Accepting request 1329533 from devel:languages:python

- update to 3.1.5:
  * safe_join on Windows does not allow more special device
    names, regardless of extension or surrounding spaces.
    :ghsa:`87hc-h4r5-73f7`
  * Fix AttributeError when initializing DebuggedApplication with
    pin_security=False. :issue:`3075`

  * drops 0001-limit-the-maximum-number-of-multipart-form-parts.patch
    stream that may not return the requested size in one
  * Type checking FileStorage accepts os.PathLike. #2418
    :issue:`2397`
    - Fix type annotation for send_file max_age callable. Don’t pass
    - Mark top-level names as exported so type checking understands imports
    - cached_property is generic over its return type, properties decorated
    - Fix multipart parsing bug when boundary contains special regex
    - Type checking understands that calling headers.get with a string
    - If HTTPException.description is not a string, get_description will
    - Deprecate the environ["werkzeug.server.shutdown"] function that is
    - Deprecate the useragents module and the built-in user agent parser. Use
      a dedicated parser library instead by subclassing user_agent.UserAgent
    - All datetime values are timezone-aware with tzinfo=timezone.utc. This
      applies to anything using http.parse_date: Request.date,
      .if_modified_since, .if_unmodified_since; Response.date, .expires,
      .last_modified, .retry_after; parse_if_range_header, and IfRange.date.
      When comparing values, the other values must also be aware, or these
      values must be made naive. When passing parameters or setting
    - Merge all request and response wrapper mixin code into single Request
      and Response classes. Using the mixin classes is no longer necessary
      and will show a deprecation warning. Checking isinstance or issubclass
      against BaseRequest and BaseResponse will show a deprecation warning

OBS-URL: https://build.opensuse.org/request/show/1329533
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Werkzeug?expand=0&rev=52

python-Werkzeug.changes

@@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Tue Jan 27 16:24:20 UTC 2026 - Dirk Müller <dmueller@suse.com>
+
+- update to 3.1.5:
+  * safe_join on Windows does not allow more special device
+    names, regardless of extension or surrounding spaces.
+    :ghsa:`87hc-h4r5-73f7`
+  * Fix AttributeError when initializing DebuggedApplication with
+    pin_security=False. :issue:`3075`
+
+-------------------------------------------------------------------
+Wed Jan  7 15:28:53 UTC 2026 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 3.1.4
+  * ``safe_join`` on Windows does not allow special device names. This prevents
+    reading from these when using `send_from_directory`. ``secure_filename``
+    already prevented writing to these. :ghsa:`hgf8-39gv-g3f2`
+  * The debugger pin fails after 10 attempts instead of 11. :pr:`3020`
+  * The multipart form parser handles a ``\r\n`` sequence at a chunk boundary.
+    :issue:`3065`
+  * Improve CPU usage during Watchdog reloader. :issue:`3054`
+  * `Request.json` annotation is more accurate. :issue:`3067`
+  * Traceback rendering handles when the line number is beyond the available
+    source lines. :issue:`3044`
+  * `HTTPException.get_response` annotation and doc better conveys the
+    distinction between WSGI and sans-IO responses. :issue:`3056`
+
 -------------------------------------------------------------------
 Tue Nov 12 07:59:40 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
 
@@ -320,7 +347,7 @@ Thu Apr 13 22:45:56 UTC 2023 - Matej Cepl <mcepl@suse.com>
 Mon Mar 13 18:48:22 UTC 2023 - Dirk Müller <dmueller@suse.com>
 
 - update to 2.2.3 (bsc#1208283, CVE-2023-25577):
-  * drops 0001-limit-the-maximum-number-of-multipart-form-parts.patch 
+  * drops 0001-limit-the-maximum-number-of-multipart-form-parts.patch
     in older dists
   * Ensure that URL rules using path converters will redirect
     with strict slashes when the trailing slash is missing.
@@ -338,7 +365,7 @@ Mon Mar 13 18:48:22 UTC 2023 - Dirk Müller <dmueller@suse.com>
   * Fix handling of header extended parameters such that they
     are no longer quoted.
   * ``LimitedStream.read`` works correctly when wrapping a
-    stream that may not return the requested size in one 
+    stream that may not return the requested size in one
     ``read`` call.
   * A cookie header that starts with ``=`` is treated as an
     empty key and discarded, rather than stripping the leading ``==``.
@@ -393,7 +420,7 @@ Fri Sep  9 15:52:29 UTC 2022 - Yogalakshmi Arunachalam <yarunachalam@suse.com>
   * Added Sans-IO is_resource_modified and parse_cookie functions based on WSGI versions. #2408
   * Added Sans-IO get_content_length function. #2415
   * Don’t assume a mimetype for test responses. #2450
-  * Type checking FileStorage accepts os.PathLike. #2418 
+  * Type checking FileStorage accepts os.PathLike. #2418
 
 -------------------------------------------------------------------
 Fri Jul 29 10:58:49 UTC 2022 - Torsten Gruner <simmphonie@opensuse.org>
@@ -412,7 +439,7 @@ Wed May 11 10:40:41 UTC 2022 - Dirk Müller <dmueller@suse.com>
     :issue:`2379`
   * Disable ``keep-alive`` connections in the development server, which
     are not supported sufficiently by Python's ``http.server``.
-    :issue:`2397` 
+    :issue:`2397`
 - drop 2402-dev_server.patch (upstream)
 
 -------------------------------------------------------------------
@@ -588,18 +615,18 @@ Sat Jun 19 07:42:14 UTC 2021 - Michael Ströder <michael@stroeder.com>
 - updated upstream project URL
 - Update to 2.0.1
   * Version 2.0.1
-    - Fix type annotation for send_file max_age callable. Don’t pass 
+    - Fix type annotation for send_file max_age callable. Don’t pass
       pathlib.Path to max_age. #2119
-    - Mark top-level names as exported so type checking understands imports 
+    - Mark top-level names as exported so type checking understands imports
       in user projects. #2122
     - Fix some types that weren’t available in Python 3.6.0. #2123
-    - cached_property is generic over its return type, properties decorated 
+    - cached_property is generic over its return type, properties decorated
       with it report the correct type. #2113
-    - Fix multipart parsing bug when boundary contains special regex 
+    - Fix multipart parsing bug when boundary contains special regex
       characters. #2125
-    - Type checking understands that calling headers.get with a string 
+    - Type checking understands that calling headers.get with a string
       default will always return a string. #2128
-    - If HTTPException.description is not a string, get_description will 
+    - If HTTPException.description is not a string, get_description will
       convert it to a string. #2115
   * Version 2.0.0
     - Drop support for Python 2 and 3.5. #1693
@@ -609,148 +636,148 @@ Sat Jun 19 07:42:14 UTC 2021 - Michael Ströder <michael@stroeder.com>
     - Deprecate utils.HTMLBuilder. #1761
     - Deprecate utils.escape() and utils.unescape(), use MarkupSafe instead. #1758
     - Deprecate the undocumented python -m werkzeug.serving CLI. #1834
-    - Deprecate the environ["werkzeug.server.shutdown"] function that is 
+    - Deprecate the environ["werkzeug.server.shutdown"] function that is
       available when running the development server. #1752
-    - Deprecate the useragents module and the built-in user agent parser. Use 
+    - Deprecate the useragents module and the built-in user agent parser. Use
-      a dedicated parser library instead by subclassing user_agent.UserAgent 
+      a dedicated parser library instead by subclassing user_agent.UserAgent
       and setting Request.user_agent_class. #2078
     - Remove the unused, internal posixemulation module. #1759
-    - All datetime values are timezone-aware with tzinfo=timezone.utc. This 
+    - All datetime values are timezone-aware with tzinfo=timezone.utc. This
-      applies to anything using http.parse_date: Request.date, 
+      applies to anything using http.parse_date: Request.date,
-      .if_modified_since, .if_unmodified_since; Response.date, .expires, 
+      .if_modified_since, .if_unmodified_since; Response.date, .expires,
-      .last_modified, .retry_after; parse_if_range_header, and IfRange.date. 
+      .last_modified, .retry_after; parse_if_range_header, and IfRange.date.
-      When comparing values, the other values must also be aware, or these 
+      When comparing values, the other values must also be aware, or these
-      values must be made naive. When passing parameters or setting 
+      values must be made naive. When passing parameters or setting
       attributes, naive values are still assumed to be in UTC. #2040
-    - Merge all request and response wrapper mixin code into single Request 
+    - Merge all request and response wrapper mixin code into single Request
-      and Response classes. Using the mixin classes is no longer necessary 
+      and Response classes. Using the mixin classes is no longer necessary
-      and will show a deprecation warning. Checking isinstance or issubclass 
+      and will show a deprecation warning. Checking isinstance or issubclass
-      against BaseRequest and BaseResponse will show a deprecation warning 
+      against BaseRequest and BaseResponse will show a deprecation warning
       and check against Request or Response instead. #1963
-    - JSON support no longer uses simplejson if it’s installed. To use 
+    - JSON support no longer uses simplejson if it’s installed. To use
-      another JSON module, override Request.json_module and 
+      another JSON module, override Request.json_module and
       Response.json_module. #1766
-    - Response.get_json() no longer caches the result, and the cache 
+    - Response.get_json() no longer caches the result, and the cache
       parameter is removed. #1698
-    - Response.freeze() generates an ETag header if one is not set. The 
+    - Response.freeze() generates an ETag header if one is not set. The
-      no_etag parameter (which usually wasn’t visible anyway) is no longer 
+      no_etag parameter (which usually wasn’t visible anyway) is no longer
       used. #1963
     - Add a url_scheme argument to build() to override the bound scheme. #1721
-    - Passing an empty list as a query string parameter to build() won’t 
+    - Passing an empty list as a query string parameter to build() won’t
-      append an unnecessary ?. Also drop any number of None items in a list. 
+      append an unnecessary ?. Also drop any number of None items in a list.
       #1992
-    - When passing a Headers object to a test client method or 
+    - When passing a Headers object to a test client method or
-      EnvironBuilder, multiple values for a key are joined into one comma 
+      EnvironBuilder, multiple values for a key are joined into one comma
-      separated value. This matches the HTTP spec on multi-value headers. 
+      separated value. This matches the HTTP spec on multi-value headers.
       #1655
-    - Setting Response.status and status_code uses identical parsing and 
+    - Setting Response.status and status_code uses identical parsing and
       error checking. #1658, #1728
-    - MethodNotAllowed and RequestedRangeNotSatisfiable take a response 
+    - MethodNotAllowed and RequestedRangeNotSatisfiable take a response
       kwarg, consistent with other HTTP errors. #1748
-    - The response generated by Unauthorized produces one WWW-Authenticate 
+    - The response generated by Unauthorized produces one WWW-Authenticate
-      header per value in www_authenticate, rather than joining them into a 
+      header per value in www_authenticate, rather than joining them into a
-      single value, to improve interoperability with browsers and other 
+      single value, to improve interoperability with browsers and other
       clients. #1755
-    - If parse_authorization_header can’t decode the header value, it returns 
+    - If parse_authorization_header can’t decode the header value, it returns
       None instead of raising a UnicodeDecodeError. #1816
     - The debugger no longer uses jQuery. #1807
     - The test client includes the query string in REQUEST_URI and RAW_URI. #1781
-    - Switch the parameter order of default_stream_factory to match the order 
+    - Switch the parameter order of default_stream_factory to match the order
       used when calling it. #1085
-    - Add send_file function to generate a response that serves a file. 
+    - Add send_file function to generate a response that serves a file.
       Adapted from Flask’s implementation. #265, #1850
-    - Add send_from_directory function to safely serve an untrusted path 
+    - Add send_from_directory function to safely serve an untrusted path
       within a trusted directory. Adapted from Flask’s implementation. #1880
-    - send_file takes download_name, which is passed even if 
+    - send_file takes download_name, which is passed even if
-      as_attachment=False by using Content-Disposition: inline. download_name 
+      as_attachment=False by using Content-Disposition: inline. download_name
       replaces Flask’s attachment_filename. #1869
-    - send_file sets conditional=True and max_age=None by default. 
+    - send_file sets conditional=True and max_age=None by default.
-      Cache-Control is set to no-cache if max_age is not set, otherwise 
+      Cache-Control is set to no-cache if max_age is not set, otherwise
-      public. This tells browsers to validate conditional requests instead of 
+      public. This tells browsers to validate conditional requests instead of
-      using a timed cache. max_age=None replaces Flask’s cache_timeout=43200. 
+      using a timed cache. max_age=None replaces Flask’s cache_timeout=43200.
       #1882
-    - send_file can be called with etag="string" to set a custom ETag instead 
+    - send_file can be called with etag="string" to set a custom ETag instead
       of generating one. etag replaces Flask’s add_etags. #1868
-    - send_file sets the Content-Encoding header if an encoding is returned 
+    - send_file sets the Content-Encoding header if an encoding is returned
       when guessing mimetype from download_name. #3896
-    - Update the defaults used by generate_password_hash. Increase PBKDF2 
+    - Update the defaults used by generate_password_hash. Increase PBKDF2
-      iterations to 260000 from 150000. Increase salt length to 16 from 8. 
+      iterations to 260000 from 150000. Increase salt length to 16 from 8.
       Use secrets module to generate salt. #1935
     - The reloader doesn’t crash if sys.stdin is somehow None. #1915
-    - Add arguments to delete_cookie to match set_cookie and the attributes 
+    - Add arguments to delete_cookie to match set_cookie and the attributes
       modern browsers expect. #1889
-    - utils.cookie_date is deprecated, use utils.http_date instead. The value 
+    - utils.cookie_date is deprecated, use utils.http_date instead. The value
       for Set-Cookie expires is no longer “-” delimited. #2040
     - Use request.headers instead of request.environ to look up header attributes. #1808
-    - The test Client request methods (client.get, etc.) always return an 
+    - The test Client request methods (client.get, etc.) always return an
-      instance of TestResponse. In addition to the normal behavior of 
+      instance of TestResponse. In addition to the normal behavior of
-      Response, this class provides request with the request that produced 
+      Response, this class provides request with the request that produced
-      the response, and history to track intermediate responses when 
+      the response, and history to track intermediate responses when
       follow_redirects is used. #763, #1894
-    - The test Client request methods takes an auth parameter to add an 
+    - The test Client request methods takes an auth parameter to add an
-      Authorization header. It can be an Authorization object or a (username, 
+      Authorization header. It can be an Authorization object or a (username,
       password) tuple for Basic auth. #1809
-    - Calling response.close() on a response from the test Client will close 
+    - Calling response.close() on a response from the test Client will close
-      the request input stream. This matches file behavior and can prevent a 
+      the request input stream. This matches file behavior and can prevent a
       ResourceWarning in some cases. #1785
-    - EnvironBuilder.from_environ decodes values encoded for WSGI, to avoid 
+    - EnvironBuilder.from_environ decodes values encoded for WSGI, to avoid
       double encoding the new values. #1959
-    - The default stat reloader will watch Python files under 
+    - The default stat reloader will watch Python files under
-      non-system/virtualenv sys.path entries, which should contain most user 
+      non-system/virtualenv sys.path entries, which should contain most user
-      code. It will also watch all Python files under directories given in 
+      code. It will also watch all Python files under directories given in
       extra_files. #1945
     - The reloader ignores __pycache__ directories again. #1945
-    - run_simple takes exclude_patterns a list of fnmatch patterns that will 
+    - run_simple takes exclude_patterns a list of fnmatch patterns that will
       not be scanned by the reloader. #1333
-    - Cookie names are no longer unquoted. This was against RFC 6265 and 
+    - Cookie names are no longer unquoted. This was against RFC 6265 and
       potentially allowed setting __Secure prefixed cookies. #1965
     - Fix some word matches for user agent platform when the word can be a substring. #1923
     - The development server logs ignored SSL errors. #1967
-    - Temporary files for form data are opened in rb+ instead of wb+ mode for 
+    - Temporary files for form data are opened in rb+ instead of wb+ mode for
       better compatibility with some libraries. #1961
-    - Use SHA-1 instead of MD5 for generating ETags and the debugger pin, and 
+    - Use SHA-1 instead of MD5 for generating ETags and the debugger pin, and
-      in some tests. MD5 is not available in some environments, such as FIPS 
+      in some tests. MD5 is not available in some environments, such as FIPS
-      140. This may invalidate some caches since the ETag will be different. 
+      140. This may invalidate some caches since the ETag will be different.
       #1897
-    - Add Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy 
+    - Add Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy
       response header properties. #2008
-    - run_simple tries to show a valid IP address when binding to all 
+    - run_simple tries to show a valid IP address when binding to all
-      addresses, instead of 0.0.0.0 or ::. It also warns about not running 
+      addresses, instead of 0.0.0.0 or ::. It also warns about not running
       the development server in production in this case. #1964
-    - Colors in the development server log are displayed if Colorama is 
+    - Colors in the development server log are displayed if Colorama is
-      installed on Windows. For all platforms, style support no longer 
+      installed on Windows. For all platforms, style support no longer
       requires Click. #1832
-    - A range request for an empty file (or other data with length 0) will 
+    - A range request for an empty file (or other data with length 0) will
       return a 200 response with the empty file instead of a 416 error. #1937
-    - New sans-IO base classes for Request and Response have been extracted 
+    - New sans-IO base classes for Request and Response have been extracted
-      to contain all the behavior that is not WSGI or IO dependent. These are 
+      to contain all the behavior that is not WSGI or IO dependent. These are
-      not a public API, they are part of an ongoing refactor to let ASGI 
+      not a public API, they are part of an ongoing refactor to let ASGI
       frameworks use Werkzeug. #2005
-    - Parsing multipart/form-data has been refactored to use sans-io 
+    - Parsing multipart/form-data has been refactored to use sans-io
-      patterns. This should also make parsing forms with large binary file 
+      patterns. This should also make parsing forms with large binary file
       uploads significantly faster. #1788, #875
-    - LocalProxy matches the current Python data model special methods, 
+    - LocalProxy matches the current Python data model special methods,
-      including all r-ops, in-place ops, and async. __class__ is proxied, so 
+      including all r-ops, in-place ops, and async. __class__ is proxied, so
-      the proxy will look like the object in more cases, including 
+      the proxy will look like the object in more cases, including
-      isinstance. Use issubclass(type(obj), LocalProxy) to check if an object 
+      isinstance. Use issubclass(type(obj), LocalProxy) to check if an object
       is actually a proxy. #1754
     - Local uses ContextVar on Python 3.7+ instead of threading.local. #1778
-    - request.values does not include form for GET requests (even though GET 
+    - request.values does not include form for GET requests (even though GET
-      bodies are undefined). This prevents bad caching proxies from caching 
+      bodies are undefined). This prevents bad caching proxies from caching
       form data instead of query strings. #2037
-    - The development server adds the underlying socket to environ as 
+    - The development server adds the underlying socket to environ as
-      werkzeug.socket. This is non-standard and specific to the dev server, 
+      werkzeug.socket. This is non-standard and specific to the dev server,
-      other servers may expose this under their own key. It is useful for 
+      other servers may expose this under their own key. It is useful for
       handling a WebSocket upgrade request. #2052
     - URL matching assumes websocket=True mode for WebSocket upgrade requests. #2052
     - Updated UserAgentParser to handle more cases. #1971
     - werzeug.DechunkedInput.readinto will not read beyond the size of the buffer. #2021
     - Fix connection reset when exceeding max content size. #2051
-    - pbkdf2_hex, pbkdf2_bin, and safe_str_cmp are deprecated. hashlib and 
+    - pbkdf2_hex, pbkdf2_bin, and safe_str_cmp are deprecated. hashlib and
       hmac provide equivalents. #2083
     - invalidate_cached_property is deprecated. Use del obj.name instead. #2084
     - Href is deprecated. Use werkzeug.routing instead. #2085
-    - Request.disable_data_descriptor is deprecated. Create the request with 
+    - Request.disable_data_descriptor is deprecated. Create the request with
       shallow=True instead. #2085
     - HTTPException.wrap is deprecated. Create a subclass manually instead. #2085
 
@@ -1243,7 +1270,7 @@ Mon Jun 22 14:22:45 UTC 2015 - tbechtold@suse.com
      object (pull request ``#583``).
    - The ``qop`` parameter for ``WWW-Authenticate`` headers is now always quoted,
      as required by RFC 2617 (issue ``#633``).
-   - Fix bug in ``werkzeug.contrib.cache.SimpleCache`` with Python 3 where add/set 
+   - Fix bug in ``werkzeug.contrib.cache.SimpleCache`` with Python 3 where add/set
      may throw an exception when pruning old entries from the cache (pull request
      ``#651``).
 

python-Werkzeug.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-Werkzeug
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,7 +27,7 @@
 
 %{?sle15_python_module_pythons}
 Name:           python-Werkzeug%{psuffix}
-Version:        3.1.3
+Version:        3.1.5
 Release:        0
 Summary:        The Swiss Army knife of Python web development
 License:        BSD-3-Clause

werkzeug-3.1.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6a548b0e88955dd07ccb25539d7d0cc97417ee9e179677d22c7041c8f078ce67
+size 864754