chore(deps): bump the python-deps group across 1 directory with 5 updates

[dependabot]

Updates the requirements on httpx, pyjwt, bcrypt, alembic and slowapi to permit the latest version.
Updates httpx to 0.28.1

Release notes

Sourced from httpx's releases.

Version 0.28.1

0.28.1 (6th December, 2024)

• Fix SSL case where verify=False together with client side certificates.

Changelog

Sourced from httpx's changelog.

0.28.1 (6th December, 2024)

• Fix SSL case where verify=False together with client side certificates.

0.28.0 (28th November, 2024)

Be aware that the default JSON request bodies now use a more compact representation. This is generally considered a prefered style, tho may require updates to test suites.

The 0.28 release includes a limited set of deprecations...

Deprecations:

We are working towards a simplified SSL configuration API.

For users of the standard verify=True or verify=False cases, or verify=<ssl_context> case this should require no changes. The following cases have been deprecated...

• The verify argument as a string argument is now deprecated and will raise warnings.
• The cert argument is now deprecated and will raise warnings.

Our revised SSL documentation covers how to implement the same behaviour with a more constrained API.

The following changes are also included:

• The deprecated proxies argument has now been removed.
• The deprecated app argument has now been removed.
• JSON request bodies use a compact representation. (#3363)
• Review URL percent escape sets, based on WHATWG spec. (#3371, #3373)
• Ensure certifi and httpcore are only imported if required. (#3377)
• Treat socks5h as a valid proxy scheme. (#3178)
• Cleanup Request() method signature in line with client.request() and httpx.request(). (#3378)
• Bugfix: When passing params={}, always strictly update rather than merge with an existing querystring. (#3364)

0.27.2 (27th August, 2024)

Fixed

• Reintroduced supposedly-private URLTypes shortcut. (#2673)

0.27.1 (27th August, 2024)

Added

• Support for zstd content decoding using the python zstandard package is added. Installable using httpx[zstd]. (#3139)

Fixed

• Improved error messaging for InvalidURL exceptions. (#3250)
• Fix app type signature in ASGITransport. (#3109)

0.27.0 (21st February, 2024)

... (truncated)

Commits

• 26d48e0 Version 0.28.1 (#3445)
• 89599a9 Fix verify=False, cert=... case. (#3442)
• 8ecb86f Add test for request params behavior changes (#3364) (#3440)
• 0cb7e5a Bump the python-packages group with 11 updates (#3434)
• 15e21e9 Updating deprecated docstring Client() class (#3426)
• 80960fa Version 0.28.0. (#3419)
• a33c878 Fix extensions type annotation. (#3380)
• ce7e14d Error on verify as str. (#3418)
• 47f4a96 Handle empty zstd responses (#3412)
• 189fc4b Update CHANGELOG.md, fix typo(s) (#3406)
• Additional commits viewable in compare view

Updates pyjwt to 2.13.0

Release notes

Sourced from pyjwt's releases.

2.13.0

PyJWT 2.13.0 — Security Release

This release bundles five security fixes plus three additional hardening / spec-compliance changes. We recommend all users upgrade.

Security

• GHSA-xgmm-8j9v-c9wx — JWK JSON accepted as HMAC secret (algorithm confusion). HMACAlgorithm.prepare_key previously rejected PEM- and SSH-formatted asymmetric keys but did not catch a JWK passed as a raw JSON string. In a verifier configured with both symmetric and asymmetric algorithms in algorithms=[…] and a raw-JSON JWK as the key, an attacker could forge HS256 tokens using the JWK text as the HMAC secret. The guard has been extended to reject any JWK-shaped JSON. Reported by @​aradona91.

• GHSA-jq35-7prp-9v3f — Algorithm allow-list bypass with PyJWK / PyJWKClient. When verifying with a PyJWK, the caller's algorithms=[…] allow-list was checked against the token header alg as a string only; actual verification used the algorithm bound to the PyJWK. An attacker who controlled a registered JWKS key could sign with one algorithm and advertise another on the header. PyJWT now requires the token header alg to match the PyJWK's algorithm before verification. Reported by @​sushi-gif.

• GHSA-w7vc-732c-9m39 — DoS via base64 decode of unused payload segment when b64=false. For detached-payload JWS (b64=false), the compact-form payload segment was base64-decoded before being discarded in favor of the caller-supplied detached_payload. An attacker could inflate the unused segment to force CPU + memory cost without holding a valid signature. The segment is now required to be empty per RFC 7515 Appendix F, and is no longer decoded. Reported by @​thesmartshadow.

• GHSA-993g-76c3-p5m4 — PyJWKClient accepts non-HTTP(S) URIs. PyJWKClient.fetch_data passed its URI to urllib.request.urlopen, which by default also handles file://, ftp://, and data: schemes. An application that fed an attacker-influenced URI into PyJWKClient could be coerced into reading local files or reaching other unintended schemes. PyJWKClient now rejects any URI whose scheme isn't http or https. Reported by @​KEIJOT.

• GHSA-fhv5-28vv-h8m8 — PyJWKClient cache wiped on fetch error. A finally-block put(jwk_set=None) cleared the JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint outage into application-wide auth failure. The cache write was moved into the success path; transient errors no longer evict valid cached keys. Reported by @​eddieran.

Fixed

• Reject empty HMAC keys outright in HMACAlgorithm.prepare_key with InvalidKeyError instead of accepting them with only a warning. Defends against the os.getenv("JWT_SECRET", "") footgun. Thanks to @​SnailSploit and @​spartan8806 for the reports.
• Forward per-call options (including enforce_minimum_key_length) from PyJWT.decode through to PyJWS._verify_signature. The option was previously silently dropped between the two layers, so it only took effect when set on the PyJWT instance. Thanks to @​WLUB for the report.
• RFC 7797 §3 compliance for b64=false: the encoder now auto-adds "b64" to crit, and the decoder rejects tokens that set b64=false without listing it in crit. Thanks to @​MachineLearning-Nerd for the report.

Changed

• Migrate the dev, docs, and tests package extras to dependency groups, by @​kurtmckee in #1152.

Upgrade notes

Most fixes are invisible to correctly-configured callers. A few behavioral changes you may encounter:

• Empty HMAC keys now raise. If your app passed "" or b"" as a secret (often via a missing env var, e.g. os.getenv("JWT_SECRET", "")), encode/decode will now raise InvalidKeyError. This is the intended behavior — fix the configuration.
• PyJWK decoding now requires the token's alg to match the JWK's algorithm. Previously a mismatch was silently honored if the header alg appeared in the allow-list. Tokens that relied on this mismatch will now fail with InvalidAlgorithmError.
• PyJWKClient now rejects non-HTTP(S) URIs at construction time. Tests or dev environments that fetched JWKS from file:// URIs need to switch to a local HTTP server or load the JWKS by other means (e.g. construct PyJWKSet.from_dict(...) directly).
• b64=false tokens are now strictly RFC 7515 / 7797 compliant. Tokens with a non-empty compact-form payload segment, or that omit "b64" from crit, will be rejected. PyJWT-produced tokens always satisfy both invariants, so round-trips through PyJWT are unaffected.
• enforce_minimum_key_length set per-call now takes effect. Callers who passed options={"enforce_minimum_key_length": True} to jwt.decode() previously got no enforcement; they will now get InvalidKeyError on undersized keys, as documented.

Full changelog: jpadilla/pyjwt@2.12.1...2.13.0

Changelog

Sourced from pyjwt's changelog.

v2.13.0 <https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0>__

Security

- Reject JWK JSON documents passed as raw HMAC secrets in
  ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that
  the existing PEM/SSH guard did not cover. Reported by @aradona91 in
  `GHSA-xgmm-8j9v-c9wx <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx>`__.
- Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during
  verification so the caller's ``algorithms=[...]`` allow-list cannot be
  bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported
  by @sushi-gif in `GHSA-jq35-7prp-9v3f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f>`__.
- Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker-
  influenced URIs cannot read local files or reach unintended schemes via
  urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported
  by @KEIJOT in `GHSA-993g-76c3-p5m4 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4>`__.
- Preserve the cached JWK Set on fetch errors in ``PyJWKClient.fetch_data``.
  The previous ``finally``-block ``put(None)`` pattern cleared the cache
  on any transient outage, turning one bad JWKS request into application-
  wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8>`__.
- Skip the unconditional base64 decode of the compact-form payload segment
  when ``b64=false`` is set in the protected header, and require that
  segment to be empty (RFC 7515 Appendix F detached form). Closes an
  unauthenticated DoS amplifier. Reported by @thesmartshadow in
  `GHSA-w7vc-732c-9m39 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39>`__.
Fixed

- Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with
  ``InvalidKeyError`` instead of accepting them with only a warning.
  Thanks to @SnailSploit and @spartan8806 for independently flagging the
  footgun.
- Forward per-call ``options`` (including ``enforce_minimum_key_length``)
  from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the
  option actually takes effect when set at the call site rather than only
  on the ``PyJWT`` instance. Thanks to @WLUB for the report.
- RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds
  ``&quot;b64&quot;`` to the ``crit`` header parameter, and the decoder rejects
  tokens that set ``b64=false`` without listing it in ``crit``. Thanks to
  @MachineLearning-Nerd for the report.
Changed



Migrate the dev, docs, and tests package extras to dependency groups by @​kurtmckee in [#1152](https://github.com/jpadilla/pyjwt/issues/1152) &lt;https://github.com/jpadilla/pyjwt/pull/1152&gt;__

v2.12.1 &lt;https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1&gt;__
</tr></table>

... (truncated)

Commits

• 7144e45 Apply ruff format
• d2f4bec Restore cast() calls with cross-version type: ignore for prepare_key
• 22f478c Remove redundant casts in RSAAlgorithm.prepare_key and `ECAlgorithm.prepare...
• 95791b1 Bundle security fixes and hardening into 2.13.0
• dcc27a9 [pre-commit.ci] pre-commit autoupdate (#1155)
• 9d08a9a [pre-commit.ci] pre-commit autoupdate (#1146)
• b87c100 Bump codecov/codecov-action from 5 to 6 (#1154)
• 40e3147 Migrate development extras to dependency groups (#1152)
• a4e1a3d Add typing_extensions dependency for Python < 3.11 (#1151)
• bd9700c Use PyJWK algorithm when encoding without explicit algorithm (#1148)
• Additional commits viewable in compare view

Updates bcrypt from 4.0.1 to 5.0.0

Changelog

Sourced from bcrypt's changelog.

5.0.0

• Bumped MSRV to 1.74.
• Added support for Python 3.14 and free-threaded Python 3.14.
• Added support for Windows on ARM.
• Passing hashpw a password longer than 72 bytes now raises a ValueError. Previously the password was silently truncated, following the behavior of the original OpenBSD bcrypt implementation.

4.3.0

• Dropped support for Python 3.7.
• We now support free-threaded Python 3.13.
• We now support PyPy 3.11.
• We now publish wheels for free-threaded Python 3.13, for PyPy 3.11 on manylinux, and for ARMv7l on manylinux.

4.2.1

• Bump Rust dependency versions - this should resolve crashes on Python 3.13 free-threaded builds.
• We no longer build manylinux wheels for PyPy 3.9.

4.2.0

• Bump Rust dependency versions
• Removed the BCRYPT_ALLOW_RUST_163 environment variable.

4.1.3

• Bump Rust dependency versions

4.1.2

• Publish both py37 and py39 wheels. This should resolve some errors relating to initializing a module multiple times per process.

4.1.1

• Fixed the type signature on the kdf method.
• Fixed packaging bug on Windows.
• Fixed incompatibility with passlib package detection assumptions.

... (truncated)

Commits

• 5060bce 5.0.0 release (#1078)
• e43f568 Bump actions/cache from 4.2.4 to 4.3.0 (#1077)
• fc9f680 Bump libc from 0.2.175 to 0.2.176 in /src/_bcrypt (#1075)
• 633f46f Add support for Python 3.14 (#1073)
• a2fefbb Remove pypy310 builds (#1074)
• f60707e Bump wasi from 0.14.5+wasi-0.2.4 to 0.14.7+wasi-0.2.4 in /src/_bcrypt (#1071)
• c790eed Bump unicode-ident from 1.0.18 to 1.0.19 in /src/_bcrypt (#1070)
• 122cbdc Bump target-lexicon from 0.13.2 to 0.13.3 in /src/_bcrypt (#1069)
• 2bd208d Bump wasi from 0.14.4+wasi-0.2.4 to 0.14.5+wasi-0.2.4 in /src/_bcrypt (#1068)
• e1aa9e8 remove poinless cargo cache paths from CI (#1067)
• Additional commits viewable in compare view

Updates alembic to 1.18.4

Release notes

Sourced from alembic's releases.

1.18.4

Released: February 10, 2026

bug

• [bug] [operations] Reverted the behavior of Operations.add_column() that would automatically render the "PRIMARY KEY" keyword inline when a Column with primary_key=True is added. The automatic behavior, added in version 1.18.2, is now opt-in via the new Operations.add_column.inline_primary_key parameter. This change restores the ability to render a PostgreSQL SERIAL column, which is required to be primary_key=True, while not impacting the ability to render a separate primary key constraint. This also provides consistency with the Operations.add_column.inline_references parameter and gives users explicit control over SQL generation.

  To render PRIMARY KEY inline, use the Operations.add_column.inline_primary_key parameter set to True:

  op.add_column( "my_table", Column("id", Integer, primary_key=True), inline_primary_key=True )References: #1232

Commits

• See full diff in compare view

Updates slowapi to 0.1.10

Release notes

Sourced from slowapi's releases.

v0.1.10

What's Changed

• chore: Update warn to warning py3.11 deprecation by @​kevin868 in laurentS/slowapi#200
• feat: allow Requests to be sent to exempt_when by @​colin99d in laurentS/slowapi#160
• ci: drop python 3.7 and 3.8 from CI checks by @​laurentS in laurentS/slowapi#238
• chore: prepare 0.1.10 release by @​ecly in laurentS/slowapi#212

New Contributors

• @​kevin868 made their first contribution in laurentS/slowapi#200
• @​colin99d made their first contribution in laurentS/slowapi#160
• @​ecly made their first contribution in laurentS/slowapi#212

Full Changelog: laurentS/slowapi@v0.1.9...v0.1.10

Changelog

Sourced from slowapi's changelog.

[0.1.10] - 2026-06-13

Changed

• Added: allow usage of the request object in the except_when function (thanks @​colin99d)
• Added more test exemption logic (thanks @​colin99)
• Fix logger warning for Python 3.11 deprecation (thanks @​kevin868)

[0.1.9] - 2024-02-05

Added

• Fix limit_value typehint in limit() function (thanks @​PookieBuns)
• Fix limit_value typehint in shared_limit() function (thanks @​aberlioz)
• Only pass ".env" to starlette Config if ".env" file exists (thanks @​daniellok-db)

[0.1.8] - 2023-04-07

Added

• Loosen restriction on the limits dependency (thanks @​sanders41)
• Fix redis install error (thanks @​sanders41)
• Add Python 3.11 support (thanks @​sanders41)

[0.1.7] - 2022-11-09

Added

• Added ASGI middleware alternative (thanks @​thentgesMindee)
• Added support for custom cost per hit (thanks @​nootr)
• Added key_style parameter to choose between endpoint or url (thanks @​thentgesMindee)

[0.1.6] - 2022-08-20

Added

• Added feature to support providing functions for dynamically defined limits (thanks @​maratsarbasov)
• Added github action to check for unused imports (thanks @​twcurrie)
• Added coverage report in CI (thanks @​karlnewell)
• Added Python 3.10 to CI (thanks @​Reuben Thomas-Davis)

Changed

• Shifted redis to extras, removed test imports of library (thanks @​ME-ON1)
• Upgraded dependencies (thanks @​dependabot, @​Rested, @​laurents)
• Updated documentation and example code (thanks @​Dustyposa, @​laurents, @​nootr)
• Set minimum Python version to 3.6.2 (thanks @​Rested)

Fixed

• Fixed exempt decorator for async routes (thanks @​laurents)
• Handled newly raised exception from parsing library (thanks @​Rested)

... (truncated)

Commits

• 75799a3 Update changelog
• 6f22eab Merge pull request #212 from ecly/release-v0.1.10
• 5e2b9c1 Merge pull request #238 from laurentS/drop-old-python
• a83ec72 Update README
• d1a20b6 Drop python 3.7 and 3.8 from CI checks
• 8bf8b2e Make exempt_when with request backwards compatible
• eaf5ba7 Bump version and update changelog
• a72bcc6 Merge pull request #160 from colin99d/master
• 42330fc Merge branch 'laurentS:master' into master
• 91145c0 Fixed mypy error
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions