Update all dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
Authlib	==1.1.0 -> ==1.3.2					install	minor
Hypercorn	==0.14.3 -> ==0.17.3					install	minor
Jinja2 (changelog)	==3.1.2 -> ==3.1.4					install	patch
Markdown (changelog)	==3.4.1 -> ==3.7					install	minor
SQLAlchemy (changelog)	==1.4.43 -> ==2.0.36					install	major
Werkzeug (changelog)	==2.2.2 -> ==3.1.3					install	major
actions/checkout	v3 -> v4					action	major
aiofiles (changelog)	==22.1.0 -> ==24.1.0					install	major
aiohttp	==3.8.3 -> ==3.10.11					install	minor
alembic (source, changelog)	==1.8.1 -> ==1.14.0					install	minor
asgiref (changelog)	==3.5.2 -> ==3.8.1					install	minor
autoflake	==1.7.7 -> ==2.3.1					install	major
bcrypt	==4.0.1 -> ==4.2.0					install	minor
beautifulsoup4 (changelog)	==4.11.1 -> ==4.12.3					install	minor
black (changelog)	==22.10.0 -> ==24.10.0					install	major
bleach	==5.0.1 -> ==6.2.0					install	major
coverage	==6.5.0 -> ==7.6.4					install	major
email-validator	==1.3.0 -> ==2.2.0					install	major
fakeredis	==1.10.0 -> ==2.26.1					install	major
fastapi (changelog)	==0.86.0 -> ==0.115.5					install	minor
feedgen	==0.9.0 -> ==1.0.0					install	major
filelock	==3.8.0 -> ==3.16.1					install	minor
flake8 (changelog)	==5.0.4 -> ==7.1.1					install	major
gunicorn (changelog)	==20.1.0 -> ==23.0.0					install	major
highlight.js (source)	11.5.0 -> 11.10.0						minor
httpx (changelog)	==0.23.0 -> ==0.27.2					install	minor
isort (source, changelog)	==5.10.1 -> ==5.13.2					install	minor
itsdangerous (changelog)	==2.1.2 -> ==2.2.0					install	minor
lxml (source, changelog)	==4.9.1 -> ==5.3.0					install	major
makedeb-srcinfo	==0.5.2 -> ==0.8.1					install	minor
mysqlclient	==2.1.1 -> ==2.2.6					install	minor
orjson (changelog)	==3.8.1 -> ==3.10.11					install	minor
paginate	==0.5.6 -> ==0.5.7					install	patch
posix-ipc	==1.0.5 -> ==1.1.1					install	minor
prometheus-fastapi-instrumentator	==5.9.1 -> ==7.0.0					install	major
protobuf	==4.21.9 -> ==5.28.3					install	major
pygit2 (changelog)	==1.10.1 -> ==1.16.0					install	minor
pytest (changelog)	==7.2.0 -> ==8.3.3					install	major
pytest-asyncio (changelog)	==0.20.1 -> ==0.24.0					install	minor
pytest-cov (changelog)	==4.0.0 -> ==6.0.0					install	major
pytest-tap	==3.3 -> ==3.4					install	minor
pytest-xdist (changelog)	==3.0.2 -> ==3.6.1					install	minor
python-multipart (changelog)	==0.0.5 -> ==0.0.17					install	patch
redis (changelog)	==4.3.4 -> ==5.2.0					install	major
requests (source, changelog)	==2.28.1 -> ==2.32.3					install	minor
sentry-sdk (changelog)	==1.10.1 -> ==2.18.0					install	major
uvicorn (changelog)	==0.19.0 -> ==0.32.0					install	minor

---

Release Notes

lepture/authlib (Authlib)

v1.3.2: Version 1.3.2

Compare Source

• Prevent ever-growing session size for OAuth clients.
• Revert quote client id and secret.
• unquote basic auth header for authorization server.

v1.3.1: Version 1.3.1

Compare Source

Prevent OctKey to import ssh and PEM strings.

v1.3.0: Version 1.3.0

Compare Source

Bug fixes

• Restore AuthorizationServer.create_authorization_response behavior, via #​558 by @​TurnrDev
• Include leeway in validate_iat() for JWT, via #​565 by @​dhallam
• Fix encode_client_secret_basic, via #​594 by @​Prilkop
• Use single key in JWK if JWS does not specify kid, via #​596 by @​dklimpel
• Fix error when RFC9068 JWS has no scope field, via #​598 by @​tanguilp
• Get werkzeug version using importlib, via #​591 by @​Sparrow0hawk

Breaking changes

• RFC9068 implementation, via #​586 by @​azmeuk.

v1.2.1: Version 1.2.1

Compare Source

• Apply headers in ClientSecretJWT.sign method, via #​552
• Allow falsy but non-None grant uri params, via #​544
• Fixed authorize_redirect for Starlette v0.26.0, via #​533
• Removed has_client_secret method and documentation, via #​513
• Removed request_invalid and token_revoked remaining occurences
  and documentation. #​514
• Fixed RFC7591 grant_types and response_types default values, via #​509
• Add support for python 3.12, via #​590

v1.2.0: Version 1.2.0

Compare Source

• Not passing request.body to ResourceProtector, #​485.
• Use flask.g instead of _app_ctx_stack, #​482.
• Add headers parameter back to ClientSecretJWT, #​457.
• Always passing realm parameter in OAuth 1 clients, #​339.
• Implemented RFC7592 Dynamic Client Registration Management Protocol, #​505`
• Add default_timeout for requests OAuth2Session and AssertionSession.
• Deprecate jwk.loads and jwk.dumps

pgjones/hypercorn (Hypercorn)

v0.17.3

Compare Source

• Restore set TCP_NODELAY on TCP sockets
• Support uvloop >= 0.18 and the loop_factory argument
• Bugfix ensure ExceptionGroup lifespan failures crash the server.

v0.17.2

Compare Source

• Bugfix pass the correct quic connection to the H3 Protocol.

v0.17.1

Compare Source

• Bugfix revert set TCP_NODELAY on sockets.

v0.17.0

Compare Source

• Set TCP_NODELAY on sockets.
• Support sending trailing headers on h2/h3.
• Add support for lifespan state.
• Allow sending of the response before body data arrives.
• Bugfix properly set host header to ascii string in
  ProxyFixMiddleware.
• Bugfix encode headers using latin-1.
• Bugfix don't double-access log if the response was sent.
• Bugfix a statsd logging bug.
• Bugfix handle already-closed on StreamEnded.
• Bugfix send a 400 response if data is received before the websocket
  is accepted.
• Bugfix ensure only a single QUIC timer task per connection.
• Bugfix ensure responses are sent with empty bodies for WSGI.

v0.16.0

Compare Source

• Add a max keep alive requests configuration option, this mitigates
  the HTTP/2 rapid reset attack.
• Return subprocess exit code if non-zero.
• Add ProxyFix middleware to make it easier to run Hypercorn behind a
  proxy.
• Support restarting workers after max requests to make it easier to
  manage memory leaks in apps.
• Bugfix ensure the idle task is stopped on error.
• Bugfix revert autoreload error because reausing old sockets.
• Bugfix send the hinted error from h11 on RemoteProtocolErrors.
• Bugfix handle asyncio.CancelledError when socket is closed without
  flushing.
• Bugfix improve WSGI compliance by closing iterators, only sending
  headers on first response byte, erroring if start_response is
  not called, and switching wsgi.errors to stdout.
• Don't error on LocalProtoclErrors for ws streams to better cope with
  race conditions.

v0.15.0

Compare Source

• Improve the NoAppError to help diagnose why the app has not been
  found.
• Log cancelled requests as well as successful to aid diagnositics of
  failures.
• Use more modern asyncio apis. This will hopefully fix reported
  memory leak issues.
• Bugfix only load the application in the main process if the reloader
  is being used.
• Bugfix Autoreload error because reausing old sockets.
• Bugfix scope client usage for sock binding.
• Bugfix disable multiprocessing if number of workers is 0 to support
  systems that don't support multiprocessing.

v0.14.4

Compare Source

• Bugfix Use tomllib/tomli for .toml support replacing the
  unmaintained toml library.
• Bugfix server hanging on startup failure.
• Bugfix close websocket with 1011 on internal error (1006 is a
  client-only code).
• Bugfix support trio > 0.22 utilising exception groups (note trio <=
  0.22 is not supported).
• Bugfix except ConnectionAbortedError which can be raised on Windows
  machines.
• Bugfix ensure that closed is sent on reading end.
• Bugfix handle read_timeout exception on trio.
• Support and test against Python 3.11.
• Add explanation of PicklingErrors.
• Add config option to pass raw h11 headers.

pallets/jinja (Jinja2)

v3.1.4

Compare Source

Released 2024-05-05

• The xmlattr filter does not allow keys with / solidus, >
  greater-than sign, or = equals sign, in addition to disallowing spaces.
  Regardless of any validation done by Jinja, user input should never be used
  as keys to this filter, or must be separately validated first.
  :ghsa:h75v-3vvj-5mfj

v3.1.3

Compare Source

Released 2024-01-10

• Fix compiler error when checking if required blocks in parent templates are
  empty. :pr:1858
• xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
• Make error messages stemming from invalid nesting of {% trans %} blocks
  more helpful. :pr:1918

Python-Markdown/markdown (Markdown)

v3.7

Compare Source

Changed

Refactor abbr Extension

A new AbbrTreeprocessor has been introduced, which replaces the now deprecated
AbbrInlineProcessor. Abbreviation processing now happens after Attribute Lists,
avoiding a conflict between the two extensions (#​1460).

The AbbrPreprocessor class has been renamed to AbbrBlockprocessor, which
better reflects what it is. AbbrPreprocessor has been deprecated.

A call to Markdown.reset() now clears all previously defined abbreviations.

Abbreviations are now sorted by length before executing AbbrTreeprocessor
to ensure that multi-word abbreviations are implemented even if an abbreviation
exists for one of those component words. (#​1465)

Abbreviations without a definition are now ignored. This avoids applying
abbr tags to text without a title value.

Added an optional glossary configuration option to the abbreviations extension.
This provides a simple and efficient way to apply a dictionary of abbreviations
to every page.

Abbreviations can now be disabled by setting their definition to "" or ''.
This can be useful when using the glossary option.

Fixed

• Fixed links to source code on GitHub from the documentation (#​1453).

v3.6

Compare Source

Changed

Refactor TOC Sanitation

• All postprocessors are now run on heading content.
• Footnote references are now stripped from heading content. Fixes #​660.
• A more robust striptags is provided to convert headings to plain text.
  Unlike, the markupsafe implementation, HTML entities are not unescaped.
• The plain text name, rich html, and unescaped raw data-toc-label are
  saved to toc_tokens, allowing users to access the full rich text content of
  the headings directly from toc_tokens.
• The value of data-toc-label is sanitized separate from heading content
  before being written to name. This fixes a bug which allowed markup through
  in certain circumstances. To access the raw unsanitized data, retrieve the
  value from token['data-toc-label'] directly.
• An html.unescape call is made just prior to calling slugify so that
  slugify only operates on Unicode characters. Note that html.unescape is
  not run on name, html, or data-toc-label.
• The functions get_name and stashedHTML2text defined in the toc extension
  are both deprecated. Instead, third party extensions should use some
  combination of the new functions run_postprocessors, render_inner_html and
  striptags.

Fixed

• Include scripts/*.py in the generated source tarballs (#​1430).
• Ensure lines after heading in loose list are properly detabbed (#​1443).
• Give smarty tree processor higher priority than toc (#​1440).
• Permit carets (^) and square brackets (]) but explicitly exclude
  backslashes (\) from abbreviations (#​1444).
• In attribute lists (attr_list, fenced_code), quoted attribute values are
  now allowed to contain curly braces (}) (#​1414).

v3.5.2

Compare Source

Fixed

• Fix type annotations for convertFile - it accepts only bytes-based buffers.
  Also remove legacy checks from Python 2 (#​1400)
• Remove legacy import needed only in Python 2 (#​1403)
• Fix typo that left the attribute AdmonitionProcessor.content_indent unset
  (#​1404)
• Fix edge-case crash in InlineProcessor with AtomicString (#​1406).
• Fix edge-case crash in codehilite with an empty code tag (#​1405).
• Improve and expand type annotations in the code base (#​1401).
• Fix handling of bogus comments (#​1425).

v3.5.1

Compare Source

Fixed

• Fix a performance problem with HTML extraction where large HTML input could
  trigger quadratic line counting behavior (#​1392).
• Improve and expand type annotations in the code base (#​1394).

v3.5

Compare Source

v3.4.4

Compare Source

v3.4.3

Compare Source

v3.4.2

Compare Source

actions/checkout (actions/checkout)

v4

Compare Source

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in https://github.com/actions/checkout/pull/1924

Tinche/aiofiles (aiofiles)

v24.1.0: 24.1.0

Compare Source

• Import os.link conditionally to fix importing on android.
  #​175
• Remove spurious items from aiofiles.os.__all__ when running on Windows.
• Switch to more modern async idioms: Remove types.coroutine and make AiofilesContextManager an awaitable instead a coroutine.
• Add aiofiles.os.path.abspath and aiofiles.os.getcwd.
  #​174
• aiofiles is now tested on Python 3.13 too.
  #​184
• Dropped Python 3.7 support. If you require it, use version 23.2.1.

v23.2.1: 23.2.1

Compare Source

• Import os.statvfs conditionally to fix importing on non-UNIX systems.
  #​171 #​172
• aiofiles is now also tested on Windows.

v23.2.0: 23.2.0

Compare Source

23.2.0

• aiofiles is now tested on Python 3.12 too.
  #​166 #​168
• On Python 3.12, aiofiles.tempfile.NamedTemporaryFile now accepts a delete_on_close argument, just like the stdlib version.
• On Python 3.12, aiofiles.tempfile.NamedTemporaryFile no longer exposes a delete attribute, just like the stdlib version.
• Added aiofiles.os.statvfs and aiofiles.os.path.ismount.
  #​162
• Use PDM instead of Poetry.
  #​169

v23.1.0

Compare Source

aio-libs/aiohttp (aiohttp)

v3.10.11

Compare Source

====================

Bug fixes

• Authentication provided by a redirect now takes precedence over provided auth when making requests with the client -- by :user:PLPeeters.

  Related issues and pull requests on GitHub:
  :issue:9436.

• Fixed :py:meth:WebSocketResponse.close() <aiohttp.web.WebSocketResponse.close> to discard non-close messages within its timeout window after sending close -- by :user:lenard-mosys.

  Related issues and pull requests on GitHub:
  :issue:9506.

• Fixed a deadlock that could occur while attempting to get a new connection slot after a timeout -- by :user:bdraco.

  The connector was not cancellation-safe.

  Related issues and pull requests on GitHub:
  :issue:9670, :issue:9671.

• Fixed the WebSocket flow control calculation undercounting with multi-byte data -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9686.

• Fixed incorrect parsing of chunk extensions with the pure Python parser -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9851.

• Fixed system routes polluting the middleware cache -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9852.

Removals and backward incompatible breaking changes

• Improved performance of the connector when a connection can be reused -- by :user:bdraco.

  If BaseConnector.connect has been subclassed and replaced with custom logic, the ceil_timeout must be added.

  Related issues and pull requests on GitHub:
  :issue:9600.

Miscellaneous internal changes

• Improved performance of the client request lifecycle when there are no cookies -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9470.

• Improved performance of sending client requests when the writer can finish synchronously -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9485.

• Improved performance of serializing HTTP headers -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9603.

• Passing enable_cleanup_closed to :py:class:aiohttp.TCPConnector is now ignored on Python 3.12.7+ and 3.13.1+ since the underlying bug that caused asyncio to leak SSL connections has been fixed upstream -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9726, :issue:9736.

---

v3.10.10

Compare Source

====================

Bug fixes

• Fixed error messages from :py:class:~aiohttp.resolver.AsyncResolver being swallowed -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9451, :issue:9455.

Features

• Added :exc:aiohttp.ClientConnectorDNSError for differentiating DNS resolution errors from other connector errors -- by :user:mstojcevich.

  Related issues and pull requests on GitHub:
  :issue:8455.

Miscellaneous internal changes

• Simplified DNS resolution throttling code to reduce chance of race conditions -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:9454.

---

v3.10.9

Compare Source

===================

Bug fixes

• Fixed proxy headers being used in the ConnectionKey hash when a proxy was not being used -- by :user:bdraco.

  If default headers are used, they are also used for proxy headers. This could have led to creating connections that were not needed when one was already available.

  Related issues and pull requests on GitHub:
  :issue:9368.

• Widened the type of the trace_request_ctx parameter of
  :meth:ClientSession.request() <aiohttp.ClientSession.request> and friends
  -- by :user:layday.

  Related issues and pull requests on GitHub:
  :issue:9397.

Removals and backward incompatible breaking changes

• Fixed failure to try next host after single-host connection timeout -- by :user:brettdh.

  The default client :class:aiohttp.ClientTimeout params has changed to include

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[hwittenborn]

Holding off on this until fakeredis supports this version of redis. See jamesls/fakeredis#329.