Bump the pip group across 1 directory with 4 updates

[dependabot]

Bumps the pip group with 4 updates in the / directory: flask-cors, python-socketio, sentry-sdk and marshmallow.

Updates flask-cors from 4.0.0 to 6.0.0

Release notes

Sourced from flask-cors's releases.

6.0.0

Breaking

Path specificity ordering has changed to improve specificity. This may break users who expected the previous incorrect ordering.

• [CVE-2024-6839] Sort Paths by Regex Specificity by @​adrianosela in corydolphin/flask-cors#391
• [CVE-2024-6844] Replace use of (urllib) unquote_plus with unquote by @​adrianosela in corydolphin/flask-cors#389

What's Changed

• [CVE-2024-6866] Case Sensitive Request Path Matching by @​adrianosela in corydolphin/flask-cors#390

Full Changelog: corydolphin/flask-cors@5.0.1...6.0.0

5.0.1

What's Changed

This primarily changes packaging to use uv and a new release pipeline, along with some small documentation improvements

• [Docs] Fix links to documentation by @​coren-frankel in corydolphin/flask-cors#369
• Fix minor typos by @​kkirsche in corydolphin/flask-cors#371
• Migrate packaging and environment management to use uv by @​corydolphin in corydolphin/flask-cors#377
• Fix release pipeline by @​corydolphin in corydolphin/flask-cors#378
• Always use trusted publishing by @​corydolphin in corydolphin/flask-cors#379
• Workaround license publishing issue by @​corydolphin in corydolphin/flask-cors#380
• Fix packaging: missing source files by @​corydolphin in corydolphin/flask-cors#381

New Contributors

• @​coren-frankel made their first contribution in corydolphin/flask-cors#369
• @​kkirsche made their first contribution in corydolphin/flask-cors#371

Full Changelog: corydolphin/flask-cors@5.0.0...5.0.01

5.0.0

What's Changed

• Breaking: Change default to disable private network access by @​corydolphin in corydolphin/flask-cors#368 This effectively resolves GHSA-hxwh-jpp2-84pm https://osv.dev/vulnerability/PYSEC-2024-71

Full Changelog: corydolphin/flask-cors@4.0.2...5.0.0

4.0.2

What's Changed

• Bump requests from 2.31.0 to 2.32.0 in /docs by @​dependabot in corydolphin/flask-cors#358
• Backwards Compatible Fix for CVE-2024-6221 by @​adrianosela in corydolphin/flask-cors#363
• Add unit tests for Private-Network by @​corydolphin in corydolphin/flask-cors#367

New Contributors

• @​dependabot made their first contribution in corydolphin/flask-cors#358
• @​adrianosela made their first contribution in corydolphin/flask-cors#363

Full Changelog: corydolphin/flask-cors@4.0.1...4.0.2

... (truncated)

Changelog

Sourced from flask-cors's changelog.

Change Log

4.0.1

Security

• Address CVE-2024-1681 which is a log injection vulnerability when the log level is set to debug by @​aneshujevic in corydolphin/flask-cors#351

Commits

• 35d8753 [CVE-2024-6844] Replace use of (urllib) unquote_plus with unquote for paths (...
• e970988 [CVE-2024-6839] Sort Paths by Regex Specificity (#391)
• eb39516 [CVE-2024-6866] Case Sensitive Request Path Matching (#390)
• 5da9be4 Fix packaging: missing source files (#381)
• 65a5132 Workaround license publishing issue (#380)
• 7127e7e Always use trusted publishing (#379)
• 01e2e68 Fix release pipeline (#378)
• ade65a1 Major Packaging Refactor: migrate to uv (#377)
• eb44bff fix: typos (#371)
• 1225e78 replace documentation links in README (#369)
• Additional commits viewable in compare view

Updates python-socketio from 5.9.0 to 5.14.0

Release notes

Sourced from python-socketio's releases.

Release 5.14.0

See CHANGES.md for release notes.

Release 5.13.0

See CHANGES.md for release notes.

Release 5.12.1

See CHANGES.md for release notes.

Release 5.12.0

See CHANGES.md for release notes.

Release 5.11.4

See CHANGES.md for release notes.

Release 5.11.3

See CHANGES.md for release notes.

Release 5.11.2

See CHANGES.md for release notes.

Release 5.11.1

See CHANGES.md for release notes.

Release 5.11.0

See CHANGES.md for release notes.

Release 5.10.0

See CHANGES.md for release notes.

Changelog

Sourced from python-socketio's changelog.

python-socketio change log

Release 5.16.1 - 2026-02-06

• Use configured JSON module in managers #1549 (commit)
• Admin UI fixes: remove duplicate tasks, report transport upgrades (commit)
• Switch to Furo documentation template (commit)
• Add Python free-threading to CI #1554 (commit)

Release 5.16.0 - 2025-12-24

• Address deprecation warnings (commit)
• Drop Python 3.8 and 3.9 from CI builds (commit)

Release 5.15.1 - 2025-12-16

• Restore support multiple arguments via pubsub emits #1540 (commit)

Release 5.15.0 - 2025-11-22

• Retry initial Redis connection #1534 ([commit #1](miguelgrinberg/python-socketio@1e903e1) [commit #2](miguelgrinberg/python-socketio@5e898a9))
• Correctly regenerate RabbitMQ binding after a connection failure #1516 (commit) (thanks Gritty_dev!)
• Support ext_type in the MsgPackPacket class #1521 (commit)
• Support sending bytesarrays when using pub/sub managers (commit)
• Fix typos in documentation #1520 (commit) (thanks Lê Nam Khánh!)
• Improvements to the logging documentation (commit)

Release 5.14.3 - 2025-10-29

• Support Python's native ConnectionRefusedError exception to reject a connection #1515 (commit)
• Push binary data to the aiopika client manager #1514 (commit)

Release 5.14.2 - 2025-10-15

• Restore binary message support in message queue setups #1509 (commit)
• Fix formatting of client connection error #1507 (commit)
• Add 3.14 and pypy-3.11 CI tasks (commit)
• Improve documentation of the BaseManager.get_participants() method (commit)

Release 5.14.1 - 2025-10-02

• Restore support for rediss:// URLs, and add support for valkeys:// as well (commit)
• Add support for Redis connections using unix sockets #1503 (commit) (thanks Darren Chang!)

Release 5.14.0 - 2025-09-30

• Replace pickle with json in message queue communications #1502 (commit)
• Add support for Valkey in the Redis client managers #1488 (commit) (thanks phi-friday!)
• Keep track of which namespaces failed to connect #1496 (commit)
• Fixed transport property of the simple clients to be a string as documented #1499 (commit)

... (truncated)

Commits

• 400200e Release 5.14.0
• 53f6be0 Replace pickle with json (#1502)
• a59c6f5 Fix: SimpleClient.call does not raise TimeoutError on timeout (#1501)
• f61e0be wait for client to end background tasks on disconnect (#1500)
• 23556fb Fixed transport property of the simple clients to be a string as documented (...
• e59acf1 Address failures of test suite on Mac (#1497)
• 36a8922 Add support for valkey in the Redis client managers (#1488)
• 5dc2aea keep track of which namespaces failed to connect (#1496)
• b3da354 Add message queue deployment recommendations
• 3625fe8 Bump eventlet from 0.35.2 to 0.40.3 in /examples/server/wsgi (#1491) #nolog
• Additional commits viewable in compare view

Updates sentry-sdk from 1.38.0 to 1.45.1

Release notes

Sourced from sentry-sdk's releases.

1.45.1

This is a security backport release.

• Don't send full env to subprocess (892dd800) by @​kmichel-aiven

  See also GHSA-g92j-qhmh-64v2

1.45.0

This is the final 1.x release for the forseeable future. Development will continue on the 2.x release line. The first 2.x version will be available in the next few weeks.

Various fixes & improvements

• Allow to upsert monitors (#2929) by @​sentrivana

  It's now possible to provide monitor_config to the monitor decorator/context manager directly:

  from sentry_sdk.crons import monitor
  All keys except schedule are optional
  monitor_config = {
  "schedule": {"type": "crontab", "value": "0 0 * * *"},
  "timezone": "Europe/Vienna",
  "checkin_margin": 10,
  "max_runtime": 10,
  "failure_issue_threshold": 5,
  "recovery_threshold": 5,
  }
  @​monitor(monitor_slug='<monitor-slug>', monitor_config=monitor_config)
  def tell_the_world():
  print('My scheduled task...')

  Check out the cron docs for details.

• Add Django signals_denylist to filter signals that are attached to by signals_spans (#2758) by @​lieryan

  If you want to exclude some Django signals from performance tracking, you can use the new signals_denylist Django option:

  import django.db.models.signals
  import sentry_sdk
  sentry_sdk.init(
  ...
  integrations=[
  DjangoIntegration(
  ...
  signals_denylist=[

... (truncated)

Changelog

Sourced from sentry-sdk's changelog.

1.45.1

This is a security backport release.

• Don't send full env to subprocess (892dd800) by @​kmichel-aiven

  See also GHSA-g92j-qhmh-64v2

1.45.0

This is the final 1.x release for the forseeable future. Development will continue on the 2.x release line. The first 2.x version will be available in the next few weeks.

Various fixes & improvements

• Allow to upsert monitors (#2929) by @​sentrivana

  It's now possible to provide monitor_config to the monitor decorator/context manager directly:

  from sentry_sdk.crons import monitor
  All keys except schedule are optional
  monitor_config = {
  "schedule": {"type": "crontab", "value": "0 0 * * *"},
  "timezone": "Europe/Vienna",
  "checkin_margin": 10,
  "max_runtime": 10,
  "failure_issue_threshold": 5,
  "recovery_threshold": 5,
  }
  @​monitor(monitor_slug='<monitor-slug>', monitor_config=monitor_config)
  def tell_the_world():
  print('My scheduled task...')

  Check out the cron docs for details.

• Add Django signals_denylist to filter signals that are attached to by signals_spans (#2758) by @​lieryan

  If you want to exclude some Django signals from performance tracking, you can use the new signals_denylist Django option:

  import django.db.models.signals
  import sentry_sdk
  sentry_sdk.init(
  ...
  integrations=[
  DjangoIntegration(

... (truncated)

Commits

• 282b8f7 Update CHANGELOG.md
• 6c867c4 release: 1.45.1
• 388e68e Fix tests (#3341)
• dfcab26 Run integrations tests on 1.x
• 2812640 Run CI on 1.x branch
• 892dd80 fix(integrations): don't send full env to subprocess
• 51a906c Update CHANGELOG.md
• 7570e39 release: 1.45.0
• e22abb6 fix(metrics): Change data_category from statsd to metric_bucket (#2954)
• fab65e6 feat(metrics): New normalization of keys, values, units (#2946)
• Additional commits viewable in compare view

Updates marshmallow from 3.20.1 to 3.26.2

Changelog

Sourced from marshmallow's changelog.

3.26.2 (2025-12-19)

Bug fixes:

• :cve:2025-68480: Merge error store messages without rebuilding collections. Thanks 카푸치노 for reporting and :user:deckar01 for the fix.

3.26.1 (2025-02-03)

Bug fixes:

• Typing: Fix type annotations for class Meta <marshmallow.Schema.Meta> options (:issue:2804). Thanks :user:lawrence-law for reporting.

Other changes:

• Remove default value for the data param of Nested._deserialize <marshmallow.fields.Nested._deserialize> (:issue:2802). Thanks :user:gbenson for reporting.

3.26.0 (2025-01-22)

Features:

• Typing: Add type annotations and improved documentation for class Meta <marshmallow.Schema.Meta> options (:pr:2760).
• Typing: Improve type coverage of marshmallow.Schema.SchemaMeta (:pr:2761).
• Typing: marshmallow.Schema.loads parameter allows bytes and bytesarray (:pr:2769).

Bug fixes:

• Respect data_key when schema validators raise a ValidationError <marshmallow.exceptions.ValidationError> with a field_name argument (:issue:2170). Thanks :user:matejsp for reporting.
• Correctly handle multiple @post_load <marshmallow.post_load> methods where one method appends to the data and another passes pass_original=True (:issue:1755). Thanks :user:ghostwheel42 for reporting.
• URL fields now properly validate file paths (:issue:2249). Thanks :user:0xDEC0DE for reporting and fixing.

Documentation:

• Add :doc:upgrading guides <upgrading> for 3.24 and 3.26 (:pr:2780).
• Various documentation improvements (:pr:2757, :pr:2759, :pr:2765, :pr:2774, :pr:2778, :pr:2783, :pr:2796).

Deprecations:

• The ordered class Meta <marshmallow.Schema.Meta> option is deprecated (:issue:2146, :pr:2762). Field order is already preserved by default. Set marshmallow.Schema.dict_class to collections.OrderedDict

... (truncated)

Commits

• 1407d51 Merge pull request #2878 from marshmallow-code/3.x-mypy-unreachable
• b2292f5 Fix mypy errors
• 8acd211 Merge pull request #2877 from marshmallow-code/3.x-delint
• b4bcb4a [pre-commit.ci] auto fixes from pre-commit.com hooks
• b78af7a Delint
• 2c4451e Merge commit from fork
• 86d101a Bump version and update changelog
• 489a8d4 Only deep copy error message collections
• 6d4a17d Add test coverage for error message modification
• 0356a3f Merge error store messages without rebuilding collections
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.