Accepting request 1329533 from devel:languages:python

- update to 3.1.5:
  * safe_join on Windows does not allow more special device
    names, regardless of extension or surrounding spaces.
    :ghsa:`87hc-h4r5-73f7`
  * Fix AttributeError when initializing DebuggedApplication with
    pin_security=False. :issue:`3075`

  * drops 0001-limit-the-maximum-number-of-multipart-form-parts.patch
    stream that may not return the requested size in one
  * Type checking FileStorage accepts os.PathLike. #2418
    :issue:`2397`
    - Fix type annotation for send_file max_age callable. Don’t pass
    - Mark top-level names as exported so type checking understands imports
    - cached_property is generic over its return type, properties decorated
    - Fix multipart parsing bug when boundary contains special regex
    - Type checking understands that calling headers.get with a string
    - If HTTPException.description is not a string, get_description will
    - Deprecate the environ["werkzeug.server.shutdown"] function that is
    - Deprecate the useragents module and the built-in user agent parser. Use
      a dedicated parser library instead by subclassing user_agent.UserAgent
    - All datetime values are timezone-aware with tzinfo=timezone.utc. This
      applies to anything using http.parse_date: Request.date,
      .if_modified_since, .if_unmodified_since; Response.date, .expires,
      .last_modified, .retry_after; parse_if_range_header, and IfRange.date.
      When comparing values, the other values must also be aware, or these
      values must be made naive. When passing parameters or setting
    - Merge all request and response wrapper mixin code into single Request
      and Response classes. Using the mixin classes is no longer necessary
      and will show a deprecation warning. Checking isinstance or issubclass
      against BaseRequest and BaseResponse will show a deprecation warning

OBS-URL: https://build.opensuse.org/request/show/1329533
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Werkzeug?expand=0&rev=52

python-Werkzeug.changes

@@ -1,3 +1,127 @@
+-------------------------------------------------------------------
+Tue Jan 27 16:24:20 UTC 2026 - Dirk Müller <dmueller@suse.com>
+
+- update to 3.1.5:
+  * safe_join on Windows does not allow more special device
+    names, regardless of extension or surrounding spaces.
+    :ghsa:`87hc-h4r5-73f7`
+  * Fix AttributeError when initializing DebuggedApplication with
+    pin_security=False. :issue:`3075`
+
+-------------------------------------------------------------------
+Wed Jan  7 15:28:53 UTC 2026 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 3.1.4
+  * ``safe_join`` on Windows does not allow special device names. This prevents
+    reading from these when using `send_from_directory`. ``secure_filename``
+    already prevented writing to these. :ghsa:`hgf8-39gv-g3f2`
+  * The debugger pin fails after 10 attempts instead of 11. :pr:`3020`
+  * The multipart form parser handles a ``\r\n`` sequence at a chunk boundary.
+    :issue:`3065`
+  * Improve CPU usage during Watchdog reloader. :issue:`3054`
+  * `Request.json` annotation is more accurate. :issue:`3067`
+  * Traceback rendering handles when the line number is beyond the available
+    source lines. :issue:`3044`
+  * `HTTPException.get_response` annotation and doc better conveys the
+    distinction between WSGI and sans-IO responses. :issue:`3056`
+
+-------------------------------------------------------------------
+Tue Nov 12 07:59:40 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 3.1.3
+  * Initial data passed to ``MultiDict`` and similar interfaces only accepts
+    ``list``, ``tuple``, or ``set`` when passing multiple values. It had been
+    changed to accept any ``Collection``, but this matched types that should be
+    treated as single values, such as ``bytes``. :issue:`2994`
+  * When the ``Host`` header is not set and ``Request.host`` falls back to the
+    WSGI ``SERVER_NAME`` value, if that value is an IPv6 address it is wrapped
+    in ``[]`` to match the ``Host`` header. :issue:`2993`
+- from version 3.1.2
+  * Improve type annotation for ``TypeConversionDict.get`` to allow the ``type``
+    parameter to be a callable. :issue:`2988`
+  * ``Headers`` does not inherit from ``MutableMapping``, as it is does not
+    exactly match that interface. :issue:`2989`
+
+-------------------------------------------------------------------
+Mon Nov  4 10:57:09 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 3.1.1
+  * Fix an issue that caused ``str(Request.headers)`` to always appear empty.
+    :issue:`2985`
+- from version 3.1.0
+  * Drop support for Python 3.8. :pr:`2966`
+  * Remove previously deprecated code. :pr:`2967`
+  * ``Request.max_form_memory_size`` defaults to 500kB instead of unlimited.
+    Non-file form fields over this size will cause a ``RequestEntityTooLarge``
+    error. :issue:`2964`
+  * ``OrderedMultiDict`` and ``ImmutableOrderedMultiDict`` are deprecated.
+    Use ``MultiDict`` and ``ImmutableMultiDict`` instead. :issue:`2968`
+  * Behavior of properties on ``request.cache_control`` and
+    ``response.cache_control`` has been significantly adjusted.
+    * Dict values are always ``str | None``. Setting properties will convert
+      the value to a string. Setting a property to ``False`` is equivalent to
+      setting it to ``None``. Getting typed properties will return ``None`` if
+      conversion raises ``ValueError``, rather than the string. :issue:`2980`
+    * ``max_age`` is ``None`` if present without a value, rather than ``-1``.
+      :issue:`2980`
+    * ``no_cache`` is a boolean for requests, it is ``True`` instead of
+      ``"*"`` when present. It remains a string for responses. :issue:`2980`
+    * ``max_stale`` is ``True`` if present without a value, rather
+      than ``"*"``. :issue:`2980`
+    * ``no_transform`` is a boolean. Previously it was mistakenly always
+      ``None``. :issue:`2881`
+    * ``min_fresh`` is ``None`` if present without a value, rather than
+      ``"*"``. :issue:`2881`
+    * ``private`` is ``True`` if present without a value, rather than ``"*"``.
+      :issue:`2980`
+    * Added the ``must_understand`` property. :issue:`2881`
+    * Added the ``stale_while_revalidate``, and ``stale_if_error``
+      properties. :issue:`2948`
+    * Type annotations more accurately reflect the values. :issue:`2881`
+  * Support Cookie CHIPS (Partitioned Cookies). :issue:`2797`
+  * Add 421 ``MisdirectedRequest`` HTTP exception. :issue:`2850`
+  * Increase default work factor for PBKDF2 to 1,000,000 iterations.
+    :issue:`2969`
+  * Inline annotations for ``datastructures``, removing stub files.
+    :issue:`2970`
+  * ``MultiDict.getlist`` catches ``TypeError`` in addition to ``ValueError``
+    when doing type conversion. :issue:`2976`
+  * Implement ``|`` and ``|=`` operators for ``MultiDict``, ``Headers``, and
+    ``CallbackDict``, and disallow ``|=`` on immutable types. :issue:`2977`
+
+-------------------------------------------------------------------
+Mon Oct 28 12:57:32 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Update to 3.0.6 (bsc#1232449, CVE-2024-49767):
+  * Fix how max_form_memory_size is applied when parsing large
+    non-file fields. GHSA-q34m-jh98-gwm2
+  * safe_join catches certain paths on Windows that were not caught by
+    ntpath.isabs on Python < 3.11. GHSA-f9vj-2wh5-fj8j
+- 3.0.5:
+  * The Watchdog reloader ignores file closed no write events. #2945
+  * Logging works with client addresses containing an IPv6 scope.
+    #2952
+  * Ignore invalid authorization parameters. #2955
+  * Improve type annotation fore SharedDataMiddleware. #2958
+  * Compatibility with Python 3.13 when generating debugger pin and
+    the current UID does not have an associated name. #2957
+
+-------------------------------------------------------------------
+Mon Aug 26 14:36:39 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 3.0.4
+  * Restore behavior where parsing `multipart/x-www-form-urlencoded` data with
+    invalid UTF-8 bytes in the body results in no form data parsed rather than a
+    413 error. :issue:`2930`
+  * Improve ``parse_options_header`` performance when parsing unterminated
+    quoted string values. :issue:`2904`
+  * Debugger pin auth is synchronized across threads/processes when tracking
+    failed entries. :issue:`2916`
+  * Dev server handles unexpected `SSLEOFError` due to issue in Python < 3.13.
+    :issue:`2926`
+  * Debugger pin auth works when the URL already contains a query string.
+    :issue:`2918`
+
 -------------------------------------------------------------------
 Tue May  7 06:01:38 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
 

python-Werkzeug.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-Werkzeug
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,7 +27,7 @@
 
 %{?sle15_python_module_pythons}
 Name:           python-Werkzeug%{psuffix}
-Version:        3.0.3
+Version:        3.1.5
 Release:        0
 Summary:        The Swiss Army knife of Python web development
 License:        BSD-3-Clause
@@ -109,6 +109,7 @@ donttest+=" or test_wrong_protocol"
 donttest+=" or test_content_type_and_length"
 donttest+=" or test_multiple_headers_concatenated"
 donttest+=" or test_multiline_header_folding"
+donttest+=" or test_host_with_ipv6_scope"
 %pytest -k "not ($donttest)"
 %endif
 

werkzeug-3.1.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6a548b0e88955dd07ccb25539d7d0cc97417ee9e179677d22c7041c8f078ce67
+size 864754