Bump the pip group across 1 directory with 8 updates

[dependabot]

Bumps the pip group with 8 updates in the / directory:

Package	From	To
requests	2.32.3	2.32.4
jupyterlab	4.2.5	4.4.8
flask-cors	5.0.0	6.0.0
jinja2	3.1.4	3.1.6
h11	0.14.0	0.16.0
protobuf	4.25.3	4.25.8
tornado	6.4.1	6.5
werkzeug	3.0.4	3.1.4

Updates requests from 2.32.3 to 2.32.4

Release notes

Sourced from requests's releases.

v2.32.4

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS. (#6926)
• Dropped support for pypy 3.9 following its end of support. (#6926)

Changelog

Sourced from requests's changelog.

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS.
• Dropped support for pypy 3.9 following its end of support.

Commits

• 021dc72 Polish up release tooling for last manual release
• 821770e Bump version and add release notes for v2.32.4
• 59f8aa2 Add netrc file search information to authentication documentation (#6876)
• 5b4b64c Add more tests to prevent regression of CVE 2024 47081
• 7bc4587 Add new test to check netrc auth leak (#6962)
• 96ba401 Only use hostname to do netrc lookup instead of netloc
• 7341690 Merge pull request #6951 from tswast/patch-1
• 6716d7c remove links
• a7e1c74 Update docs/conf.py
• c799b81 docs: fix dead links to kenreitz.org
• Additional commits viewable in compare view

Updates jupyterlab from 4.2.5 to 4.4.8

Release notes

Sourced from jupyterlab's releases.

v4.4.8

4.4.8

(Full Changelog)

Bugs fixed

• Debugger: Only send the configurationDone message once as per the DAP #17912 (@​martinRenou)
• Fix output prompt overlay height for large outputs #17863 (@​Meriem-BenIsmail)
• Prevent overlay of content from other columns when renaming a file in the file browser #17857 (@​CrafterKolyan)
• Fix notebook toolbar item order #17866 (@​Darshan808)

Maintenance and upkeep improvements

• Ignore npmjs.com in check-links #17915 (@​jtpio)

Documentation improvements

• Add JupyterCon banner and Jupyter colors #17906 (@​choldgraf)

Contributors to this release

(GitHub contributors page for this release)

@​brichet | @​github-actions | @​HaudinFlorence | @​jtpio | @​jupyterlab-probot | @​krassowski | @​martinRenou | @​meeseeksmachine | @​Meriem-BenIsmail | @​williamstein

v4.4.7

4.4.7

(Full Changelog)

Enhancements made

• Update to mermaid 11.10, marked 16.2 #17813 (@​bollwyvl)

Bugs fixed

• Change default line wrap in default editor config #17818 (@​gjmooney)
• Select file and accept dialog on file double click in FileDialog.getOpenFiles #17844 (@​martinRenou)
• Fix broken toolbar updates due to missing 'clear' cases in switch statements for ObservableList #17837 (@​Darshan808)
• Send code to console #17824 (@​gjmooney)
• Clear incomplete execution metadata when splitting running cells #17804 (@​Darshan808)
• Don't create empty page_config in sys_prefix when disabled is empty #17791 (@​gjmooney)

Documentation improvements

... (truncated)

Commits

• a889bb5 [ci skip] Publish 4.4.8
• 51c585b Fix integrity
• f8841dc Merge commit from fork
• 526a3d7 Backport PR #17915: Ignore npmjs.com in check-links (#17921)
• 911ff90 Backport PR #17912: Debugger: Only send the configurationDone message once ...
• 2d0ff31 Backport PR #17906: Add JupyterCon banner and Jupyter colors (#17908)
• 276b38c Backport PR #17863: Fix output prompt overlay height for large outputs (#17889)
• 88f58b1 Backport PR #17857: Prevent overlay of content from other columns when renami...
• baf78ec Backport PR #17866: Fix notebook toolbar item order (#17872)
• 30d1f70 [ci skip] Publish 4.4.7
• Additional commits viewable in compare view

Updates flask-cors from 5.0.0 to 6.0.0

Release notes

Sourced from flask-cors's releases.

6.0.0

Breaking

Path specificity ordering has changed to improve specificity. This may break users who expected the previous incorrect ordering.

• [CVE-2024-6839] Sort Paths by Regex Specificity by @​adrianosela in corydolphin/flask-cors#391
• [CVE-2024-6844] Replace use of (urllib) unquote_plus with unquote by @​adrianosela in corydolphin/flask-cors#389

What's Changed

• [CVE-2024-6866] Case Sensitive Request Path Matching by @​adrianosela in corydolphin/flask-cors#390

Full Changelog: corydolphin/flask-cors@5.0.1...6.0.0

5.0.1

What's Changed

This primarily changes packaging to use uv and a new release pipeline, along with some small documentation improvements

• [Docs] Fix links to documentation by @​coren-frankel in corydolphin/flask-cors#369
• Fix minor typos by @​kkirsche in corydolphin/flask-cors#371
• Migrate packaging and environment management to use uv by @​corydolphin in corydolphin/flask-cors#377
• Fix release pipeline by @​corydolphin in corydolphin/flask-cors#378
• Always use trusted publishing by @​corydolphin in corydolphin/flask-cors#379
• Workaround license publishing issue by @​corydolphin in corydolphin/flask-cors#380
• Fix packaging: missing source files by @​corydolphin in corydolphin/flask-cors#381

New Contributors

• @​coren-frankel made their first contribution in corydolphin/flask-cors#369
• @​kkirsche made their first contribution in corydolphin/flask-cors#371

Full Changelog: corydolphin/flask-cors@5.0.0...5.0.01

Commits

• 35d8753 [CVE-2024-6844] Replace use of (urllib) unquote_plus with unquote for paths (...
• e970988 [CVE-2024-6839] Sort Paths by Regex Specificity (#391)
• eb39516 [CVE-2024-6866] Case Sensitive Request Path Matching (#390)
• 5da9be4 Fix packaging: missing source files (#381)
• 65a5132 Workaround license publishing issue (#380)
• 7127e7e Always use trusted publishing (#379)
• 01e2e68 Fix release pipeline (#378)
• ade65a1 Major Packaging Refactor: migrate to uv (#377)
• eb44bff fix: typos (#371)
• 1225e78 replace documentation links in README (#369)
• See full diff in compare view

Updates jinja2 from 3.1.4 to 3.1.6

Release notes

Sourced from jinja2's releases.

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/ Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7

3.1.5

This is the Jinja 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.5/ Changes: https://jinja.palletsprojects.com/changes/#version-3-1-5 Milestone: https://github.com/pallets/jinja/milestone/16?closed=1

• The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. GHSA-q2x7-8rv6-6q7h
• Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. #1792, GHSA-gmj6-6f8f-6699
• Sandbox does not allow clear and pop on known mutable sequence types. #2032
• Calling sync render for an async template uses asyncio.run. #1952
• Avoid unclosed auto_aiter warnings. #1960
• Return an aclose-able AsyncGenerator from Template.generate_async. #1960
• Avoid leaving root_render_func() unclosed in Template.generate_async. #1960
• Avoid leaving async generators unclosed in blocks, includes and extends. #1960
• The runtime uses the correct concat function for the current environment when calling block references. #1701
• Make |unique async-aware, allowing it to be used after another async-aware filter. #1781
• |int filter handles OverflowError from scientific notation. #1921
• Make compiling deterministic for tuple unpacking in a {% set ... %} call. #2021
• Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. #2025
• Fix copy/pickle support for the internal missing object. #2027
• Environment.overlay(enable_async) is applied correctly. #2061
• The error message from FileSystemLoader includes the paths that were searched. #1661
• PackageLoader shows a clearer error message when the package does not contain the templates directory. #1705
• Improve annotations for methods returning copies. #1880
• urlize does not add mailto: to values like @a@b. #1870
• Tests decorated with @pass_context can be used with the |select filter. #1624
• Using set for multiple assignment (a, b = 1, 2) does not fail when the target is a namespace attribute. #1413
• Using set in all branches of {% if %}{% elif %}{% else %} blocks does not cause the variable to be considered initially undefined. #1253

Changelog

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Version 3.1.5

Released 2024-12-21

• The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. :ghsa:q2x7-8rv6-6q7h
• Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. :issue:1792, :ghsa:gmj6-6f8f-6699
• Sandbox does not allow clear and pop on known mutable sequence types. :issue:2032
• Calling sync render for an async template uses asyncio.run. :pr:1952
• Avoid unclosed auto_aiter warnings. :pr:1960
• Return an aclose-able AsyncGenerator from Template.generate_async. :pr:1960
• Avoid leaving root_render_func() unclosed in Template.generate_async. :pr:1960
• Avoid leaving async generators unclosed in blocks, includes and extends. :pr:1960
• The runtime uses the correct concat function for the current environment when calling block references. :issue:1701
• Make |unique async-aware, allowing it to be used after another async-aware filter. :issue:1781
• |int filter handles OverflowError from scientific notation. :issue:1921
• Make compiling deterministic for tuple unpacking in a {% set ... %} call. :issue:2021
• Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. :issue:2025
• Fix copy/pickle support for the internal missing object. :issue:2027
• Environment.overlay(enable_async) is applied correctly. :pr:2061
• The error message from FileSystemLoader includes the paths that were searched. :issue:1661
• PackageLoader shows a clearer error message when the package does not contain the templates directory. :issue:1705
• Improve annotations for methods returning copies. :pr:1880
• urlize does not add mailto: to values like @a@b. :pr:1870

... (truncated)

Commits

• 1520688 release version 3.1.6
• 90457bb Merge commit from fork
• 065334d attr filter uses env.getattr
• 033c200 start version 3.1.6
• bc68d4e use global contributing guide (#2070)
• 247de5e use global contributing guide
• ab8218c use project advisory link instead of global
• b4ffc8f release version 3.1.5 (#2066)
• 877f6e5 release version 3.1.5
• 8d58859 remove test pypi
• Additional commits viewable in compare view

Updates h11 from 0.14.0 to 0.16.0

Commits

• 1c5b075 this time for surer
• d9c3699 this time for sure...
• d91b9dd blacken
• 5a4683c Soothe mypy
• 9c9567f Bump version to 0.16.0
• 114803a Merge commit from fork
• 9462006 Bump version to 0.15.0
• 70a96be Merge pull request #181 from Julien00859/Julien00859/get_int_max_str_digits
• 60782ad Reject Content-Length longer 1 billion TB
• dff7cc3 Validate Chunked-Encoding chunk footer
• Additional commits viewable in compare view

Updates protobuf from 4.25.3 to 4.25.8

Commits

• a4cbdd3 Updating version.json and repo version numbers to: 25.8
• 29445be Merge pull request #21880 from shaod2/py-25
• cc13b69 Remove debugging code and add EOLs
• d31100c Manually backport recursion limit enforcement to 25.x
• 88a3b90 Change pre-22 poison pill to only log once per affected message type. (#21754)
• 320eafa Weaken vulnerable gencode poison pills to warning by default.
• f584fe3 Merge branch 'protocolbuffers:25.x' into 25.x
• c710036 Update test_upb.yml to use ubuntu-22
• 9721758 Fix missing trailing newline.
• cca7b28 Update test_upb.yml to use ubuntu-22
• Additional commits viewable in compare view

Updates tornado from 6.4.1 to 6.5

Changelog

Sourced from tornado's changelog.

Release notes

.. toctree:: :maxdepth: 2

releases/v6.5.2 releases/v6.5.1 releases/v6.5.0 releases/v6.4.2 releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1 releases/v3.2.0 releases/v3.1.1 releases/v3.1.0 releases/v3.0.2 releases/v3.0.1

... (truncated)

Commits

• ab5f354 Merge pull request #3498 from bdarnell/final-6.5
• 3623024 Final release notes for 6.5.0
• b39b892 Merge pull request #3497 from bdarnell/multipart-log-spam
• cc61050 httputil: Raise errors instead of logging in multipart/form-data parsing
• ae4a4e4 asyncio: Preserve contextvars across SelectorThread on Windows (#3479)
• 197ff13 Merge pull request #3496 from bdarnell/undeprecate-set-event-loop
• c3d906c requirements: Upgrade tox to 4.26.0
• a838977 testing: Remove deprecation warning filter for set_event_loop
• d8e0d36 build: Fix free-threaded build, mark speedups module as no-GIL
• bfe7489 Merge pull request #3492 from bdarnell/relnotes-6.5
• Additional commits viewable in compare view

Updates werkzeug from 3.0.4 to 3.1.4

Release notes

Sourced from werkzeug's releases.

3.1.4

This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.4/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-4 Milestone: https://github.com/pallets/werkzeug/milestone/42?closed=1

• safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. ghsa-hgf8-39gv-g3f2
• The debugger pin fails after 10 attempts instead of 11. #3020
• The multipart form parser handles a \r\n sequence at a chunk boundary. #3065
• Improve CPU usage during Watchdog reloader. #3054
• Request.json annotation is more accurate. #3067
• Traceback rendering handles when the line number is beyond the available source lines. #3044
• HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. #3056

3.1.3

This is the Werkzeug 3.1.3 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes vs 3.1.0.

PyPI: https://pypi.org/project/Werkzeug/3.1.3/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-1-3 Milestone: https://github.com/pallets/werkzeug/milestone/41?closed=1

• Initial data passed to MultiDict and similar interfaces only accepts list, tuple, or set when passing multiple values. It had been changed to accept any Collection, but this matched types that should be treated as single values, such as bytes. #2994
• When the Host header is not set and Request.host falls back to the WSGI SERVER_NAME value, if that value is an IPv6 address it is wrapped in [] to match the Host header. #2993

3.1.2

This is the Werkzeug 3.1.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes vs 3.1.0.

PyPI: https://pypi.org/project/Werkzeug/3.1.2/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-1-2 Milestone: https://github.com/pallets/werkzeug/milestone/40?closed=1

• Improve type annotation for TypeConversionDict.get to allow the type parameter to be a callable. #2988
• Headers does not inherit from MutableMapping, as it is does not exactly match that interface. #2989

3.1.1

This is the Werkzeug 3.1.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes vs 3.1.0.

PyPI: https://pypi.org/project/Werkzeug/3.1.1/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-1-1 Milestone: https://github.com/pallets/werkzeug/milestone/38?closed=1

• Fix an issue that caused str(Request.headers) to always appear empty. #2985

3.1.0

This is the Werkzeug 3.1.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI: https://pypi.org/project/Werkzeug/3.1.0/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-1-0 Milestone: https://github.com/pallets/werkzeug/milestone/34?closed=1

... (truncated)

Changelog

Sourced from werkzeug's changelog.

Version 3.1.4

Released 2025-11-28

• safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. :ghsa:hgf8-39gv-g3f2
• The debugger pin fails after 10 attempts instead of 11. :pr:3020
• The multipart form parser handles a \r\n sequence at a chunk boundary. :issue:3065
• Improve CPU usage during Watchdog reloader. :issue:3054
• Request.json annotation is more accurate. :issue:3067
• Traceback rendering handles when the line number is beyond the available source lines. :issue:3044
• HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. :issue:3056

Version 3.1.3

Released 2024-11-08

• Initial data passed to MultiDict and similar interfaces only accepts list, tuple, or set when passing multiple values. It had been changed to accept any Collection, but this matched types that should be treated as single values, such as bytes. :issue:2994
• When the Host header is not set and Request.host falls back to the WSGI SERVER_NAME value, if that value is an IPv6 address it is wrapped in [] to match the Host header. :issue:2993

Version 3.1.2

Released 2024-11-04

• Improve type annotation for TypeConversionDict.get to allow the type parameter to be a callable. :issue:2988
• Headers does not inherit from MutableMapping, as it is does not exactly match that interface. :issue:2989

Version 3.1.1

Released 2024-11-01

• Fix an issue that caused str(Request.headers) to always appear empty.

... (truncated)

Commits

• 1c7beb6 release version 3.1.4
• 9c8b754 install less to run tox
• 474e22f update dev dependencies
• 4b83337 Merge commit from fork
• 9bdec46 safe_join prevents windows special device names
• b11713e better HTTPException.get_response annotation (#3072)
• 1131dbd distinguish wsgi and sansio response annotation
• 5d9a403 skip rendering missing source (#3071)
• 60ea32c skip rendering missing source
• c0e67e9 Request.json property is only Any (#3070)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.