chore(deps): bump the pip group across 1 directory with 5 updates #78

Merged: paksaitsolutions merged 1 commit into master from dependabot/pip/pip-5234369659 on Jun 5, 2026

dependabot (bot, Contributor) commented on behalf of github on May 8, 2026

Bumps the pip group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| python-multipart | 0.0.20 | 0.0.27 |
| requests | 2.32.5 | 2.33.0 |
| marshmallow | 4.0.1 | 4.1.2 |
| python-dotenv | 1.0.0 | 1.2.2 |
| weasyprint | 60.2 | 68.0 |

Updates python-multipart from 0.0.20 to 0.0.27

Release notes

Sourced from python-multipart's releases.

0.0.27

What's Changed

Full Changelog: Kludex/python-multipart@0.0.26...0.0.27

Version 0.0.26

What's Changed

Full Changelog: Kludex/python-multipart@0.0.25...0.0.26

Version 0.0.25

What's Changed

Full Changelog: Kludex/python-multipart@0.0.24...0.0.25

Version 0.0.24

What's Changed

Full Changelog: Kludex/python-multipart@0.0.23...0.0.24

Version 0.0.23

What's Changed

New Contributors

Full Changelog: Kludex/python-multipart@0.0.22...0.0.23

Version 0.0.22

What's Changed

... (truncated)

Changelog

Sourced from python-multipart's changelog.

0.0.27 (2026-04-27)

  • Add multipart header limits #267.
  • Pass parse offsets via constructors #268.

0.0.26 (2026-04-10)

  • Skip preamble before the first multipart boundary more efficiently #262.
  • Silently discard epilogue data after the closing multipart boundary #259.

0.0.25 (2026-04-10)

  • Add MIME content type info to File #143.
  • Handle CTE values case-insensitively #258.
  • Remove custom FormParser classes #257.
  • Add UPLOAD_DELETE_TMP to FormParser config #254.
  • Emit field_end for trailing bare field names on finalize #230.
  • Handle multipart headers case-insensitively #252.
  • Apply Apache-2.0 properly #247.

0.0.24 (2026-04-05)

  • Validate chunk_size in parse_form() #244.

0.0.23 (2026-04-05)

  • Remove unused trust_x_headers parameter and X-File-Name fallback #196.
  • Return processed length from QuerystringParser._internal_write #229.
  • Cleanup metadata dunders from __init__.py #227.

0.0.22 (2026-01-25)

  • Drop directory path from filename in File 9433f4b.

0.0.21 (2025-12-17)

  • Add support for Python 3.14 and drop EOL 3.8 and 3.9 #216.
Commits

Updates requests from 2.32.5 to 2.33.0

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.
Commits
  • bc04dfd v2.33.0
  • 66d21cb Merge commit from fork
  • 8b9bc8f Move badges to top of README (#7293)
  • e331a28 Remove unused extraction call (#7292)
  • 753fd08 docs: fix FAQ grammar in httplib2 example
  • 774a0b8 docs(socks): same block as other sections
  • 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
  • ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
  • 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
  • d568f47 docs: clarify Quickstart POST example (#6960)
  • Additional commits viewable in compare view

Updates marshmallow from 4.0.1 to 4.1.2

Changelog

Sourced from marshmallow's changelog.

4.1.2 (2025-12-19)

Bug fixes:

  • CVE-2025-68480: Merge error store messages without rebuilding collections. Thanks 카푸치노 for reporting and @deckar01 for the fix.

4.1.1 (2025-11-05)

Bug fixes:

  • Ensure URL validator is case-insensitive when using custom schemes (#2874). Thanks @T90REAL for the PR.

4.1.0 (2025-11-01)

Other changes:

  • Add __len__ implementation to missing so that it can be used with validate.Length (#2861). Thanks @agentgodzilla for the PR.
  • Drop support for Python 3.9 (#2363).
  • Test against Python 3.14 (#2864).
Commits
  • 692e79d Merge pull request #2876 from marshmallow-code/delint
  • 045c5f6 [pre-commit.ci] auto fixes from pre-commit.com hooks
  • 94c4d98 Delint
  • d24a0c9 Merge commit from fork
  • 1682640 Bump version and update changelog
  • 36f8787 Only deep copy error message collections
  • 70141f4 Add test coverage for error message modification
  • 218d98a Merge error store messages without rebuilding collections
  • 80f1110 Bump version and update changelog
  • 10fe10b Merge pull request #2874 from T90REAL/fix_case_sensitivity
  • Additional commits viewable in compare view

Updates python-dotenv from 1.0.0 to 1.2.2

Release notes

Sourced from python-dotenv's releases.

v1.2.2

Added

  • Support for Python 3.14, including the free-threaded (3.14t) build. (#)

Changed

  • The dotenv run command now forwards flags directly to the specified command by @​bbc2 in theskumar/python-dotenv#607
  • Improved documentation clarity regarding override behavior and the reference page.
  • Updated PyPy support to version 3.11.
  • Documentation for FIFO file support.
  • Support for Python 3.9.

Fixed

Breaking Changes

  • dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

  • In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

  • dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: the original mode of the file is now preserved. If the file needed to be created or wasn't a regular file, mode 0o600 is used.

Misc

New Contributors

Full Changelog: theskumar/python-dotenv@v1.2.1...v1.2.2

v1.2.1

What's Changed

... (truncated)

Changelog

Sourced from python-dotenv's changelog.

[1.2.2] - 2026-03-01

Added

  • Support for Python 3.14, including the free-threaded (3.14t) build. (#588)

Changed

  • The dotenv run command now forwards flags directly to the specified command by [@​bbc2] in #607
  • Improved documentation clarity regarding override behavior and the reference page.
  • Updated PyPy support to version 3.11.
  • Documentation for FIFO file support.
  • Dropped Support for Python 3.9.

Fixed

  • Improved set_key and unset_key behavior when interacting with symlinks by [@​bbc2] in [790c5c0]
  • Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by [@​JYOuyang] in #590

Breaking Changes

  • dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

  • In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

  • dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: the original mode of the file is now preserved. If the file needed to be created or wasn't a regular file, mode 0o600 is used.

[1.2.1] - 2025-10-26

  • Move more config to pyproject.toml, removed setup.cfg
  • Add support for reading .env from FIFOs (Unix) by [@​sidharth-sudhir] in #586

[1.2.0] - 2025-10-26

[1.1.1] - 2025-06-24

Fixed

... (truncated)

Commits

Updates weasyprint from 60.2 to 68.0

Release notes

Sourced from weasyprint's releases.

v68.0

This is a security update (CVE-2025-68616).

We strongly recommend upgrading WeasyPrint to the latest version if you use the default_url_fetcher function in your custom URL fetcher, or if you use the allowed_protocols parameter of the default_url_fetcher function.

Read about this release on our blog.

Security

  • Always use URL fetcher for HTTP redirects

Python API

  • default_url_fetcher() is deprecated, use the new URLFetcher class instead, see URL Fetchers for more information about URL fetchers
  • DocumentMetadata.generate_rdf_metadata is now a method that can be overridden instead of a parameter, see Factur-X / ZUGFeRD (Electronic Invoices) for examples to create e-invoices

Features

  • #2609, #2603, #351: Refactor URL fetcher API
  • #2632: Support legacy 0 value for angles
  • #2627: Add font-face support to SVG
  • #2646, #2255: Add font shorthand support for SVG text elements
  • #2590, #1749: Honor language-specific rules for text-transform
  • #2645, #2613: Improve SVG and SVG emojis rendering
  • #2658, #2583: Add CLI for Factur-X / ZUGFeRD e-invoices

Bug fixes

  • #2649: Refactor URL fetcher API
  • #2643, #2628: Handle box-sizing: border-box in grid layout
  • #2641, #1875: Process whitespace after checking all pending targets
  • #2488, #2485: Preserve page groups during layout repagination
  • #2642, #2631: Don’t use isolated transparency groups
  • #2637: Fix repeating radial gradients rendering
  • #2622: Fix validation of colors
  • #2626: Share grid items rendering advancement between a box and its copies
  • #2621: Correctly handle fallback values of attr()
  • #2619: Fix SVG fonts
  • #2629: Always define extra skip height that may be used after
  • #2648: Fix numbers validation in font-feature-settings
  • #2648: Fix keyword values for text-decoration-thickness
  • #2661: Respect inline images when defining minimum table width

Documentation

  • #2638: Update Python command for Windows installation steps

Contributors

  • Guillaume Ayoub

... (truncated)

Changelog

Sourced from weasyprint's changelog.

Version 68.0

Released on 2026-01-19.

This is a security update (CVE-2025-68616).

We strongly recommend upgrading WeasyPrint to the latest version if you use the default_url_fetcher function in your custom URL fetcher, or if you use the allowed_protocols parameter of the default_url_fetcher function.

Security:

  • Always use URL fetcher for HTTP redirects

Python API:

  • default_url_fetcher() is deprecated, use the new URLFetcher class instead, see URL Fetchers for more information about URL fetchers
  • DocumentMetadata.generate_rdf_metadata is now a method that can be overridden instead of a parameter, see Factur-X / ZUGFeRD (Electronic Invoices) for examples to create e-invoices

Features:

  • #2609, #2603, #351: Refactor URL fetcher API
  • #2632: Support legacy 0 value for angles
  • #2627: Add font-face support to SVG
  • #2646, #2255: Add font shorthand support for SVG text elements
  • #2590, #1749: Honor language-specific rules for text-transform
  • #2645, #2613: Improve SVG and SVG emojis rendering
  • #2658, #2583: Add CLI for Factur-X / ZUGFeRD e-invoices

Bug fixes:

  • #2649: Refactor URL fetcher API

... (truncated)

Commits
  • e9352be Version 68.0
  • b6a14f0 Merge remote-tracking branch 'security/filter-redirections'
  • 1140eba Update changelog for version 68.0
  • 52c02a6 Update changelog
  • de248a5 Merge pull request #2645 from Kozea/faster-svg-emojis
  • fb046b2 Merge pull request #2658 from Kozea/factur-x-cli
  • 8c899a9 Follow parent’s white-space value when breaking before replaced box
  • afe532b Fix default media type CLI value
  • 9546e6e Update changelog
  • 1d012f3 Fix keyword values for text-decoration-thickness
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



Bumps the pip group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [python-multipart](https://github.com/Kludex/python-multipart) | `0.0.20` | `0.0.27` |
| [requests](https://github.com/psf/requests) | `2.32.5` | `2.33.0` |
| [marshmallow](https://github.com/marshmallow-code/marshmallow) | `4.0.1` | `4.1.2` |
| [python-dotenv](https://github.com/theskumar/python-dotenv) | `1.0.0` | `1.2.2` |
| [weasyprint](https://github.com/Kozea/WeasyPrint) | `60.2` | `68.0` |



Updates `python-multipart` from 0.0.20 to 0.0.27
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.20...0.0.27)

Updates `requests` from 2.32.5 to 2.33.0
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.5...v2.33.0)

Updates `marshmallow` from 4.0.1 to 4.1.2
- [Changelog](https://github.com/marshmallow-code/marshmallow/blob/dev/CHANGELOG.rst)
- [Commits](marshmallow-code/marshmallow@4.0.1...4.1.2)

Updates `python-dotenv` from 1.0.0 to 1.2.2
- [Release notes](https://github.com/theskumar/python-dotenv/releases)
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md)
- [Commits](theskumar/python-dotenv@v1.0.0...v1.2.2)

Updates `weasyprint` from 60.2 to 68.0
- [Release notes](https://github.com/Kozea/WeasyPrint/releases)
- [Changelog](https://github.com/Kozea/WeasyPrint/blob/main/docs/changelog.rst)
- [Commits](Kozea/WeasyPrint@v60.2...v68.0)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.27
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: marshmallow
  dependency-version: 4.1.2
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: weasyprint
  dependency-version: '68.0'
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot (bot) added the dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) labels on May 8, 2026
@paksaitsolutions paksaitsolutions merged commit 1740dd2 into master Jun 5, 2026
2 of 12 checks passed
@paksaitsolutions paksaitsolutions deleted the dependabot/pip/pip-5234369659 branch June 5, 2026 13:23
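
The release notes quoted in this PR scope each fix or breaking change to specific call sites (requests.utils.extract_zipped_paths, dotenv.set_key and unset_key, WeasyPrint's default_url_fetcher and its allowed_protocols parameter, python-multipart's removed trust_x_headers parameter). The following is an added example, not code from this PR or from any of the bumped projects: a triage script that uses Python's ast module to find those names in application source. The function names find_affected_uses and affected_packages and the sample source are constructed for illustration.

```python
import ast

# API names are those named in the release notes quoted in this PR.
# Matching is by bare name, so an unrelated method that happens to be
# called set_key is also reported: treat hits as leads to review.
WATCHED_NAMES = {
    "extract_zipped_paths": "requests",     # CVE-2026-25645 (2.33.0)
    "set_key": "python-dotenv",             # symlink / file-mode change (1.2.2)
    "unset_key": "python-dotenv",
    "default_url_fetcher": "WeasyPrint",    # CVE-2025-68616, deprecated (68.0)
}
WATCHED_KEYWORDS = {
    "allowed_protocols": "WeasyPrint",      # CVE-2025-68616 (68.0)
    "trust_x_headers": "python-multipart",  # parameter removed (0.0.23)
}

# Constructed sample application source (not from the repository in this PR).
SAMPLE = '''\
import requests
from dotenv import set_key
from weasyprint import HTML, default_url_fetcher

def fetcher(url):
    return default_url_fetcher(url, allowed_protocols=["https"])

def rotate(path, token):
    set_key(path, "API_TOKEN", token)

resp = requests.get("https://example.invalid/health")
'''

def find_affected_uses(source, filename="<string>"):
    """Return sorted (line, name, package) tuples for watched API uses."""
    hits = set()
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.ImportFrom):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.Attribute):
            names = [node.attr]
        elif isinstance(node, ast.Name):
            names = [node.id]
        else:
            names = []
        for name in names:
            if name in WATCHED_NAMES:
                hits.add((node.lineno, name, WATCHED_NAMES[name]))
        if isinstance(node, ast.Call):
            for kw in node.keywords:  # kw.arg is None for **kwargs
                if kw.arg in WATCHED_KEYWORDS:
                    hits.add((node.lineno, kw.arg, WATCHED_KEYWORDS[kw.arg]))
    return sorted(hits)

def affected_packages(source):
    """Packages whose release notes need a manual read for this source."""
    return sorted({pkg for _, _, pkg in find_affected_uses(source)})

if __name__ == "__main__":
    for line, name, pkg in find_affected_uses(SAMPLE):
        print(f"line {line}: {name} -> review against {pkg} release notes")
```

An import under an alias (from dotenv import set_key as sk) is reported at the import line only, so follow the alias by hand from there.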