⬆️(dependencies) update python dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
bandit (source, changelog)	==1.7.5 -> ==1.8.6
black (changelog)	==23.9.1 -> ==25.9.0
cssselect	==1.2.0 -> ==1.3.0
django-configurations (source)	==2.4.1 -> ==2.5.1
django-cors-headers (changelog)	==4.2.0 -> ==4.9.0
dockerflow	==2022.8.0 -> ==2024.4.2
factory-boy	==3.3.0 -> ==3.3.3
flake8 (changelog)	==6.1.0 -> ==7.3.0
gunicorn (changelog)	==21.2.0 -> ==23.0.0
ipython	==8.15.0 -> ==9.6.0
isort (changelog)	==5.12.0 -> ==7.0.0
lxml (source, changelog)	==4.9.3 -> ==6.0.2
msgpack (changelog)	==1.0.7 -> ==1.1.2
mysqlclient	==2.2.0 -> ==2.2.7
psycopg2-binary (source, changelog)	==2.9.8 -> ==2.9.11
pylint (changelog)	==2.17.6 -> ==4.0.1
pylint-django	==2.5.3 -> ==2.6.1
pytest (changelog)	==7.4.2 -> ==8.4.2
pytest-cov (changelog)	==4.1.0 -> ==7.0.0
pytest-django (changelog)	==4.5.2 -> ==4.11.1
pytz	==2023.3.post1 -> ==2025.2
responses (changelog)	==0.23.3 -> ==0.25.8
sentry-sdk (changelog)	==1.31.0 -> ==2.42.0
time-machine (changelog)	==2.13.0 -> ==2.19.0
twine	==4.0.2 -> ==6.2.0

---

Release Notes

PyCQA/bandit (bandit)

v1.8.6

Compare Source

What's Changed

• Bump sigstore/cosign-installer from 3.8.2 to 3.9.0 by @​dependabot in #​1279
• Bump docker/setup-buildx-action from 3.10.0 to 3.11.1 by @​dependabot in #​1278
• added hint to FreeBSD package in doc/source/integrations.rst by @​daniel-mohr in #​1282
• Bump sigstore/cosign-installer from 3.9.0 to 3.9.1 by @​dependabot in #​1284
• Huggingface revision pinning by @​lukehinds in #​1281

New Contributors

• @​daniel-mohr made their first contribution in #​1282

Full Changelog: PyCQA/bandit@1.8.5...1.8.6

v1.8.5

Compare Source

What's Changed

• Fix the rendering of the CI/CD doc by @​ericwb in #​1274
• Fix for publish to PyPI failure by @​ericwb in #​1273

Full Changelog: PyCQA/bandit@1.8.4...1.8.5

v1.8.3

Compare Source

What's Changed

• Bump docker/build-push-action from 6.10.0 to 6.11.0 by @​dependabot in #​1220
• Bump docker/build-push-action from 6.11.0 to 6.12.0 by @​dependabot in #​1221
• Bump docker/build-push-action from 6.12.0 to 6.13.0 by @​dependabot in #​1222
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​1229
• Update bug template to include latest released versions by @​ericwb in #​1218
• Add markupsafe.Markup XSS plugin by @​Daverball in #​1225
• Warn not error on an nonexistant test given by @​ericwb in #​1230
• Bump sigstore/cosign-installer from 3.7.0 to 3.8.0 by @​dependabot in #​1233
• Bump docker/setup-buildx-action from 3.8.0 to 3.9.0 by @​dependabot in #​1234
• B107: Skip None values in hardcoded password detection by @​lukehinds in #​1232
• Pytorch fix by @​lukehinds in #​1231

New Contributors

• @​Daverball made their first contribution in #​1225

Full Changelog: PyCQA/bandit@1.8.2...1.8.3

v1.8.2

Compare Source

What's Changed

• Revert "Start testing with 3.14 alphas" by @​ericwb in #​1217

Full Changelog: PyCQA/bandit@1.8.1...1.8.2

v1.8.1

Compare Source

What's Changed

• Bump docker/build-push-action from 6.9.0 to 6.10.0 by @​dependabot in #​1209
• Update the bug template with latest bandit version by @​ericwb in #​1208
• Add Mercedes-Benz to sponsor list by @​ericwb in #​1210
• Bump docker/setup-buildx-action from 3.7.1 to 3.8.0 by @​dependabot in #​1211
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​1213
• Start testing with 3.14 alphas by @​ericwb in #​1189
• Remove lxml (B320 & B410) from blacklist by @​djbrown in #​1212
• Clarify "getting started" docs by @​Flimm in #​963

New Contributors

• @​djbrown made their first contribution in #​1212
• @​Flimm made their first contribution in #​963

Full Changelog: PyCQA/bandit@1.8.0...1.8.1

v1.8.0

Compare Source

What's Changed

• Bump docker/build-push-action from 6.7.0 to 6.9.0 by @​dependabot in #​1178
• Rename doc file to match proper bandit ID by @​ericwb in #​1183
• Removal of Python 3.8 support by @​ericwb in #​1174
• Add more insecure cryptography cipher algorithms by @​ericwb in #​1185
• Bump docker/setup-buildx-action from 3.6.1 to 3.7.1 by @​dependabot in #​1186
• Bump sigstore/cosign-installer from 3.6.0 to 3.7.0 by @​dependabot in #​1187
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​1162
• No need to check httpx client without timeout defined by @​ericwb in #​1177
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​1191
• Mark Python 3.13 as officially supported by @​ericwb in #​1192
• Update project urls with added links by @​ericwb in #​1193
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​1196
• Add a JSON to seek funding from the FLOSS/fund by @​ericwb in #​1194
• Remove Sentry as a sponsor by @​ericwb in #​1198
• Remove more leftover OpenStack references by @​ericwb in #​1195

Full Changelog: PyCQA/bandit@1.7.10...1.8.0

v1.7.10

Compare Source

What's Changed

• Bump docker/build-push-action from 5.4.0 to 6.0.0 by @​dependabot in #​1147
• Suggested small refactors in assignments by @​ericwb in #​1150
• Performance improvement in blacklist function by @​ericwb in #​1148
• Add test for usage of FTP_TLS by @​ericwb in #​1149
• New check: B113: TrojanSource - Bidirectional control characters by @​Lucas-C in #​757
• Bump docker/build-push-action from 6.0.0 to 6.1.0 by @​dependabot in #​1152
• feat(plugins): add support for httpx in B113 by @​mkniewallner in #​1060
• Nit: remove unused variable by @​ericwb in #​1153
• Add recent releases to version choice in bug report by @​ericwb in #​1151
• Bump docker/build-push-action from 6.1.0 to 6.2.0 by @​dependabot in #​1155
• Bump docker/build-push-action from 6.2.0 to 6.3.0 by @​dependabot in #​1157
• Bump docker/setup-buildx-action from 3.3.0 to 3.4.0 by @​dependabot in #​1156
• Bump docker/setup-buildx-action from 3.4.0 to 3.5.0 by @​dependabot in #​1158
• Bump docker/login-action from 3.2.0 to 3.3.0 by @​dependabot in #​1159
• Bump docker/build-push-action from 6.3.0 to 6.5.0 by @​dependabot in #​1160
• Bump docker/setup-buildx-action from 3.5.0 to 3.6.1 by @​dependabot in #​1163
• Bump docker/build-push-action from 6.5.0 to 6.6.1 by @​dependabot in #​1166
• Bump sigstore/cosign-installer from 3.5.0 to 3.6.0 by @​dependabot in #​1165
• Bump docker/build-push-action from 6.6.1 to 6.7.0 by @​dependabot in #​1168
• Use consistent file naming of docs by @​ericwb in #​1170
• Pytorch Load / Save Plugin by @​lukehinds in #​1114

New Contributors

• @​Lucas-C made their first contribution in #​757

Full Changelog: PyCQA/bandit@1.7.9...1.7.10

v1.7.9

Compare Source

What's Changed

• Bump docker/build-push-action from 5.1.0 to 5.2.0 by @​dependabot in #​1117
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​1119
• New logo for Bandit based on raccoon by @​ericwb in #​1121
• Start testing on Python 3.13 by @​ericwb in #​1122
• Bump docker/build-push-action from 5.2.0 to 5.3.0 by @​dependabot in #​1123
• Bump docker/setup-buildx-action from 3.1.0 to 3.2.0 by @​dependabot in #​1124
• Bump docker/login-action from 3.0.0 to 3.1.0 by @​dependabot in #​1125
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​1126
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​1127
• Bump docker/setup-buildx-action from 3.2.0 to 3.3.0 by @​dependabot in #​1130
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​1131
• Bump sigstore/cosign-installer from 3.4.0 to 3.5.0 by @​dependabot in #​1132
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​1133
• Updates banner logo so it renders well in dark mode by @​ericwb in #​1134
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​1135
• Add a sponsor section to README by @​ericwb in #​1137
• Ensure sarif extra is included as part of doc build by @​ericwb in #​1139
• Bump docker/login-action from 3.1.0 to 3.2.0 by @​dependabot in #​1142
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​1143
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​1145
• Guard against empty call argument list by @​ericwb in #​1146
• Bump docker/build-push-action from 5.3.0 to 5.4.0 by @​dependabot in #​1144
• Support configfile in .bandit file by @​bersbersbers in #​1052

New Contributors

• @​pre-commit-ci made their first contribution in #​1119
• @​bersbersbers made their first contribution in #​1052

Full Changelog: PyCQA/bandit@1.7.8...1.7.9

v1.7.8

Compare Source

What's Changed

• Incorrect tag naming in readme by @​lukehinds in #​1105
• Utilize PyPI's trusted publishing by @​ericwb in #​1107
• Bump sigstore/cosign-installer from 3.3.0 to 3.4.0 by @​dependabot in #​1109
• Add 1.7.7 to versions of bug template by @​ericwb in #​1110
• Use datetime to avoid updating copyright year by @​ericwb in #​1112
• filter data is safe for tarfile extractall by @​etienneschalk in #​1111
• Bump docker/setup-buildx-action from 3.0.0 to 3.1.0 by @​dependabot in #​1115
• [B605] Add functions that are vulnerable to shell injection. by @​shihai1991 in #​1116
• Add a SARIF output formatter by @​ericwb in #​1113

New Contributors

• @​etienneschalk made their first contribution in #​1111
• @​shihai1991 made their first contribution in #​1116

Full Changelog: PyCQA/bandit@1.7.7...1.7.8

v1.7.7

Compare Source

What's Changed

• Add the new release to bandit versions of bug template by @​ericwb in #​1075
• Bump actions/setup-python from 4 to 5 by @​dependabot in #​1076
• Handle variant in how policy is passed in paramiko by @​ericwb in #​1078
• Flag str.replace as possible sql injection by @​costaparas in #​1044
• defusedxml: Show correct module name by @​kajinamit in #​1081
• Add tidelift to the sponsor funding list by @​ericwb in #​1089
• Create a security policy by @​ericwb in #​1091
• Fix up issues found running Bandit on itself by @​ericwb in #​1093
• Add random.randbytes to blacklist calls by @​ericwb in #​1096
• Prepend ./ for files specified as CLI args by @​ericwb in #​1094
• Rework GitPython dependency to be an extra for bandit-baseline by @​ericwb in #​1099
• Bump actions/dependency-review-action from 3 to 4 by @​dependabot in #​1101
• Introduce Official Bandit Images by @​lukehinds in #​1088
• Remove markdown formatting in reStructuredText formatted README by @​ericwb in #​1103
• Downsize the org:repo name by @​lukehinds in #​1104

New Contributors

• @​kajinamit made their first contribution in #​1081

Full Changelog: PyCQA/bandit@1.7.6...1.7.7

v1.7.6

Compare Source

What's Changed

• Update bug report to include version 1.7.5 by @​ericwb in #​993
• Render Python 3.10 in drop down correctly by @​ericwb in #​997
• Remove checks for Python2 urllib by @​ericwb in #​999
• Improper detection of non-requests module by @​ericwb in #​1011
• xmlrpclib replaced with xmlrpc in Python3 by @​ericwb in #​1012
• language and linting updates by @​marksmayo in #​1015
• Adds check for crypt module usage as weak hash by @​ericwb in #​1018
• Switch to tox 4 by @​mportesdev in #​1020
• Skip unnecessary pip install commands in the pythonpackage.yml workflow by @​mportesdev in #​1021
• Update versions of used GitHub Actions by @​mportesdev in #​1024
• Update pre-commit hooks by @​mportesdev in #​1026
• Add random.Random to B311 checks by @​shiftinv in #​940
• Add a copy button to all code snippets in docs by @​ericwb in #​1030
• Replace pbr in favor of importlib by @​ericwb in #​1016
• Switch from open collective to PSF by @​ericwb in #​1031
• Make pre-commit run Bandit hook using a single process by @​Klavionik in #​1029
• Remove support for Python 3.7 due to end-of-life by @​ericwb in #​1034
• Update asserts.py documentation by @​deronnax in #​1036
• Simplify wrap_file_object by @​mportesdev in #​1037
• django_rawsql_used: support keyword arguments used in RawSQL by @​kevinmarsh in #​765
• Avoid gitpyhon CVE-2022-24439 by @​carlosduelo in #​1048
• Update blacklist call documentation by @​costaparas in #​1045
• Support ignoring blacklists by name by @​costaparas in #​1046
• Fix dependabot to update github actions by @​ericwb in #​1057
• Bump actions/checkout from 3 to 4 by @​dependabot in #​1058
• Fix for ReadtheDocs build by @​ericwb in #​1061
• fix(plugins/B507): also detect class instances by @​mkniewallner in #​1064
• Use mirror repository for black pre-commit hook by @​mportesdev in #​1070
• Add official support of Python 3.12 by @​ericwb in #​1068
• Fix crash on pyproject.toml without bandit config by @​javajawa in #​1073
• refactor: remove importlib-metadata fallback by @​mkniewallner in #​1066
• Fixes for sphinx build by @​ericwb in #​1063

New Contributors

• @​marksmayo made their first contribution in #​1015
• @​shiftinv made their first contribution in #​940
• @​Klavionik made their first contribution in #​1029
• @​deronnax made their first contribution in #​1036
• @​kevinmarsh made their first contribution in #​765
• @​carlosduelo made their first contribution in #​1048
• @​costaparas made their first contribution in #​1045
• @​dependabot made their first contribution in #​1058
• @​javajawa made their first contribution in #​1073

Full Changelog: PyCQA/bandit@1.7.5...1.7.6

psf/black (black)

v25.9.0

Compare Source

Highlights

• Remove support for pre-python 3.7 await/async as soft keywords/variable names
  (#​4676)

Stable style

• Fix crash while formatting a long del statement containing tuples (#​4628)
• Fix crash while formatting expressions using the walrus operator in complex with
  statements (#​4630)
• Handle # fmt: skip followed by a comment at the end of file (#​4635)
• Fix crash when a tuple appears in the as clause of a with statement (#​4634)
• Fix crash when tuple is used as a context manager inside a with statement (#​4646)
• Fix crash when formatting a \ followed by a \r followed by a comment (#​4663)
• Fix crash on a \\r\n (#​4673)
• Fix crash on await ... (where ... is a literal Ellipsis) (#​4676)
• Fix crash on parenthesized expression inside a type parameter bound (#​4684)
• Fix crash when using line ranges excluding indented single line decorated items
  (#​4670)

Preview style

• Fix a bug where one-liner functions/conditionals marked with # fmt: skip would still
  be formatted (#​4552)
• Improve multiline_string_handling with ternaries and dictionaries (#​4657)
• Fix a bug where string_processing would not split f-strings directly after
  expressions (#​4680)
• Wrap the in clause of comprehensions across lines if necessary (#​4699)
• Remove parentheses around multiple exception types in except and except* without
  as. (#​4720)
• Add \r style newlines to the potential newlines to normalize file newlines both from
  and to (#​4710)

Parser

• Rewrite tokenizer to improve performance and compliance (#​4536)
• Fix bug where certain unusual expressions (e.g., lambdas) were not accepted in type
  parameter bounds and defaults. (#​4602)

Performance

• Avoid using an extra process when running with only one worker (#​4734)

Integrations

• Fix the version check in the vim file to reject Python 3.8 (#​4567)
• Enhance GitHub Action psf/black to read Black version from an additional section in
  pyproject.toml: [project.dependency-groups] (#​4606)
• Build gallery docker image with python3-slim and reduce image size (#​4686)

Documentation

• Add FAQ entry for windows emoji not displaying (#​4714)

v25.1.0

Compare Source

Highlights

This release introduces the new 2025 stable style (#​4558), stabilizing the following
changes:

• Normalize casing of Unicode escape characters in strings to lowercase (#​2916)
• Fix inconsistencies in whether certain strings are detected as docstrings (#​4095)
• Consistently add trailing commas to typed function parameters (#​4164)
• Remove redundant parentheses in if guards for case blocks (#​4214)
• Add parentheses to if clauses in case blocks when the line is too long (#​4269)
• Whitespace before # fmt: skip comments is no longer normalized (#​4146)
• Fix line length computation for certain expressions that involve the power operator
  (#​4154)
• Check if there is a newline before the terminating quotes of a docstring (#​4185)
• Fix type annotation spacing between * and more complex type variable tuple (#​4440)

The following changes were not in any previous release:

• Remove parentheses around sole list items (#​4312)
• Generic function definitions are now formatted more elegantly: parameters are split
  over multiple lines first instead of type parameter definitions (#​4553)

Stable style

• Fix formatting cells in IPython notebooks with magic methods and starting or trailing
  empty lines (#​4484)
• Fix crash when formatting with statements containing tuple generators/unpacking
  (#​4538)

Preview style

• Fix/remove string merging changing f-string quotes on f-strings with internal quotes
  (#​4498)
• Collapse multiple empty lines after an import into one (#​4489)
• Prevent string_processing and wrap_long_dict_values_in_parens from removing
  parentheses around long dictionary values (#​4377)
• Move wrap_long_dict_values_in_parens from the unstable to preview style (#​4561)

Packaging

• Store license identifier inside the License-Expression metadata field, see
  PEP 639. (#​4479)

Performance

• Speed up the is_fstring_start function in Black's tokenizer (#​4541)

Integrations

• If using stdin with --stdin-filename set to a force excluded path, stdin won't be
  formatted. (#​4539)

v24.10.0

Compare Source

Highlights

• Black is now officially tested with Python 3.13 and provides Python 3.13
  mypyc-compiled wheels. (#​4436) (#​4449)
• Black will issue an error when used with Python 3.12.5, due to an upstream memory
  safety issue in Python 3.12.5 that can cause Black's AST safety checks to fail. Please
  use Python 3.12.6 or Python 3.12.4 instead. (#​4447)
• Black no longer supports running with Python 3.8 (#​4452)

Stable style

• Fix crashes involving comments in parenthesised return types or X | Y style unions.
  (#​4453)
• Fix skipping Jupyter cells with unknown %% magic (#​4462)

Preview style

• Fix type annotation spacing between * and more complex type variable tuple (i.e. def fn(*args: *tuple[*Ts, T]) -> None: pass) (#​4440)

Caching

• Fix bug where the cache was shared between runs with and without --unstable (#​4466)

Packaging

• Upgrade version of mypyc used to 1.12 beta (#​4450) (#​4449)
• blackd now requires a newer version of aiohttp. (#​4451)

Output

• Added Python target version information on parse error (#​4378)
• Add information about Black version to internal error messages (#​4457)

v24.8.0

Compare Source

Stable style

• Fix crash when # fmt: off is used before a closing parenthesis or bracket. (#​4363)

Packaging

• Packaging metadata updated: docs are explictly linked, the issue tracker is now also
  linked. This improves the PyPI listing for Black. (#​4345)

Parser

• Fix regression where Black failed to parse a multiline f-string containing another
  multiline string (#​4339)
• Fix regression where Black failed to parse an escaped single quote inside an f-string
  (#​4401)
• Fix bug with Black incorrectly parsing empty lines with a backslash (#​4343)
• Fix bugs with Black's tokenizer not handling \{ inside f-strings very well (#​4422)
• Fix incorrect line numbers in the tokenizer for certain tokens within f-strings
  (#​4423)

Performance

• Improve performance when a large directory is listed in .gitignore (#​4415)

Blackd

• Fix blackd (and all extras installs) for docker container (#​4357)

v24.4.2

Compare Source

This is a bugfix release to fix two regressions in the new f-string parser introduced in
24.4.1.

Parser

• Fix regression where certain complex f-strings failed to parse (#​4332)

Performance

• Fix bad performance on certain complex string literals (#​4331)

v24.4.1

Compare Source

Highlights

• Add support for the new Python 3.12 f-string syntax introduced by PEP 701 (#​3822)

Stable style

• Fix crash involving indented dummy functions containing newlines (#​4318)

Parser

• Add support for type parameter defaults, a new syntactic feature added to Python 3.13
  by PEP 696 (#​4327)

Integrations

• Github Action now works even when git archive is skipped (#​4313)

v24.4.0

Compare Source

Stable style

• Fix unwanted crashes caused by AST equivalency check (#​4290)

Preview style

• if guards in case blocks are now wrapped in parentheses when the line is too long.
  (#​4269)
• Stop moving multiline strings to a new line unless inside brackets (#​4289)

Integrations

• Add a new option use_pyproject to the GitHub Action psf/black. This will read the
  Black version from pyproject.toml. (#​4294)

v24.3.0

Compare Source

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of leading tab
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

• Don't move comments along with delimiters, which could cause crashes (#​4248)
• Strengthen AST safety check to catch more unsafe changes to strings. Previous versions
  of Black would incorrectly format the contents of certain unusual f-strings containing
  nested strings with the same quote type. Now, Black will crash on such strings until
  support for the new f-string syntax is implemented. (#​4270)
• Fix a bug where line-ranges exceeding the last code line would not work as expected
  (#​4273)

Performance

• Fix catastrophic performance on docstrings that contain large numbers of leading tab
  characters. This fixes
  [CVE-2024-21503](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-202

---

Configuration

📅 Schedule: Branch creation - "before 7am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.