Skip to content

Bump the all-uv-dependencies group with 7 updates#2

Merged
fey merged 1 commit into
mainfrom
dependabot/uv/all-uv-dependencies-8fab594259
May 20, 2026
Merged

Bump the all-uv-dependencies group with 7 updates#2
fey merged 1 commit into
mainfrom
dependabot/uv/all-uv-dependencies-8fab594259

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 19, 2026

Bumps the all-uv-dependencies group with 7 updates:

Package From To
dj-database-url 2.3.0 3.1.2
django 5.1.7 6.0.5
django-bootstrap4 25.1 26.1
gunicorn 23.0.0 26.0.0
python-dotenv 1.1.0 1.2.2
whitenoise 6.9.0 6.12.0
ruff 0.11.2 0.15.13

Updates dj-database-url from 2.3.0 to 3.1.2

Release notes

Sourced from dj-database-url's releases.

v3.1.2

What's Changed

New Contributors

Full Changelog: jazzband/dj-database-url@v3.1.1...v3.1.2

v3.1.1

What's Changed

New Contributors

Full Changelog: jazzband/dj-database-url@v3.1.0...v3.1.1

v3.1.0

What's Changed

New Contributors

Full Changelog: jazzband/dj-database-url@v3.0.1...v3.1.0

v3.0.1

What's Changed

Full Changelog: jazzband/dj-database-url@v3.0.0...v3.0.1

v3.0.0

... (truncated)

Changelog

Sourced from dj-database-url's changelog.

CHANGELOG

v3.1.0 (2026-01-03)

  • Add support for Django 6.0
  • Update CI structure.
  • Migrate to UV for dependency management and builds.
  • Python >3.10 support.

v3.0.1 (2025-07-01)

  • Drop dependency on typing_extensions.

v3.0.0 (2025-05-18)

Bumping to version 3; changes to code do break some API compatibility.

  • Implement a new decorator registry pattern to implement checks on database connection string.
  • You can now support and implement your own database strings by extending the @​register functionality.
  • Update supported python versions and django versions.
Commits
  • e77149f [pre-commit.ci] pre-commit autoupdate (#297)
  • 6beffe6 Fix a regression in adding tests/ dir to source package
  • f9c3130 Bump wheel from 0.45.1 to 0.46.2 (#296)
  • 5337838 Bump urllib3 from 2.6.2 to 2.6.3 (#295)
  • 6fc3664 Bump django from 5.2.9 to 5.2.11 (#294)
  • 19805c9 Bump cryptography from 46.0.3 to 46.0.5 (#293)
  • 1b102cd Update project URLs in pyproject.toml
  • e41afda [pre-commit.ci] pre-commit autoupdate (#291)
  • dba6077 Update .pre-commit-config.yaml to use pinned version numbers. (#289)
  • e6f4ccc Add pytest to dependencies
  • Additional commits viewable in compare view

Updates django from 5.1.7 to 6.0.5

Commits
  • 8f8ad09 [6.0.x] Bumped version for 6.0.5 release.
  • 44ad76e [6.0.x] Fixed CVE-2026-6907 -- Prevented caching of requests when Vary header...
  • 1b0184a [6.0.x] Fixed CVE-2026-35192 -- Ensured Vary header is sent when setting sess...
  • ad8f9e1 [6.0.x] Fixed CVE-2026-5766 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE in Memory...
  • 990ab01 [6.0.x] Fixed #37039 -- Removed outdated note from QuerySet.iterator() docs.
  • f0c269f [6.0.x] Fixed typo in stub release notes for 5.2.14.
  • 8bcd15b [6.0.x] Fixed #37067 -- Added trailing slash in django_file_prefixes().
  • 3cdec64 [6.0.x] Refs CVE-2026-25674 -- Clarified role of umask in upload permissions.
  • 5dd5c70 [6.0.x] Added stub release notes and release date for 6.0.5 and 5.2.14.
  • 8ee7341 [6.0.x] Refs #373, #34122 -- Removed warning that ForeignObject is an interna...
  • Additional commits viewable in compare view

Updates django-bootstrap4 from 25.1 to 26.1

Changelog

Sourced from django-bootstrap4's changelog.

26.1 (2026-01-03)

  • Refactor release workflow to tag-based publishing via GitHub Actions (#843).
  • Remove support for Django 5.1 (EOL) (#840).

25.3 (2025-11-14)

  • Remove support for Python 3.9 (EOL) (#833, #835).
  • Add support for Python 3.14 (#831).
  • Add support for Django 6.0 (#830).

25.2 (2025-07-31)

  • Symlink CHANGELOG.md into docs for Sphinx (#812).
  • Drop support for Django 5.0 (EOL) (#814).
  • Add support for Django 5.2 (#815).
  • Use astral-sh/setup-uv in GitHub Actions (#820, #821).
  • Use uv build (#822).
  • Use uv.lock in GitHub Actions (#823).
Commits

Updates gunicorn from 23.0.0 to 26.0.0

Release notes

Sourced from gunicorn's releases.

26.0.0

Breaking Changes

  • Eventlet worker removed: The eventlet worker class has been dropped. Migrate to gevent, gthread, or tornado.

New Features

  • ASGI Framework Compatibility Suite: New end-to-end compatibility test harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep. Current grid passes 438/444 tests (98%).
  • ASGI Test Suite Expansion: 134 additional ASGI unit tests covering protocol semantics, lifespan, websockets, and chunked framing.

Security

  • HTTP/1.1 Request-Target Validation (RFC 9112 sections 3.2.3, 3.2.4):
    • Reject authority-form request-target outside CONNECT
    • Reject asterisk-form request-target outside OPTIONS
    • Reject relative-reference request-targets
  • Header Field Hardening (RFC 9110):
    • Reject control characters in header field-value (section 5.5)
    • Reject forbidden trailer field-names (section 6.5.1)
    • Reject Content-Length list form (RFC 9112 section 6.3)
  • Request Smuggling Hardening:
    • Tighten keepalive gate and scope finish_body byte cap
    • Keep _body_receiver alive across the keepalive smuggling gate so pipelined requests cannot re-enter a closed body
    • Address parser/protocol findings from a six-point WSGI/ASGI audit
  • PROXY Protocol (ASGI): Enforce proxy_allow_ips and tighten v1/v2 parsing in the ASGI callback parser.
  • Connection Draining: Drain the connection on close per RFC 9112 section 9.6 to prevent reset-on-close truncation.

Bug Fixes

  • Body Framing on HEAD/204/304:
    • Keep Content-Length on HEAD and 304 responses (#3621)
    • Drop body framing on HEAD/204/304 even when the framework set it
    • Warn once when an ASGI app emits a body for a no-body response
  • HTTP/2 ASGI:
    • Fix _handle_stream_ended to set _body_complete in the async HTTP/2 handler so request bodies finalize correctly on stream end
    • Add InvalidChunkExtension mapping and fast-parser support in ASGI tests (#3565)
  • HTTP/1.1 100-Continue: Stop adding Transfer-Encoding: chunked to 100-Continue interim responses.
  • WebSocket Close Handshake (RFC 6455):
    • Comply with the close handshake state machine
    • Close the transport after the close handshake completes
    • Fix binary send when the text key is None
  • Early Hints: Validate headers in the early_hints callback to match process_headers; pass only the header name to InvalidHeader (#3588).
  • ASGI Framework Fixes:
    • Fix ASGI disconnect handling for Django-style apps
    • Fix Litestar request handling (use raw ASGI receive for body/headers)
    • Fix Litestar HTTP endpoints for compatibility tests
    • Fix Quart headers endpoint to normalize keys to lowercase
    • Fix Quart WebSocket close test app (missing accept())
    • Fix duplicate Transfer-Encoding header for BlackSheep streaming

... (truncated)

Commits
  • 5d819cf release: 26.0.0
  • b45c70d Merge pull request #3611 from zc-mattcen/docs-typo
  • 99c8d48 Merge pull request #3623 from benoitc/chore/drop-eventlet-add-h2-uvloop-test-...
  • 5a655af Merge pull request #3622 from benoitc/test/docker-port-and-ipv4-fixes
  • 201df19 chore: remove eventlet worker; add h2 and uvloop to test deps
  • f4ac8e1 test: pass action name to dirty client and stabilize after TTOU spam
  • 54d38af test: unblock docker fixtures on macOS hosts
  • 68843c8 Merge pull request #3621 from benoitc/fix/asgi-preserve-content-length-on-hea...
  • 31f2618 Merge pull request #3620 from benoitc/fix/asgi-proxy-protocol-trust-and-parsing
  • 41ec752 fix: keep Content-Length on HEAD and 304 responses
  • Additional commits viewable in compare view

Updates python-dotenv from 1.1.0 to 1.2.2

Release notes

Sourced from python-dotenv's releases.

v1.2.2

Added

  • Support for Python 3.14, including the free-threaded (3.14t) build. (#)

Changed

  • The dotenv run command now forwards flags directly to the specified command by @​bbc2 in theskumar/python-dotenv#607
  • Improved documentation clarity regarding override behavior and the reference page.
  • Updated PyPy support to version 3.11.
  • Documentation for FIFO file support.
  • Support for Python 3.9.

Fixed

Breaking Changes

  • dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

  • In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

  • dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

Misc

New Contributors

Full Changelog: theskumar/python-dotenv@v1.2.1...v1.2.2

v1.2.1

What's Changed

... (truncated)

Changelog

Sourced from python-dotenv's changelog.

[1.2.2] - 2026-03-01

Added

  • Support for Python 3.14, including the free-threaded (3.14t) build. (#588)

Changed

  • The dotenv run command now forwards flags directly to the specified command by [@​bbc2] in #607
  • Improved documentation clarity regarding override behavior and the reference page.
  • Updated PyPy support to version 3.11.
  • Documentation for FIFO file support.
  • Dropped Support for Python 3.9.

Fixed

  • Improved set_key and unset_key behavior when interacting with symlinks by [@​bbc2] in [790c5c0]
  • Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by [@​JYOuyang] in #590

Breaking Changes

  • dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

  • In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

  • dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

[1.2.1] - 2025-10-26

  • Move more config to pyproject.toml, removed setup.cfg
  • Add support for reading .env from FIFOs (Unix) by [@​sidharth-sudhir] in #586

[1.2.0] - 2025-10-26

[1.1.1] - 2025-06-24

Fixed

... (truncated)

Commits

Updates whitenoise from 6.9.0 to 6.12.0

Changelog

Sourced from whitenoise's changelog.

6.12.0 (2026-02-27)

  • Drop Python 3.9 support.
  • Fix potential unauthorised file access vulnerability in "autorefesh" mode. See PR [#684](https://github.com/evansd/whitenoise/issues/684) <https://github.com/evansd/whitenoise/pull/684>__ for details, and a reminder that autorefresh mode has always been documented as unsuitable for production use. Thanks Seth Larson for reporting.

6.11.0 (2025-09-18)

  • Support Django 6.0.

6.10.0 (2025-09-09)

  • Support Python 3.14.
Commits

Updates ruff from 0.11.2 to 0.15.13

Release notes

Sourced from ruff's releases.

0.15.13

Release Notes

Released on 2026-05-14.

Preview features

  • Add a rule to flag lazy imports that are eagerly evaluated (#25016)
  • [pylint] Standardize diagnostic message (PLR0914, PLR0917) (#24996)

Bug fixes

  • Fix F811 false positive for class methods (#24933)
  • Fix setting selection for multi-folder workspace (#24819)
  • [eradicate] Fix false positive for lines with leading whitespace (ERA001) (#25122)
  • [flake8-pyi] Fix false positive for f-string debug specifier (PYI016) (#24098)

Rule changes

  • Always include panic payload in panic diagnostic message (#24873)
  • Restrict PYI034 for in-place operations to enclosing class (#24511)
  • Improve error message for parameters that are declared global (#24902)
  • Update known stdlib (#25103)

Performance

  • [isort] Avoid constructing glob::Patterns for literal known modules (#25123)

CLI

  • Add TOML examples to --config help text (#25013)
  • Colorize ruff check 'All checks passed' (#25085)

Configuration

  • Increase max allowed value of line-length setting (#24962)

Documentation

  • Add D203 to rules that conflict with the formatter (#25044)
  • Clarify COM819 and formatter interaction (#25045)
  • Clarify that NotImplemented is a value, not an exception (F901) (#25054)
  • Update number of lint rules supported (#24942)

Other changes

  • Simplify the playground's markdown template (#24924)

Contributors

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.13

Released on 2026-05-14.

Preview features

  • Add a rule to flag lazy imports that are eagerly evaluated (#25016)
  • [pylint] Standardize diagnostic message (PLR0914, PLR0917) (#24996)

Bug fixes

  • Fix F811 false positive for class methods (#24933)
  • Fix setting selection for multi-folder workspace (#24819)
  • [eradicate] Fix false positive for lines with leading whitespace (ERA001) (#25122)
  • [flake8-pyi] Fix false positive for f-string debug specifier (PYI016) (#24098)

Rule changes

  • Always include panic payload in panic diagnostic message (#24873)
  • Restrict PYI034 for in-place operations to enclosing class (#24511)
  • Improve error message for parameters that are declared global (#24902)
  • Update known stdlib (#25103)

Performance

  • [isort] Avoid constructing glob::Patterns for literal known modules (#25123)

CLI

  • Add TOML examples to --config help text (#25013)
  • Colorize ruff check 'All checks passed' (#25085)

Configuration

  • Increase max allowed value of line-length setting (#24962)

Documentation

  • Add D203 to rules that conflict with the formatter (#25044)
  • Clarify COM819 and formatter interaction (#25045)
  • Clarify that NotImplemented is a value, not an exception (F901) (#25054)
  • Update number of lint rules supported (#24942)

Other changes

  • Simplify the playground's markdown template (#24924)

Contributors

... (truncated)

Commits
  • 2afb467 Bump 0.15.13 (#25157)
  • 3008796 [ty] classify TypeVar semantic tokens as type parameters (#24891)
  • 79470e3 [isort] Avoid constructing glob::Patterns for literal known modules (#25123)
  • 2522549 Remove shellcheck from prek (#25154)
  • 7db7170 [ty] Support TypedDict key completions in incomplete, anonymous contexts (#25...
  • bb3dd53 [ty] Run full iteration analysis on narrowed typevars (#25143)
  • 828cdb7 [ty] Isolate file-watching test environment (#25151)
  • 89e1d86 [ty] Preserve TypedDict keys through dict unpacking (#24523)
  • 86f3064 [ty] Avoid accessing args[0] for static_assert (#25149)
  • ed819f9 [ty] Treat custom enum __new__ values as dynamic (#25136)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the all-uv-dependencies group with 7 updates
ae34ac6 
Bumps the all-uv-dependencies group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [dj-database-url](https://github.com/jazzband/dj-database-url) | `2.3.0` | `3.1.2` |
| [django](https://github.com/django/django) | `5.1.7` | `6.0.5` |
| [django-bootstrap4](https://github.com/zostera/django-bootstrap4) | `25.1` | `26.1` |
| [gunicorn](https://github.com/benoitc/gunicorn) | `23.0.0` | `26.0.0` |
| [python-dotenv](https://github.com/theskumar/python-dotenv) | `1.1.0` | `1.2.2` |
| [whitenoise](https://github.com/evansd/whitenoise) | `6.9.0` | `6.12.0` |
| [ruff](https://github.com/astral-sh/ruff) | `0.11.2` | `0.15.13` |


Updates `dj-database-url` from 2.3.0 to 3.1.2
- [Release notes](https://github.com/jazzband/dj-database-url/releases)
- [Changelog](https://github.com/jazzband/dj-database-url/blob/master/CHANGELOG.md)
- [Commits](jazzband/dj-database-url@v2.3.0...v3.1.2)

Updates `django` from 5.1.7 to 6.0.5
- [Commits](django/django@5.1.7...6.0.5)

Updates `django-bootstrap4` from 25.1 to 26.1
- [Release notes](https://github.com/zostera/django-bootstrap4/releases)
- [Changelog](https://github.com/zostera/django-bootstrap4/blob/main/CHANGELOG.md)
- [Commits](zostera/django-bootstrap4@v25.1...v26.1)

Updates `gunicorn` from 23.0.0 to 26.0.0
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](benoitc/gunicorn@23.0.0...26.0.0)

Updates `python-dotenv` from 1.1.0 to 1.2.2
- [Release notes](https://github.com/theskumar/python-dotenv/releases)
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md)
- [Commits](theskumar/python-dotenv@v1.1.0...v1.2.2)

Updates `whitenoise` from 6.9.0 to 6.12.0
- [Changelog](https://github.com/evansd/whitenoise/blob/main/docs/changelog.rst)
- [Commits](evansd/whitenoise@6.9.0...6.12.0)

Updates `ruff` from 0.11.2 to 0.15.13
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.11.2...0.15.13)

---
updated-dependencies:
- dependency-name: dj-database-url
  dependency-version: 3.1.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-uv-dependencies
- dependency-name: django
  dependency-version: 6.0.5
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-uv-dependencies
- dependency-name: django-bootstrap4
  dependency-version: '26.1'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-uv-dependencies
- dependency-name: gunicorn
  dependency-version: 26.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-uv-dependencies
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-uv-dependencies
- dependency-name: whitenoise
  dependency-version: 6.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-uv-dependencies
- dependency-name: ruff
  dependency-version: 0.15.13
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-uv-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels May 19, 2026
@fey fey merged commit 1dd815b into main May 20, 2026
2 checks passed
@fey fey deleted the dependabot/uv/all-uv-dependencies-8fab594259 branch May 20, 2026 15:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fey