Bump the python-minor group across 1 directory with 6 updates

[dependabot]

Bumps the python-minor group with 6 updates in the / directory:

Package	From	To
flask	3.1.1	3.1.2
pyyaml	6.0.2	6.0.3
requests	2.32.4	2.32.5
eventlet	0.40.2	0.40.4
werkzeug	3.1.3	3.1.4
coverage	7.10.3	7.12.0

Updates flask from 3.1.1 to 3.1.2

Release notes

Sourced from flask's releases.

3.1.2

This is the Flask 3.1.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.2/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-2 Milestone: https://github.com/pallets/flask/milestone/38?closed=1

• stream_with_context does not fail inside async views. #5774
• When using follow_redirects in the test client, the final state of session is correct. #5786
• Relax type hint for passing bytes IO to send_file. #5776

Changelog

Sourced from flask's changelog.

Version 3.1.2

Released 2025-08-19

• stream_with_context does not fail inside async views. :issue:5774
• When using follow_redirects in the test client, the final state of session is correct. :issue:5786
• Relax type hint for passing bytes IO to send_file. :issue:5776

Commits

• 2c1b30d release version 3.1.2
• 1292419 Update GitHub Actions workflow for artifact handling (#5795)
• 4dd52ca Update GitHub Actions workflow for artifact handling
• 55c6255 update dev dependencies
• d8259eb use Jinja name consistently
• 38b4c1e refactor stream_with_context for async views (#5799)
• 9822a03 refactor stream_with_context for async views
• 49b7e7b security docs for TRUSTED_HOSTS (#5798)
• b228ca3 security docs for TRUSTED_HOSTS
• ff64079 update flask-talisman link
• Additional commits viewable in compare view

Updates pyyaml from 6.0.2 to 6.0.3

Release notes

Sourced from pyyaml's releases.

6.0.3

What's Changed

• Support for Python 3.14 and free-threading (experimental).

Full Changelog: yaml/pyyaml@6.0.2...6.0.3

Changelog

Sourced from pyyaml's changelog.

6.0.3 (2025-09-25)

• yaml/pyyaml#864 -- Support for Python 3.14 and free-threading (experimental)

Commits

• 49790e7 Release 6.0.3 (#889)
• See full diff in compare view

Updates requests from 2.32.4 to 2.32.5

Release notes

Sourced from requests's releases.

v2.32.5

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

Changelog

Sourced from requests's changelog.

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

Commits

• b25c87d v2.32.5
• 131e506 Merge pull request #7010 from psf/dependabot/github_actions/actions/checkout-...
• b336cb2 Bump actions/checkout from 4.2.0 to 5.0.0
• 46e939b Update publish workflow to use artifact-id instead of name
• 4b9c546 Merge pull request #6999 from psf/dependabot/github_actions/step-security/har...
• 7618dbe Bump step-security/harden-runner from 2.12.0 to 2.13.0
• 2edca11 Add support for Python 3.14 and drop support for Python 3.8 (#6993)
• fec96cd Update Makefile rules (#6996)
• d58d8aa docs: clarify timeout parameter uses seconds in Session.request (#6994)
• 91a3eab Bump github/codeql-action from 3.28.5 to 3.29.0
• Additional commits viewable in compare view

Updates eventlet from 0.40.2 to 0.40.4

Changelog

Sourced from eventlet's changelog.

0.40.4

• Remove legacy setuptools configuration files (#1072)
• add 3.14 to supported versions (#1070)
• Emit warning on startup that eventlet is deprecated (#1065)
• Fix Python 3.14 on macOS (#1067)
• Workaround for #1068 (#1069)

0.40.3

• [SECURITY] Fix request smuggling vulnerability by discarding trailers (#1062)

Commits

• f3254a1 Update changelog for version 0.40.4 (#1074)
• 8cb2029 Remove legacy setuptools configuration files (#1072)
• 220f82d add 3.14 to supported versions (#1070)
• 01a3da5 Emit warning on startup that eventlet is deprecated (#1065)
• 1b2b959 Fix Python 3.14 on macOS (#1067)
• d8bf465 Workaround for #1068 (#1069)
• b0d9133 Update changelog for version 0.40.3 (#1064)
• 0bfebd1 [SECURITY] Fix request smuggling vulnerability by discarding trailers (#1062)
• See full diff in compare view

Updates werkzeug from 3.1.3 to 3.1.4

Release notes

Sourced from werkzeug's releases.

3.1.4

This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.4/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-4 Milestone: https://github.com/pallets/werkzeug/milestone/42?closed=1

• safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. ghsa-hgf8-39gv-g3f2
• The debugger pin fails after 10 attempts instead of 11. #3020
• The multipart form parser handles a \r\n sequence at a chunk boundary. #3065
• Improve CPU usage during Watchdog reloader. #3054
• Request.json annotation is more accurate. #3067
• Traceback rendering handles when the line number is beyond the available source lines. #3044
• HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. #3056

Changelog

Sourced from werkzeug's changelog.

Version 3.1.4

Released 2025-11-28

• safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. :ghsa:hgf8-39gv-g3f2
• The debugger pin fails after 10 attempts instead of 11. :pr:3020
• The multipart form parser handles a \r\n sequence at a chunk boundary. :issue:3065
• Improve CPU usage during Watchdog reloader. :issue:3054
• Request.json annotation is more accurate. :issue:3067
• Traceback rendering handles when the line number is beyond the available source lines. :issue:3044
• HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. :issue:3056

Commits

• 1c7beb6 release version 3.1.4
• 9c8b754 install less to run tox
• 474e22f update dev dependencies
• 4b83337 Merge commit from fork
• 9bdec46 safe_join prevents windows special device names
• b11713e better HTTPException.get_response annotation (#3072)
• 1131dbd distinguish wsgi and sansio response annotation
• 5d9a403 skip rendering missing source (#3071)
• 60ea32c skip rendering missing source
• c0e67e9 Request.json property is only Any (#3070)
• Additional commits viewable in compare view

Updates coverage from 7.10.3 to 7.12.0

Changelog

Sourced from coverage's changelog.

Version 7.12.0 — 2025-11-18

• The HTML report now shows separate coverage totals for statements and branches, as well as the usual combined coverage percentage. Thanks to Ryuta Otsuka for the discussion <issue 2081_>_ and the implementation <pull 2085_>_.

• The JSON report now includes separate coverage totals for statements and branches, thanks to Ryuta Otsuka <pull 2090_>_.

• Fix: except* clauses were not handled properly under the "sysmon" measurement core, causing KeyError exceptions as described in issue 2086_. This is now fixed.

• Fix: we now defend against aggressive mocking of open() that could cause errors inside coverage.py. An example of a failure is in issue 2083_.

• Fix: in unusual cases where a test suite intentionally exhausts the system's file descriptors to test handling errors in open(), coverage.py would fail when trying to open source files, as described in issue 2091_. This is now fixed.

• A small tweak to the HTML report: file paths now use thin spaces around slashes to make them easier to read.

.. _issue 2081: coveragepy/coveragepy#2081 .. _issue 2083: coveragepy/coveragepy#2083 .. _pull 2085: coveragepy/coveragepy#2085 .. _issue 2086: coveragepy/coveragepy#2086 .. _pull 2090: coveragepy/coveragepy#2090 .. _issue 2091: coveragepy/coveragepy#2091

.. _changes_7-11-3:

Version 7.11.3 — 2025-11-09

• Fix: the 7.11.1 changes meant that conflicts between a requested measurement core and other settings would raise an error. This was a breaking change from previous behavior, as reported in issue 2076_ and issue 2078_.

  The previous behavior has been restored: when the requested core conflicts with other settings, another core is used instead, and a warning is issued.

• For contributors: the repo has moved from Ned's nedbat GitHub account_ to the coveragepy GitHub organization_. The default branch has changed from master to main.

... (truncated)

Commits

• 63db2b1 docs: sample HTML for 7.12.0
• 598bbc3 docs: prep for 7.12.0
• 557dd15 feat: add statement and branch coverage percentages to JSON report (#2090)
• e18359c fix: don't crash if open() genuinely fails. #2091
• fff5e59 docs: thanks, Ryuta Otsuka #2085
• 97bf625 docs: support files for the sample html
• 8320b74 style(html): tweak the styling for the new stmt/branch stats #2085
• 7e08183 feat(templite): {% else %}
• 4abe253 feat: add statement and branch coverage columns to index.html report (#2085)
• ddbafa9 build: no longer need to work around a pytest/iTerm2 bug
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions