Skip to content

Bump the pip-major group across 1 directory with 3 updates#416

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/pip-major-97fbc3f72a
Open

Bump the pip-major group across 1 directory with 3 updates#416
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/pip-major-97fbc3f72a

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 15, 2026
edited
Loading

Bumps the pip-major group with 3 updates in the / directory: gunicorn, marshmallow and okta.

Updates gunicorn from 23.0.0 to 25.3.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 25.3.0

Bug Fixes

  • HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2 ASGI requests, causing JSON parsing errors with "Extra data" messages (#3558)

  • ASGI Chunked EOF Handling: Add finish() method to callback parser to handle chunked encoding edge case where connection closes before final CRLF after zero-chunk

  • HTTP/2 Documentation: Fix http_protocols examples to use comma-separated string instead of list syntax (#3561)

  • Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC 9112 (#3556)

  • Request Line Limit: Fix --limit-request-line 0 to mean unlimited as documented, instead of using default maximum. Works with both Python and fast C parser. (#3563)

Security

  • ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
    • Reject duplicate Content-Length headers
    • Reject requests with both Content-Length and Transfer-Encoding
    • Reject chunked transfer encoding in HTTP/1.0
    • Reject stacked chunked encoding
    • Validate Transfer-Encoding values
    • Strict chunk size validation

Changes

  • Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property and InvalidChunkExtension validation for bare CR rejection

  • ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser

  • Docker Images: Update to Python 3.14

Gunicorn 25.2.0

New Features

  • Fast HTTP Parser (gunicorn_h1c 0.4.1): Integrate new exception types and limit parameters from gunicorn_h1c 0.4.1 for both WSGI and ASGI workers
    • Requires gunicorn_h1c >= 0.4.1 for http_parser='fast'
    • Falls back to Python parser in auto mode if version not met
    • Proper HTTP status codes for limit errors (414, 431)

Bug Fixes

  • uWSGI Async Workers: Fix InvalidUWSGIHeader: incomplete header error when using gevent or gthread workers with uwsgi protocol behind nginx. (#3552, [PR #3554](benoitc/gunicorn#3554))

... (truncated)

Commits
  • 9bce72c Update changelog with missing 25.3.0 changes
  • 2a15fdb Fix pylint isinstance-second-argument-not-valid-type warning
  • 8d08aaa Fix --limit-request-line 0 to mean unlimited
  • d40a374 Fix pytest-asyncio configuration and treq_asgi hex escapes
  • da8bd48 Remove unused AsyncRequest class
  • b00f125 Integrate gunicorn_h1c 0.6.3 with InvalidChunkExtension support
  • bdb2ebd Reject chunk extensions with bare CR bytes (RFC 9112)
  • 7057fc9 Fix http_protocols documentation to use string syntax
  • d43acb8 Update to gunicorn_h1c >= 0.6.2 for asgi_headers support
  • cbd27e8 Merge pull request #3559 from benleembruggen/fix/http2-asgi-body-duplication
  • Additional commits viewable in compare view

Updates marshmallow from 3.26.2 to 4.3.0

Changelog

Sourced from marshmallow's changelog.

4.3.0 (2026-04-03)

Features:

  • Add pre_load and post_load parameters to marshmallow.fields.Field for field-level pre- and post-processing (:issue:2787).
  • Typing: improvements to marshmallow.validate (:pr:2940).

4.2.4 (2026-04-02)

Bug fixes:

  • marshmallow.validate.URL and marshmallow.validate.Email accept Internationalized Domain Names (IDNs) (:issue:2821, :issue:2936). marshmallow.validate.Email also correctly rejects IDN domains with leading/trailing hyphens. Thanks :user:touhidurrr for the report.
  • Typing: Fix typing of nested in marshmallow.fields.Nested (:pr:2935).

4.2.3 (2026-03-25)

Bug fixes:

  • Make marshmallow.fields.Number and marshmallow.fields.Mapping abstract base classes to prevent using them within Schemas (:issue:2924). Thanks :user:MartingaleCoda for reporting.
  • Allow required to be set on marshmallow.fields.Contant (:issue:2900). Thanks :user:nosnickid for the report and :user:worksbyfriday for the PR.
  • Fix marshmallow.validate.OneOf emitting extra pairs when labels outnumber choices (:issue:2869). Thanks: user:T90REAL for the report and :user:rstar327 for the PR.
  • Fix behavior when passing a dot-delimited attribute name to partial for a key with data_key set (:pr:2903). Thanks :user:bysiber for the PR.
  • Fix Enum field by-name lookup to only return actual members (:pr:2902). Thanks :user:bysiber for the PR.
  • marshmallow.fields.DateTime with format="timestamp_ms" properly rejects bool values (:pr:2904). Thanks :user:bysiber for the PR.
  • Fix typing of error_messages argument to marshmallow.fields.Field (:pr:1636). Thanks :user:repole for reporting and :user:dhruvildarji for the PR.

Other changes:

  • Add ipaddress.* to marshmallow.Schema.TYPE_MAPPING (:issue:1695). Thanks :user:liberforce for the suggestion and :user:dhruvildarji for the PR.

4.2.2 (2026-02-04)

Bug fixes:

  • Fix behavior of fields.Contant(None) (:issue:2868).

... (truncated)

Commits

Updates okta from 2.9.8 to 3.4.2

Release notes

Sourced from okta's releases.

v3.4.2

What's Changed

Full Changelog: okta/okta-sdk-python@v3.4.1...v3.4.2

v3.4.1

What's Changed

Full Changelog: okta/okta-sdk-python@v3.4.0...v3.4.1

v3.4.0

What's Changed

Full Changelog: okta/okta-sdk-python@v3.3.0...v3.4.0

v3.3.0

What's Changed

Full Changelog: okta/okta-sdk-python@v3.2.0...v3.3.0

v3.2.0

What's Changed

... (truncated)

Changelog

Sourced from okta's changelog.

3.4.2

Security

  • Resolved Dependabot security alerts by upgrading runtime dependencies to their latest secure versions: aenum 3.1.16, aiohttp 3.13.4, pydash 8.0.6, PyJWT 2.12.0, PyYAML 6.0.3, requests 2.33.0, and xmltodict 1.0.2. (#525)
  • Upgraded pytest to 9.0.3 and pytest-asyncio to 1.3.0 to address security and vulnerability concerns. (#527)

Changed

  • Bumped development and testing dependencies: flake8 7.3.0, pyfakefs 5.10.2, pytest-mock 3.15.1, pytest-recording 0.13.4, tox 4.30.3, and twine 6.2.0. (#525)
  • Upgraded GitHub Actions to current major releases: actions/checkout v6 and actions/setup-python v6 to resolve Node.js runtime deprecation warnings. (#525)
  • Updated OpenAPI Generator mustache templates (requirements.mustache, setup.mustache, pyproject.mustache, test-requirements.mustache) to reflect the new dependency versions for consistent future code generation. (#525)

3.4.1

Fixed

  • Fixed Primitive Fallback for oneOf Deserialization in Device Assurance Model.

3.4.0

Added

  • Implemented Demonstrating Proof-of-Possession (DPoP) for OAuth 2.0 (RFC 9449 compliant) to cryptographically bind access tokens to client keys and prevent token theft and replay attacks.
  • Added a thread-safe DPoPProofGenerator class featuring automatic key rotation, nonce management with auto-retry, and access token hash computation.
  • Introduced a new get_oauth_token() method that returns a 3-tuple including token_type.
  • Added support for a new tuple-based file upload format [(field_name, (filename, filedata, mimetype))] for multipart requests.
  • Added Pillow as an optional dependency, allowing users to install it via pip install okta[images].
  • Added the CAA DNS record type to the DNSRecordTypeDomains enum to support custom domain operations returning CAA records.

Changed

  • Maintained backward compatibility for the legacy get_access_token() method, which continues to return a 2-tuple.
  • Replaced bare except clauses with specific exceptions and swapped bypassable assert statements for proper security exceptions.
  • Updated Mustache templates to preserve DPoP configurations in code generation.

Fixed

  • Fixed multipart file upload handling (such as theme image uploads) by removing the manual Content-Type header, which allows aiohttp to automatically set the proper boundary parameters.
  • Removed the minLength: 5 constraint from UserProfile.secondEmail in the OpenAPI spec and Pydantic models to correctly deserialize user profiles with empty string secondary emails.
  • Fixed critical Pydantic validation errors on custom domain API endpoints (create, get, replace, verify, and list) by properly deserializing CAA records.
  • Fixed a bug where the request_executor timeout returned a raw string instead of an Exception.
  • Fixed invalid default parameter usage in cache.get() and restored cache cleanup logic to prevent the reuse of expired tokens.
  • Removed threading.RLock to prevent asyncio deadlocks and consolidated duplicate access token hash computations.
  • Fixed a redundant get_dpop_error_message() call in the oauth module.

3.3.0

Features & Enhancements

  • Implemented forward compatibility for Application models to gracefully handle unknown signOnMode values. By introducing ApplicationJsonConverter, the SDK now routes and preserves unrecognized sign-on modes without triggering Pydantic validation errors, matching the behavior of the .NET SDK.
  • Added the FAILED_TO_VERIFY value to the DomainValidationStatus enum to properly track and handle domain validation failure scenarios.

Bug Fixes

  • Fixed a ValueError crash in list_applications() that occurred when processing pre-existing OIDC apps with null JWKS fields (e.g., use, kty, alg, e, n, crv). The OpenAPI spec and code generation templates were updated to properly handle nullable discriminator fields.
  • Fixed a deserialization bug where EmailDomain and EmailDomainResponse models were silently dropping critical fields (such as id, domain, validationStatus, and dnsValidationRecords). The root cause—incorrect YAML indentation in the OpenAPI allOf composition—was corrected, restoring complete data for the create, replace, and verify email domain endpoints.

... (truncated)

Commits
  • aef7b0d Release v3.4.2 changes (#528)
  • fd23c7d Fix: Security vulnerability (#527)
  • ad029ba Resolve Dependabot Alerts: Upgrade Dependencies & GitHub Actions (#525)
  • 4a51a31 Release v3.4.1 changes (#524)
  • 1eb3cc9 Fix: Primitive Fallback for oneOf Deserialization in Device Assurance Models ...
  • b4e620f Release v3.4.0 changes (#522)
  • 14996a2 Revert changes for EmailDomainDNSRecordType schema (#521)
  • 9b477eb Fix multipart file upload handling in HTTP client (#516)
  • cc03347 Add CAA DNS Record Type Support for Custom Domain Operations (#519)
  • a35bcf9 Remove minLength validation for the secondEmail attribute from the OpenAPI sp...
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 15, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/pip-major-97fbc3f72a branch 2 times, most recently from 07c52e3 to 69b7bd0 Compare April 22, 2026 00:08
@dependabot
Bump the pip-major group across 1 directory with 3 updates
4da69c0 
Bumps the pip-major group with 3 updates in the / directory: [gunicorn](https://github.com/benoitc/gunicorn), [marshmallow](https://github.com/marshmallow-code/marshmallow) and [okta](https://github.com/okta/okta-sdk-python).


Updates `gunicorn` from 23.0.0 to 25.3.0
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](benoitc/gunicorn@23.0.0...25.3.0)

Updates `marshmallow` from 3.26.2 to 4.3.0
- [Changelog](https://github.com/marshmallow-code/marshmallow/blob/dev/CHANGELOG.rst)
- [Commits](marshmallow-code/marshmallow@3.26.2...4.3.0)

Updates `okta` from 2.9.8 to 3.4.2
- [Release notes](https://github.com/okta/okta-sdk-python/releases)
- [Changelog](https://github.com/okta/okta-sdk-python/blob/master/CHANGELOG.md)
- [Commits](okta/okta-sdk-python@v2.9.8...v3.4.2)

---
updated-dependencies:
- dependency-name: gunicorn
  dependency-version: 25.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: pip-major
- dependency-name: marshmallow
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: pip-major
- dependency-name: okta
  dependency-version: 3.4.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: pip-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/pip-major-97fbc3f72a branch from 69b7bd0 to 4da69c0 Compare April 29, 2026 00:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants