build(deps): bump the python group across 1 directory with 7 updates

[dependabot]

Bumps the python group with 7 updates in the / directory:

Package	From	To
celery	5.6.2	5.6.3
djangorestframework	3.17.0	3.17.1
gunicorn	25.1.0	25.3.0
redis	7.3.0	7.4.0
sentry-sdk	2.55.0	2.56.0
ruff	0.15.7	0.15.8
werkzeug[watchdog]	3.1.6	3.1.7

Updates celery from 5.6.2 to 5.6.3

Release notes

Sourced from celery's releases.

v5.6.3

What's Changed

• Fix Django worker recursion bug + defensive checks for pool_cls.module by @​maycuatroi1 in celery/celery#10048
• Docs: Update user_preload_options example to use click. by @​jorsyk in celery/celery#10056
• Fix invalid configuration key "bootstrap_servers" in Kafka demo by @​jorsyk in celery/celery#10060
• Fix broken images on PyPI page by @​Timour-Ilyas in celery/celery#10066
• Remove broken reference. by @​sueannioanis in celery/celery#10071
• Removed --dist=loadscope from smoke tests by @​Nusnus in celery/celery#10073
• Docs: Clarify task_retry signal args may be None by @​GangEunzzang in celery/celery#10076
• Update example for Django by @​sbc-khacnha in celery/celery#10081
• Make tests compatible with pymongo >= 4.16 by @​cjwatson in celery/celery#10074
• fix: source install of cassandra-driver by @​Izzette in celery/celery#10105
• fix: register task cross-reference role in Sphinx extension by @​veeceey in celery/celery#10100
• fix: avoid cycle detection in native delayed delivery by @​Izzette in celery/celery#10095
• fix(asynpool): avoid AttributeError when proc lacks _sentinel_poll by @​mriddle in celery/celery#10086
• fix dusk_astronomical horizon sign (+18 -> -18) by @​Mr-Neutr0n in celery/celery#10121
• Fix/10106 onupdate col use lambda func by @​ChickenBenny in celery/celery#10108
• Fix warm shutdown RuntimeError with eventlet>=0.37.0 (#10083) by @​ChickenBenny in celery/celery#10123
• Fix 10109 db backend connection health by @​ChickenBenny in celery/celery#10124
• Database Backend filter unsupport sql engine arguments with nullpool #7355 by @​ChickenBenny in celery/celery#10134
• fix(beat): correct argument order in Service.reduce by @​bysiber in celery/celery#10137
• ci: declare explicit read-only token permissions in workflow jobs by @​Rohan5commit in celery/celery#10139
• chore: 'boto3to' to 'boto3 to' by @​cuiweixie in celery/celery#10133
• Database Backend: Add missing index on date_done (Fixes #10097) by @​ChickenBenny in celery/celery#10098
• docs: fix typo in CONTRIBUTING.rst by @​Rohan5commit in celery/celery#10141
• Refer to Flower / Prometheus for monitoring by @​WilliamDEdwards in celery/celery#10140
• docs: remove duplicated words in broker and routing docs by @​Rohan5commit in celery/celery#10146
• docs: fix stale version reference and grammar in README by @​kelsonbrito50 in celery/celery#10145
• docs: fix wording in Celery 5.3 worker pool notes by @​Rohan5commit in celery/celery#10149
• docs: fix duplicated wording in 3.1 changelog entry by @​Rohan5commit in celery/celery#10152
• docs: fix changelog typo in context manager wording by @​Rohan5commit in celery/celery#10144
• Fix/10096 worker fails to reconnect after redis failover by @​ChickenBenny in celery/celery#10151
• Improve on_after_finalize signal documentation by @​Br1an67 in celery/celery#10155
• Add non-commutative example to clarify partial arg ordering in canvas docs by @​Br1an67 in celery/celery#10157
• Remove redundant test_isa_mapping test (fixes #10077) by @​daniel7an in celery/celery#10103
• Upgrade pytest-celery to >=1.3.0 and adopt PYTEST_CELERY_PKG build arg by @​Nusnus in celery/celery#10162
• Remove deprecated args from redis get_connection call by @​JaeHyuckSa in celery/celery#10036
• Fix #6912 rpc backend reconnection error by @​ChickenBenny in celery/celery#10179
• Fix NameError with TYPE_CHECKING annotations on Python 3.14+ (PEP 649) by @​drichardson in celery/celery#10165
• docs: Add elaboration on prefetch multiplier settings (worker_prefetch_multiplier) and worker_eta_task_limit by @​tsangwailam in celery/celery#10181
• Fix O(K²) message bloat in a chain of chords by @​Borzik in celery/celery#10171
• Fix mock connection interfaces to prevent TypeError during exception handling by @​ChickenBenny in celery/celery#10178
• fix(trace): dispatch chain/callbacks on dedup fast-path for redelivered tasks by @​aurangzaib048 in celery/celery#10159
• Extract reconnect_on_error to BaseResultConsumer by @​ChickenBenny in celery/celery#10189
• pep 649 by @​ericbuehl in celery/celery#10187
• Fix#9722 friendly status errors for CLI by @​ChickenBenny in celery/celery#10190
• docs: clarify after_return behavior for retried tasks by @​KianAnbarestani in celery/celery#10192
• Add compression header to message protocol docs by @​Br1an67 in celery/celery#10156
• docs: fix duplicated word in bootsteps comment by @​Rohan5commit in celery/celery#10153
• Remove outdated autoreloader section from extending docs by @​Br1an67 in celery/celery#10154

... (truncated)

Changelog

Sourced from celery's changelog.

5.6.3

:release-date: 2026-03-26 :release-by: Tomer Nosrati

What's Changed

- Fix Django worker recursion bug + defensive checks for pool_cls.__module__ ([#10048](https://github.com/celery/celery/issues/10048))
- Docs: Update user_preload_options example to use click. ([#10056](https://github.com/celery/celery/issues/10056))
- Fix invalid configuration key "bootstrap_servers" in Kafka demo ([#10060](https://github.com/celery/celery/issues/10060))
- Fix broken images on PyPI page ([#10066](https://github.com/celery/celery/issues/10066))
- Remove broken reference. ([#10071](https://github.com/celery/celery/issues/10071))
- Removed --dist=loadscope from smoke tests ([#10073](https://github.com/celery/celery/issues/10073))
- Docs: Clarify task_retry signal args may be None ([#10076](https://github.com/celery/celery/issues/10076))
- Update example for Django ([#10081](https://github.com/celery/celery/issues/10081))
- Make tests compatible with pymongo >= 4.16 ([#10074](https://github.com/celery/celery/issues/10074))
- fix: source install of cassandra-driver ([#10105](https://github.com/celery/celery/issues/10105))
- fix: register task cross-reference role in Sphinx extension ([#10100](https://github.com/celery/celery/issues/10100))
- fix: avoid cycle detection in native delayed delivery ([#10095](https://github.com/celery/celery/issues/10095))
- fix(asynpool): avoid AttributeError when proc lacks _sentinel_poll ([#10086](https://github.com/celery/celery/issues/10086))
- fix dusk_astronomical horizon sign (+18 -> -18) ([#10121](https://github.com/celery/celery/issues/10121))
- Fix/10106 onupdate col use lambda func ([#10108](https://github.com/celery/celery/issues/10108))
- Fix warm shutdown RuntimeError with eventlet>=0.37.0 ([#10083](https://github.com/celery/celery/issues/10083)) ([#10123](https://github.com/celery/celery/issues/10123))
- Fix 10109 db backend connection health ([#10124](https://github.com/celery/celery/issues/10124))
- Database Backend filter unsupport sql engine arguments with nullpool [#7355](https://github.com/celery/celery/issues/7355) ([#10134](https://github.com/celery/celery/issues/10134))
- fix(beat): correct argument order in Service.__reduce__ ([#10137](https://github.com/celery/celery/issues/10137))
- ci: declare explicit read-only token permissions in workflow jobs ([#10139](https://github.com/celery/celery/issues/10139))
- chore: 'boto3to' to 'boto3 to' ([#10133](https://github.com/celery/celery/issues/10133))
- Database Backend: Add missing index on date_done (Fixes [#10097](https://github.com/celery/celery/issues/10097)) ([#10098](https://github.com/celery/celery/issues/10098))
- docs: fix typo in CONTRIBUTING.rst ([#10141](https://github.com/celery/celery/issues/10141))
- Refer to Flower / Prometheus for monitoring ([#10140](https://github.com/celery/celery/issues/10140))
- docs: remove duplicated words in broker and routing docs ([#10146](https://github.com/celery/celery/issues/10146))
- docs: fix stale version reference and grammar in README ([#10145](https://github.com/celery/celery/issues/10145))
- docs: fix wording in Celery 5.3 worker pool notes ([#10149](https://github.com/celery/celery/issues/10149))
- docs: fix duplicated wording in 3.1 changelog entry ([#10152](https://github.com/celery/celery/issues/10152))
- docs: fix changelog typo in context manager wording ([#10144](https://github.com/celery/celery/issues/10144))
- Fix/10096 worker fails to reconnect after redis failover ([#10151](https://github.com/celery/celery/issues/10151))
- Improve on_after_finalize signal documentation ([#10155](https://github.com/celery/celery/issues/10155))
- Add non-commutative example to clarify partial arg ordering in canvas docs ([#10157](https://github.com/celery/celery/issues/10157))
- Remove redundant test_isa_mapping test (fixes [#10077](https://github.com/celery/celery/issues/10077)) ([#10103](https://github.com/celery/celery/issues/10103))
- Upgrade pytest-celery to >=1.3.0 and adopt PYTEST_CELERY_PKG build arg ([#10162](https://github.com/celery/celery/issues/10162))
- Remove deprecated args from redis get_connection call ([#10036](https://github.com/celery/celery/issues/10036))
- Fix [#6912](https://github.com/celery/celery/issues/6912) rpc backend reconnection error ([#10179](https://github.com/celery/celery/issues/10179))
- Fix NameError with TYPE_CHECKING annotations on Python 3.14+ (PEP 649) ([#10165](https://github.com/celery/celery/issues/10165))
- docs: Add elaboration on prefetch multiplier settings (worker_prefetch_multiplier) and worker_eta_task_limit ([#10181](https://github.com/celery/celery/issues/10181))
- Fix O(K²) message bloat in a chain of chords ([#10171](https://github.com/celery/celery/issues/10171))
- Fix mock connection interfaces to prevent `TypeError` during exception handling ([#10178](https://github.com/celery/celery/issues/10178))
- fix(trace): dispatch chain/callbacks on dedup fast-path for redelivered tasks ([#10159](https://github.com/celery/celery/issues/10159))
</tr></table> 

... (truncated)

Commits

• 3f4d8d7 Prepare for release: v5.6.3 (#10221)
• a989e8c fix: clear the timer while catch the exception (#10218)
• d06de5f Chore(deps): Bump nick-fields/retry from 3 to 4 (#10213)
• c3c19c3 Fix: prioritize request ignore_result over task definition (#10184)
• d23be53 Remove outdated autoreloader section from extending docs (#10154)
• ada2da7 docs: fix duplicated word in bootsteps comment\n\nSigned-off-by: Rohan Santho...
• f45f62b Add compression header to message protocol docs (#10156)
• 9a27092 docs: clarify after_return behavior for retried tasks (#10192)
• 6ee6230 Fix#9722 friendly status errors for CLI (#10190)
• a9a2d4c [pre-commit.ci] pre-commit autoupdate (#10186)
• Additional commits viewable in compare view

Updates djangorestframework from 3.17.0 to 3.17.1

Release notes

Sourced from djangorestframework's releases.

3.17.1

What's Changed

Bug fixes

• Fix HTMLFormRenderer with empty datetime values by @​p-r-a-v-i-n in encode/django-rest-framework#9928

Full Changelog: encode/django-rest-framework@3.17.0...3.17.1

Commits

• 22e231c Prepare bug fix release 3.17.1 (#9931)
• 8e99b53 Add condition to skip pushed tags from forks (#9924)
• c0407de Fix HTMLFormRenderer with empty datetime values (#9928)
• 30d58a7 Fix the book sizing in the documentation (#9926)
• 6f03b79 Tweak order of changes in release notes
• See full diff in compare view

Updates gunicorn from 25.1.0 to 25.3.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 25.3.0

Bug Fixes

• HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2 ASGI requests, causing JSON parsing errors with "Extra data" messages (#3558)

• ASGI Chunked EOF Handling: Add finish() method to callback parser to handle chunked encoding edge case where connection closes before final CRLF after zero-chunk

• HTTP/2 Documentation: Fix http_protocols examples to use comma-separated string instead of list syntax (#3561)

• Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC 9112 (#3556)

• Request Line Limit: Fix --limit-request-line 0 to mean unlimited as documented, instead of using default maximum. Works with both Python and fast C parser. (#3563)

Security

• ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
  • Reject duplicate Content-Length headers
  • Reject requests with both Content-Length and Transfer-Encoding
  • Reject chunked transfer encoding in HTTP/1.0
  • Reject stacked chunked encoding
  • Validate Transfer-Encoding values
  • Strict chunk size validation

Changes

• Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property and InvalidChunkExtension validation for bare CR rejection

• ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser

• Docker Images: Update to Python 3.14

Gunicorn 25.2.0

New Features

• Fast HTTP Parser (gunicorn_h1c 0.4.1): Integrate new exception types and limit parameters from gunicorn_h1c 0.4.1 for both WSGI and ASGI workers
  • Requires gunicorn_h1c >= 0.4.1 for http_parser='fast'
  • Falls back to Python parser in auto mode if version not met
  • Proper HTTP status codes for limit errors (414, 431)

Bug Fixes

• uWSGI Async Workers: Fix InvalidUWSGIHeader: incomplete header error when using gevent or gthread workers with uwsgi protocol behind nginx. (#3552, [PR #3554](benoitc/gunicorn#3554))

... (truncated)

Commits

• 9bce72c Update changelog with missing 25.3.0 changes
• 2a15fdb Fix pylint isinstance-second-argument-not-valid-type warning
• 8d08aaa Fix --limit-request-line 0 to mean unlimited
• d40a374 Fix pytest-asyncio configuration and treq_asgi hex escapes
• da8bd48 Remove unused AsyncRequest class
• b00f125 Integrate gunicorn_h1c 0.6.3 with InvalidChunkExtension support
• bdb2ebd Reject chunk extensions with bare CR bytes (RFC 9112)
• 7057fc9 Fix http_protocols documentation to use string syntax
• d43acb8 Update to gunicorn_h1c >= 0.6.2 for asgi_headers support
• cbd27e8 Merge pull request #3559 from benleembruggen/fix/http2-asgi-body-duplication
• Additional commits viewable in compare view

Updates redis from 7.3.0 to 7.4.0

Release notes

Sourced from redis's releases.

7.4.0

Changes

🐛 Bug Fixes

• Fix AttributeError in cluster metrics recording when connection is None or ClusterNode object instance is used to extract the connection info (#3999)
• Fixing security concern in repr methods for ConnectionPools - passwords might leak in plain text logs (#3998)
• Refactored connection count and SCH metric collection (#4001)

🧪 Experimental Features

-Refactored health check logic for MultiDBClient (#3994)

🧰 Maintenance

• Expose basic Otel classes and functions to be importable through redis.observability to match the examples in the readthedocs (#3996)

We'd like to thank all the contributors who worked on this release! @​vladvildanov @​petyaslavova

Commits

• b72f24a Updating lib version to 7.4.0
• 0a4e0af Refactored health check logic for MultiDBClient (#3994)
• 15492c9 Refactored connection count and SCH metric collection (#4001)
• cd964ac Expose basic Otel classes and funtions to be importable through redis.observa...
• 46ab74d Fixing security concern in repr methods for ConnectionPools - passwords m...
• 26482db Fix AttributeError in cluster metrics recording when connection is None or Cl...
• See full diff in compare view

Updates sentry-sdk from 2.55.0 to 2.56.0

Release notes

Sourced from sentry-sdk's releases.

2.56.0

New Features ✨

• (asgi) Add option to disable suppressing chained exceptions by @​alexander-alderman-webb in #5714
• (logging) Separate ignore lists for events/breadcrumbs and sentry logs by @​sl0thentr0py in #5698

Bug Fixes 🐛

Anthropic

• Set exception info on streaming span when applicable by @​alexander-alderman-webb in #5683
• Patch AsyncStream.close() and AsyncMessageStream.close() to finish spans by @​alexander-alderman-webb in #5675
• Patch Stream.close() and MessageStream.close() to finish spans by @​alexander-alderman-webb in #5674

Other

• (starlette) Catch Jinja2Templates ImportError by @​alexander-alderman-webb in #5741

Documentation 📚

• Add note on AI PRs to CONTRIBUTING.md by @​sentrivana in #5696

Internal Changes 🔧

• Pin GitHub Actions to full-length commit SHAs by @​joshuarli in #5781
• Add -latest alias for each integration test suite by @​sentrivana in #5706
• Use date-based branch names for toxgen PRs by @​sentrivana in #5704
• 🤖 Update test matrix with new releases (03/19) by @​github-actions in #5703
• Add client report tests for span streaming by @​sentrivana in #5677

Other

• Update CHANGELOG.md by @​sentrivana in #5685

Changelog

Sourced from sentry-sdk's changelog.

2.56.0

New Features ✨

• (asgi) Add option to disable suppressing chained exceptions by @​alexander-alderman-webb in #5714
• (logging) Separate ignore lists for events/breadcrumbs and sentry logs by @​sl0thentr0py in #5698

Bug Fixes 🐛

Anthropic

• Set exception info on streaming span when applicable by @​alexander-alderman-webb in #5683
• Patch AsyncStream.close() and AsyncMessageStream.close() to finish spans by @​alexander-alderman-webb in #5675
• Patch Stream.close() and MessageStream.close() to finish spans by @​alexander-alderman-webb in #5674

Other

• (starlette) Catch Jinja2Templates ImportError by @​alexander-alderman-webb in #5741

Documentation 📚

• Add note on AI PRs to CONTRIBUTING.md by @​sentrivana in #5696

Internal Changes 🔧

• Pin GitHub Actions to full-length commit SHAs by @​joshuarli in #5781
• Add -latest alias for each integration test suite by @​sentrivana in #5706
• Use date-based branch names for toxgen PRs by @​sentrivana in #5704
• 🤖 Update test matrix with new releases (03/19) by @​github-actions in #5703
• Add client report tests for span streaming by @​sentrivana in #5677

Other

• Update CHANGELOG.md by @​sentrivana in #5685

Commits

• f5e93ad release: 2.56.0
• 4cd6752 chore: pin GitHub Actions to full-length commit SHAs (#5781)
• c3eb19f test: fix flaky threading test (#5700)
• b2b42df fix(starlette): Catch Jinja2Templates ImportError (#5741)
• 48dc566 feat(asgi): Add option to disable suppressing chained exceptions (#5714)
• f963475 tests: Add -latest alias for each integration test suite (#5706)
• 715fd2b ci: Use date-based branch names for toxgen PRs (#5704)
• 35fe9e4 ci: 🤖 Update test matrix with new releases (03/19) (#5703)
• 8d56b30 fix(anthropic): Set exception info on streaming span when applicable (#5683)
• e103926 feat: Make ASGI support span first (#5680)
• Additional commits viewable in compare view

Updates ruff from 0.15.7 to 0.15.8

Release notes

Sourced from ruff's releases.

0.15.8

Release Notes

Released on 2026-03-26.

Preview features

• [ruff] New rule unnecessary-if (RUF050) (#24114)
• [ruff] New rule useless-finally (RUF072) (#24165)
• [ruff] New rule f-string-percent-format (RUF073): warn when using % operator on an f-string (#24162)
• [pyflakes] Recognize frozendict as a builtin for Python 3.15+ (#24100)

Bug fixes

• [flake8-async] Use fully-qualified anyio.lowlevel import in autofix (ASYNC115) (#24166)
• [flake8-bandit] Check tuple arguments for partial paths in S607 (#24080)
• [pyflakes] Skip undefined-name (F821) for conditionally deleted variables (#24088)
• E501/W505/formatter: Exclude nested pragma comments from line width calculation (#24071)
• Fix %foo? parsing in IPython assignment expressions (#24152)
• analyze graph: resolve string imports that reference attributes, not just modules (#24058)

Rule changes

• [eradicate] ignore ty: ignore comments in ERA001 (#24192)
• [flake8-bandit] Treat sys.executable as trusted input in S603 (#24106)
• [flake8-self] Recognize Self annotation and self assignment in SLF001 (#24144)
• [pyflakes] F507: Fix false negative for non-tuple RHS in %-formatting (#24142)
• [refurb] Parenthesize generator arguments in FURB142 fixer (#24200)

Performance

• Speed up diagnostic rendering (#24146)

Server

• Warn when Markdown files are skipped due to preview being disabled (#24150)

Documentation

• Clarify extend-ignore and extend-select settings documentation (#24064)
• Mention AI policy in PR template (#24198)

Other changes

• Use trusted publishing for NPM packages (#24171)

Contributors

• @​bitloi
• @​Sim-hu

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.8

Released on 2026-03-26.

Preview features

• [ruff] New rule unnecessary-if (RUF050) (#24114)
• [ruff] New rule useless-finally (RUF072) (#24165)
• [ruff] New rule f-string-percent-format (RUF073): warn when using % operator on an f-string (#24162)
• [pyflakes] Recognize frozendict as a builtin for Python 3.15+ (#24100)

Bug fixes

• [flake8-async] Use fully-qualified anyio.lowlevel import in autofix (ASYNC115) (#24166)
• [flake8-bandit] Check tuple arguments for partial paths in S607 (#24080)
• [pyflakes] Skip undefined-name (F821) for conditionally deleted variables (#24088)
• E501/W505/formatter: Exclude nested pragma comments from line width calculation (#24071)
• Fix %foo? parsing in IPython assignment expressions (#24152)
• analyze graph: resolve string imports that reference attributes, not just modules (#24058)

Rule changes

• [eradicate] ignore ty: ignore comments in ERA001 (#24192)
• [flake8-bandit] Treat sys.executable as trusted input in S603 (#24106)
• [flake8-self] Recognize Self annotation and self assignment in SLF001 (#24144)
• [pyflakes] F507: Fix false negative for non-tuple RHS in %-formatting (#24142)
• [refurb] Parenthesize generator arguments in FURB142 fixer (#24200)

Performance

• Speed up diagnostic rendering (#24146)

Server

• Warn when Markdown files are skipped due to preview being disabled (#24150)

Documentation

• Clarify extend-ignore and extend-select settings documentation (#24064)
• Mention AI policy in PR template (#24198)

Other changes

• Use trusted publishing for NPM packages (#24171)

Contributors

• @​bitloi
• @​Sim-hu
• @​mvanhorn

... (truncated)

Commits

• c2a8815 Release 0.15.8 (#24217)
• d444d52 [ty] Infer lambda expressions with Callable type context (#22633)
• 9622285 [ty] Autocomplete arguments if in arguments node (#24167)
• d812662 Use the release environment in publish-docs (#24214)
• eda2355 [ty] Show Final source in final assignment diagnostic (#24194)
• 929eb52 [ty] Enforce Final attribute assignment rules for annotated and augmented wri...
• 34998be [ty] Fix typo in comment (#24211)
• 560aca0 [ty] Minor simplifications to some benchmark code (#24209)
• 683bae5 [ty] Track non-terminal-call constraints in global scope (#23245)
• 4704c2a [ty] Remove unnecessary intermediate collection in `StaticClassLiteral::field...
• Additional commits viewable in compare view

Updates werkzeug[watchdog] from 3.1.6 to 3.1.7

Release notes

Sourced from werkzeug[watchdog]'s releases.

3.1.7

This is the Werkzeug 3.1.7 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.7/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-7 Milestone: https://github.com/pallets/werkzeug/milestone/44?closed=1

• parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. #3128
• WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. #3127
• Transfer-Encoding is parsed as a set. #3134
• Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. #3113
• Fix multipart form parser handling of newline at boundary. #3088
• Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. #3108
• merge_slashes merges any number of consecutive slashes. #3121

Changelog

Sourced from werkzeug[watchdog]'s changelog.

Version 3.1.7

Released 2026-03-23

• parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. :pr:3128
• WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. :issue:3127
• Transfer-Encoding is parsed as a set. :pr:3134
• Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. :pr:3113
• Fix multipart form parser handling of newline at boundary. :issue:3088
• Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. :issue:3108
• merge_slashes merges any number of consecutive slashes. :issue:3121

Commits

• 005d93b release version 3.1.7
• c328342 merge any number of slashes (#3136)
• 23142a3 merge any number of slashes
• b913d68 always set accept-ranges header
• f282943 Correct 1049dd6b2a363e1ef302b4161c340fb8582f627a
• d3d3df5 validate host characters
• 2c6a3a5 parse transfer-encoding as set (#3134)
• 63261cd parse transfer-encoding as set
• dafe7f1 fix trailing whitespace in WWW-Authenticate bearer (#3129)
• 051fd66 fix trailing whitespace in WWW-Authenticate bearer
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions