Update all dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
Authlib	==1.1.0 -> ==1.3.0					install	minor
Hypercorn	==0.14.3 -> ==0.16.0					install	minor
Jinja2 (changelog)	==3.1.2 -> ==3.1.4					install	patch
Markdown (changelog)	==3.4.1 -> ==3.6					install	minor
SQLAlchemy (changelog)	==1.4.43 -> ==2.0.30					install	major
Werkzeug (changelog)	==2.2.2 -> ==3.0.3					install	major
actions/checkout	v3 -> v4					action	major
aiofiles (changelog)	==22.1.0 -> ==23.2.1					install	major
aiohttp	==3.8.3 -> ==3.9.5					install	minor
alembic (source, changelog)	==1.8.1 -> ==1.13.1					install	minor
asgiref (changelog)	==3.5.2 -> ==3.8.1					install	minor
autoflake	==1.7.7 -> ==2.3.1					install	major
bcrypt	==4.0.1 -> ==4.1.3					install	minor
beautifulsoup4 (changelog)	==4.11.1 -> ==4.12.3					install	minor
black (changelog)	==22.10.0 -> ==24.4.2					install	major
bleach	==5.0.1 -> ==6.1.0					install	major
coverage	==6.5.0 -> ==7.5.1					install	major
email-validator	==1.3.0 -> ==2.1.1					install	major
fakeredis	==1.10.0 -> ==2.23.2					install	major
fastapi	==0.86.0 -> ==0.111.0					install	minor
feedgen	==0.9.0 -> ==1.0.0					install	major
filelock	==3.8.0 -> ==3.14.0					install	minor
flake8 (changelog)	==5.0.4 -> ==7.0.0					install	major
gunicorn (changelog)	==20.1.0 -> ==22.0.0					install	major
highlight.js (source)	11.5.0 -> 11.9.0						minor
httpx (changelog)	==0.23.0 -> ==0.27.0					install	minor
isort (source, changelog)	==5.10.1 -> ==5.13.2					install	minor
itsdangerous (changelog)	==2.1.2 -> ==2.2.0					install	minor
lxml (source, changelog)	==4.9.1 -> ==5.2.2					install	major
makedeb-srcinfo	==0.5.2 -> ==0.8.1					install	minor
mysqlclient	==2.1.1 -> ==2.2.4					install	minor
orjson (changelog)	==3.8.1 -> ==3.10.3					install	minor
posix-ipc	==1.0.5 -> ==1.1.1					install	minor
prometheus-fastapi-instrumentator	==5.9.1 -> ==7.0.0					install	major
protobuf	==4.21.9 -> ==5.26.1					install	major
pygit2 (changelog)	==1.10.1 -> ==1.15.0					install	minor
pytest (changelog)	==7.2.0 -> ==8.2.1					install	major
pytest-asyncio (changelog)	==0.20.1 -> ==0.23.7					install	minor
pytest-cov (changelog)	==4.0.0 -> ==5.0.0					install	major
pytest-tap	==3.3 -> ==3.4					install	minor
pytest-xdist (changelog)	==3.0.2 -> ==3.6.1					install	minor
python-multipart (changelog)	==0.0.5 -> ==0.0.9					install	patch
redis (changelog)	==4.3.4 -> ==5.0.4					install	major
requests (source, changelog)	==2.28.1 -> ==2.31.0					install	minor
sentry-sdk (changelog)	==1.10.1 -> ==2.2.0					install	major
uvicorn (changelog)	==0.19.0 -> ==0.29.0					install	minor

❗ Important

Release Notes retrieval for this PR were skipped because no github.com credentials were available.
If you are self-hosted, please see this instruction.

---

Release Notes

lepture/authlib (Authlib)

v1.3.0: Version 1.3.0

Compare Source

Bug fixes

• Restore AuthorizationServer.create_authorization_response behavior, via #​558 by @​TurnrDev
• Include leeway in validate_iat() for JWT, via #​565 by @​dhallam
• Fix encode_client_secret_basic, via #​594 by @​Prilkop
• Use single key in JWK if JWS does not specify kid, via #​596 by @​dklimpel
• Fix error when RFC9068 JWS has no scope field, via #​598 by @​tanguilp
• Get werkzeug version using importlib, via #​591 by @​Sparrow0hawk

Breaking changes

• RFC9068 implementation, via #​586 by @​azmeuk.

v1.2.1: Version 1.2.1

Compare Source

• Apply headers in ClientSecretJWT.sign method, via #​552
• Allow falsy but non-None grant uri params, via #​544
• Fixed authorize_redirect for Starlette v0.26.0, via #​533
• Removed has_client_secret method and documentation, via #​513
• Removed request_invalid and token_revoked remaining occurences
  and documentation. #​514
• Fixed RFC7591 grant_types and response_types default values, via #​509
• Add support for python 3.12, via #​590

v1.2.0: Version 1.2.0

Compare Source

• Not passing request.body to ResourceProtector, #​485.
• Use flask.g instead of _app_ctx_stack, #​482.
• Add headers parameter back to ClientSecretJWT, #​457.
• Always passing realm parameter in OAuth 1 clients, #​339.
• Implemented RFC7592 Dynamic Client Registration Management Protocol, #​505`
• Add default_timeout for requests OAuth2Session and AssertionSession.
• Deprecate jwk.loads and jwk.dumps

pgjones/hypercorn (Hypercorn)

v0.16.0

Compare Source

• Add a max keep alive requests configuration option, this mitigates
  the HTTP/2 rapid reset attack.
• Return subprocess exit code if non-zero.
• Add ProxyFix middleware to make it easier to run Hypercorn behind a
  proxy.
• Support restarting workers after max requests to make it easier to
  manage memory leaks in apps.
• Bugfix ensure the idle task is stopped on error.
• Bugfix revert autoreload error because reausing old sockets.
• Bugfix send the hinted error from h11 on RemoteProtocolErrors.
• Bugfix handle asyncio.CancelledError when socket is closed without
  flushing.
• Bugfix improve WSGI compliance by closing iterators, only sending
  headers on first response byte, erroring if start_response is
  not called, and switching wsgi.errors to stdout.
• Don't error on LocalProtoclErrors for ws streams to better cope with
  race conditions.

v0.15.0

Compare Source

• Improve the NoAppError to help diagnose why the app has not been
  found.
• Log cancelled requests as well as successful to aid diagnositics of
  failures.
• Use more modern asyncio apis. This will hopefully fix reported
  memory leak issues.
• Bugfix only load the application in the main process if the reloader
  is being used.
• Bugfix Autoreload error because reausing old sockets.
• Bugfix scope client usage for sock binding.
• Bugfix disable multiprocessing if number of workers is 0 to support
  systems that don't support multiprocessing.

v0.14.4

Compare Source

• Bugfix Use tomllib/tomli for .toml support replacing the
  unmaintained toml library.
• Bugfix server hanging on startup failure.
• Bugfix close websocket with 1011 on internal error (1006 is a
  client-only code).
• Bugfix support trio > 0.22 utilising exception groups (note trio <=
  0.22 is not supported).
• Bugfix except ConnectionAbortedError which can be raised on Windows
  machines.
• Bugfix ensure that closed is sent on reading end.
• Bugfix handle read_timeout exception on trio.
• Support and test against Python 3.11.
• Add explanation of PicklingErrors.
• Add config option to pass raw h11 headers.

pallets/jinja (Jinja2)

v3.1.4

Compare Source

Released 2024-05-05

• The xmlattr filter does not allow keys with / solidus, >
  greater-than sign, or = equals sign, in addition to disallowing spaces.
  Regardless of any validation done by Jinja, user input should never be used
  as keys to this filter, or must be separately validated first.
  :ghsa:h75v-3vvj-5mfj

v3.1.3

Compare Source

Released 2024-01-10

• Fix compiler error when checking if required blocks in parent templates are
  empty. :pr:1858
• xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
• Make error messages stemming from invalid nesting of {% trans %} blocks
  more helpful. :pr:1918

Python-Markdown/markdown (Markdown)

v3.6

Compare Source

Changed

Refactor TOC Sanitation

• All postprocessors are now run on heading content.
• Footnote references are now stripped from heading content. Fixes #​660.
• A more robust striptags is provided to convert headings to plain text.
  Unlike, the markupsafe implementation, HTML entities are not unescaped.
• The plain text name, rich html, and unescaped raw data-toc-label are
  saved to toc_tokens, allowing users to access the full rich text content of
  the headings directly from toc_tokens.
• The value of data-toc-label is sanitized separate from heading content
  before being written to name. This fixes a bug which allowed markup through
  in certain circumstances. To access the raw unsanitized data, retrieve the
  value from token['data-toc-label'] directly.
• An html.unescape call is made just prior to calling slugify so that
  slugify only operates on Unicode characters. Note that html.unescape is
  not run on name, html, or data-toc-label.
• The functions get_name and stashedHTML2text defined in the toc extension
  are both deprecated. Instead, third party extensions should use some
  combination of the new functions run_postprocessors, render_inner_html and
  striptags.

Fixed

• Include scripts/*.py in the generated source tarballs (#​1430).
• Ensure lines after heading in loose list are properly detabbed (#​1443).
• Give smarty tree processor higher priority than toc (#​1440).
• Permit carets (^) and square brackets (]) but explicitly exclude
  backslashes (\) from abbreviations (#​1444).
• In attribute lists (attr_list, fenced_code), quoted attribute values are
  now allowed to contain curly braces (}) (#​1414).

v3.5.2

Compare Source

Fixed

• Fix type annotations for convertFile - it accepts only bytes-based buffers.
  Also remove legacy checks from Python 2 (#​1400)
• Remove legacy import needed only in Python 2 (#​1403)
• Fix typo that left the attribute AdmonitionProcessor.content_indent unset
  (#​1404)
• Fix edge-case crash in InlineProcessor with AtomicString (#​1406).
• Fix edge-case crash in codehilite with an empty code tag (#​1405).
• Improve and expand type annotations in the code base (#​1401).
• Fix handling of bogus comments (#​1425).

v3.5.1

Compare Source

Fixed

• Fix a performance problem with HTML extraction where large HTML input could
  trigger quadratic line counting behavior (#​1392).
• Improve and expand type annotations in the code base (#​1394).

v3.5

Compare Source

v3.4.4

Compare Source

v3.4.3

Compare Source

v3.4.2

Compare Source

actions/checkout (actions/checkout)

v4

Compare Source

• Support fetching without the --progress option
• Update to node20

Tinche/aiofiles (aiofiles)

v23.2.1: 23.2.1

Compare Source

• Import os.statvfs conditionally to fix importing on non-UNIX systems.
  #​171 #​172
• aiofiles is now also tested on Windows.

v23.2.0: 23.2.0

Compare Source

23.2.0

• aiofiles is now tested on Python 3.12 too.
  #​166 #​168
• On Python 3.12, aiofiles.tempfile.NamedTemporaryFile now accepts a delete_on_close argument, just like the stdlib version.
• On Python 3.12, aiofiles.tempfile.NamedTemporaryFile no longer exposes a delete attribute, just like the stdlib version.
• Added aiofiles.os.statvfs and aiofiles.os.path.ismount.
  #​162
• Use PDM instead of Poetry.
  #​169

v23.1.0

Compare Source

aio-libs/aiohttp (aiohttp)

v3.9.5

Compare Source

==================

Bug fixes

• Fixed "Unclosed client session" when initialization of
  :py:class:~aiohttp.ClientSession fails -- by :user:NewGlad.

  Related issues and pull requests on GitHub:
  :issue:8253.

• Fixed regression (from :pr:8280) with adding Content-Disposition to the form-data
  part after appending to writer -- by :user:Dreamsorcerer/:user:Olegt0rr.

  Related issues and pull requests on GitHub:
  :issue:8332.

• Added default Content-Disposition in multipart/form-data responses to avoid broken
  form-data responses -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:8335.

---

v3.9.4

Compare Source

==================

Bug fixes

• The asynchronous internals now set the underlying causes
  when assigning exceptions to the future objects
  -- by :user:webknjaz.

  Related issues and pull requests on GitHub:
  :issue:8089.

• Treated values of Accept-Encoding header as case-insensitive when checking
  for gzip files -- by :user:steverep.

  Related issues and pull requests on GitHub:
  :issue:8104.

• Improved the DNS resolution performance on cache hit -- by :user:bdraco.

  This is achieved by avoiding an :mod:asyncio task creation in this case.

  Related issues and pull requests on GitHub:
  :issue:8163.

• Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append,
  :meth:aiohttp.MultipartWriter.append_json and
  :meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny

  Related issues and pull requests on GitHub:
  :issue:7741.

• Ensure websocket transport is closed when client does not close it
  -- by :user:bdraco.

  The transport could remain open if the client did not close it. This
  change ensures the transport is closed when the client does not close
  it.

  Related issues and pull requests on GitHub:
  :issue:8200.

• Leave websocket transport open if receive times out or is cancelled
  -- by :user:bdraco.

  This restores the behavior prior to the change in #​7978.

  Related issues and pull requests on GitHub:
  :issue:8251.

• Fixed content not being read when an upgrade request was not supported with the pure Python implementation.
  -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:8252.

• Fixed a race condition with incoming connections during server shutdown -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:8271.

• Fixed multipart/form-data compliance with :rfc:7578 -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:8280.

• Fixed blocking I/O in the event loop while processing files in a POST request
  -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:8283.

• Escaped filenames in static view -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:8317.

• Fixed the pure python parser to mark a connection as closing when a
  response has no length -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:8320.

Features

• Upgraded llhttp to 9.2.1, and started rejecting obsolete line folding
  in Python parser to match -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:8146, :issue:8292.

Deprecations (removal in next major release)

• Deprecated content_transfer_encoding parameter in :py:meth:FormData.add_field() <aiohttp.FormData.add_field> -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:8280.

Improved documentation

• Added a note about canceling tasks to avoid delaying server shutdown -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:8267.

Contributor-facing changes

• The pull request template is now asking the contributors to
  answer a question about the long-term maintenance challenges
  they envision as a result of merging their patches
  -- by :user:webknjaz.

  Related issues and pull requests on GitHub:
  :issue:8099.

• Updated CI and documentation to use NPM clean install and upgrade
  node to version 18 -- by :user:steverep.

  Related issues and pull requests on GitHub:
  :issue:8116.

• A pytest fixture hello_txt was introduced to aid
  static file serving tests in
  :file:test_web_sendfile_functional.py. It dynamically
  provisions hello.txt file variants shared across the
  tests in the module.

  -- by :user:steverep

  Related issues and pull requests on GitHub:
  :issue:8136.

Packaging updates and notes for downstreams

• Added an internal pytest marker for tests which should be skipped
  by packagers (use -m 'not internal' to disable them) -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:8299.

---

v3.9.3

Compare Source

==================

Bug fixes

• Fixed backwards compatibility breakage (in 3.9.2) of ssl parameter when set outside
  of ClientSession (e.g. directly in TCPConnector) -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:8097, :issue:8098.

Miscellaneous internal changes

• Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.

  Related issues and pull requests on GitHub:
  :issue:3957.

---

v3.9.2

Compare Source

==================

Bug fixes

• Fixed server-side websocket connection leak.

  Related issues and pull requests on GitHub:
  :issue:7978.

• Fixed web.FileResponse doing blocking I/O in the event loop.

  Related issues and pull requests on GitHub:
  :issue:8012.

• Fixed double compress when compression enabled and compressed file exists in server file responses.

  Related issues and pull requests on GitHub:
  :issue:8014.

• Added runtime type check for ClientSession timeout parameter.

  Related issues and pull requests on GitHub:
  :issue:8021.

• Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

  Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
  Invalid header field names containing question mark or slash are now rejected.
  Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

  Related issues and pull requests on GitHub:
  :issue:8074.

• Improved validation of paths for static resources requests to the server -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:8079.

Features

• Added support for passing :py:data:True to ssl parameter in ClientSession while
  deprecating :py:data:None -- by :user:xiangyan99.

  Related issues and pull requests on GitHub:
  :issue:7698.

Breaking changes

• Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

  Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
  Invalid header field names containing question mark or slash are now rejected.
  Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

  Related issues and pull requests on GitHub:
  :issue:8074.

Improved documentation

• Fixed examples of fallback_charset_resolver function in the :doc:client_advanced document. -- by :user:henry0312.

  Related issues and pull requests on GitHub:
  :issue:7995.

• The Sphinx setup was updated to avoid showing the empty
  changelog draft section in the tagged release documentation
  builds on Read The Docs -- by :user:webknjaz.

  Related issues and pull requests on GitHub:
  :issue:8067.

Packaging updates and notes for downstreams

• The changelog categorization was made clearer. The
  contributors can now mark their fragment files more
  accurately -- by :user:webknjaz.

  The new category tags are:

  * ``bugfix``
  
  * ``feature``
  
  * ``deprecation``
  
  * ``breaking`` (previously, ``removal``)
  
  * ``doc``
  
  * ``packaging``
  
  * ``contrib``
  
  * ``misc``
  

  Related issues and pull requests on GitHub:
  :issue:8066.

Contributor-facing changes

• Updated :ref:contributing/Tests coverage <aiohttp-contributing> section to show how we use codecov -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:7916.

• The changelog categorization was made clearer. The
  contributors can now mark their fragment files more
  accurately -- by :user:webknjaz.

  The new category tags are:

  * ``bugfix``
  
  * ``feature``
  
  * ``deprecation``
  
  * ``breaking`` (previously, ``removal``)
  
  * ``doc``
  
  * ``packaging``
  
  * ``contrib``
  
  * ``misc``
  

  Related issues and pull requests on GitHub:
  :issue:8066.

Miscellaneous internal changes

• Replaced all tmpdir fixtures with tmp_path in test suite.

  Related issues and pull requests on GitHub:
  :issue:3551.

---

v3.9.1

Compare Source

==================

Bugfixes

• Fixed importing aiohttp under PyPy on Windows.

  #&#8203;7848 <https://github.com/aio-libs/aiohttp/issues/7848>_

• Fixed async concurrency safety in websocket compressor.

  #&#8203;7865 <https://github.com/aio-libs/aiohttp/issues/7865>_

• Fixed ClientResponse.close() releasing the connection instead of closing.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[hwittenborn]

Holding off on this until fakeredis supports this version of redis. See jamesls/fakeredis#329.