Skip to content

Bump the pip-major group across 1 directory with 3 updates#437

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/pip-major-a4c5db7564
Open

Bump the pip-major group across 1 directory with 3 updates#437
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/pip-major-a4c5db7564

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 8, 2026
edited
Loading

Bumps the pip-major group with 3 updates in the / directory: gunicorn, okta and mypy.

Updates gunicorn from 23.0.0 to 26.0.0

Release notes

Sourced from gunicorn's releases.

26.0.0

Breaking Changes

  • Eventlet worker removed: The eventlet worker class has been dropped. Migrate to gevent, gthread, or tornado.

New Features

  • ASGI Framework Compatibility Suite: New end-to-end compatibility test harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep. Current grid passes 438/444 tests (98%).
  • ASGI Test Suite Expansion: 134 additional ASGI unit tests covering protocol semantics, lifespan, websockets, and chunked framing.

Security

  • HTTP/1.1 Request-Target Validation (RFC 9112 sections 3.2.3, 3.2.4):
    • Reject authority-form request-target outside CONNECT
    • Reject asterisk-form request-target outside OPTIONS
    • Reject relative-reference request-targets
  • Header Field Hardening (RFC 9110):
    • Reject control characters in header field-value (section 5.5)
    • Reject forbidden trailer field-names (section 6.5.1)
    • Reject Content-Length list form (RFC 9112 section 6.3)
  • Request Smuggling Hardening:
    • Tighten keepalive gate and scope finish_body byte cap
    • Keep _body_receiver alive across the keepalive smuggling gate so pipelined requests cannot re-enter a closed body
    • Address parser/protocol findings from a six-point WSGI/ASGI audit
  • PROXY Protocol (ASGI): Enforce proxy_allow_ips and tighten v1/v2 parsing in the ASGI callback parser.
  • Connection Draining: Drain the connection on close per RFC 9112 section 9.6 to prevent reset-on-close truncation.

Bug Fixes

  • Body Framing on HEAD/204/304:
    • Keep Content-Length on HEAD and 304 responses (#3621)
    • Drop body framing on HEAD/204/304 even when the framework set it
    • Warn once when an ASGI app emits a body for a no-body response
  • HTTP/2 ASGI:
    • Fix _handle_stream_ended to set _body_complete in the async HTTP/2 handler so request bodies finalize correctly on stream end
    • Add InvalidChunkExtension mapping and fast-parser support in ASGI tests (#3565)
  • HTTP/1.1 100-Continue: Stop adding Transfer-Encoding: chunked to 100-Continue interim responses.
  • WebSocket Close Handshake (RFC 6455):
    • Comply with the close handshake state machine
    • Close the transport after the close handshake completes
    • Fix binary send when the text key is None
  • Early Hints: Validate headers in the early_hints callback to match process_headers; pass only the header name to InvalidHeader (#3588).
  • ASGI Framework Fixes:
    • Fix ASGI disconnect handling for Django-style apps
    • Fix Litestar request handling (use raw ASGI receive for body/headers)
    • Fix Litestar HTTP endpoints for compatibility tests
    • Fix Quart headers endpoint to normalize keys to lowercase
    • Fix Quart WebSocket close test app (missing accept())
    • Fix duplicate Transfer-Encoding header for BlackSheep streaming

... (truncated)

Commits
  • 5d819cf release: 26.0.0
  • b45c70d Merge pull request #3611 from zc-mattcen/docs-typo
  • 99c8d48 Merge pull request #3623 from benoitc/chore/drop-eventlet-add-h2-uvloop-test-...
  • 5a655af Merge pull request #3622 from benoitc/test/docker-port-and-ipv4-fixes
  • 201df19 chore: remove eventlet worker; add h2 and uvloop to test deps
  • f4ac8e1 test: pass action name to dirty client and stabilize after TTOU spam
  • 54d38af test: unblock docker fixtures on macOS hosts
  • 68843c8 Merge pull request #3621 from benoitc/fix/asgi-preserve-content-length-on-hea...
  • 31f2618 Merge pull request #3620 from benoitc/fix/asgi-proxy-protocol-trust-and-parsing
  • 41ec752 fix: keep Content-Length on HEAD and 304 responses
  • Additional commits viewable in compare view

Updates okta from 2.9.8 to 3.4.3

Release notes

Sourced from okta's releases.

v3.4.3

What's Changed

Full Changelog: okta/okta-sdk-python@v3.4.2...v3.4.3

v3.4.2

What's Changed

Full Changelog: okta/okta-sdk-python@v3.4.1...v3.4.2

v3.4.1

What's Changed

Full Changelog: okta/okta-sdk-python@v3.4.0...v3.4.1

v3.4.0

What's Changed

Full Changelog: okta/okta-sdk-python@v3.3.0...v3.4.0

v3.3.0

What's Changed

Full Changelog: okta/okta-sdk-python@v3.2.0...v3.3.0

... (truncated)

Changelog

Sourced from okta's changelog.

3.4.3

Bug Fixes

  • Fixed a deserialization crash in list_applications() that occurred when processing partially configured SAML applications. The SamlApplicationSettingsSignOn schema was updated to remove overly strict required constraints on 10 fields (including audience, idpIssuer, ssoAcsUrl, and recipient), allowing the SDK to successfully parse valid API responses without throwing validation errors (#536).

Security & Dependencies

  • Upgraded package dependencies to resolve flagged Dependabot security alerts (#537, #538).

3.4.2

Security

  • Resolved Dependabot security alerts by upgrading runtime dependencies to their latest secure versions: aenum 3.1.16, aiohttp 3.13.4, pydash 8.0.6, PyJWT 2.12.0, PyYAML 6.0.3, requests 2.33.0, and xmltodict 1.0.2. (#525)
  • Upgraded pytest to 9.0.3 and pytest-asyncio to 1.3.0 to address security and vulnerability concerns. (#527)

Changed

  • Bumped development and testing dependencies: flake8 7.3.0, pyfakefs 5.10.2, pytest-mock 3.15.1, pytest-recording 0.13.4, tox 4.30.3, and twine 6.2.0. (#525)
  • Upgraded GitHub Actions to current major releases: actions/checkout v6 and actions/setup-python v6 to resolve Node.js runtime deprecation warnings. (#525)
  • Updated OpenAPI Generator mustache templates (requirements.mustache, setup.mustache, pyproject.mustache, test-requirements.mustache) to reflect the new dependency versions for consistent future code generation. (#525)

3.4.1

Fixed

  • Fixed Primitive Fallback for oneOf Deserialization in Device Assurance Model.

3.4.0

Added

  • Implemented Demonstrating Proof-of-Possession (DPoP) for OAuth 2.0 (RFC 9449 compliant) to cryptographically bind access tokens to client keys and prevent token theft and replay attacks.
  • Added a thread-safe DPoPProofGenerator class featuring automatic key rotation, nonce management with auto-retry, and access token hash computation.
  • Introduced a new get_oauth_token() method that returns a 3-tuple including token_type.
  • Added support for a new tuple-based file upload format [(field_name, (filename, filedata, mimetype))] for multipart requests.
  • Added Pillow as an optional dependency, allowing users to install it via pip install okta[images].
  • Added the CAA DNS record type to the DNSRecordTypeDomains enum to support custom domain operations returning CAA records.

Changed

  • Maintained backward compatibility for the legacy get_access_token() method, which continues to return a 2-tuple.
  • Replaced bare except clauses with specific exceptions and swapped bypassable assert statements for proper security exceptions.
  • Updated Mustache templates to preserve DPoP configurations in code generation.

Fixed

  • Fixed multipart file upload handling (such as theme image uploads) by removing the manual Content-Type header, which allows aiohttp to automatically set the proper boundary parameters.
  • Removed the minLength: 5 constraint from UserProfile.secondEmail in the OpenAPI spec and Pydantic models to correctly deserialize user profiles with empty string secondary emails.
  • Fixed critical Pydantic validation errors on custom domain API endpoints (create, get, replace, verify, and list) by properly deserializing CAA records.
  • Fixed a bug where the request_executor timeout returned a raw string instead of an Exception.
  • Fixed invalid default parameter usage in cache.get() and restored cache cleanup logic to prevent the reuse of expired tokens.
  • Removed threading.RLock to prevent asyncio deadlocks and consolidated duplicate access token hash computations.
  • Fixed a redundant get_dpop_error_message() call in the oauth module.

3.3.0

... (truncated)

Commits
  • a5908d4 Release v3.4.3
  • 30f7e04 fix: upgrade dependencies to resolve Dependabot security alerts (#543)
  • 4c5e79d fix: remove required constraints from SamlApplicationSettingsSignOn schema (#...
  • 30ef4ee Resolve Dependabot Alerts: Upgrade Dependencies (#534)
  • aef7b0d Release v3.4.2 changes (#528)
  • fd23c7d Fix: Security vulnerability (#527)
  • ad029ba Resolve Dependabot Alerts: Upgrade Dependencies & GitHub Actions (#525)
  • 4a51a31 Release v3.4.1 changes (#524)
  • 1eb3cc9 Fix: Primitive Fallback for oneOf Deserialization in Device Assurance Models ...
  • b4e620f Release v3.4.0 changes (#522)
  • Additional commits viewable in compare view

Updates mypy from 1.13.0 to 2.1.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Mypy 2.1

We’ve just uploaded mypy 2.1.0 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

librt.vecs: Fast Growable Array Type for Mypyc

The new librt.vecs module provides an efficient growable array type vec that is optimized for mypyc use. It provides fast, packed arrays with integer and floating point value types, which can be several times faster than list, and tens of times faster than array.array in code compiled using mypyc. It also supports nested vec objects and non-value-type items, such as vec[vec[str]].

Refer to the documentation for the details.

Contributed by Jukka Lehtosalo.

librt.random: Fast Pseudo-Random Number Generation

The new librt.random module provides fast pseudo-random number generation that is optimized for code compiled using mypyc. It can be 3x to 10x faster than the stdlib random module in compiled code.

Refer to the documentation for the details.

Contributed by Jukka Lehtosalo (PR 21433).

Mypyc Improvements

  • Make compilation order with multiple files consistent (Piotr Sawicki, PR 21419)
  • Fix crash on accessing StopAsyncIteration (Piotr Sawicki, PR 21406)
  • Fix incremental compilation with separate flag (Vaggelis Danias, PR 21299)

Fixes to Crashes

  • Fix crash on partial type with --allow-redefinition and global declaration (Jukka Lehtosalo, PR 21428)
  • Fix broken awaitable generator patching (Ivan Levkivskyi, PR 21435)

Changes to Messages

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels May 8, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/pip-major-a4c5db7564 branch 2 times, most recently from d67dd8a to a5fea47 Compare May 18, 2026 15:52
@dependabot dependabot Bot force-pushed the dependabot/pip/pip-major-a4c5db7564 branch from a5fea47 to de5a356 Compare May 20, 2026 05:26
@dependabot
Bump the pip-major group across 1 directory with 3 updates
5464a60 
Bumps the pip-major group with 3 updates in the / directory: [gunicorn](https://github.com/benoitc/gunicorn), [okta](https://github.com/okta/okta-sdk-python) and [mypy](https://github.com/python/mypy).


Updates `gunicorn` from 23.0.0 to 26.0.0
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](benoitc/gunicorn@23.0.0...26.0.0)

Updates `okta` from 2.9.8 to 3.4.3
- [Release notes](https://github.com/okta/okta-sdk-python/releases)
- [Changelog](https://github.com/okta/okta-sdk-python/blob/master/CHANGELOG.md)
- [Commits](okta/okta-sdk-python@v2.9.8...v3.4.3)

Updates `mypy` from 1.13.0 to 2.1.0
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](python/mypy@v1.13.0...v2.1.0)

---
updated-dependencies:
- dependency-name: gunicorn
  dependency-version: 26.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: pip-major
- dependency-name: mypy
  dependency-version: 2.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: pip-major
- dependency-name: okta
  dependency-version: 3.4.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: pip-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/pip-major-a4c5db7564 branch from de5a356 to 5464a60 Compare May 27, 2026 03:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants