dulwich](https://github.com/dulwich/dulwich) | `1.2.6` | `1.2.7` |
| [fido2](https://github.com/Yubico/python-fido2) | `2.2.0` | `2.2.1` |
| [pillow](https://github.com/python-pillow/Pillow) | `12.2.0` | `12.3.0` |
| [rpds-py](https://github.com/crate-py/rpds) | `2026.5.1` | `2026.6.3` |
| [sentry-sdk](https://github.com/getsentry/sentry-python) | `2.63.0` | `2.64.0` |
| [wcwidth](https://github.com/jquast/wcwidth) | `0.8.1` | `0.8.2` |



Updates `coverage` from 7.14.3 to 7.15.0
- [Release notes](https://github.com/coveragepy/coveragepy/releases)
- [Changelog](https://github.com/coveragepy/coveragepy/blob/main/CHANGES.rst)
- [Commits](coveragepy/coveragepy@7.14.3...7.15.0)

Updates `django` from 5.2.15 to 6.0.6
- [Commits](django/django@5.2.15...6.0.6)

Updates `prek` from 0.4.5 to 0.4.6
- [Release notes](https://github.com/j178/prek/releases)
- [Changelog](https://github.com/j178/prek/blob/master/CHANGELOG.md)
- [Commits](j178/prek@v0.4.5...v0.4.6)

Updates `ty` from 0.0.54 to 0.0.56
- [Release notes](https://github.com/astral-sh/ty/releases)
- [Changelog](https://github.com/astral-sh/ty/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ty@0.0.54...0.0.56)

Updates `typing-extensions` from 4.15.0 to 4.16.0
- [Release notes](https://github.com/python/typing_extensions/releases)
- [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md)
- [Commits](python/typing_extensions@4.15.0...4.16.0)

Updates `blessed` from 1.44.0 to 1.45.0
- [Release notes](https://github.com/jquast/blessed/releases)
- [Changelog](https://github.com/jquast/blessed/blob/master/docs/history.rst)
- [Commits](https://github.com/jquast/blessed/commits)

Updates `boto3` from 1.43.36 to 1.43.40
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.43.36...1.43.40)

Updates `botocore` from 1.43.36 to 1.43.40
- [Commits](boto/botocore@1.43.36...1.43.40)

Updates `django-allauth` from 65.14.3 to 65.18.0
- [Commits](https://github.com/sponsors/pennersr/commits)

Updates `django-otp` from 1.3.0 to 1.7.0
- [Changelog](https://github.com/django-otp/django-otp/blob/master/CHANGES.rst)
- [Commits](django-otp/django-otp@v1.3.0...v1.7.0)

Updates `dulwich` from 1.2.6 to 1.2.7
- [Release notes](https://github.com/dulwich/dulwich/releases)
- [Changelog](https://github.com/jelmer/dulwich/blob/main/NEWS)
- [Commits](jelmer/dulwich@dulwich-1.2.6...dulwich-1.2.7)

Updates `fido2` from 2.2.0 to 2.2.1
- [Release notes](https://github.com/Yubico/python-fido2/releases)
- [Changelog](https://github.com/Yubico/python-fido2/blob/main/NEWS)
- [Commits](Yubico/python-fido2@2.2.0...2.2.1)

Updates `pillow` from 12.2.0 to 12.3.0
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@12.2.0...12.3.0)

Updates `rpds-py` from 2026.5.1 to 2026.6.3
- [Release notes](https://github.com/crate-py/rpds/releases)
- [Changelog](https://github.com/crate-py/rpds/blob/main/release.toml)
- [Commits](crate-py/rpds@v2026.5.1...v2026.6.3)

Updates `sentry-sdk` from 2.63.0 to 2.64.0
- [Release notes](https://github.com/getsentry/sentry-python/releases)
- [Changelog](https://github.com/getsentry/sentry-python/blob/master/CHANGELOG.md)
- [Commits](getsentry/sentry-python@2.63.0...2.64.0)

Updates `wcwidth` from 0.8.1 to 0.8.2
- [Release notes](https://github.com/jquast/wcwidth/releases)
- [Commits](jquast/wcwidth@0.8.1...0.8.2)

---
updated-dependencies:
- dependency-name: coverage
  dependency-version: 7.15.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: django
  dependency-version: 6.0.6
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: prek
  dependency-version: 0.4.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: ty
  dependency-version: 0.0.56
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: typing-extensions
  dependency-version: 4.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: blessed
  dependency-version: 1.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: boto3
  dependency-version: 1.43.40
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: botocore
  dependency-version: 1.43.40
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: django-allauth
  dependency-version: 65.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: django-otp
  dependency-version: 1.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: dulwich
  dependency-version: 1.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: fido2
  dependency-version: 2.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: pillow
  dependency-version: 12.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: rpds-py
  dependency-version: 2026.6.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: sentry-sdk
  dependency-version: 2.64.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: wcwidth
  dependency-version: 0.8.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jul 10, 2026
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant