Skip to content

chore(deps): bump werkzeug from 3.1.3 to 3.1.6 in /python/x402_a2a#104

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/python/x402_a2a/werkzeug-3.1.6
Open

chore(deps): bump werkzeug from 3.1.3 to 3.1.6 in /python/x402_a2a#104
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/python/x402_a2a/werkzeug-3.1.6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 15, 2026

Copy link
Copy Markdown
Contributor

Bumps werkzeug from 3.1.3 to 3.1.6.

Release notes

Sourced from werkzeug's releases.

3.1.6

This is the Werkzeug 3.1.6 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.6/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-6

  • safe_join on Windows does not allow special devices names in multi-segment paths. GHSA-29vq-49wr-vm6x

3.1.5

This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.5/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-5 Milestone: https://github.com/pallets/werkzeug/milestone/43?closed=1

  • safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. GHSA-87hc-h4r5-73f7
  • The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. #3065 #3077
  • Fix AttributeError when initializing DebuggedApplication with pin_security=False. #3075

3.1.4

This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.4/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-4 Milestone: https://github.com/pallets/werkzeug/milestone/42?closed=1

  • safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. ghsa-hgf8-39gv-g3f2
  • The debugger pin fails after 10 attempts instead of 11. #3020
  • The multipart form parser handles a \r\n sequence at a chunk boundary. #3065
  • Improve CPU usage during Watchdog reloader. #3054
  • Request.json annotation is more accurate. #3067
  • Traceback rendering handles when the line number is beyond the available source lines. #3044
  • HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. #3056
Changelog

Sourced from werkzeug's changelog.

Version 3.1.6

Released 2026-02-19

  • safe_join on Windows does not allow special devices names in multi-segment paths. :ghsa:29vq-49wr-vm6x
  • Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. :issue:3108

Version 3.1.5

Released 2026-01-08

  • safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. :ghsa:87hc-h4r5-73f7
  • The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. :issue:3065 :issue:3077
  • Fix AttributeError when initializing DebuggedApplication with pin_security=False. :issue:3075

Version 3.1.4

Released 2025-11-28

  • safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. :ghsa:hgf8-39gv-g3f2
  • The debugger pin fails after 10 attempts instead of 11. :pr:3020
  • The multipart form parser handles a \r\n sequence at a chunk boundary. :issue:3065
  • Improve CPU usage during Watchdog reloader. :issue:3054
  • Request.json annotation is more accurate. :issue:3067
  • Traceback rendering handles when the line number is beyond the available source lines. :issue:3044
  • HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. :issue:3056
Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels May 15, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 15, 2026 05:01
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels May 15, 2026
@dependabot dependabot Bot force-pushed the dependabot/uv/python/x402_a2a/werkzeug-3.1.6 branch from 1cf461d to 73a31b7 Compare May 15, 2026 05:12
Bumps [werkzeug](https://github.com/pallets/werkzeug) from 3.1.3 to 3.1.6.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](pallets/werkzeug@3.1.3...3.1.6)

---
updated-dependencies:
- dependency-name: werkzeug
  dependency-version: 3.1.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/uv/python/x402_a2a/werkzeug-3.1.6 branch from 73a31b7 to f264663 Compare May 15, 2026 05:14
lingzhong added a commit to lingzhong/a2a-x402 that referenced this pull request Jun 5, 2026
* chore(ci-deps): bump github-actions group (google-agentic-commerce#111)

- astral-sh/setup-uv v5.4.2/v6 -> v8.1.0
- pypa/gh-action-pypi-publish v1.12.4 -> v1.14.0
- googleapis/release-please-action v4 -> v5

* chore(deps): batch safe dependency updates for x402_a2a

Combines these upstream Dependabot PRs into one re-locked batch:
- google-agentic-commerce#112 pydantic 2.11.7 -> 2.13.4 (prod group)
- google-agentic-commerce#113 dev group: mypy 1.18.2->1.20.2, pytest-mock 3.14.1->3.15.1, ruff 0.13.1->0.15.13, trio 0.30.0->0.33.0
- google-agentic-commerce#115 pytest-cov 6.2.1 -> 7.1.0
- google-agentic-commerce#122 aiohttp 3.13.4 -> 3.14.0
- google-agentic-commerce#108 idna 3.10 -> 3.15
- google-agentic-commerce#106 protobuf 6.32.0 -> 6.33.5
- google-agentic-commerce#100 pyasn1 0.6.1 -> 0.6.3
- google-agentic-commerce#103 pygments 2.19.2 -> 2.20.0
- google-agentic-commerce#105 requests 2.32.4 -> 2.33.0
- google-agentic-commerce#104 werkzeug 3.1.3 -> 3.1.6
- google-agentic-commerce#96 urllib3 2.5.0 -> 2.7.0
- google-agentic-commerce#101 flask 3.1.1 -> 3.1.3

Re-locked with uv; pytest (3 passed) and ruff check/format pass.
Excludes majors x402 2.8.0 (google-agentic-commerce#117), a2a-sdk 1.0.2 (google-agentic-commerce#114), starlette 1.0.1 (google-agentic-commerce#123).

* chore(deps): batch safe dependency updates for adk-demo

Combines upstream Dependabot PRs:
- google-agentic-commerce#116 adk-demo-safe group: google-adk 1.14.1->1.33.0, click 8.2.1->8.3.3,
  uvicorn 0.35.0->0.46.0, web3 7.10.0->7.16.0, cdp-sdk 1.32.0->1.46.0,
  ruff 0.13.1->0.15.12, plus transitive cascade
- google-agentic-commerce#118 pytest-cov: obviated (google-adk 1.33 no longer pulls pytest-cov)

Re-locked with uv (181 packages); uv sync --group lint and ruff check/format pass.

* chore(deps): bump starlette 0.47.2 -> 1.0.1 in x402_a2a (google-agentic-commerce#123)

The one upstream major that re-locks and passes cleanly on top of the safe
batch. uv resolves starlette 1.0.1 without bumping a2a-sdk 0.3.1, i.e. a2a-sdk
0.3.1 already declares compatibility with starlette 1.0; package import, the
test suite (3 passed), and ruff check/format all pass.

Transitively pulls fastapi 0.116.1 -> 0.136.3 plus annotated-doc, fastar and
pydantic-extra-types.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants