Bump the python-minor-patch group across 1 directory with 17 updates

[dependabot]

Bumps the python-minor-patch group with 17 updates in the / directory:

Package	From	To
sqlalchemy	2.0.43	2.0.50
werkzeug	3.1.3	3.1.8
flask-caching	2.3.1	2.4.0
flask-wtf	1.2.2	1.3.0
authlib	1.6.5	1.7.2
sqlalchemy-utils	0.41.2	0.42.1
requests	2.32.4	2.34.2
wtforms	3.2.1	3.2.2
docxtpl	0.20.1	0.20.2
celery	5.5.3	5.6.3
markupsafe	3.0.2	3.0.3
email-validator	2.2.0	2.3.0
python-dotenv	1.1.1	1.2.2
tox	4.31.0	4.55.1
coverage	7.11.0	7.14.1
pytest-cov	7.0.0	7.1.0
ruff	0.14.1	0.15.16

Updates sqlalchemy from 2.0.43 to 2.0.50

Release notes

Sourced from sqlalchemy's releases.

2.0.50

Released: May 24, 2026

orm

• [orm] [bug] Fixed issue where using _orm.joinedload() with PropComparator.of_type() targeting a joined-table subclass combined with PropComparator.and_() referencing a column on that subclass would generate invalid SQL, where the subclass column was not adapted to the subquery alias. Pull request courtesy Joaquin Hui Gomez.

  References: #13203

• [orm] [bug] Fixed issue where the presence of a SessionEvents.do_orm_execute() event hook would cause internal execution options such as yield_per and loader-specific state from the first orm_pre_session_exec pass to leak into the second pass, leading to errors when using relationship loaders such as selectinload() and immediateload(). The execution options passed to the second compilation pass are now based on the original options plus only the explicit updates made via ORMExecuteState.update_execution_options() within the event hook.

  References: #13301

• [orm] [bug] Fixed issue where using _orm.with_polymorphic() on a leaf class (a subclass with no further descendants) or a non-inherited class would fail with an AttributeError when used in an ORM statement, due to _orm.configure_mappers() not being triggered implicitly. The fix ensures that AliasedInsp participates in the _post_inspect hook, triggering mapper configuration during ORM statement compilation.

  References: #13319

sql

• [sql] [bug] Fixed issue where floor division (//) between a Float or Numeric numerator and an Integer denominator would omit the FLOOR() SQL wrapper on dialects where Dialect.div_is_floordiv is True (the default, including PostgreSQL and SQLite). FLOOR() is now applied if either the denominator or the numerator is a non-integer, so that expressions such as float_col // int_col render as FLOOR(float_col / int_col) instead of the incorrect float_col / int_col. Pull request courtesy r266-tech.

  References: #10528

postgresql

... (truncated)

Commits

• See full diff in compare view

Updates werkzeug from 3.1.3 to 3.1.8

Release notes

Sourced from werkzeug's releases.

3.1.8

This is the Werkzeug 3.1.8 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.8/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-8 Milestone: https://github.com/pallets/werkzeug/milestone/45?closed=1

• Request.host and get_host return the empty string if the header is missing or has invalid characters. #3142

3.1.7

This is the Werkzeug 3.1.7 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.7/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-7 Milestone: https://github.com/pallets/werkzeug/milestone/44?closed=1

• parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. #3128
• WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. #3127
• Transfer-Encoding is parsed as a set. #3134
• Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. #3113
• Fix multipart form parser handling of newline at boundary. #3088
• Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. #3108
• merge_slashes merges any number of consecutive slashes. #3121

3.1.6

This is the Werkzeug 3.1.6 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.6/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-6

• safe_join on Windows does not allow special devices names in multi-segment paths. GHSA-29vq-49wr-vm6x

3.1.5

This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.5/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-5 Milestone: https://github.com/pallets/werkzeug/milestone/43?closed=1

• safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. GHSA-87hc-h4r5-73f7
• The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. #3065 #3077
• Fix AttributeError when initializing DebuggedApplication with pin_security=False. #3075

3.1.4

This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.4/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-4 Milestone: https://github.com/pallets/werkzeug/milestone/42?closed=1

... (truncated)

Changelog

Sourced from werkzeug's changelog.

Version 3.1.8

Released 2026-04-02

• Request.host and get_host return the empty string if the header is missing or has invalid characters. :issue:3142

Version 3.1.7

Released 2026-03-23

• parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. :pr:3128
• WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. :issue:3127
• Transfer-Encoding is parsed as a set. :pr:3134
• Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. :pr:3113
• Fix multipart form parser handling of newline at boundary. :issue:3088
• Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. :issue:3108
• merge_slashes merges any number of consecutive slashes. :issue:3121

Version 3.1.6

Released 2026-02-19

• safe_join on Windows does not allow special devices names in multi-segment paths. :ghsa:29vq-49wr-vm6x
• Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. :issue:3108

Version 3.1.5

Released 2026-01-08

• safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. :ghsa:87hc-h4r5-73f7
• The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. :issue:3065 :issue:3077

... (truncated)

Commits

• c1a26b4 release version 3.1.8
• 7926f0b relax get_host strictness (#3148)
• deab88f relax get_host strictness
• 65eb639 start version 3.1.8
• 7720b76 release version 3.1.7 (#3135)
• 005d93b release version 3.1.7
• c328342 merge any number of slashes (#3136)
• 23142a3 merge any number of slashes
• b913d68 always set accept-ranges header
• f282943 Correct 1049dd6b2a363e1ef302b4161c340fb8582f627a
• Additional commits viewable in compare view

Updates flask-caching from 2.3.1 to 2.4.0

Release notes

Sourced from flask-caching's releases.

2.4.0

https://github.com/pallets-eco/flask-caching/blob/v2.3.1/CHANGES.rst

Changelog

Sourced from flask-caching's changelog.

Version 2.4.0

2026-04-17

• Modernize project setup
• Update intersphinx_mapping for Sphinx 8 compatibility. :pr:599, :issue:598
• Pass CACHE_OPTIONS as kwargs to redis_from_url. :pr:591
• Pass sentinel_kwargs to redis client via CACHE_OPTIONS :pr:626
• Fix response_hit_indication return True always. :pr:579, :pr:596, :issue:595, :issue:570
• Use FORWARDREF annotation format when introspecting decorated functions so that @memoize / @cached work with TYPE_CHECKING-only annotations on Python 3.14. :issue:636

Commits

• 0573dc8 Update lock file
• d48c83d Version 2.4.0
• d9cdc84 Update changelog
• 001ed80 Add tests from #579
• 39e93b5 Fix response_hit_indication header value is true when "found" is false (#596)
• f39ac54 Modernize project setup (#635)
• b1cbcef Merge pull request #591 from foarsitter/redis_url_cache_options
• aa4189e Merge pull request #627 from cjproud/master
• 7e0d46d Merge pull request #599 from musicinmybrain/sphinx8
• 1f6557a Merge pull request #597 from felixhummel/master
• Additional commits viewable in compare view

Updates flask-wtf from 1.2.2 to 1.3.0

Release notes

Sourced from flask-wtf's releases.

v1.3.0

What's Changed

• pre-commit autoupdate by @​azmeuk in pallets-eco/flask-wtf#607
• remove slsa provenance by @​davidism in pallets-eco/flask-wtf#638
• Support for Python 3.14 by @​azmeuk in pallets-eco/flask-wtf#648
• Try not to read uploaded files into memory by @​Zverik in pallets-eco/flask-wtf#635
• Migrate the project to uv by @​azmeuk in pallets-eco/flask-wtf#649
• ReCaptcha field testing mode documentation by @​OmeirP in pallets-eco/flask-wtf#650
• Allow nonce in reCaptcha by @​kesara in pallets-eco/flask-wtf#312
• CSRF meta tag helper by @​azmeuk in pallets-eco/flask-wtf#674
• widget support the kwargs to add custom html attributes by @​thivolle-cazat-cedric in pallets-eco/flask-wtf#353
• Respect exempts in CSRFProtect.protect() by @​rauchy in pallets-eco/flask-wtf#419
• Adding RECAPTCHA_ENABLE to disable recaptcha by @​rnt in pallets-eco/flask-wtf#509
• Improve CSRF Documentation by @​israel-oye in pallets-eco/flask-wtf#584

New Contributors

• @​Zverik made their first contribution in pallets-eco/flask-wtf#635
• @​OmeirP made their first contribution in pallets-eco/flask-wtf#650
• @​kesara made their first contribution in pallets-eco/flask-wtf#312
• @​thivolle-cazat-cedric made their first contribution in pallets-eco/flask-wtf#353
• @​rauchy made their first contribution in pallets-eco/flask-wtf#419
• @​rnt made their first contribution in pallets-eco/flask-wtf#509
• @​israel-oye made their first contribution in pallets-eco/flask-wtf#584

Full Changelog: pallets-eco/flask-wtf@v1.2.2...v1.3.0

Changelog

Sourced from flask-wtf's changelog.

Version 1.3.0

Released 2026-04-23

• Don't read the whole uploaded files to know their size. :pr:635
• Stop support for Python 3.9. Start support for Python 3.14. :pr:648
• Migrate the project to uv. :pr:649
• Allow setting a nonce on :class:~flask_wtf.recaptcha.RecaptchaField (string or zero-argument callable) for nonce-based Content Security Policies. :pr:312
• Add csrf_meta_tag() helper and WTF_CSRF_META_NAME setting to render the CSRF token as an HTML <meta> tag.
• Forward keyword arguments passed to the reCAPTCHA widget as HTML attributes on the captcha <div>, with the field id used as a default id. :pr:353
• Add apply_exemptions parameter to :meth:~flask_wtf.csrf.CSRFProtect.protect so @csrf.exempt keeps working when validation is triggered manually. :pr:419
• Add RECAPTCHA_ENABLED setting. :pr:509

Commits

• 63eb4d3 chore: bump to v1.3.0
• 192ece3 Improve CSRF Documentation (#584)
• 1f8522d Adding RECAPTCHA_ENABLE to disable recaptcha (#509)
• 64b9215 Respect exempts in CSRFProtect.protect() (#419)
• adf674f widget support the kwargs to add custom html attributes (#353)
• ea1f797 feat: CSRF meta tag helper (#674)
• 412e3ef Allow nonce in reCaptcha (#312)
• a7b764a ReCaptcha field testing mode documentation (#650)
• c053c0e chore(deps-dev): bump pytest from 9.0.1 to 9.0.3 (#673)
• ca2216c chore(deps): bump uv from 0.9.11 to 0.11.6 (#672)
• Additional commits viewable in compare view

Updates authlib from 1.6.5 to 1.7.2

Release notes

Sourced from authlib's releases.

v1.7.2

What's Changed

• Fix the readme links by @​azmeuk in authlib/authlib#886
• Allow non-recommended algorithms in ClientSecretJWT and PrivateKey by @​azmeuk in authlib/authlib#887
• Validate BCP47 language tags with a regex by @​azmeuk in authlib/authlib#873
• Fix RFC7523 signing with non RSA keys by @​azmeuk in authlib/authlib#884

Full Changelog: authlib/authlib@v1.7.1...v1.7.2

v1.7.1

What's Changed

• Fix authlib.jose deprecation warning poping from _joserfc_helpers by @​azmeuk in authlib/authlib#881
• Fix redirecting to unvalidated redirect_uri on InvalidScopeError in OpenIDImplicitGrant and OpenIDHybridGrant.

Full Changelog: authlib/authlib@v1.7.0...v1.7.1

v1.7.0

What's Changed

• Authorization and token endpoints request empty scope parameter management by @​azmeuk in authlib/authlib#847
• Support from Python 3.10 to 3.14 by @​azmeuk in authlib/authlib#850
• Allow composition of AuthorizationServerMetadata by @​azmeuk in authlib/authlib#853
• Make require_oauth parenthesis optional by @​azmeuk in authlib/authlib#855
• Fix expires_at behavior when its value is 0 by @​azmeuk in authlib/authlib#854
• Migration to joserfc by @​lepture in authlib/authlib#852
• RP-initiated logout by @​frohrlich in authlib/authlib#849
• Fix get_jwt_config by @​lepture in authlib/authlib#858
• chore(ci): Update PyPy version from 3.10 to 3.11 by @​cclauss in authlib/authlib#863
• fix: remove "none" from default authlib.jose.jwt algorithms by @​lepture in authlib/authlib#860
• fix: normalize resolve_client_public_key method by @​lepture in authlib/authlib#861
• Implement rfc9700 PKCE downgrade countermeasure by @​azmeuk in authlib/authlib#864
• Use correct syntax for tox.requires in tox.ini by @​alex-ball in authlib/authlib#868
• Set client session User-Agent when fetching server metadata and JWKs by @​alex-ball in authlib/authlib#867
• fix: use the real application object for Flask by @​nblock in authlib/authlib#869
• Accept the issuer URL as a valid audience by @​azmeuk in authlib/authlib#865
• Don't nest InvalidTokenError extra attribute by @​azmeuk in authlib/authlib#872
• Documentation overhaul by @​azmeuk in authlib/authlib#875
• Update README.md docs.authlib.org/en/latest => docs.authlib.org/en/stable by @​guillett in authlib/authlib#876
• Merge release/1.6 branch by @​lepture in authlib/authlib#877

New Contributors

• @​frohrlich made their first contribution in authlib/authlib#849
• @​cclauss made their first contribution in authlib/authlib#863
• @​alex-ball made their first contribution in authlib/authlib#868
• @​nblock made their first contribution in authlib/authlib#869
• @​guillett made their first contribution in authlib/authlib#876

Full Changelog: authlib/authlib@v1.6.10...v1.7.0

v1.6.12

... (truncated)

Commits

• a0b76fa chore: bump to 1.7.2
• c85c7f2 Merge pull request #884 from azmeuk/852-rfc7523-key-import
• a3b2add Merge pull request #873 from azmeuk/bcp47
• f2578ea fix: Import RSAKey in auth.py for additional key support
• b57182c fix: fallback support RSAKey when client_secret is text
• 4e75902 Merge branch 'main' into 852-rfc7523-key-import
• 5eb4a86 Merge pull request #887 from azmeuk/883-alg
• 5633f37 fix: allow non-recommended algorithms in ClientSecretJWT and PrivateKeyJWT
• 4c8e7b3 Merge pull request #886 from azmeuk/885-readme
• 23b333e docs: fix the readme links
• Additional commits viewable in compare view

Updates sqlalchemy-utils from 0.41.2 to 0.42.1

Release notes

Sourced from sqlalchemy-utils's releases.

0.42.1

• Fix AttributeError with Sequence defaults in instant_defaults_listener by @​wadinj in kvesteri/sqlalchemy-utils#793

0.42.0

• Drop support for Python 3.7 and 3.8.
• Drop support for sqlalchemy 1.3.
• Add support for Python 3.12 and 3.13.
• Add a Read the Docs configuration file.
• Make documentation builds reproducible.
• Test documentation builds in CI.
• Fix Pendulum parsing of datetime instances with timezones. (#755)
• Migrate package metadata to PEP 621 format in pyproject.toml
• Migrate to ruff <https://docs.astral.sh/ruff/>_ for code linting and formatting, replacing flake8 and isort with a faster Rust-based tool.

Changelog

Sourced from sqlalchemy-utils's changelog.

0.42.1 (2025-12-12) ^^^^^^^^^^^^^^^^^^^

• Fix AttributeError with Sequence defaults in instant_defaults_listener (#793)

0.42.0 (2025-08-30) ^^^^^^^^^^^^^^^^^^^

• Drop support for Python 3.7 and 3.8.
• Drop support for sqlalchemy 1.3.
• Add support for Python 3.12 and 3.13.
• Add a Read the Docs configuration file.
• Make documentation builds reproducible.
• Test documentation builds in CI.
• Fix Pendulum parsing of datetime instances with timezones. (#755)
• Migrate package metadata to PEP 621 format in pyproject.toml
• Migrate to ruff <https://docs.astral.sh/ruff/>_ for code linting and formatting, replacing flake8 and isort with a faster Rust-based tool.

Commits

• ed0cc46 Bump version to 0.42.1
• 11cf519 Bump urllib3 from 2.5.0 to 2.6.0 in /requirements/docs
• 881fed4 Merge pull request #797 from kvesteri/dependabot/github_actions/github-action...
• 81a5f82 Bump actions/checkout from 5 to 6 in the github-actions group
• e8b12f8 Merge pull request #794 from kvesteri/dependabot/github_actions/github-action...
• 19570dc Bump actions/setup-python from 5 to 6 in the github-actions group
• 4a7d764 Fix AttributeError with Sequence defaults in instant_defaults_listener (#...
• 9645938 Fix AttributeError with Sequence defaults in instant_defaults_listener
• e4b9f72 Merge pull request #792 from kvesteri/dependabot/github_actions/github-action...
• 755064d Bump actions/checkout from 4 to 5 in the github-actions group
• Additional commits viewable in compare view

Updates requests from 2.32.4 to 2.34.2

Release notes

Sourced from requests's releases.

v2.34.2

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2342-2026-05-14

v2.34.1

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

New Contributors

• @​k223kim made their first contribution in psf/requests#7433

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2341-2026-05-13

v2.34.0

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The

... (truncated)

Changelog

Sourced from requests's changelog.

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The proxy_bypass implementation has been updated with CPython's fix from bpo-39057. (#7427)
• Requests no longer incorrectly strips duplicate leading slashes in URI paths. This should address user issues with specific presigned URLs. Note the full fix requires urllib3 2.7.0+. (#7315)

... (truncated)

Commits

• 6e83187 v2.34.2
• 84d10f0 Move Request.headers back to Mapping (#7441)
• b7b549b v2.34.1
• e511bc7 Fix mutability issues with headers input types (#7431)
• 5691f59 Update JsonType containers to read-based collections (#7436)
• 2144213 Constrain Response.reason to str (#7437)
• 6404f34 Fix prepare_body stream detection for __getattr__-based file wrappers (#7...
• 0b401c7 v2.34.0
• 86b378d Align Session.get parameters with requests.get (#7429)
• a4f9a59 Port bpo-39057 to Requests (#7427)
• Additional commits viewable in compare view

Updates wtforms from 3.2.1 to 3.2.2

Release notes

Sourced from wtforms's releases.

3.2.2

What's Changed

• remove slsa provenance by @​davidism in pallets-eco/wtforms#879
• fix(validators): Disabled validation with provided formdata by @​subnix in pallets-eco/wtforms#880
• Support Python versions from 3.10 to 3.14 by @​azmeuk in pallets-eco/wtforms#883
• Update FAQ to reflect 3.10+ support by @​kurtmckee in pallets-eco/wtforms#884
• GHA improvements by @​azmeuk in pallets-eco/wtforms#888

New Contributors

• @​subnix made their first contribution in pallets-eco/wtforms#880
• @​kurtmckee made their first contribution in pallets-eco/wtforms#884

Full Changelog: pallets-eco/wtforms@3.2.1...3.2.2

Changelog

Sourced from wtforms's changelog.

Version 3.2.2

Released 2026-05-03

• Fix :class:~validators.Disabled validation with provided formdata. :pr:880
• End support for Python 3.9, start support for Python 3.14. :pr:883
• Add Tamil and Serbian translations.

Commits

• ea57c11 chore: bump to 3.2.2
• 326dd44 chore: pre-commit update
• 414e41c doc: translation instructions and changelog
• 383cd0c Added translation using Weblate (Serbian)
• 40d5718 fix: readthedocs build
• 83a4412 chore: allow downstream tests to raise warnings
• 409edac Merge pull request #888 from azmeuk/gha-downstream
• 69b2e67 chore: pyproject and GHA cleaning
• 0117d4a chore: add GHA downstream tests
• e6b503c Merge pull request #884 from kurtmckee/rm-py39-refs
• Additional commits viewable in compare view

Updates docxtpl from 0.20.1 to 0.20.2

Changelog

Sourced from docxtpl's changelog.

0.20.2 (2025-11-13)

• Fix fix_tables()
• Move docxcompose to optional dependency (Thanks to Waket Zheng)

Commits

• cf5437b Merge pull request #623 from waketzheng/fix-subdoc
• fab696c Fix NameError: name Subdoc is not defined
• f96b0b6 Merge pull request #617 from waketzheng/project-section
• 560b4b3 Use poetry-dynamic-versioning instead of pdm
• e77cbf8 Fix pip install error with --editable
• 7a6ddbc Move docxcompose to optional dependency
• d9bb19c Update setup.py
• See full diff in compare view

Updates celery from 5.5.3 to 5.6.3

Release notes

Sourced from celery's releases.

v5.6.3

What's Changed

• Fix Django worker recursion bug + defensive checks for pool_cls.module by @​maycuatroi1 in celery/celery#10048
• Docs: Update user_preload_options example to use click. by @​jorsyk in celery/celery#10056
• Fix invalid configuration key "bootstrap_servers" in Kafka demo by @​jorsyk in celery/celery#10060
• Fix broken images on PyPI page by @​Timour-Ilyas in celery/celery#10066
• Remove broken reference. by @​sueannioanis in celery/celery#10071
• Removed --dist=loadscope from smoke tests by @​Nusnus in celery/celery#10073
• Docs: Clarify task_retry signal args may be None by @​GangEunzzang in celery/celery#10076
• Update example for Django by @​sbc-khacnha in celery/celery#10081
• Make tests compatible with pymongo >= 4.16 by @​cjwatson in celery/celery#10074
• fix: source install of cassandra-driver by @​Izzette in celery/celery#10105
• fix: register task cross-reference role in Sphinx extension by @​veeceey in celery/celery#10100
• fix: avoid cycle detection in native delayed delivery by @​Izzette in celery/celery#10095
• fix(asynpool): avoid AttributeError when proc lacks _sentinel_poll by @​mriddle in celery/celery#10086
• fix dusk_astronomical horizon sign (+18 -> -18) by @​Mr-Neutr0n in celery/celery#10121
• Fix/10106 onupdate col use lambda func by @​ChickenBenny in celery/celery#10108
• Fix warm shutdown RuntimeError with eventlet>=0.37.0 (#10083) by @​ChickenBenny in celery/celery#10123
• Fix 10109 db backend connection health by @​ChickenBenny in celery/celery#10124
• Database Backend filter unsupport sql engine arguments with nullpool #7355 by @​ChickenBenny in celery/celery#10134
• fix(beat): correct argument order in Service.reduce by @​bysiber in celery/celery#10137
• ci: declare explicit read-only token permissions in workflow jobs by @​Rohan5commit in celery/celery#10139
• chore: 'boto3to' to 'boto3 to' by @​cuiweixie in celery/celery#10133
• Database Backend: Add missing index on date_done (Fixes #10097) by @​ChickenBenny in celery/celery#10098
• docs: fix typo in CONTRIBUTING.rst by @​Rohan5commit in celery/celery#10141
• Refer to Flower / Prometheus for monitoring by @​WilliamDEdwards in celery/celery#10140
• docs: remove duplicated words in broker and routing docs by @​Rohan5commit in celery/celery#10146
• docs: fix stale version reference and grammar in README by @​kelsonbrito50 in celery/celery#10145
• docs: fix wording in Celery 5.3 worker pool notes by @​Rohan5commit in celery/celery#10149
• docs: fix duplicated wording in 3.1 changelog entry by @​Rohan5commit in celery/celery#10152
• docs: fix changelog typo in context manager wording by @​Rohan5commit in celery/celery#10144
• Fix/10096 worker fails to reconnect after redis failover by