feat: update python-werkzeug to 3.1.3-2

.pre-commit-config.yaml

@@ -1,13 +1,11 @@
-ci:
-  autoupdate_schedule: monthly
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.3.5
+    rev: v0.7.1
     hooks:
       - id: ruff
       - id: ruff-format
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v5.0.0
     hooks:
       - id: check-merge-conflict
       - id: debug-statements

CHANGES.rst

@@ -1,5 +1,129 @@
 .. currentmodule:: werkzeug
 
+Version 3.1.3
+-------------
+
+Released 2024-11-08
+
+-   Initial data passed to ``MultiDict`` and similar interfaces only accepts
+    ``list``, ``tuple``, or ``set`` when passing multiple values. It had been
+    changed to accept any ``Collection``, but this matched types that should be
+    treated as single values, such as ``bytes``. :issue:`2994`
+-   When the ``Host`` header is not set and ``Request.host`` falls back to the
+    WSGI ``SERVER_NAME`` value, if that value is an IPv6 address it is wrapped
+    in ``[]`` to match the ``Host`` header. :issue:`2993`
+
+
+Version 3.1.2
+-------------
+
+Released 2024-11-04
+
+-   Improve type annotation for ``TypeConversionDict.get`` to allow the ``type``
+    parameter to be a callable. :issue:`2988`
+-   ``Headers`` does not inherit from ``MutableMapping``, as it is does not
+    exactly match that interface. :issue:`2989`
+
+
+Version 3.1.1
+-------------
+
+Released 2024-11-01
+
+-   Fix an issue that caused ``str(Request.headers)`` to always appear empty.
+    :issue:`2985`
+
+
+Version 3.1.0
+-------------
+
+Released 2024-10-31
+
+-   Drop support for Python 3.8. :pr:`2966`
+-   Remove previously deprecated code. :pr:`2967`
+-   ``Request.max_form_memory_size`` defaults to 500kB instead of unlimited.
+    Non-file form fields over this size will cause a ``RequestEntityTooLarge``
+    error. :issue:`2964`
+-   ``OrderedMultiDict`` and ``ImmutableOrderedMultiDict`` are deprecated.
+    Use ``MultiDict`` and ``ImmutableMultiDict`` instead. :issue:`2968`
+-   Behavior of properties on ``request.cache_control`` and
+    ``response.cache_control`` has been significantly adjusted.
+
+    -   Dict values are always ``str | None``. Setting properties will convert
+        the value to a string. Setting a property to ``False`` is equivalent to
+        setting it to ``None``. Getting typed properties will return ``None`` if
+        conversion raises ``ValueError``, rather than the string. :issue:`2980`
+    -   ``max_age`` is ``None`` if present without a value, rather than ``-1``.
+        :issue:`2980`
+    -   ``no_cache`` is a boolean for requests, it is ``True`` instead of
+        ``"*"`` when present. It remains a string for responses. :issue:`2980`
+    -   ``max_stale`` is ``True`` if present without a value, rather
+        than ``"*"``. :issue:`2980`
+    -   ``no_transform`` is a boolean. Previously it was mistakenly always
+        ``None``. :issue:`2881`
+    -   ``min_fresh`` is ``None`` if present without a value, rather than
+        ``"*"``. :issue:`2881`
+    -   ``private`` is ``True`` if present without a value, rather than ``"*"``.
+        :issue:`2980`
+    -   Added the ``must_understand`` property. :issue:`2881`
+    -   Added the ``stale_while_revalidate``, and ``stale_if_error``
+        properties. :issue:`2948`
+    -   Type annotations more accurately reflect the values. :issue:`2881`
+
+-   Support Cookie CHIPS (Partitioned Cookies). :issue:`2797`
+-   Add 421 ``MisdirectedRequest`` HTTP exception. :issue:`2850`
+-   Increase default work factor for PBKDF2 to 1,000,000 iterations.
+    :issue:`2969`
+-   Inline annotations for ``datastructures``, removing stub files.
+    :issue:`2970`
+-   ``MultiDict.getlist`` catches ``TypeError`` in addition to ``ValueError``
+    when doing type conversion. :issue:`2976`
+-   Implement ``|`` and ``|=`` operators for ``MultiDict``, ``Headers``, and
+    ``CallbackDict``, and disallow ``|=`` on immutable types. :issue:`2977`
+
+
+Version 3.0.6
+-------------
+
+Released 2024-10-25
+
+-   Fix how ``max_form_memory_size`` is applied when parsing large non-file
+    fields. :ghsa:`q34m-jh98-gwm2`
+-   ``safe_join`` catches certain paths on Windows that were not caught by
+    ``ntpath.isabs`` on Python < 3.11. :ghsa:`f9vj-2wh5-fj8j`
+
+
+Version 3.0.5
+-------------
+
+Released 2024-10-24
+
+-   The Watchdog reloader ignores file closed no write events. :issue:`2945`
+-   Logging works with client addresses containing an IPv6 scope :issue:`2952`
+-   Ignore invalid authorization parameters. :issue:`2955`
+-   Improve type annotation fore ``SharedDataMiddleware``. :issue:`2958`
+-   Compatibility with Python 3.13 when generating debugger pin and the current
+    UID does not have an associated name. :issue:`2957`
+
+
+Version 3.0.4
+-------------
+
+Released 2024-08-21
+
+-   Restore behavior where parsing `multipart/x-www-form-urlencoded` data with
+    invalid UTF-8 bytes in the body results in no form data parsed rather than a
+    413 error. :issue:`2930`
+-   Improve ``parse_options_header`` performance when parsing unterminated
+    quoted string values. :issue:`2904`
+-   Debugger pin auth is synchronized across threads/processes when tracking
+    failed entries. :issue:`2916`
+-   Dev server handles unexpected `SSLEOFError` due to issue in Python < 3.13.
+    :issue:`2926`
+-   Debugger pin auth works when the URL already contains a query string.
+    :issue:`2918`
+
+
 Version 3.0.3
 -------------
 
@@ -17,6 +141,7 @@ Released 2024-05-05
     URIs to be passed on without encoding. :issue:`2828`
 -   Type annotation for ``Rule.endpoint`` and other uses of ``endpoint`` is
     ``Any``. :issue:`2836`
+-   Make reloader more robust when ``""`` is in ``sys.path``. :pr:`2823`
 
 
 Version 3.0.2

debian/changelog

@@ -1,3 +1,36 @@
+python-werkzeug (3.1.3-2) unstable; urgency=medium
+
+  * Team upload
+  * Upload to unstable
+    Fixes CVE-2024-49767
+
+ -- Carsten Schoenert <[email protected]>  Mon, 25 Nov 2024 17:32:31 +0100
+
+python-werkzeug (3.1.3-1) experimental; urgency=medium
+
+  * Team upload
+  * [a3a30e6] d/control: Sort the binary packages alphabetical
+  * [f09c7a3] New upstream version 3.1.3
+    Fixes CVE-2024-49767
+    (Closes: #1086062)
+  * [8afd1df] Rebuild patch queue from patch-queue branch
+    Dropped patch (included upstream):
+    tests-Preserve-any-existing-PYTHONPATH-in-tests.patch
+  * [edf459d] d/rules: Add variable PYBUILD_TEST_ARGS
+    We need to ignore some tests at build time now.
+  * [1346e45] d/rules: Drop -D option from SPHINXOPTS
+  * [804f129] d/control: python3-werkzeug - Drop dep on jibjs-jquery
+    (Closes: #1065427)
+
+ -- Carsten Schoenert <[email protected]>  Sun, 24 Nov 2024 08:50:18 +0100
+
+python-werkzeug (3.0.4-1) unstable; urgency=medium
+
+  * Team upload
+  * [85ea57f] New upstream version 3.0.4
+
+ -- Carsten Schoenert <[email protected]>  Thu, 29 Aug 2024 17:44:25 +0200
+
 python-werkzeug (3.0.3-1) unstable; urgency=medium
 
   * Team upload

debian/control

@@ -30,10 +30,24 @@ Vcs-Browser: https://salsa.debian.org/python-team/packages/python-werkzeug
 Testsuite: autopkgtest-pkg-python
 Rules-Requires-Root: no
 
+Package: python-werkzeug-doc
+Section: doc
+Architecture: all
+Depends:
+ ${misc:Depends},
+ ${sphinxdoc:Depends},
+Multi-Arch: foreign
+Description: Documentation for the werkzeug Python library (docs)
+ Werkzeug is a lightweight library for interfacing with WSGI. It features
+ request and response objects, an interactive debugging system and a powerful
+ URI dispatcher. Combine with your choice of third party libraries and
+ middleware to easily create a custom application framework.
+ .
+ This package provides the Sphinx generated documentation for Werkzeug.
+
 Package: python3-werkzeug
 Architecture: all
 Depends:
- libjs-jquery,
  ${misc:Depends},
  ${python3:Depends},
 Recommends:
@@ -45,7 +59,7 @@ Suggests:
  python3-lxml,
  python3-pkg-resources,
  python3-watchdog,
-Description: collection of utilities for WSGI applications (Python 3.x)
+Description: Collection of utilities for WSGI applications (Python 3.x)
  The Web Server Gateway Interface (WSGI) is a standard interface between web
  server software and web applications written in Python.
  .
@@ -55,18 +69,3 @@ Description: collection of utilities for WSGI applications (Python 3.x)
  middleware to easily create a custom application framework.
  .
  This package contains the Python 3.x module.
-
-Package: python-werkzeug-doc
-Section: doc
-Architecture: all
-Depends:
- ${misc:Depends},
- ${sphinxdoc:Depends},
-Multi-Arch: foreign
-Description: documentation for the werkzeug Python library (docs)
- Werkzeug is a lightweight library for interfacing with WSGI. It features
- request and response objects, an interactive debugging system and a powerful
- URI dispatcher. Combine with your choice of third party libraries and
- middleware to easily create a custom application framework.
- .
- This package provides the Sphinx generated documentation for Werkzeug.

debian/patches/docs-Use-intersphix-with-Debian-packages.patch

@@ -8,11 +8,11 @@ Forwarded: not-needed
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/docs/conf.py b/docs/conf.py
-index d58c17e..813e1c5 100644
+index 5cbbd4f..4dbd1dd 100644
 --- a/docs/conf.py
 +++ b/docs/conf.py
 @@ -28,7 +28,7 @@ extlinks = {
-     "ghsa": ("https://github.com/advisories/%s", "GHSA-%s"),
+     "ghsa": ("https://github.com/advisories/GHSA-%s", "GHSA-%s"),
  }
  intersphinx_mapping = {
 -    "python": ("https://docs.python.org/3/", None),

debian/patches/series

@@ -1,2 +1 @@
-tests-Preserve-any-existing-PYTHONPATH-in-tests.patch
 docs-Use-intersphix-with-Debian-packages.patch

debian/rules

@@ -3,14 +3,15 @@
 
 #export DH_VERBOSE = 1
 
-include /usr/share/dpkg/pkg-info.mk
-
-BUILD_DATE  = $(shell LC_ALL=C date -u "+%d %B %Y" -d "@$(SOURCE_DATE_EPOCH)")
-SPHINXOPTS := -E -N -D html_last_updated_fmt="$(BUILD_DATE)"
+SPHINXOPTS := -E -N
 
 export PYBUILD_NAME=werkzeug
 export PYBUILD_TEST_PYTEST=1
 export PYBUILD_BEFORE_INSTALL=rm -rf {build_dir}/werkzeug/debug/shared/ICON_LICENSE.md
+export PYBUILD_TEST_ARGS=--ignore tests/middleware/test_http_proxy.py --ignore tests/test_serving.py \
+'-k not test_basic \
+and not test_server \
+'
 
 %:
 	dh $@ --buildsystem=pybuild

docs/conf.py

@@ -25,7 +25,7 @@
 extlinks = {
     "issue": ("https://github.com/pallets/werkzeug/issues/%s", "#%s"),
     "pr": ("https://github.com/pallets/werkzeug/pull/%s", "#%s"),
-    "ghsa": ("https://github.com/advisories/%s", "GHSA-%s"),
+    "ghsa": ("https://github.com/advisories/GHSA-%s", "GHSA-%s"),
 }
 intersphinx_mapping = {
     "python": ("https://docs.python.org/3/", None),

docs/datastructures.rst

@@ -27,10 +27,33 @@ General Purpose
    :members:
    :inherited-members:
 
-.. autoclass:: OrderedMultiDict
+.. class:: OrderedMultiDict
 
-.. autoclass:: ImmutableMultiDict
-   :members: copy
+    Works like a regular :class:`MultiDict` but preserves the
+    order of the fields.  To convert the ordered multi dict into a
+    list you can use the :meth:`items` method and pass it ``multi=True``.
+
+    In general an :class:`OrderedMultiDict` is an order of magnitude
+    slower than a :class:`MultiDict`.
+
+    .. admonition:: note
+
+       Due to a limitation in Python you cannot convert an ordered
+       multi dict into a regular dict by using ``dict(multidict)``.
+       Instead you have to use the :meth:`to_dict` method, otherwise
+       the internal bucket objects are exposed.
+
+    .. deprecated:: 3.1
+        Will be removed in Werkzeug 3.2. Use ``MultiDict`` instead.
+
+.. class:: ImmutableMultiDict
+
+    An immutable :class:`OrderedMultiDict`.
+
+    .. deprecated:: 3.1
+        Will be removed in Werkzeug 3.2. Use ``ImmutableMultiDict`` instead.
+
+    .. versionadded:: 0.6
 
 .. autoclass:: ImmutableOrderedMultiDict
    :members: copy
@@ -69,26 +92,14 @@ HTTP Related
 .. autoclass:: LanguageAccept
 
 .. autoclass:: RequestCacheControl
-   :members:
-
-   .. autoattribute:: no_cache
-
-   .. autoattribute:: no_store
-
-   .. autoattribute:: max_age
-
-   .. autoattribute:: no_transform
+    :members:
+    :inherited-members: ImmutableDictMixin, CallbackDict
+    :member-order: groupwise
 
 .. autoclass:: ResponseCacheControl
-   :members:
-
-   .. autoattribute:: no_cache
-
-   .. autoattribute:: no_store
-
-   .. autoattribute:: max_age
-
-   .. autoattribute:: no_transform
+    :members:
+    :inherited-members: CallbackDict
+    :member-order: groupwise
 
 .. autoclass:: ETags
    :members: