@pyup-bot
Collaborator

Update asgiref from 3.8.1 to 3.11.0.

Changelog

3.11.0
-------------------

* ``sync_to_async`` gains a ``context`` parameter, similar to those for
``asyncio.create_task``, ``TaskGroup`` &co, that can be used on Python 3.11+ to
control the context used by the underlying task.

The parent context is already propagated by default but the additional
control is useful if multiple ``sync_to_async`` calls need to share the same
context, e.g. when used with ``asyncio.gather()``.

3.10.0
-------------------

* Added AsyncSingleThreadContext context manager to ensure multiple AsyncToSync
invocations use the same thread. (511)

3.9.2
------------------

* Adds support for Python 3.14.

* Fixes wsgi.errors file descriptor in WsgiToAsgi adapter.

3.9.1
------------------

* Fixed deletion of Local values affecting other contexts. (523)

* Skip CPython specific garbage collection test on pypy. (521)

3.9.0
------------------

* Adds support for Python 3.13.

* Drops support for (end-of-life) Python 3.8.

* Fixes an error with conflicting kwargs between AsyncToSync and the wrapped
function. (471)

* Fixes Local isolation between asyncio Tasks. (478)

* Fixes a reference cycle in Local (508)

* Fixes a deadlock in CurrentThreadExecutor with nested async_to_sync →
sync_to_async → async_to_sync → create_task calls. (494)

* The ApplicationCommunicator testing utility will now return the task result
if it's already completed on send_input and receive_nothing. You may need to
catch (e.g.) the asyncio.exceptions.CancelledError if sending messages to
already finished consumers in your tests. (505)

Update dj-database-url from 2.3.0 to 3.0.1.

Changelog

3.0.1

* Drop dependency on `typing_extensions`.

3.0.0

> Bumping to version 3; changes to code do break some API compatibility.
* Implement a new decorator registry pattern to implement checks on database connection string.
* You can now support and implement your own database strings by extending the register functionality.
* Update supported python versions and django versions.

Update django from 5.2 to 5.2.8.

Changelog

5.2.8
==========================

*November 5, 2025*

Django 5.2.8 fixes one security issue with severity "high", one security issue
with severity "moderate", and several bugs in 5.2.7. It also adds compatibility
with Python 3.14.

CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
======================================================================================================================================

Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
denial-of-service attack via certain inputs with a very large number of Unicode
characters (follow up to :cve:`2025-27556`).

CVE-2025-64459: Potential SQL injection via ``_connector`` keyword argument
===========================================================================

:meth:`.QuerySet.filter`, :meth:`~.QuerySet.exclude`, :meth:`~.QuerySet.get`,
and :class:`~.Q` were subject to SQL injection using a suitably crafted
dictionary, with dictionary expansion, as the ``_connector`` argument.

Bugfixes
========

* Added compatibility for ``oracledb`` 3.4.0 (:ticket:`36646`).

* Fixed a bug in Django 5.2 where ``QuerySet.first()`` and ``QuerySet.last()``
raised an error on querysets performing aggregation that selected all fields
of a composite primary key.

* Fixed a bug in Django 5.2 where proxy models having a ``CompositePrimaryKey``
incorrectly raised a ``models.E042`` system check error.


==========================
5.2.7
==========================

*October 1, 2025*

Django 5.2.7 fixes one security issue with severity "high", one security issue
with severity "low", and one bug in 5.2.6. Also, the latest string translations
from Transifex are incorporated.

CVE-2025-59681: Potential SQL injection in ``QuerySet.annotate()``, ``alias()``, ``aggregate()``, and ``extra()`` on MySQL and MariaDB
======================================================================================================================================

:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.alias`,
:meth:`~.QuerySet.aggregate`, and :meth:`~.QuerySet.extra` methods were subject
to SQL injection in column aliases, using a suitably crafted dictionary, with
dictionary expansion, as the ``**kwargs`` passed to these methods (follow up to
:cve:`2022-28346`).

CVE-2025-59682: Potential partial directory-traversal via ``archive.extract()``
===============================================================================

The ``django.utils.archive.extract()`` function, used by
:option:`startapp --template` and :option:`startproject --template`, allowed
partial directory-traversal via an archive with file paths sharing a common
prefix with the target directory (follow up to :cve:`2021-3281`).

Bugfixes
========

* Fixed a regression in Django 5.2 that reduced the color contrast of
the chosen label of ``filter_horizontal`` and ``filter_vertical`` widgets
within a ``TabularInline`` (:ticket:`36601`).


==========================
5.2.6
==========================

*September 3, 2025*

Django 5.2.6 fixes a security issue with severity "high" and one bug in 5.2.5.

CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
==============================================================================

:class:`.FilteredRelation` was subject to SQL injection in column aliases,
using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.

Bugfixes
========

* Fixed a bug where using ``QuerySet.values()`` or ``values_list()`` with a
``ForeignObject`` composed of multiple fields returned incorrect results
instead of tuples of the referenced fields (:ticket:`36431`).


==========================
5.2.5
==========================

*August 6, 2025*

Django 5.2.5 fixes several bugs in 5.2.4.

Bugfixes
========

* Fixed a regression in Django 5.2.1 that prevented the usage of ``UNNEST``
PostgreSQL strategy of ``QuerySet.bulk_create()`` with foreign keys
(:ticket:`36502`).

* Fixed a crash in Django 5.2 when filtering against a composite primary key
using a tuple containing expressions (:ticket:`36522`).

* Fixed a crash in Django 5.2 when validating a model that uses
``GeneratedField`` or constraints composed of ``Q`` and ``Case`` lookups
(:ticket:`36518`).

* Added compatibility for ``docutils`` 0.22 (:ticket:`36535`).

* Fixed a crash in Django 5.2 when using a ``ManyToManyField`` on a model with
a composite primary key, by extending the ``fields.E347`` system check
(:ticket:`36530`).


==========================
5.2.4
==========================

*July 2, 2025*

Django 5.2.4 fixes several bugs in 5.2.3.

Bugfixes
========

* Fixed a regression in Django 5.2.2 where
:meth:`HttpRequest.get_preferred_type() <django.http.HttpRequest.get_preferred_type>`
incorrectly preferred more specific media types with a lower quality
(:ticket:`36447`).

* Fixed a regression in Django 5.2.3 where ``Value(None, JSONField())`` used in
a :class:`~django.db.models.expressions.When` condition was incorrectly
serialized as SQL ``NULL`` instead of JSON ``null`` (:ticket:`36453`).

* Fixed a crash in Django 5.2 when performing an ``__in`` lookup involving a
composite primary key and a subquery on backends that lack native support for
tuple lookups (:ticket:`36464`).


==========================
5.2.3
==========================

*June 10, 2025*

Django 5.2.3 fixes several bugs in 5.2.2. Also, the latest string translations
from Transifex are incorporated.

Bugfixes
========

* Fixed a log injection possibility by migrating remaining response logging
to ``django.utils.log.log_response()``, which safely escapes arguments such
as the request path to prevent unsafe log output (:cve:`2025-48432`).

* Fixed a regression in Django 5.2 that caused :meth:`.QuerySet.bulk_update` to
incorrectly convert ``None`` to JSON ``null`` instead of SQL ``NULL`` for
``JSONField`` (:ticket:`36419`).

* Fixed a regression in Django 5.2.2 where the ``q`` parameter was removed from
the internal ``django.http.MediaType.params`` property (:ticket:`36446`).


==========================
5.2.2
==========================

*June 4, 2025*

Django 5.2.2 fixes a security issue with severity "low" and several bugs in
5.2.1.

CVE-2025-48432: Potential log injection via unescaped request path
==================================================================

Internal HTTP response logging used ``request.path`` directly, allowing control
characters (e.g. newlines or ANSI escape sequences) to be written unescaped
into logs. This could enable log injection or forgery, letting attackers
manipulate log appearance or structure, especially in logs processed by
external systems or viewed in terminals.

Although this does not directly impact Django's security model, it poses risks
when logs are consumed or interpreted by other tools. To fix this, the internal
``django.utils.log.log_response()`` function now escapes all positional
formatting arguments using a safe encoding.

Bugfixes
========

* Fixed a crash when using ``select_related`` against a ``ForeignObject``
originating from a model with a ``CompositePrimaryKey`` (:ticket:`36373`).

* Fixed a bug in Django 5.2 where subqueries using ``"pk"`` to reference models
with a ``CompositePrimaryKey`` failed to raise ``ValueError`` when too many
or too few columns were selected (:ticket:`36392`).

* Fixed a regression in Django 5.2 that caused a crash when no arguments were
passed into ``QuerySet.union()`` (:ticket:`36388`).

* Fixed a regression in Django 5.2 where subclasses of ``RemoteUserMiddleware``
that had overridden ``process_request()`` were no longer supported
(:ticket:`36390`).

* Fixed a regression in Django 5.2 that caused a crash when using ``OuterRef``
in the ``filter`` argument of an ``Aggregate`` expression (:ticket:`36404`).

* Fixed a regression in Django 5.2 that caused a crash when using ``OuterRef``
in PostgreSQL aggregate functions ``ArrayAgg``, ``StringAgg``, and
``JSONBAgg`` (:ticket:`36405`).

* Fixed a regression in Django 5.2 where admin's ``filter_horizontal`` buttons
lacked ``type="button"``, causing them to intercept form submission when
pressing the Enter key (:ticket:`36423`).

* Fixed a bug in Django 5.2 where calling ``QuerySet.in_bulk()`` with an
``id_list`` argument on models with a ``CompositePrimaryKey`` failed to
observe database parameter limits (:ticket:`36416`).

* Fixed a bug in Django 5.2 where :meth:`HttpRequest.get_preferred_type()
<django.http.HttpRequest.get_preferred_type>` did not account for media type
parameters in ``Accept`` headers, reducing specificity in content negotiation
(:ticket:`36411`).

* Fixed a regression in Django 5.2 that caused a crash when using
``QuerySet.prefetch_related()`` to prefetch a foreign key with a ``Prefetch``
queryset for a subclass of the foreign target (:ticket:`36432`).


==========================
5.2.1
==========================

*May 7, 2025*

Django 5.2.1 fixes a security issue with severity "moderate" and several bugs
in 5.2.

This release was built using an upgraded :pypi:`setuptools`, producing
filenames compliant with :pep:`491` and :pep:`625` and thus addressing a PyPI
warning about non-compliant distribution filenames. This change only affects
the Django packaging process and does not impact Django's behavior.

CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
=================================================================

:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is used to
implement the :tfilter:`striptags` template filter, which was thus also
vulnerable.

:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
exception if it encounters an unusually large number of unclosed opening tags.

Bugfixes
========

* Fixed a regression in Django 5.2 that caused a crash when annotating
aggregate expressions over query that uses explicit grouping by transforms
followed by field references (:ticket:`36292`).

* Fixed a regression in Django 5.2 that caused unnecessary queries when
prefetching nullable foreign key relationships (:ticket:`36290`).

* Fixed a regression in Django 5.2 that caused a crash of
``QuerySet.bulk_create()`` with nullable geometry fields on PostGIS
(:ticket:`36289`).

* Fixed a regression in Django 5.2 that caused fields to be incorrectly
selected when using ``QuerySet.alias()`` after ``values()``
(:ticket:`36299`).

* Fixed a data corruption possibility in ``file_move_safe()`` when
``allow_overwrite=True``, where leftover content from a previously larger
file could remain after overwriting with a smaller one due to lack of
truncation (:ticket:`36298`).

* Fixed a regression in Django 5.2 that caused a crash when using
``QuerySet.select_for_update(of=(…))`` with ``values()/values_list()``
including expressions (:ticket:`36301`).

* Fixed a regression in Django 5.2 that caused improper values to be returned
from ``QuerySet.values_list()`` when duplicate field names were specified
(:ticket:`36288`).

* Fixed a regression in Django 5.2 where the password validation error message
from ``MinimumLengthValidator`` was not translated when using non-English
locales (:ticket:`36314`).

* Fixed a regression in Django 5.2 that caused the ``object-tools`` block to be
rendered twice when using custom admin templates with overridden blocks due
to changes in the base admin page block structure (:ticket:`36331`).

* Fixed a regression in Django 5.2, introduced when fixing :cve:`2025-26699`,
where the :tfilter:`wordwrap` template filter did not preserve empty lines
between paragraphs after wrapping text (:ticket:`36341`).

* Fixed a regression in Django 5.2 that caused a crash when serializing email
alternatives or attachments due to named tuple mismatches (:ticket:`36309`).

* Fixed a regression in Django 5.2 that caused a crash when using ``update()``
on a ``QuerySet`` filtered against a related model and including references
to annotations through ``values()`` (:ticket:`36360`).

* Fixed a bug in Django 5.2 that caused composite primary key introspection to
wrongly identify ``IntegerField`` as ``AutoField`` on SQLite
(:ticket:`36358`).

* Fixed a bug in Django 5.2 that caused a redundant ``unique_together``
constraint to be generated for composite primary keys when using
:djadmin:`inspectdb` (:ticket:`36357`).


Update flake8 from 7.2.0 to 7.3.0.

The bot wasn't able to find a changelog for this release. Got an idea?

Update pillow from 11.2.1 to 12.0.0.

The bot wasn't able to find a changelog for this release. Got an idea?

Update psycopg2-binary from 2.9.10 to 2.9.11.

The bot wasn't able to find a changelog for this release. Got an idea?

Update pycodestyle from 2.13.0 to 2.14.0.

Changelog

2.14.0
-------------------

Changes:

* Add support for python 3.14.  PR 1283.
* Fix false positive for TypeVar defaults with more than one argument.
PR 1286.

Update pyflakes from 3.3.2 to 3.4.0.

Changelog

3.4.0

- Add support for python 3.14
- Add "t-string is missing placeholders" error
- Fix annotation erroneously causing a name to be defined with
``from __future__ import annotations``
- Add support for always-deferred annotations (PEP 749)

Update setuptools from 80.3.1 to 80.9.0.

Changelog

80.9.0
=======

Features
--------

- Set a deadline for the removal of pkg_resources later this year (December). (3085)
- Removed reliance on pkg_resources in test_wheel. (3085)

80.8.0
=======

Features
--------

- Replaced more references to pkg_resources with importlib equivalents in wheel module. (3085)
- Restore explicit LICENSE file. (5001)
- Removed no longer used build dependency on ``coherent.licensed``. (5003)

80.7.1
=======

Bugfixes
--------

- Only attempt to fetch eggs for unsatisfied requirements. (4998)
- In installer, when discovering egg dists, let metadata discovery search each egg. (4998)

80.7.0
=======

Features
--------

- Removed usage of pkg_resources from installer. Set an official deadline on the installer deprecation to 2025-10-31. (4997)


Misc
----

- 4996

80.6.0
=======

Features
--------

- Added a build dependency on coherent.licensed to inject the declared license text at build time. (4981)


Misc
----

- 4995

80.5.0
=======

Features
--------

- Replaced more references to pkg_resources with importlib equivalents. (3085)


Misc
----

- 4982

80.4.0
=======

Features
--------

- Simplified the error reporting in editable installs. (4984)

Update typing-extensions from 4.13.2 to 4.15.0.

Changelog

4.15.0

No user-facing changes since 4.15.0rc1.

4.15.0rc1

- Add the `typing_extensions.disjoint_base` decorator, as specified
in PEP 800. Patch by Jelle Zijlstra.
- Add `typing_extensions.type_repr`, a backport of
[`annotationlib.type_repr`](https://docs.python.org/3.14/library/annotationlib.html#annotationlib.type_repr),
introduced in Python 3.14 (CPython PR [124551](https://github.com/python/cpython/pull/124551),
originally by Jelle Zijlstra). Patch by Semyon Moroz.
- Fix behavior of type params in `typing_extensions.evaluate_forward_ref`. Backport of
CPython PR [137227](https://github.com/python/cpython/pull/137227) by Jelle Zijlstra.

4.14.1

- Fix usage of `typing_extensions.TypedDict` nested inside other types
(e.g., `typing.Type[typing_extensions.TypedDict]`). This is not allowed by the
type system but worked on older versions, so we maintain support.

4.14.0rc1

- Drop support for Python 3.8 (including PyPy-3.8). Patch by [Victorien Plot](https://github.com/Viicos).
- Do not attempt to re-export names that have been removed from `typing`,
anticipating the removal of `typing.no_type_check_decorator` in Python 3.15.
Patch by Jelle Zijlstra.
- Update `typing_extensions.Format`, `typing_extensions.evaluate_forward_ref`, and
`typing_extensions.TypedDict` to align
with changes in Python 3.14. Patches by Jelle Zijlstra.
- Fix tests for Python 3.14 and 3.15. Patches by Jelle Zijlstra.

New features:

- Add support for inline typed dictionaries ([PEP 764](https://peps.python.org/pep-0764/)).
Patch by [Victorien Plot](https://github.com/Viicos).
- Add `typing_extensions.Reader` and `typing_extensions.Writer`. Patch by
Sebastian Rittau.
- Add support for sentinels ([PEP 661](https://peps.python.org/pep-0661/)). Patch by
[Victorien Plot](https://github.com/Viicos).
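The Django 5.2.2 entry above (CVE-2025-48432) describes the fix for log injection through ``request.path``: every positional formatting argument handed to the response logger is escaped before it reaches the log record. The block below is an added illustration of that defensive pattern written for this page; it is not Django's ``log_response()`` and the use of the ``unicode_escape`` codec is this example's choice, not a statement about Django's implementation. The function names (``escape_log_arg``, ``log_response``, ``render_log_line``) and the hostile request path are constructed for the demonstration.

```python
import io
import logging

# Added example, not Django's own code. It shows why escaping positional log
# arguments neutralises log injection: a request path that carries a newline
# and an ANSI colour sequence can no longer start a forged log record or
# recolour a terminal that tails the log.


def escape_log_arg(value):
    """Return a one-line, ASCII-only representation of a log argument.

    Control characters (newline, carriage return, ESC, ...) become backslash
    escapes such as \\n or \\x1b, and non-ASCII text becomes \\uXXXX, so the
    argument cannot break out of the record it is formatted into.
    """
    return str(value).encode("unicode_escape").decode("ascii")


def log_response(logger, message, *args, status_code=200):
    """Format *message* with escaped *args* and log it at a status-derived level.

    Mirrors the shape of a response logger (message template plus positional
    arguments). The security-relevant step is that every positional argument
    passes through escape_log_arg() before formatting.
    """
    if status_code >= 500:
        level = logging.ERROR
    elif status_code >= 400:
        level = logging.WARNING
    else:
        level = logging.INFO
    safe_args = tuple(escape_log_arg(arg) for arg in args)
    logger.log(level, message, *safe_args)
    return message % safe_args


def render_log_line(path, status_code=404):
    """Run one request path through the escaped logger; return the emitted record."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("example.request")
    logger.handlers = [handler]  # replace any handlers from earlier calls
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    log_response(logger, "Not Found: %s", path, status_code=status_code)
    handler.flush()
    return stream.getvalue()


if __name__ == "__main__":
    # Constructed sample input: a path carrying a newline and an ANSI colour
    # sequence, the kind of value the release note describes.
    hostile_path = "/login\n\x1b[31mINFO fake admin login ok\x1b[0m"
    # Escaped, the whole path stays on a single WARNING line and the ESC byte
    # is rendered as the literal text \x1b rather than interpreted.
    print(render_log_line(hostile_path), end="")
```

The check a defender wants here is that the emitted record is exactly one line regardless of what the client sent, which is what ``render_log_line`` makes observable; the same escaping belongs on any other attacker-influenced field that is interpolated into a log template (``Referer``, ``User-Agent``, usernames), not only the path.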

@pyup-bot
Collaborator Author

pyup-bot commented Dec 1, 2025

Closing this in favor of #185

@pyup-bot pyup-bot closed this Dec 1, 2025
@aguiardafa aguiardafa deleted the pyup-scheduled-update-2025-11-24 branch December 1, 2025 15:20