Bump the all group across 1 directory with 8 updates

[dependabot]

Bumps the all group with 8 updates in the / directory:

Package	From	To
click	8.3.1	8.3.2
cryptography	46.0.5	46.0.7
django	5.2.11	5.2.13
pyasn1	0.6.2	0.6.3
tomli	2.4.0	2.4.1
uvicorn	0.41.0	0.44.0
whitenoise	6.11.0	6.12.0
zope-interface	8.2	8.3

Updates click from 8.3.1 to 8.3.2

Release notes

Sourced from click's releases.

8.3.2

This is the Click 8.3.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.3.2/ Changes: https://click.palletsprojects.com/page/changes/#version-8-3-2 Milestone: https://github.com/pallets/click/milestone/29

• Fix handling of flag_value when is_flag=False to allow such options to be used without an explicit value. #3084 #3152
• Hide Sentinel.UNSET values as None when using lookup_default(). #3136 #3199 #3202 #3209 #3212 #3224
• Prevent _NamedTextIOWrapper from closing streams owned by StreamMixer. #824 #2991 #2993 #3110 #3139 #3140
• Add comprehensive tests for CliRunner stream lifecycle, covering logging interaction, multi-threaded safety, and sequential invocation isolation. Add high-iteration stress tests behind a stress marker with a dedicated CI job. #3139
• Fix callable flag_value being instantiated when used as a default via default=True. #3121 #3201 #3213 #3225

Changelog

Sourced from click's changelog.

Version 8.3.2

Released 2026-04-02

• Fix handling of flag_value when is_flag=False to allow such options to be used without an explicit value. :issue:3084 :pr:3152
• Hide Sentinel.UNSET values as None when using lookup_default(). :issue:3136 :pr:3199 :pr:3202 :pr:3209 :pr:3212 :pr:3224
• Prevent _NamedTextIOWrapper from closing streams owned by StreamMixer. :issue:824 :issue:2991 :issue:2993 :issue:3110 :pr:3139 :pr:3140
• Add comprehensive tests for CliRunner stream lifecycle, covering logging interaction, multi-threaded safety, and sequential invocation isolation. Add high-iteration stress tests behind a stress marker with a dedicated CI job. :pr:3139
• Fix callable flag_value being instantiated when used as a default via default=True. :issue:3121 :pr:3201 :pr:3213 :pr:3225

Commits

• 052c006 Change update release date.
• 502b7ce Merge branch 'stable' of https://github.com/pallets/click into release-8.3.2
• a0a37e4 Change publish to werkzeug latest. (#3301)
• 57be6fc Change publish to werkzeug latest.
• 781d6a8 Update publish workflows (#3266)
• ff795b6 Update precommit pins with tox
• dd87ef4 Update github action pins with tox
• 93d3f9d Release version 8.3.2
• 3299ba1 Add missing PR to changelog. (#3264)
• b7f62c4 Add missing PR to changelog.
• Additional commits viewable in compare view

Updates cryptography from 46.0.5 to 46.0.7

Changelog

Sourced from cryptography's changelog.

46.0.7 - 2026-04-07

* **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be
  passed to APIs that accept Python buffers, which could lead to buffer
  overflow. **CVE-2026-39892**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.
.. _v46-0-6:
46.0.6 - 2026-03-25

• SECURITY ISSUE: Fixed a bug where name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug, including those used by the Web PKI. Credit to Oleh Konko (1seal) for reporting the issue. CVE-2026-34073

.. _v46-0-5:

Commits

• 622d672 46.0.7 release (#14602)
• 91d7288 Cherry-pick #14542 (#14543)
• See full diff in compare view

Updates django from 5.2.11 to 5.2.13

Commits

• 7d831a9 [5.2.x] Bumped version for 5.2.13 release.
• 49e1e2b [5.2.x] Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body ...
• 0b46789 [5.2.x] Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser.
• 397c220 [5.2.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.li...
• 60ffa95 [5.2.x] Fixed CVE-2026-4277 -- Checked add permissions in GenericInlineModelA...
• 1cc2a76 [5.2.x] Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest.
• 2a8a76a [5.2.x] Added stub release notes and release date for 5.2.13 and 4.2.30.
• 90924f5 [5.2.x] Bumped black to 26.3.1.
• 0ee44c6 [5.2.x] Applied Black's 2026 stable style.
• 89b4d94 [5.2.x] Combined scripts confirm_release.sh and test_new_version.sh into veri...
• Additional commits viewable in compare view

Updates pyasn1 from 0.6.2 to 0.6.3

Release notes

Sourced from pyasn1's releases.

Release 0.6.3

It's a minor release.

• Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (CVE-2026-30922).
• Fixed OverflowError from oversized BER length field.
• Fixed DeprecationWarning stacklevel for deprecated attributes.
• Fixed asDateTime incorrect fractional seconds parsing.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.3, released 16-03-2026

• CVE-2026-30922 (GHSA-jr27-m4p2-rc6r): Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (thanks for reporting, romanticpragmatism)
• Fixed OverflowError from oversized BER length field [issue #54](pyasn1/pyasn1#54) [pr #100](pyasn1/pyasn1#100)
• Fixed DeprecationWarning stacklevel for deprecated attributes [issue #86](pyasn1/pyasn1#86) [pr #101](pyasn1/pyasn1#101)
• Fixed asDateTime incorrect fractional seconds parsing [issue #81](pyasn1/pyasn1#81) [pr #102](pyasn1/pyasn1#102)

Commits

• af65c3b Prepare release 0.6.3
• 5a49bd1 Merge commit from fork
• 5494ba4 Fix asDateTime incorrect fractional seconds parsing (#102)
• 71f486e Fix DeprecationWarning stacklevel for deprecated attributes (#101)
• d7cb42d Fix OverflowError from oversized BER length field (#100)
• See full diff in compare view

Updates tomli from 2.4.0 to 2.4.1

Changelog

Sourced from tomli's changelog.

2.4.1

• Fixed
  • Limit number of parts of a TOML key to address quadratic time complexity

Commits

• c5f4469 Bump version: 2.4.0 → 2.4.1
• 2bcd262 Add change log for 2.4.1 and 2.3.1
• e1fdb94 Limit number of parts of a key (#286)
• c20c491 pre-commit autoupdate
• 920e20b Update performance benchmark and results
• 064e492 Merge pull request #280 from hukkin/version-2.4.0
• See full diff in compare view

Updates uvicorn from 0.41.0 to 0.44.0

Release notes

Sourced from uvicorn's releases.

Version 0.44.0

What's Changed

• Implement websocket keepalive pings for websockets-sansio by @​Kludex in Kludex/uvicorn#2888

Full Changelog: Kludex/uvicorn@0.43.0...0.44.0

Version 0.43.0

Changed

• Emit http.disconnect ASGI receive() event on server shutting down for streaming responses (#2829)
• Use native context parameter for create_task on Python 3.11+ (#2859)
• Drop cast in ASGI types (#2875)

---

Full Changelog: Kludex/uvicorn@0.42.0...0.43.0

Version 0.42.0

Changed

• Use bytearray for request body accumulation to avoid O(n^2) allocation on fragmented bodies (#2845)

Fixed

• Escape brackets and backslash in httptools HEADER_RE regex (#2824)
• Fix multiple issues in websockets sans-io implementation (#2825)

---

New Contributors

• @​bysiber made their first contribution in Kludex/uvicorn#2825

---

Full Changelog: Kludex/uvicorn@0.41.0...0.42.0

Changelog

Sourced from uvicorn's changelog.

0.44.0 (April 6, 2026)

Added

• Implement websocket keepalive pings for websockets-sansio (#2888)

0.43.0 (April 3, 2026)

You can quit Uvicorn now. We heard you, @​pamelafox - all 47 of your Ctrl+C's (thanks for flagging it, and thanks to @​tiangolo for the fix 🙏). See the tweet.

Changed

• Emit http.disconnect ASGI receive() event on server shutting down for streaming responses (#2829)
• Use native context parameter for create_task on Python 3.11+ (#2859)
• Drop cast in ASGI types (#2875)

0.42.0 (March 16, 2026)

Changed

• Use bytearray for request body accumulation to avoid O(n^2) allocation on fragmented bodies (#2845)

Fixed

• Escape brackets and backslash in httptools HEADER_RE regex (#2824)
• Fix multiple issues in websockets sans-io implementation (#2825)

Commits

• edb54c4 Version 0.44.0 (#2890)
• 029be08 Implement websocket keepalive pings for websockets-sansio (#2888)
• 8d397c7 Version 0.43.0 (#2885)
• 587042d 🐛 Emit http.disconnect ASGI receive() event on server shutting down for s...
• c9a75fb chore(deps): bump the github-actions group with 3 updates (#2878)
• 84fd578 chore(deps): bump pygments from 2.19.2 to 2.20.0 (#2877)
• cd52d34 Use native context parameter for create_task on Python 3.11+ (#2859)
• 5211880 Drop cast in ASGI types (#2875)
• 1cb8e74 Add websocket 500 fallback header test (#2874)
• 28efbb2 chore(deps-dev): bump cryptography from 46.0.5 to 46.0.6 (#2873)
• Additional commits viewable in compare view

Updates whitenoise from 6.11.0 to 6.12.0

Changelog

Sourced from whitenoise's changelog.

6.12.0 (2026-02-27)

• Drop Python 3.9 support.
• Fix potential unauthorised file access vulnerability in "autorefesh" mode. See PR [#684](https://github.com/evansd/whitenoise/issues/684) <https://github.com/evansd/whitenoise/pull/684>__ for details, and a reminder that autorefresh mode has always been documented as unsuitable for production use. Thanks Seth Larson for reporting.

Commits

• 1e3a30b Version 6.12.0
• bc4c738 Merge pull request #684 from evansd/use-commonpath
• 505ed8d Use os.path.commonpath() to identify child paths
• b6d8ed4 Upgrade dependencies (#683)
• edc79de [pre-commit.ci] pre-commit autoupdate (#682)
• 79fb2f1 Bump the github-actions group with 2 updates (#680)
• 2b245df [pre-commit.ci] pre-commit autoupdate (#681)
• dcb50f3 Upgrade dependencies (#678)
• 1c4a746 [pre-commit.ci] pre-commit autoupdate (#677)
• e7f970a Bump actions/checkout from 5 to 6 in the github-actions group (#676)
• Additional commits viewable in compare view

Updates zope-interface from 8.2 to 8.3

Changelog

Sourced from zope-interface's changelog.

8.3 (2026-04-10)

• Add support for free-threaded Python 3.14t: declare Py_mod_gil_not_used in C extension, replace borrowed-reference PyDict_GetItem() with strong- reference PyDict_GetItemRef() in cache lookups, and use Py_TYPE() macro instead of direct ob_type struct access.

• Add CI testing for free-threaded Python 3.14t (Linux).

• Guard 4 unprotected PyErr_Clear() calls in the C extension with PyErr_ExceptionMatches checks, matching the pattern already used at 7 other sites in the same file. Without the guard, KeyboardInterrupt, MemoryError, and SystemExit are silently swallowed in implementedBy and providedBy. See issue 358 <https://github.com/zopefoundation/zope.interface/issues/358>_.

Commits

• 197258c Preparing release 8.3
• 89665f6 Guard 4 unprotected PyErr_Clear calls with exception type checks (#365)
• 6c5a72e Merge pull request #356 from bluedynamics/config-with-meta
• 008a255 Configure with zope.meta, enable free-threaded python wheels
• 58cf4b8 Merge pull request #353 from bluedynamics/optimize-c-lookups
• 394e9c4 Clarify Py_INCREF comment per review feedback
• 0a3ecc7 IB__call__: intern _CALL_CUSTOM_ADAPT string, use Py_TYPE macro
• 3993a35 _lookup/_lookupAll/_subscriptions: skip PySequence_Tuple when already a tuple
• 7d53d01 _getcache: use PyUnicode_GET_LENGTH instead of PyObject_IsTrue
• e3a3cbc _verify: compare generation counters in-place without tuple allocation
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.