Update dependency werkzeug to v3.1.6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
werkzeug (changelog)	3.1.5 → 3.1.6

GitHub Vulnerability Alerts

CVE-2026-27199

Werkzeug's safe_join function allows Windows device names as filenames if when preceded by other path segments.

This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that safe_join accepts paths with multiple segments, such as example/NUL.

send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.

---

Release Notes

pallets/werkzeug (werkzeug)

v3.1.6

Compare Source

Released 2026-02-19

• safe_join on Windows does not allow special devices names in
  multi-segment paths. :ghsa:29vq-49wr-vm6x

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying selfie with    Cloudflare Pages

Latest commit:	4379195
Status:	✅  Deploy successful!
Preview URL:	https://6e3d5066.selfie-4ye.pages.dev
Branch Preview URL:	https://renovate-pypi-werkzeug-vulne.selfie-4ye.pages.dev

View logs