Skip to content

fix(deps): update all non-major dependencies

renovate requested to merge renovate/all-minor-patch into master

This MR contains the following updates:

Package Change Age Adoption Passing Confidence
Jinja2 (changelog) 3.1.3 -> 3.1.4 age adoption passing confidence
Werkzeug (changelog) 3.0.2 -> 3.0.3 age adoption passing confidence
bcrypt 4.1.2 -> 4.1.3 age adoption passing confidence
coverage 7.4.4 -> 7.5.1 age adoption passing confidence
fakeredis 2.21.3 -> 2.23.2 age adoption passing confidence
filelock 3.13.3 -> 3.14.0 age adoption passing confidence
itsdangerous (changelog) 2.1.2 -> 2.2.0 age adoption passing confidence
lxml (source, changelog) 5.2.1 -> 5.2.2 age adoption passing confidence
orjson (changelog) 3.10.0 -> 3.10.3 age adoption passing confidence
pygit2 (changelog) 1.14.1 -> 1.15.0 age adoption passing confidence
pytest (changelog) 8.1.1 -> 8.2.1 age adoption passing confidence
pytest-asyncio (changelog) 0.23.6 -> 0.23.7 age adoption passing confidence
pytest-xdist (changelog) 3.5.0 -> 3.6.1 age adoption passing confidence
redis (changelog) 5.0.3 -> 5.0.4 age adoption passing confidence
requests (source, changelog) 2.31.0 -> 2.32.1 age adoption passing confidence
tomlkit 0.12.4 -> 0.12.5 age adoption passing confidence

Release Notes

pallets/jinja (Jinja2)


Compare Source

Released 2024-05-05

  • The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. :ghsa:h75v-3vvj-5mfj
nedbat/coveragepy (coverage)


Compare Source

  • Fix: a pragma comment on the continuation lines of a multi-line statement now excludes the statement and its body, the same as if the pragma is on the first line. This closes issue 754*. The fix was contributed by Daniel Diniz <pull 1773_>*.

  • Fix: very complex source files like this one <resolvent_lookup_>_ could cause a maximum recursion error when creating an HTML report. This is now fixed, closing issue 1774_.

  • HTML report improvements:

    • Support files (JavaScript and CSS) referenced by the HTML report now have hashes added to their names to ensure updated files are used instead of stale cached copies.

    • Missing branch coverage explanations that said "the condition was never false" now read "the condition was always true" because it's easier to understand.

    • Column sort order is remembered better as you move between the index pages, fixing issue 1766*. Thanks, Daniel Diniz <pull 1768_>*.

.. _resolvent_lookup: .. _issue 754: .. _issue 1766: .. _pull 1768: .. _pull 1773: .. _issue 1774:

.. _changes_7-5-0:


Compare Source

  • Added initial support for function and class reporting in the HTML report. There are now three index pages which link to each other: files, functions, and classes. Other reports don't yet have this information, but it will be added in the future where it makes sense. Feedback gladly accepted! Finishes issue 780_.

  • Other HTML report improvements:

    • There is now a "hide covered" checkbox to filter out 100% files, finishing issue 1384_.

    • The index page is always sorted by one of its columns, with clearer indications of the sorting.

    • The "previous file" shortcut key didn't work on the index page, but now it does, fixing issue 1765_.

  • The debug output showing which configuration files were tried now shows absolute paths to help diagnose problems where settings aren't taking effect, and is renamed from "attempted_config_files" to the more logical "config_files_attempted."

  • Python 3.13.0a6 is supported.

.. _issue 780: .. _issue 1384: .. _issue 1765:

.. _changes_7-4-4:

cunla/fakeredis-py (fakeredis)

v2.23.2: 🌈

Compare Source

🐛 Bug Fixes
  • Fix reading multiple streams with blocking #​309

Full Changelog:

v2.23.1: 🌈

Compare Source

🐛 Bug Fixes
  • Fix XREAD behavior when COUNT is not provided but BLOCKING is provided #​308

Full Changelog:

v2.23.0: 🌈

Compare Source

🚀 Features
🐛 Bug Fixes
  • Import Self from typing vs. typing_extension
🧰 Maintenance
  • Update dependencies
  • Add redis-py 5.0.4 to tests
  • Update lupa version constraint #​306 @​noamkush


We'd like to thank all the contributors who supported the work on this release! @​noamkush

Full Changelog:

v2.22.0: 🌈

Compare Source


🚀 Features
  • Support for setting LUA version from environment variable FAKEREDIS_LUA_VERSION #​287
  • Support for loading LUA binary modules in fakeredis #​304
🐛 Bug Fixes
  • Fix the type hint for the version parameter in the async client #​302
  • Using LUA 5.1 like real redis #​287
  • fix: FakeRedisMixin.from_url() return type is really Self. @​ben-xo #​305


Full Changelog:

tox-dev/py-filelock (filelock)


Compare Source

What's Changed

New Contributors

Full Changelog:


Compare Source

What's Changed

Full Changelog:

pallets/itsdangerous (itsdangerous)


Compare Source

Released 2024-04-16

  • Drop support for Python 3.7. 🇵🇷372
  • Use modern packaging metadata with pyproject.toml instead of setup.cfg. 🇵🇷326
  • Use flit_core instead of setuptools as build backend.
  • Deprecate the __version__ attribute. Use feature detection, or importlib.metadata.version("itsdangerous"), instead. :issue:371
  • Serializer and the return type of dumps is generic for type checking. By default it is Serializer[str] and dumps returns a str. If a different serializer argument is given, it will try to infer the return type of its dumps method. :issue:347
  • The default hashlib.sha1 may not be available in FIPS builds. Don't access it at import time so the developer has time to change the default. :issue:375
lxml/lxml (lxml)


Compare Source


Bugs fixed

  • GH#417: The test_feed_parser test could fail if lxml_html_clean was not installed. It is now skipped in that case.

  • LP#2059910: The minimum CPU architecture for the Linux x86 binary wheels was set back to "core2", without SSE 4.2.

  • If libxml2 uses iconv, the compile time version is available as etree.ICONV_COMPILED_VERSION.

ijl/orjson (orjson)


Compare Source

  • manylinux amd64 builds include runtime-detected AVX-512 str implementation.
  • Tests now compatible with numpy v2.


Compare Source

  • Fix crash serializing str introduced in 3.10.1.
  • Improve performance.
  • Drop support for arm7.


Compare Source

  • Serializing numpy.ndarray with non-native endianness raises orjson.JSONEncodeError.
  • Improve performance of serializing.
libgit2/pygit2 (pygit2)


Compare Source

  • Many deprecated features have been removed, see below

  • Upgrade to libgit2 v1.8.1

  • New push_options optional argument in Repository.push(...) #​1282

  • New support comparison of Oid with text string

  • Fix CheckoutNotify.IGNORED #​1288

  • Use default error handler when decoding/encoding paths #​537

  • Remove setuptools runtime dependency #​1281

  • Coding style with ruff #​1280

  • Add wheels for ppc64le #​1279

  • Fix tests on EPEL8 builds for s390x #​1283


  • Deprecate IndexEntry.hex, use str(

Breaking changes:

  • Remove deprecated oid.hex, use str(oid)

  • Remove deprecated object.hex, use str(

  • Remove deprecated object.oid, use

  • Remove deprecated Repository.add_submodule(...), use Repository.submodules.add(...)

  • Remove deprecated Repository.lookup_submodule(...), use Repository.submodules[...]

  • Remove deprecated Repository.init_submodules(...), use Repository.submodules.init(...)

  • Remove deprecated Repository.update_submodule(...), use Repository.submodules.update(...)

  • Remove deprecated constants GIT_OBJ_XXX, use ObjectType

  • Remove deprecated constants GIT_REVPARSE_XXX, use RevSpecFlag

  • Remove deprecated constants GIT_REF_XXX, use ReferenceType

  • Remove deprecated ReferenceType.OID, use instead ReferenceType.DIRECT

  • Remove deprecated ReferenceType.LISTALL, use instead ReferenceType.ALL

  • Remove deprecated support for passing dicts to repository's merge(...), merge_commits(...) and merge_trees(...). Instead pass MergeFlag for flags, and MergeFileFlag for file_flags.

  • Remove deprecated support for passing a string for the favor argument to repository's merge(...), merge_commits(...) and merge_trees(...). Instead pass MergeFavor.

pytest-dev/pytest (pytest)


Compare Source

pytest 8.2.1 (2024-05-19)


  • #​12334: Support for Python 3.13 (beta1 at the time of writing).

Bug Fixes

  • #​12120: Fix [PermissionError]{.title-ref} crashes arising from directories which are not selected on the command-line.
  • #​12191: Keyboard interrupts and system exits are now properly handled during the test collection.
  • #​12300: Fixed handling of 'Function not implemented' error under squashfuse_ll, which is a different way to say that the mountpoint is read-only.
  • #​12308: Fix a regression in pytest 8.2.0 where the permissions of automatically-created .pytest_cache directories became rwx------ instead of the expected rwxr-xr-x.

Trivial/Internal Changes

  • #​12333: pytest releases are now attested using the recent Artifact Attestation support from GitHub, allowing users to verify the provenance of pytest's sdist and wheel artifacts.


Compare Source

pytest 8.2.0 (2024-04-27)


  • #​12069: A deprecation warning is now raised when implementations of one of the following hooks request a deprecated py.path.local parameter instead of the pathlib.Path parameter which replaced it:

    • pytest_ignore_collect{.interpreted-text role="hook"} - the path parameter - use collection_path instead.
    • pytest_collect_file{.interpreted-text role="hook"} - the path parameter - use file_path instead.
    • pytest_pycollect_makemodule{.interpreted-text role="hook"} - the path parameter - use module_path instead.
    • pytest_report_header{.interpreted-text role="hook"} - the startdir parameter - use start_path instead.
    • pytest_report_collectionfinish{.interpreted-text role="hook"} - the startdir parameter - use start_path instead.

    The replacement parameters are available since pytest 7.0.0. The old parameters will be removed in pytest 9.0.0.

    See legacy-path-hooks-deprecated{.interpreted-text role="ref"} for more details.


  • #​11871: Added support for reading command line arguments from a file using the prefix character @, like e.g.: pytest @&#8203;tests.txt. The file must have one argument per line.

    See Read arguments from file <args-from-file>{.interpreted-text role="ref"} for details.


  • #​11523: pytest.importorskip{.interpreted-text role="func"} will now issue a warning if the module could be found, but raised ImportError{.interpreted-text role="class"} instead of ModuleNotFoundError{.interpreted-text role="class"}.

    The warning can be suppressed by passing exc_type=ImportError to pytest.importorskip{.interpreted-text role="func"}.

    See import-or-skip-import-error{.interpreted-text role="ref"} for details.

  • #​11728: For unittest-based tests, exceptions during class cleanup (as raised by functions registered with TestCase.addClassCleanup <unittest.TestCase.addClassCleanup>{.interpreted-text role="meth"}) are now reported instead of silently failing.

  • #​11777: Text is no longer truncated in the short test summary info section when -vv is given.

  • #​12112: Improved namespace packages detection when consider_namespace_packages{.interpreted-text role="confval"} is enabled, covering more situations (like editable installs).

  • #​9502: Added PYTEST_VERSION{.interpreted-text role="envvar"} environment variable which is defined at the start of the pytest session and undefined afterwards. It contains the value of pytest.__version__, and among other things can be used to easily check if code is running from within a pytest run.

Bug Fixes

  • #​12065: Fixed a regression in pytest 8.0.0 where test classes containing setup_method and tests using @staticmethod or @classmethod would crash with AttributeError: 'NoneType' object has no attribute 'setup_method'.

    Now the request.instance <pytest.FixtureRequest.instance>{.interpreted-text role="attr"} attribute of tests using @staticmethod and @classmethod is no longer None, but a fresh instance of the class, like in non-static methods. Previously it was None, and all fixtures of such tests would share a single self.

  • #​12135: Fixed issue where fixtures adding their finalizer multiple times to fixtures they request would cause unreliable and non-intuitive teardown ordering in some instances.

  • #​12194: Fixed a bug with --importmode=importlib and --doctest-modules where child modules did not appear as attributes in parent modules.

  • #​1489: Fixed some instances where teardown of higher-scoped fixtures was not happening in the reverse order they were initialized in.

Trivial/Internal Changes

  • #​12069: pluggy>=1.5.0 is now required.
  • #​12167: cache <cache>{.interpreted-text role="ref"}: create supporting files (CACHEDIR.TAG, .gitignore, etc.) in a temporary directory to provide atomic semantics.


Compare Source

pytest 8.1.2 (2024-04-26)

Bug Fixes

  • #​12114: Fixed error in pytest.approx{.interpreted-text role="func"} when used with [numpy]{.title-ref} arrays and comparing with other types.
pytest-dev/pytest-asyncio (pytest-asyncio)

v0.23.7: pytest-asyncio 0.23.7

Compare Source

0.23.7 (2024-05-19)

  • Silence deprecation warnings about unclosed event loops that occurred with certain CPython patch releases #​817

Known issues

As of v0.23, pytest-asyncio attaches an asyncio event loop to each item of the test suite (i.e. session, packages, modules, classes, functions) and allows tests to be run in those loops when marked accordingly. Pytest-asyncio currently assumes that async fixture scope is correlated with the new event loop scope. This prevents fixtures from being evaluated independently from the event loop scope and breaks some existing test suites (see #​706). For example, a test suite may require all fixtures and tests to run in the same event loop, but have async fixtures that are set up and torn down for each module. If you're affected by this issue, please continue using the v0.21 release, until it is resolved.

pytest-dev/pytest-xdist (pytest-xdist)


Compare Source


Bug Fixes

  • #&#8203;1071 <>_: Add backward compatibility for deadlock issue with the execnet new main_thread_only "execmodel" triggered when pytest-cov accesses rinfo.


Compare Source


This release was YANKED due to a regression fixed in 3.6.1.


  • #&#8203;1027 <>_:pytest-xdist workers now always execute the tests in the main thread. Previously some tests might end up executing in a separate thread other than main in the workers, due to some internal execnet`` details. This can cause problems specially with async frameworks where the event loop is running in the ``main`` thread (for example #​620 #​620`__).

Bug Fixes

  • #&#8203;1024 <>_: Added proper handling of shouldstop (such as set by --max-fail) and shouldfail conditions in workers. Previously, a worker might have continued executing further tests before the controller could terminate the session.

  • #&#8203;1028 <>_: Fixed compatibility issue between looponfail and editable installs.

  • #&#8203;620 <>_: Use the new main_thread_only execnet "execmodel" so that code which expects to only run in the main thread will now work as expected.

  • #&#8203;937 <>_: Fixed a bug where plugin would raise an incompatibility error with --pdb despite using -n0.


  • #&#8203;1053 <>_: Dropped support for Python 3.7.

  • #&#8203;1057 <>_: pytest>=7.0.0 is now required.

    execnet>=2.1.0 is now required.

Trivial Changes

  • #&#8203;1020 <>_: pytest-xdist's file is removed.

    If you relied on this file, e.g. to install pytest using install, please see Why you shouldn't invoke directly <>_ for alternatives.

  • #&#8203;1057 <>_: The internals of pytest-xdist are now fully typed. The typing is not exposed yet.

  • #&#8203;996 <>_: Adjusted license file format and content to ensure security scanners will identity the license.

redis/redis-py (redis)

v5.0.4: 5.0.4

Compare Source


🐛 Bug Fixes

  • Make it possible to customize SSL ciphers (#​3212)
psf/requests (requests)


Compare Source


  • Add missing test certs to the sdist distributed on PyPI.


Compare Source



  • verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#​6667)
  • Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#​6702)


  • Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#​6589)
  • Fixed deserialization bug in JSONDecodeError. (#​6629)
  • Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#​6644)


  • Requests has officially added support for CPython 3.12 (#​6503)
  • Requests has officially added support for PyPy 3.9 and 3.10 (#​6641)
  • Requests has officially dropped support for CPython 3.7 (#​6642)
  • Requests has officially dropped support for PyPy 3.7 and 3.8 (#​6641)


  • Various typo fixes and doc improvements.


  • Requests has started adopting some modern packaging practices. The source files for the projects (formerly requests) is now located in src/requests in the Requests sdist. (#​6506)
  • Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system using hatchling. This should not impact the average user, but extremely old versions of packaging utilities may have issues with the new packaging format.
sdispater/tomlkit (tomlkit)


Compare Source

What's Changed

New Contributors

Full Changelog:


📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This MR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Edited by renovate

Merge request reports