chore(deps): bump the pip group across 3 directories with 5 updates

[dependabot]

Bumps the pip group with 5 updates in the /api directory:

Package	From	To
certifi	2023.7.22	2024.7.4
h11	0.12.0	0.16.0
jinja2	3.1.4	3.1.6
python-multipart	0.0.26	0.0.27
starlette	0.37.2	0.49.1

Bumps the pip group with 2 updates in the /functions-python directory: python-multipart and starlette.
Bumps the pip group with 2 updates in the /functions-python/operations_api directory: python-multipart and starlette.

Updates certifi from 2023.7.22 to 2024.7.4

Commits

• bd81538 2024.07.04 (#295)
• 06a2cbf Bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (#294)
• 13bba02 Bump actions/checkout from 4.1.6 to 4.1.7 (#293)
• e8abcd0 Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 (#292)
• 124f4ad 2024.06.02 (#291)
• c2196ce --- (#290)
• fefdeec Bump actions/checkout from 4.1.4 to 4.1.5 (#289)
• 3c5fb15 Bump actions/download-artifact from 4.1.6 to 4.1.7 (#286)
• 4a9569a Bump actions/checkout from 4.1.2 to 4.1.4 (#287)
• 1fc8086 Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (#288)
• Additional commits viewable in compare view

Updates h11 from 0.12.0 to 0.16.0

Commits

• 1c5b075 this time for surer
• d9c3699 this time for sure...
• d91b9dd blacken
• 5a4683c Soothe mypy
• 9c9567f Bump version to 0.16.0
• 114803a Merge commit from fork
• 9462006 Bump version to 0.15.0
• 70a96be Merge pull request #181 from Julien00859/Julien00859/get_int_max_str_digits
• 60782ad Reject Content-Length longer 1 billion TB
• dff7cc3 Validate Chunked-Encoding chunk footer
• Additional commits viewable in compare view

Updates jinja2 from 3.1.4 to 3.1.6

Release notes

Sourced from jinja2's releases.

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/ Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7

3.1.5

This is the Jinja 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.5/ Changes: https://jinja.palletsprojects.com/changes/#version-3-1-5 Milestone: https://github.com/pallets/jinja/milestone/16?closed=1

• The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. GHSA-q2x7-8rv6-6q7h
• Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. #1792, GHSA-gmj6-6f8f-6699
• Sandbox does not allow clear and pop on known mutable sequence types. #2032
• Calling sync render for an async template uses asyncio.run. #1952
• Avoid unclosed auto_aiter warnings. #1960
• Return an aclose-able AsyncGenerator from Template.generate_async. #1960
• Avoid leaving root_render_func() unclosed in Template.generate_async. #1960
• Avoid leaving async generators unclosed in blocks, includes and extends. #1960
• The runtime uses the correct concat function for the current environment when calling block references. #1701
• Make |unique async-aware, allowing it to be used after another async-aware filter. #1781
• |int filter handles OverflowError from scientific notation. #1921
• Make compiling deterministic for tuple unpacking in a {% set ... %} call. #2021
• Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. #2025
• Fix copy/pickle support for the internal missing object. #2027
• Environment.overlay(enable_async) is applied correctly. #2061
• The error message from FileSystemLoader includes the paths that were searched. #1661
• PackageLoader shows a clearer error message when the package does not contain the templates directory. #1705
• Improve annotations for methods returning copies. #1880
• urlize does not add mailto: to values like @a@b. #1870
• Tests decorated with @pass_context can be used with the |select filter. #1624
• Using set for multiple assignment (a, b = 1, 2) does not fail when the target is a namespace attribute. #1413
• Using set in all branches of {% if %}{% elif %}{% else %} blocks does not cause the variable to be considered initially undefined. #1253

Changelog

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Version 3.1.5

Released 2024-12-21

• The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. :ghsa:q2x7-8rv6-6q7h
• Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. :issue:1792, :ghsa:gmj6-6f8f-6699
• Sandbox does not allow clear and pop on known mutable sequence types. :issue:2032
• Calling sync render for an async template uses asyncio.run. :pr:1952
• Avoid unclosed auto_aiter warnings. :pr:1960
• Return an aclose-able AsyncGenerator from Template.generate_async. :pr:1960
• Avoid leaving root_render_func() unclosed in Template.generate_async. :pr:1960
• Avoid leaving async generators unclosed in blocks, includes and extends. :pr:1960
• The runtime uses the correct concat function for the current environment when calling block references. :issue:1701
• Make |unique async-aware, allowing it to be used after another async-aware filter. :issue:1781
• |int filter handles OverflowError from scientific notation. :issue:1921
• Make compiling deterministic for tuple unpacking in a {% set ... %} call. :issue:2021
• Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. :issue:2025
• Fix copy/pickle support for the internal missing object. :issue:2027
• Environment.overlay(enable_async) is applied correctly. :pr:2061
• The error message from FileSystemLoader includes the paths that were searched. :issue:1661
• PackageLoader shows a clearer error message when the package does not contain the templates directory. :issue:1705
• Improve annotations for methods returning copies. :pr:1880
• urlize does not add mailto: to values like @a@b. :pr:1870

... (truncated)

Commits

• 1520688 release version 3.1.6
• 90457bb Merge commit from fork
• 065334d attr filter uses env.getattr
• 033c200 start version 3.1.6
• bc68d4e use global contributing guide (#2070)
• 247de5e use global contributing guide
• ab8218c use project advisory link instead of global
• b4ffc8f release version 3.1.5 (#2066)
• 877f6e5 release version 3.1.5
• 8d58859 remove test pypi
• Additional commits viewable in compare view

Updates python-multipart from 0.0.26 to 0.0.27

Release notes

Sourced from python-multipart's releases.

0.0.27

What's Changed

• Pass parse offsets via constructors by @​Kludex in Kludex/python-multipart#268
• Add multipart header limits by @​Kludex in Kludex/python-multipart#267

Full Changelog: Kludex/python-multipart@0.0.26...0.0.27

Changelog

Sourced from python-multipart's changelog.

0.0.27 (2026-04-27)

• Add multipart header limits #267.
• Pass parse offsets via constructors #268.

Commits

• 6d1d689 Version 0.0.27 (#272)
• 0b10220 Run CI on main branch pull requests (#271)
• 3e64f5f Add multipart header limits (#267)
• eb109cc Pass parse offsets via constructors (#268)
• 78e29ab Bump pytest from 9.0.2 to 9.0.3 (#266)
• b2ddd09 fuzz: Enhance fuzzing capabilities with new chunked and boundary tests (#264)
• See full diff in compare view

Updates starlette from 0.37.2 to 0.49.1

Release notes

Sourced from starlette's releases.

Version 0.49.1

This release fixes a security vulnerability in the parsing logic of the Range header in FileResponse.

You can view the full security advisory: GHSA-7f5h-v6xp-fcq8

Fixed

• Optimize the HTTP ranges parsing logic 4ea6e22b489ec388d6004cfbca52dd5b147127c5

---

Full Changelog: Kludex/starlette@0.49.0...0.49.1

Version 0.49.0

Added

• Add encoding parameter to Config class #2996.
• Support multiple cookie headers in Request.cookies #3029.
• Use Literal type for WebSocketEndpoint encoding values #3027.

Changed

• Do not pollute exception context in Middleware when using BaseHTTPMiddleware #2976.

---

New Contributors

• @​TheWesDias made their first contribution in Kludex/starlette#3017
• @​gmos2104 made their first contribution in Kludex/starlette#3027
• @​secrett2633 made their first contribution in Kludex/starlette#2996
• @​adam-sikora made their first contribution in Kludex/starlette#2976

Full Changelog: Kludex/starlette@0.48.0...0.49.0

Version 0.48.0

Added

• Add official Python 3.14 support #3013.

Changed

• Implement RFC9110 http status names #2939.

---

New Contributors

• @​yakimka made their first contribution in Kludex/starlette#2943
• @​mbeijen made their first contribution in Kludex/starlette#2939

Full Changelog: Kludex/starlette@0.47.3...0.48.0

... (truncated)

Changelog

Sourced from starlette's changelog.

0.49.1 (October 28, 2025)

This release fixes a security vulnerability in the parsing logic of the Range header in FileResponse.

You can view the full security advisory: GHSA-7f5h-v6xp-fcq8

Fixed

• Optimize the HTTP ranges parsing logic 4ea6e22b489ec388d6004cfbca52dd5b147127c5

0.49.0 (October 28, 2025)

Added

• Add encoding parameter to Config class #2996.
• Support multiple cookie headers in Request.cookies #3029.
• Use Literal type for WebSocketEndpoint encoding values #3027.

Changed

• Do not pollute exception context in Middleware when using BaseHTTPMiddleware #2976.

0.48.0 (September 13, 2025)

Added

• Add official Python 3.14 support #3013.

Changed

• Implement RFC9110 http status names #2939.

0.47.3 (August 24, 2025)

Fixed

• Use asyncio.iscoroutinefunction for Python 3.12 and older #2984.

0.47.2 (July 20, 2025)

Fixed

• Make UploadFile check for future rollover #2962.

0.47.1 (June 21, 2025)

Fixed

• Use Self in TestClient.__enter__ #2951.
• Allow async exception handlers to type-check #2949.

... (truncated)

Commits

• 7e4b742 Version 0.49.1 (#3047)
• 4ea6e22 Merge commit from fork
• 7d88ea6 Version 0.49.0 (#3046)
• 26d66bb Do not pollute exception context in Middleware (#2976)
• a59397d Set encodings when reading config files (#2996)
• 3b7f0cb test: add test for unknown status (#3035)
• b09ce1a docs: fix legibility issues on sponsorship page (#3039)
• 0f0edcf Revert "Add Marcelo Trylesinski to the license (#3025)" (#3044)
• 3912d63 docs: add social icons (#3038)
• 4915a93 Add discord to README/docs (#3034)
• Additional commits viewable in compare view

Updates python-multipart from 0.0.26 to 0.0.27

Release notes

Sourced from python-multipart's releases.

0.0.27

What's Changed

• Pass parse offsets via constructors by @​Kludex in Kludex/python-multipart#268
• Add multipart header limits by @​Kludex in Kludex/python-multipart#267

Full Changelog: Kludex/python-multipart@0.0.26...0.0.27

Changelog

Sourced from python-multipart's changelog.

0.0.27 (2026-04-27)

• Add multipart header limits #267.
• Pass parse offsets via constructors #268.

Commits

• 6d1d689 Version 0.0.27 (#272)
• 0b10220 Run CI on main branch pull requests (#271)
• 3e64f5f Add multipart header limits (#267)
• eb109cc Pass parse offsets via constructors (#268)
• 78e29ab Bump pytest from 9.0.2 to 9.0.3 (#266)
• b2ddd09 fuzz: Enhance fuzzing capabilities with new chunked and boundary tests (#264)
• See full diff in compare view

Updates starlette from 0.40.0 to 0.49.1

Release notes

Sourced from starlette's releases.

Version 0.49.1

This release fixes a security vulnerability in the parsing logic of the Range header in FileResponse.

You can view the full security advisory: GHSA-7f5h-v6xp-fcq8

Fixed

• Optimize the HTTP ranges parsing logic 4ea6e22b489ec388d6004cfbca52dd5b147127c5

---

Full Changelog: Kludex/starlette@0.49.0...0.49.1

Version 0.49.0

Added

• Add encoding parameter to Config class #2996.
• Support multiple cookie headers in Request.cookies #3029.
• Use Literal type for WebSocketEndpoint encoding values #3027.

Changed

• Do not pollute exception context in Middleware when using BaseHTTPMiddleware #2976.

---

New Contributors

• @​TheWesDias made their first contribution in Kludex/starlette#3017
• @​gmos2104 made their first contribution in Kludex/starlette#3027
• @​secrett2633 made their first contribution in Kludex/starlette#2996
• @​adam-sikora made their first contribution in Kludex/starlette#2976

Full Changelog: Kludex/starlette@0.48.0...0.49.0

Version 0.48.0

Added

• Add official Python 3.14 support #3013.

Changed

• Implement RFC9110 http status names #2939.

---

New Contributors

• @​yakimka made their first contribution in Kludex/starlette#2943
• @​mbeijen made their first contribution in Kludex/starlette#2939

Full Changelog: Kludex/starlette@0.47.3...0.48.0

... (truncated)

Changelog

Sourced from starlette's changelog.

0.49.1 (October 28, 2025)

This release fixes a security vulnerability in the parsing logic of the Range header in FileResponse.

You can view the full security advisory: GHSA-7f5h-v6xp-fcq8

Fixed

• Optimize the HTTP ranges parsing logic 4ea6e22b489ec388d6004cfbca52dd5b147127c5

0.49.0 (October 28, 2025)

Added

• Add encoding parameter to Config class #2996.
• Support multiple cookie headers in Request.cookies #3029.
• Use Literal type for WebSocketEndpoint encoding values #3027.

Changed

• Do not pollute exception context in Middleware when using BaseHTTPMiddleware #2976.

0.48.0 (September 13, 2025)

Added

• Add official Python 3.14 support #3013.

Changed

• Implement RFC9110 http status names #2939.

0.47.3 (August 24, 2025)

Fixed

• Use asyncio.iscoroutinefunction for Python 3.12 and older #2984.

0.47.2 (July 20, 2025)

Fixed

• Make UploadFile check for future rollover #2962.

0.47.1 (June 21, 2025)

Fixed

• Use Self in TestClient.__enter__ #2951.
• Allow async exception handlers to type-check #2949.

... (truncated)

Commits

• 7e4b742 Version 0.49.1 (#3047)
• 4ea6e22 Merge commit from fork
• 7d88ea6 Version 0.49.0 (#3046)
• 26d66bb Do not pollute exception context in Middleware (#2976)
• a59397d Set encodings when reading config files (#2996)
• 3b7f0cb test: add test for unknown status (#3035)
• b09ce1a docs: fix legibility issues on sponsorship page (#3039)
• 0f0edcf Revert "Add Marcelo Trylesinski to the license (#3025)" (#3044)
• 3912d63 docs: add social icons (#3038)
• 4915a93 Add discord to README/docs (#3034)
• Additional commits viewable in compare view

Updates python-multipart from 0.0.26 to 0.0.27

Release notes

Sourced from python-multipart's releases.

0.0.27

What's Changed

• Pass parse offsets via constructors by @​Kludex in Kludex/python-multipart#268
• Add multipart header limits by @​Kludex in Kludex/python-multipart#267

Full Changelog: Kludex/python-multipart@0.0.26...0.0.27

Changelog

Sourced from python-multipart's changelog.

0.0.27 (2026-04-27)

• Add multipart header limits #267.
• Pass parse offsets via constructors #268.

Commits

• 6d1d689 Version 0.0.27 (#272)
• 0b10220 Run CI on main branch pull requests (#271)
• 3e64f5f Add multipart header limits (#267)
• eb109cc Pass parse offsets via constructors (#268)
• 78e29ab Bump pytest from 9.0.2 to 9.0.3 (#266)
• b2ddd09 fuzz: Enhance fuzzing capabilities with new chunked and boundary tests (#264)
• See full diff in compare view

Updates starlette from 0.40.0 to 0.49.1

Release notes

Sourced from starlette's releases.

Version 0.49.1

This release fixes a security vulnerability in the parsing logic of the Range header in FileResponse.

You can view the full security advisory: GHSA-7f5h-v6xp-fcq8

Fixed

• Optimize the HTTP ranges parsing logic 4ea6e22b489ec388d6004cfbca52dd5b147127c5

---

Full Changelog: Kludex/starlette@0.49.0...0.49.1

Version 0.49.0

Added

• Add encoding parameter to Config class #2996.
• Support multiple cookie headers in Request.cookies #3029.
• Use Literal type for WebSocketEndpoint encoding values #3027.

Changed

• Do not pollute exception context in Middleware when using BaseHTTPMiddleware #2976.

---

New Contributors

• @​TheWesDias made their first contribution in Kludex/starlette#3017
• @​gmos2104 made their first contribution in Kludex/starlette#3027
• @​secrett2633 made their first contribution in Kludex/starlette#2996
• @​adam-sikora made their first contribution in Kludex/starlette#2976

Full Changelog: Kludex/starlette@0.48.0...0.49.0

Version 0.48.0

Added

• Add official Python 3.14 support #3013.

Changed

• Implement RFC9110 http status names #2939.

---

New Contributors

• @​yakimka made their first contribution in Kludex/starlette#2943
• @​mbeijen made their first contribution in Kludex/starlette#2939

Full Changelog: Kludex/starlette@0.47.3...0.48.0

... (truncated)

Changelog

Sourced from starlette's changelog.

0.49.1 (October 28, 2025)

This release fixes a security vulnerability in the parsing logic of the Range header in FileResponse.

You can view the full security advisory: GHSA-7f5h-v6xp-fcq8

Fixed

• Optimize the HTTP ranges parsing logic 4ea6e22b489ec388d6004cfbca52dd5b147127c5

0.49.0 (October 28, 2025)

Added

• Add encoding parameter to Config class #2996.
• Support multiple cookie headers in Request.cookies #3029.
• Use Literal type for WebSocketEndpoint encoding values #3027.

Changed

• Do not pollute exception context in Middleware when using BaseHTTPMiddleware #2976.

0.48.0 (September 13, 2025)

Added

• Add official Python 3.14 support #3013.

Changed

• Implement RFC9110 http status names #2939.

0.47.3 (August 24, 2025)

Fixed

• Use asyncio.iscoroutinefunction for Python 3.12 and older #2984.

0.47.2 (July 20, 2025)

Fixed

• Make UploadFile check for future rollover #2962.

0.47.1 (June 21, 2025)

Fixed

• Use Self in TestClient.__enter__ #2951.
• Allow async exception handlers to type-check #2949.

... (truncated)

Commits

• 7e4b742 Version 0.49.1 (#3047)
• 4ea6e22 Merge commit from fork
• 7d88ea6 Version 0.49.0 (#3046)
• 26d66bb Do not pollute exception context in Middleware (#2976)
• a59397d Set encodings when reading config files (#2996)
• 3b7f0cb test: add test for unknown status (#3035)
• b09ce1a docs: fix legibility issues on sponsorship page (#3039)
• 0f0edcf Revert "Add Marcelo Trylesinski to the license (#3025)" (#3044)
• 3912d63 docs: add social icons (#3038)
• 4915a93 Add discord to README/docs (#3034)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.