Bump the all-pip-packages group with 7 updates #497

dependabot · 2026-02-01T04:26:14Z

Bumps the all-pip-packages group with 7 updates:

Package	From	To
werkzeug	`3.1.4`	`3.1.5`
types-requests	`2.32.4.20250913`	`2.32.4.20260107`
setuptools	`80.9.0`	`80.10.2`
wheel	`0.45.1`	`0.46.3`
python-gitlab	`7.1.0`	`8.0.0`
black	`25.12.0`	`26.1.0`
boto3	`1.42.21`	`1.42.39`

Updates werkzeug from 3.1.4 to 3.1.5

Release notes

Sourced from werkzeug's releases.

3.1.5

This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.5/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-5 Milestone: https://github.com/pallets/werkzeug/milestone/43?closed=1

safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. GHSA-87hc-h4r5-73f7

The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. #3065 #3077

Fix AttributeError when initializing DebuggedApplication with pin_security=False. #3075

Changelog

Sourced from werkzeug's changelog.

Version 3.1.5

Released 2026-01-08

safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. :ghsa:87hc-h4r5-73f7

The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. :issue:3065 :issue:3077

Fix AttributeError when initializing DebuggedApplication with pin_security=False. :issue:3075

Commits

e3d06f4 release version 3.1.5
7ae1d25 Merge commit from fork
37797ab safe_join prevents windows special device names with compound extensions
3db44c7 fix duplicate reference
a40f8fa fix class name typo
0f76c35 Correct parsing up to a potential partial boundary (#3081)
1049dd6 Correct parsing up to a potential partial boundary
b48878c initialize _pin in debugger (#3078)
fa0f4f2 initialize _pin
f637275 start version 3.1.5
Additional commits viewable in compare view

Updates types-requests from 2.32.4.20250913 to 2.32.4.20260107

Commits

See full diff in compare view

Updates setuptools from 80.9.0 to 80.10.2

Changelog

Sourced from setuptools's changelog.

v80.10.2

Bugfixes

Update vendored dependencies. (#5159)

Misc

#5115, #5128

v80.10.1

Misc

#5152

v80.10.0

Features

Remove post-release tags on setuptools' own build. (#4530)

Refreshed vendored dependencies. (#5139)

Misc

#5033

Commits

5cf2d08 Bump version: 80.10.1 → 80.10.2
852cd5e Merge pull request #5166 from pypa/bugfix/5159-vendor-bin-free
11115ee Suppress deprecation warning.
5cf9185 Update vendored dependencies.
cf59f41 Delete all binaries generated by vendored package install.
89a5981 Add missing newsfragments
c0114af Postpone deprecation warnings related to PEP 639 to 2027-Feb-18 (#5115)
de07603 Revert "[CI] Constraint transient test dependency on pyobjc" (#5128)
3afd5d6 Revert "[CI] Constraint transient test dependency on pyobjc"
adfb0c9 Bump version: 80.10.0 → 80.10.1
Additional commits viewable in compare view

Updates wheel from 0.45.1 to 0.46.3

Release notes

Sourced from wheel's releases.

0.46.3

Fixed ImportError: cannot import name '_setuptools_logging' from 'wheel' when installed alongside an old version of setuptools and running the bdist_wheel command (#676)

0.46.2

Restored the bdist_wheel command for compatibility with setuptools older than v70.1

Importing wheel.bdist_wheel now emits a FutureWarning instead of a DeprecationWarning

Fixed wheel unpack potentially altering the permissions of files outside of the destination tree with maliciously crafted wheels (CVE-2026-24049)

0.46.1

Temporarily restored the wheel.macosx_libfile module (#659)

0.46.0

Dropped support for Python 3.8

Removed the bdist_wheel setuptools command implementation and entry point. The wheel.bdist_wheel module is now just an alias to setuptools.command.bdist_wheel, emitting a deprecation warning on import.

Removed vendored packaging in favor of a run-time dependency on it

Made the wheel.metadata module private (with a deprecation warning if it's imported

Made the wheel.cli package private (no deprecation warning)

Fixed an exception when calling the convert command with an empty description field

Changelog

Sourced from wheel's changelog.

Release Notes

0.46.3 (2026-01-22)

Fixed ImportError: cannot import name '_setuptools_logging' from 'wheel' when installed alongside an old version of setuptools and running the bdist_wheel command ([#676](https://github.com/pypa/wheel/issues/676) <https://github.com/pypa/wheel/issues/676>_)

0.46.2 (2026-01-22)

Restored the bdist_wheel command for compatibility with setuptools older than v70.1

Importing wheel.bdist_wheel now emits a FutureWarning instead of a DeprecationWarning

Fixed wheel unpack potentially altering the permissions of files outside of the destination tree with maliciously crafted wheels (CVE-2026-24049)

0.46.1 (2025-04-08)

Temporarily restored the wheel.macosx_libfile module ([#659](https://github.com/pypa/wheel/issues/659) <https://github.com/pypa/wheel/issues/659>_)

0.46.0 (2025-04-03)

Dropped support for Python 3.8

Removed the bdist_wheel setuptools command implementation and entry point. The wheel.bdist_wheel module is now just an alias to setuptools.command.bdist_wheel, emitting a deprecation warning on import.

Removed vendored packaging in favor of a run-time dependency on it

Made the wheel.metadata module private (with a deprecation warning if it's imported

Made the wheel.cli package private (no deprecation warning)

Fixed an exception when calling the convert command with an empty description field

0.45.1 (2024-11-23)

Fixed pure Python wheels converted from eggs and wininst files having the ABI tag in the file name

0.45.0 (2024-11-08)

Refactored the convert command to not need setuptools to be installed

Don't configure setuptools logging unless running bdist_wheel

Added a redirection from wheel.bdist_wheel.bdist_wheel to setuptools.command.bdist_wheel.bdist_wheel to improve compatibility with setuptools' latest fixes.

Projects are still advised to migrate away from the deprecated module and import

... (truncated)

Commits

8b6fa74 Created a new release
7445fb5 Fixed an import of a removed module
eba4036 Updated the version number for v0.46.2
557fb54 Created a new release
7a7d2de Fixed security issue around wheel unpack (#675)
41418fa Fixed test failures due to metadata normalization changes
c1d442b [pre-commit.ci] pre-commit autoupdate (#674)
0bac882 Update github actions environments (#673)
be9f45b [pre-commit.ci] pre-commit autoupdate (#667)
6244f08 Update pre-commit ruff legacy alias (#668)
Additional commits viewable in compare view

Updates python-gitlab from 7.1.0 to 8.0.0

Release notes

Sourced from python-gitlab's releases.

v8.0.0 (2026-01-28)

This release is published under the LGPL-3.0-or-later License.

Bug Fixes

Actually define project repr_attr (4187a69)

File save start_branch as a body attribute (1001d93)

Chores

black: Run black v26 on code (4a8d82b)

precommit: Update dependency black to v26 (ad43b76)

Features

graphql: Update to gql 4.0.0 (6f0da67)

Breaking Changes

graphql: GraphQL.execute() no longer accepts graphql.Source

Detailed Changes: v7.1.0...v8.0.0

Changelog

Sourced from python-gitlab's changelog.

v8.0.0 (2026-01-28)

Bug Fixes

Actually define project repr_attr (4187a69)

File save start_branch as a body attribute (1001d93)

Chores

black: Run black v26 on code (4a8d82b)

precommit: Update dependency black to v26 (ad43b76)

Features

graphql: Update to gql 4.0.0 (6f0da67)

Breaking Changes

graphql: GraphQL.execute() no longer accepts graphql.Source

Commits

425d0d5 chore: release v8.0.0
4440d0c chore(deps): update all non-major dependencies
ad43b76 chore(precommit): update dependency black to v26
3bcc42a chore(deps): update gitlab/gitlab-ee docker tag to v18.8.2-ee.0 (#3334)
e7d1fbb chore(deps): update dependency wheel to v0.46.2 [security]
4187a69 fix: actually define project repr_attr
1001d93 fix: file save start_branch as a body attribute
4a8d82b chore(black): run black v26 on code
39975d5 chore(deps): update dependency black to v26
1358e45 chore(deps): update dependency sphinx to v9
Additional commits viewable in compare view

Updates black from 25.12.0 to 26.1.0

Release notes

Sourced from black's releases.

26.1.0

Highlights

Introduces the 2026 stable style (#4892), stabilizing the following changes:

always_one_newline_after_import: Always force one blank line after import statements, except when the line after the import is a comment or an import statement (#4489)

fix_fmt_skip_in_one_liners: Fix # fmt: skip behavior on one-liner declarations, such as def foo(): return "mock" # fmt: skip, where previously the declaration would have been incorrectly collapsed (#4800)

fix_module_docstring_detection: Fix module docstrings being treated as normal strings if preceded by comments (#4764)

fix_type_expansion_split: Fix type expansions split in generic functions (#4777)

multiline_string_handling: Make expressions involving multiline strings more compact (#1879)

normalize_cr_newlines: Add \r style newlines to the potential newlines to normalize file newlines both from and to (#4710)

remove_parens_around_except_types: Remove parentheses around multiple exception types in except and except* without as (#4720)

remove_parens_from_assignment_lhs: Remove unnecessary parentheses from the left-hand side of assignments while preserving magic trailing commas and intentional multiline formatting (#4865)

standardize_type_comments: Format type comments which have zero or more spaces between # and type: or between type: and value to # type: (value) (#4645)

The following change was not in any previous stable release:

Regenerated the _width_table.py and added tests for the Khmer language (#4253)

This release alo bumps pathspec to v1 and fixes inconsistencies with Git's .gitignore logic (#4958). Now, files will be ignored if a pattern matches them, even if the parent directory is directly unignored. For example, Black would previously format exclude/not_this/foo.py with this .gitignore:
exclude/
!exclude/not_this/
Now, exclude/not_this/foo.py will remain ignored. To ensure exclude/not_this/ and all of it's children are included in formatting (and in Git), use this .gitignore:
*/exclude/*
!*/exclude/not_this/
This new behavior matches Git. The leading */ are only necessary if you wish to ignore matching subdirectories (like the previous behavior did), and not just matching root

... (truncated)

Changelog

Sourced from black's changelog.

26.1.0

Highlights

Introduces the 2026 stable style (#4892), stabilizing the following changes:

always_one_newline_after_import: Always force one blank line after import statements, except when the line after the import is a comment or an import statement (#4489)

fix_fmt_skip_in_one_liners: Fix # fmt: skip behavior on one-liner declarations, such as def foo(): return "mock" # fmt: skip, where previously the declaration would have been incorrectly collapsed (#4800)

fix_module_docstring_detection: Fix module docstrings being treated as normal strings if preceded by comments (#4764)

fix_type_expansion_split: Fix type expansions split in generic functions (#4777)

multiline_string_handling: Make expressions involving multiline strings more compact (#1879)

normalize_cr_newlines: Add \r style newlines to the potential newlines to normalize file newlines both from and to (#4710)

remove_parens_around_except_types: Remove parentheses around multiple exception types in except and except* without as (#4720)

remove_parens_from_assignment_lhs: Remove unnecessary parentheses from the left-hand side of assignments while preserving magic trailing commas and intentional multiline formatting (#4865)

standardize_type_comments: Format type comments which have zero or more spaces between # and type: or between type: and value to # type: (value) (#4645)

The following change was not in any previous stable release:

Regenerated the _width_table.py and added tests for the Khmer language (#4253)

This release alo bumps pathspec to v1 and fixes inconsistencies with Git's .gitignore logic (#4958). Now, files will be ignored if a pattern matches them, even if the parent directory is directly unignored. For example, Black would previously format exclude/not_this/foo.py with this .gitignore:
exclude/
!exclude/not_this/
Now, exclude/not_this/foo.py will remain ignored. To ensure exclude/not_this/ and all of it's children are included in formatting (and in Git), use this .gitignore:
*/exclude/*
!*/exclude/not_this/
This new behavior matches Git. The leading */ are only necessary if you wish to ignore

... (truncated)

Commits

6305bf1 Prepare 2026.1.0 release (#4892)
e71305b Bump pypa/cibuildwheel from 3.3.0 to 3.3.1 (#4961)
21a2a8c Fix Shutdown multiprocessing Manager in schedule_formatting (#4952)
e3146ce Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#4919)
fe1fbc4 Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#4923)
2b4b7fc Bump actions/download-artifact from 6.0.0 to 7.0.0 (#4922)
d745be6 docs: document --force-exclude for pre-commit workflows (#4957)
b41acd6 Various CI and doc refactors (#4928)
6f43612 Handle pathspec v1 changes (#4958)
200c550 Bump furo from 2025.9.25 to 2025.12.19 in /docs (#4933)
Additional commits viewable in compare view

Updates boto3 from 1.42.21 to 1.42.39

Commits

fd93dbb Merge branch 'release-1.42.39'
0a13ecc Bumping version to 1.42.39
e6b1f89 Add changelog entries from botocore
f76522e Merge branch 'release-1.42.38'
c7ef3d3 Merge branch 'release-1.42.38' into develop
24e7223 Bumping version to 1.42.38
0b29f3a Add changelog entries from botocore
68bd84f Update wheel to 0.46.3 (#4713)
bae9979 Merge branch 'release-1.42.37'
be2fdc5 Merge branch 'release-1.42.37' into develop
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the all-pip-packages group with 7 updates: | Package | From | To | | --- | --- | --- | | [werkzeug](https://github.com/pallets/werkzeug) | `3.1.4` | `3.1.5` | | [types-requests](https://github.com/typeshed-internal/stub_uploader) | `2.32.4.20250913` | `2.32.4.20260107` | | [setuptools](https://github.com/pypa/setuptools) | `80.9.0` | `80.10.2` | | [wheel](https://github.com/pypa/wheel) | `0.45.1` | `0.46.3` | | [python-gitlab](https://github.com/python-gitlab/python-gitlab) | `7.1.0` | `8.0.0` | | [black](https://github.com/psf/black) | `25.12.0` | `26.1.0` | | [boto3](https://github.com/boto/boto3) | `1.42.21` | `1.42.39` | Updates `werkzeug` from 3.1.4 to 3.1.5 - [Release notes](https://github.com/pallets/werkzeug/releases) - [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst) - [Commits](pallets/werkzeug@3.1.4...3.1.5) Updates `types-requests` from 2.32.4.20250913 to 2.32.4.20260107 - [Commits](https://github.com/typeshed-internal/stub_uploader/commits) Updates `setuptools` from 80.9.0 to 80.10.2 - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](pypa/setuptools@v80.9.0...v80.10.2) Updates `wheel` from 0.45.1 to 0.46.3 - [Release notes](https://github.com/pypa/wheel/releases) - [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst) - [Commits](pypa/wheel@0.45.1...0.46.3) Updates `python-gitlab` from 7.1.0 to 8.0.0 - [Release notes](https://github.com/python-gitlab/python-gitlab/releases) - [Changelog](https://github.com/python-gitlab/python-gitlab/blob/main/CHANGELOG.md) - [Commits](python-gitlab/python-gitlab@v7.1.0...v8.0.0) Updates `black` from 25.12.0 to 26.1.0 - [Release notes](https://github.com/psf/black/releases) - [Changelog](https://github.com/psf/black/blob/main/CHANGES.md) - [Commits](psf/black@25.12.0...26.1.0) Updates `boto3` from 1.42.21 to 1.42.39 - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.42.21...1.42.39) --- updated-dependencies: - dependency-name: werkzeug dependency-version: 3.1.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-pip-packages - dependency-name: types-requests dependency-version: 2.32.4.20260107 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-pip-packages - dependency-name: setuptools dependency-version: 80.10.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-pip-packages - dependency-name: wheel dependency-version: 0.46.3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-pip-packages - dependency-name: python-gitlab dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-pip-packages - dependency-name: black dependency-version: 26.1.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: all-pip-packages - dependency-name: boto3 dependency-version: 1.42.39 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: all-pip-packages ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Feb 1, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the all-pip-packages group with 7 updates #497

Bump the all-pip-packages group with 7 updates #497

dependabot bot commented on behalf of github Feb 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Bump the all-pip-packages group with 7 updates #497

Are you sure you want to change the base?

Bump the all-pip-packages group with 7 updates #497

Conversation

dependabot bot commented on behalf of github Feb 1, 2026

3.1.5

Version 3.1.5

v80.10.2

Bugfixes

Misc

v80.10.1

Misc

v80.10.0

Features

Misc

0.46.3

0.46.2

0.46.1

0.46.0

Release Notes

v8.0.0 (2026-01-28)

Bug Fixes

Chores

Features

Breaking Changes

v8.0.0 (2026-01-28)

Bug Fixes

Chores

Features

Breaking Changes

26.1.0

Highlights

26.1.0

Highlights

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants