Bump servestatic[brotli] from 3.1.0 to 4.1.0 in /requirements #333

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/requirements/main/servestatic-brotli--4.1.0

@dependabot dependabot bot commented on behalf of github Mar 9, 2026

Bumps servestatic[brotli] from 3.1.0 to 4.1.0.

Release notes

Sourced from servestatic[brotli]'s releases.

4.1.0

[!TIP] This release includes some changes to the default behavior of ServeStatic for security hardening. If you are affected by any of these changes, please read the relevant sections in the documentation on allow_unsafe_symlinks.

Added

  • Added support for zstd compression on Python 3.14+.
  • Added support for the top-level servestatic module to run as a Django app.
  • Added Django system checks to test for common misconfigurations.
  • Added allow_unsafe_symlinks configuration option for WSGI/ASGI.
  • Added SERVESTATIC_ALLOW_UNSAFE_SYMLINKS configuration option for Django.
  • Added jxl image support.

Changed

  • Improved event-loop handling for ASGI file iterator.
  • Installing servestatic as a Django app is now the suggested configuration. A warning will appear if it is not detected in INSTALLED_APPS when DEBUG is True.
  • servestatic.runserver_nostatic is no longer the recommended Django app installation path. This import path will be retained to ease WhiteNoise to ServeStatic migration, but now the documentation recommends using the top-level servestatic module instead.

Fixed

  • Fixed a range-request edge case where the last byte could be requested but would not be served.

Security

  • Hardened autorefresh path matching to prevent potential path traversal or path clobbering.
  • Hardened static file resolution to block symlink breakout by default. If your symlinks point to files outside of your static root, it is highly recommended to copy them instead.

4.0.0

Added

  • Added servestatic CLI command for creating manifests, hashing, and compressing for static files.

Changed

  • Minimum Python version is now 3.10.
  • immutable_file_test now defaults to a regex matching the file name format generated by servestatic --hash (for example app.db8f2edc0c8a.js).

Deprecated

  • Calling the compression API via python -m servestatic.compress is now deprecated. Please use the servestatic --compress CLI instead.

Fixed

  • Fix race condition where ServeStatic could throw an exception when shutting down async file threads.

Changelog

Sourced from servestatic[brotli]'s changelog.

[4.1.0] - 2026-03-07

!!! tip

This release includes some changes to the default behavior of `ServeStatic` for security hardening. If you are affected by any of these changes, please read the relevant sections in the documentation on `allow_unsafe_symlinks`.

Added

  • Added support for zstd compression on Python 3.14+.
  • Added support for the top-level servestatic module to run as a Django app.
  • Added Django system checks to test for common misconfigurations.
  • Added a new allow_unsafe_symlinks configuration option for WSGI/ASGI.
  • Added a new SERVESTATIC_ALLOW_UNSAFE_SYMLINKS configuration option for Django.
  • Added jxl image support.

Changed

  • Improved event-loop handling for ASGI file iterator.
  • Installing servestatic as a Django app is now the suggested configuration. A warning will appear if it is not detected in INSTALLED_APPS when DEBUG is True.
  • servestatic.runserver_nostatic is no longer the recommended Django app installation path. This import path will be retained to ease WhiteNoise to ServeStatic migration, but now the documentation recommends using the top-level servestatic module instead.
  • For security purposes, ServeStatic will no longer follow unsafe symlinks by default. If your symlinks point to files outside of your static root, it is highly recommended to copy them instead. This behavior can be disabled for trusted deployments using allow_unsafe_symlinks / SERVESTATIC_ALLOW_UNSAFE_SYMLINKS.

Fixed

  • Fixed a range-request edge case where the last byte could be requested but would not be served.

Security

  • Hardened autorefresh path matching to prevent potential path traversal or path clobbering.
  • Hardened static file resolution to block symlink breakout by default.

[4.0.0] - 2026-03-05

Added

  • Added servestatic CLI command for creating manifests, hashing, and compressing for static files.

Changed

  • Minimum Python version is now 3.10.
  • immutable_file_test now defaults to a regex matching the file name format generated by servestatic --hash (for example app.db8f2edc0c8a.js).

Deprecated

  • Calling the compression API via python -m servestatic.compress is now deprecated. Please use the servestatic --compress CLI instead.

Fixed

  • Fix race condition where ServeStatic could throw an exception when shutting down async file threads.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [servestatic[brotli]](https://github.com/Archmonger/ServeStatic) from 3.1.0 to 4.1.0.
- [Release notes](https://github.com/Archmonger/ServeStatic/releases)
- [Changelog](https://github.com/Archmonger/ServeStatic/blob/main/CHANGELOG.md)
- [Commits](Archmonger/ServeStatic@3.1.0...4.1.0)

---
updated-dependencies:
- dependency-name: servestatic[brotli]
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) labels Mar 9, 2026
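
An added example, not part of this pull request or of ServeStatic's code: a pre-merge audit that lists symlinks under a static root whose resolved target lies outside that root, the case the 4.1.0 notes say is no longer followed by default. The function names and the sample directory layout are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(static_root):
    """Return sorted (link, resolved_target) pairs for symlinks under
    static_root whose real path lies outside static_root."""
    root = Path(static_root).resolve()
    findings = []
    # followlinks=False: report a linked directory once instead of walking into it.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            target = Path(os.path.realpath(entry))  # resolves chained links too
            if target != root and root not in target.parents:
                findings.append((str(entry.relative_to(root)), str(target)))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample layout: one in-root link, plus one file link and
    one directory link that both leave the static root."""
    base = Path(base).resolve()
    static, outside = base / "static", base / "shared"
    (static / "css").mkdir(parents=True)
    (outside / "fonts").mkdir(parents=True)
    (static / "css" / "app.css").write_text("body{}")
    (outside / "logo.png").write_bytes(b"\x89PNG")
    os.symlink(static / "css" / "app.css", static / "app-latest.css")  # stays inside
    os.symlink(outside / "logo.png", static / "logo.png")  # escapes the root
    os.symlink(outside / "fonts", static / "fonts", target_is_directory=True)  # escapes
    return static


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for link, target in find_escaping_symlinks(build_sample_tree(tmp)):
            print(f"{link} -> {target}")
```

Running `find_escaping_symlinks` against the real static root before merging shows which files would need to be copied into the root, as the release notes recommend, rather than served through a link.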