build(deps): bump the production-dependencies group across 1 directory with 4 updates

[dependabot]

Bumps the production-dependencies group with 4 updates in the / directory: certifi, jinja2, python-engineio and urllib3.

Updates certifi from 2024.2.2 to 2024.6.2

Commits

• 124f4ad 2024.06.02 (#291)
• c2196ce --- (#290)
• fefdeec Bump actions/checkout from 4.1.4 to 4.1.5 (#289)
• 3c5fb15 Bump actions/download-artifact from 4.1.6 to 4.1.7 (#286)
• 4a9569a Bump actions/checkout from 4.1.2 to 4.1.4 (#287)
• 1fc8086 Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (#288)
• ad52dce Bump peter-evans/create-pull-request from 6.0.3 to 6.0.4 (#283)
• 651904f Bump actions/upload-artifact from 4.3.1 to 4.3.3 (#284)
• 84fcfba Bump actions/download-artifact from 4.1.4 to 4.1.6 (#285)
• 46b8057 Bump peter-evans/create-pull-request from 6.0.2 to 6.0.3 (#282)
• Additional commits viewable in compare view

Updates jinja2 from 3.1.3 to 3.1.4

Release notes

Sourced from jinja2's releases.

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

• The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

Changelog

Sourced from jinja2's changelog.

Version 3.1.4

Released 2024-05-05

• The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. :ghsa:h75v-3vvj-5mfj

Commits

• dd4a8b5 release version 3.1.4
• 0668239 Merge pull request from GHSA-h75v-3vvj-5mfj
• d655030 disallow invalid characters in keys to xmlattr filter
• a7863ba add ghsa links
• b5c98e7 start version 3.1.4
• da3a9f0 update project files (#1968)
• 0ee5eb4 satisfy formatter, linter, and strict mypy
• 20477c6 update project files (#5457)
• e491223 update pyyaml dev dependency
• 36f9885 fix pr link
• Additional commits viewable in compare view

Updates python-engineio from 4.9.0 to 4.9.1

Release notes

Sourced from python-engineio's releases.

Release 4.9.1

See CHANGES.md for release notes.

Changelog

Sourced from python-engineio's changelog.

python-engineio change log

Release 4.9.1 - 2024-05-18

• Fix inverted shutdown logic in async service task #354 (commit)
• More robust WebSocket close detection in the sync client #346 (commit)
• Option to disable routing in ASGIApp #345 (commit) (thanks Rodja Trappe!)

Release 4.9.0 - 2024-02-05

• More robust handling of polling disconnects #254 (commit)
• Clearer client logs after disconnect #342 (commit)

Release 4.8.2 - 2024-01-06

• Combine ssl_verify with other SSL options (commit) (thanks Simon Fonteneau!)
• Hold references to background tasks to avoid garbage collection (commit)
• Clearer documentation for the max_http_buffer_size argument (commit)

Release 4.8.1 - 2023-12-28

• Fix invalid WebSocket responses #331 #332 #338 (commit)

Release 4.8.0 - 2023-10-14

• Return consistent responses after Websocket connection ends (commit)
• Migrate Python package metadata to pyproject.toml (commit)
• Remove Python 3.7 from builds (commit)
• Internal code restructure (no functional changes) ([commit #1](miguelgrinberg/python-engineio@e26163c)) ([commit #2](miguelgrinberg/python-engineio@f15527b)) ([commit #3](miguelgrinberg/python-engineio@5c996be)) ([commit #4](miguelgrinberg/python-engineio@ca9ca5b))

Release 4.7.1 - 2023-09-12

• Replace gevent-websocket with simple-websocket when using gevent (commit)
• Catch and log all errors that occur in event handlers (commit)
• Use daemon threads for background tasks also in the threaded client (commit)
• Silence exception on websocket exit when using uWSGI #330 (commit)

Release 4.7.0 - 2023-09-03

• Added send_packet() method (commit)
• Fixed race condition when lots of connections are ended at the same time #328 (commit)
• Workaround for strange memory leak in Eventlet's Thread class #328 (commit)
• Use daemon threads for background tasks in threading mode (commit)
• Upgrade to pypy-3.9 in unit tests (commit)

Release 4.6.1 - 2023-08-23

• Fix double close of websockets in ASGI adapter #327 (commit)

Release 4.6.0 - 2023-08-21

... (truncated)

Commits

• 629ee17 Release 4.9.1
• 8e688ba Fix inverted shutdown logic in async service task (Fixes #354)
• 942da84 use codecov token for coverage uploads #nolog
• 77e09b3 Bump aiohttp from 3.9.2 to 3.9.4 in /examples/server/aiohttp (#351) #nolog
• d23093d Bump werkzeug from 2.2.3 to 2.3.8 in /examples/server/wsgi (#350) #nolog
• e1acb23 Bump eventlet from 0.20.1 to 0.35.2 in /examples/server/wsgi (#349) #nolog
• 012e398 Bump express from 4.18.2 to 4.19.2 in /examples/client/javascript (#347) #nolog
• 35d0842 Bump express from 4.18.2 to 4.19.2 in /examples/server/javascript (#348) #nolog
• ec2df3f more robust WebSocket close detection in the sync client (Fixes #346)
• 1dbd573 Option to disable routing in ASGIApp (Fixes #345)
• Additional commits viewable in compare view

Updates urllib3 from 1.26.18 to 1.26.19

Release notes

Sourced from urllib3's releases.

1.26.19

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support for 2023. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.

Full Changelog: urllib3/urllib3@1.26.18...1.26.19

Note that due to an issue with our release automation, no multiple.intoto.jsonl file is available for this release.

Changelog

Sourced from urllib3's changelog.

1.26.19 (2024-06-17)

• Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.
• Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS. ([#3405](https://github.com/urllib3/urllib3/issues/3405) <https://github.com/urllib3/urllib3/issues/3405>__)

Commits

• d9d85c8 Release 1.26.19
• 8528b63 [1.26] Fix downstream tests (#3409)
• 40b6d16 Merge pull request from GHSA-34jh-p97f-mpxf
• 29cfd02 Fix handling of OpenSSL 3.2.0 new error message "record layer failure" (#3405)
• b600643 [1.26] Bump RECENT_DATE (#3404)
• 7e2d389 [1.26] Fix running CPython 2.7 tests in CI (#3137)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Superseded by #1015.