Bump the dependencies group in /admin-system/backend with 4 updates

[dependabot]

Bumps the dependencies group in /admin-system/backend with 4 updates: sqlalchemy, flask-cors, werkzeug and pytest.

Updates sqlalchemy from 2.0.29 to 2.0.30

Release notes

Sourced from sqlalchemy's releases.

2.0.30

Released: May 5, 2024

orm

• [orm] [bug] Added new attribute _orm.ORMExecuteState.is_from_statement to detect statements created using _sql.Select.from_statement(), and enhanced FromStatement to set _orm.ORMExecuteState.is_select, _orm.ORMExecuteState.is_insert, _orm.ORMExecuteState.is_update, and _orm.ORMExecuteState.is_delete according to the element that is sent to the _sql.Select.from_statement() method itself.

  References: #11220

• [orm] [bug] Fixed issue in _orm.selectin_polymorphic() loader option where attributes defined with _orm.composite() on a superclass would cause an internal exception on load.

  References: #11291

• [orm] [bug] [regression] Fixed regression from 1.4 where using _orm.defaultload() in conjunction with a non-propagating loader like _orm.contains_eager() would nonetheless propagate the _orm.contains_eager() to a lazy load operation, causing incorrect queries as this option is only intended to come from an original load.

  References: #11292

• [orm] [bug] Fixed issue in ORM Annotated Declarative where typing issue where literals defined using PEP 695 type aliases would not work with inference of Enum datatypes. Pull request courtesy of Alc-Alc.

  References: #11305

• [orm] [bug] Fixed issue in _orm.selectin_polymorphic() loader option where the SELECT emitted would only accommodate for the child-most class among the result rows that were returned, leading intermediary-class attributes to be unloaded if there were no concrete instances of that intermediary-class present in the result. This issue only presented itself for multi-level inheritance hierarchies.

  References: #11327

• [orm] [bug] Fixed issue in _orm.Session.bulk_save_objects() where the form of the identity key produced when using return_defaults=True would be incorrect. This could lead to an errors during pickling as well as identity map mismatches.

... (truncated)

Commits

• See full diff in compare view

Updates flask-cors from 4.0.0 to 4.0.1

Release notes

Sourced from flask-cors's releases.

4.0.1

What's Changed

• Fix Read the Docs builds by @​kurtmckee in corydolphin/flask-cors#345
• Update extension.py to clean request.path before logging it by @​aneshujevic in corydolphin/flask-cors#351
• Update CI to include Python 3.12 and flask 3.0.3 by @​corydolphin in corydolphin/flask-cors#354
• Release 4.0.1 by @​corydolphin in corydolphin/flask-cors#353

New Contributors

• @​kurtmckee made their first contribution in corydolphin/flask-cors#345
• @​aneshujevic made their first contribution in corydolphin/flask-cors#351

Full Changelog: corydolphin/flask-cors@4.0.0...4.0.1

Changelog

Sourced from flask-cors's changelog.

4.0.1

Security

• Address CVE-2024-1681 which is a log injection vulnerability when the log level is set to debug by @​aneshujevic in corydolphin/flask-cors#351

Commits

• 1df178c Release 0.4.1 (#353)
• 5090b4a Update CI to include Python 3.12 and flask 3.0.3 (#354)
• 6172c20 Update extension.py to clean request.path before logging it (#351)
• cadade9 Fix Read the Docs builds (#345)
• See full diff in compare view

Updates werkzeug from 3.0.2 to 3.0.3

Release notes

Sourced from werkzeug's releases.

3.0.3

This is the Werkzeug 3.0.3 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.3/ Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-3 Milestone: https://github.com/pallets/werkzeug/milestone/35?closed=1

• Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. GHSA-2g68-c3qc-8985
• Make reloader more robust when "" is in sys.path. #2823
• Better TLS cert format with adhoc dev certs. #2891
• Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. #2828
• Type annotation for Rule.endpoint and other uses of endpoint is Any. #2836

Changelog

Sourced from werkzeug's changelog.

Version 3.0.3

Released 2024-05-05

• Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. :ghsa:2g68-c3qc-8985

• Make reloader more robust when "" is in sys.path. :pr:2823

• Better TLS cert format with adhoc dev certs. :pr:2891

• Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. :issue:2828

• Type annotation for Rule.endpoint and other uses of endpoint is Any. :issue:2836

• Make reloader more robust when "" is in sys.path. :pr:2823

Commits

• f9995e9 release version 3.0.3
• 3386395 Merge pull request from GHSA-2g68-c3qc-8985
• 890b6b6 only require trusted host for evalex
• 71b69df restrict debugger trusted hosts
• d2d3869 endpoint type is Any (#2895)
• 7080b55 endpoint type is Any
• 7555eff remove iri_to_uri redirect workaround (#2894)
• 97fb2f7 remove _invalid_iri_to_uri workaround
• 249527f make cn field a valid single hostname, and use wildcard in SANs field. (#2892)
• 793be47 update adhoc tls dev cert format
• Additional commits viewable in compare view

Updates pytest from 8.2.0 to 8.2.1

Release notes

Sourced from pytest's releases.

8.2.1

pytest 8.2.1 (2024-05-19)

Improvements

• #12334: Support for Python 3.13 (beta1 at the time of writing).

Bug Fixes

• #12120: Fix [PermissionError]{.title-ref} crashes arising from directories which are not selected on the command-line.
• #12191: Keyboard interrupts and system exits are now properly handled during the test collection.
• #12300: Fixed handling of 'Function not implemented' error under squashfuse_ll, which is a different way to say that the mountpoint is read-only.
• #12308: Fix a regression in pytest 8.2.0 where the permissions of automatically-created .pytest_cache directories became rwx------ instead of the expected rwxr-xr-x.

Trivial/Internal Changes

• #12333: pytest releases are now attested using the recent Artifact Attestation support from GitHub, allowing users to verify the provenance of pytest's sdist and wheel artifacts.

Commits

• 66ff8df Prepare release version 8.2.1
• 3ffcfd1 Merge pull request #12340 from pytest-dev/backport-12334-to-8.2.x
• 0b28313 [8.2.x] Add Python 3.13 (beta) support
• f3dd93a [8.2.x] Attest package provenance (#12335)
• bb5a125 [8.2.x] Spelling (#12331)
• f179bf2 Merge pull request #12327 from pytest-dev/backport-12325-to-8.2.x
• 2b671b5 [8.2.x] cacheprovider: fix .pytest_cache not being world-readable
• 65ab7cb Merge pull request #12324 from pytest-dev/backport-12320-to-8.2.x
• 4d5fb7d Merge pull request #12319 from pytest-dev/backport-12311-to-8.2.x
• cbe5996 [8.2.x] changelog: document unittest 8.2 change as breaking
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[netlify]

✅ Deploy Preview for 3fa canceled.

Name	Link
🔨 Latest commit	105a0f5
🔍 Latest deploy log	https://app.netlify.com/sites/3fa/deploys/665af8d85294f200088b64b7