chore: bump the python-dependencies group with 10 updates #233

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/python-dependencies-b2858e7513

dependabot[bot] commented on behalf of github on Jun 4, 2026

Updates the requirements on django, pytz, gunicorn, django-upgrade, whitenoise, django-structlog, django-allauth[socialaccount], sentry-sdk[django], pytest and django-import-export[all] to permit the latest version.
Updates django from 5.2.11 to 6.0.6

Commits
  • ee93f65 [6.0.x] Bumped version for 6.0.6 release.
  • 1721035 [6.0.x] Fixed CVE-2026-48587 -- Ignored whitespace padding when checking Vary...
  • 664652f [6.0.x] Fixed CVE-2026-35193 -- Varied on Authorization when caching non-publ...
  • b433025 [6.0.x] Fixed CVE-2026-8404 -- Used Cache-Control directives case-insensitive...
  • 625a670 [6.0.x] Fixed CVE-2026-7666 -- Delayed setting SMTP connection until fully co...
  • c807d9c [6.0.x] Fixed CVE-2026-6873 -- Prevented signed cookie salt namespace collisi...
  • 98a75e3 [6.0.x] Included commit hash in checksum file when building artifacts for rel...
  • dd895d6 [6.0.x] Updated translations from Transifex.
  • 49ca2db [6.0.x] Updated links to severity levels in release notes.
  • c9f32a2 [6.0.x] Added stub release notes and release date for 6.0.6 and 5.2.15.
  • Additional commits viewable in compare view

Updates pytz from 2025.2 to 2026.2

Commits
  • 45957c5 Bump github actions/checkout to @v6
  • 8e927c6 Bump version numbers to 2026.2 (IANA 2026b)
  • 6f08ade IANA 2026b
  • edbfbdf Squashed 'tz/' changes from dd6be6d155..8be0d5483d
  • a148b03 Fix typo in README
  • b841195 fix typo
  • 02509d0 Update test runners for new Pythons and github actions
  • 43c1cb2 Bump version number to 2026.1.post1
  • 6ee7e56 Try to access resource using importlib.resources
  • 95fe75d Bump version number to 2026.1 (2026a)
  • Additional commits viewable in compare view

Updates gunicorn from 25.1.0 to 26.0.0

Release notes

Sourced from gunicorn's releases.

26.0.0

Breaking Changes

  • Eventlet worker removed: The eventlet worker class has been dropped. Migrate to gevent, gthread, or tornado.

New Features

  • ASGI Framework Compatibility Suite: New end-to-end compatibility test harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep. Current grid passes 438/444 tests (98%).
  • ASGI Test Suite Expansion: 134 additional ASGI unit tests covering protocol semantics, lifespan, websockets, and chunked framing.

Security

  • HTTP/1.1 Request-Target Validation (RFC 9112 sections 3.2.3, 3.2.4):
    • Reject authority-form request-target outside CONNECT
    • Reject asterisk-form request-target outside OPTIONS
    • Reject relative-reference request-targets
  • Header Field Hardening (RFC 9110):
    • Reject control characters in header field-value (section 5.5)
    • Reject forbidden trailer field-names (section 6.5.1)
    • Reject Content-Length list form (RFC 9112 section 6.3)
  • Request Smuggling Hardening:
    • Tighten keepalive gate and scope finish_body byte cap
    • Keep _body_receiver alive across the keepalive smuggling gate so pipelined requests cannot re-enter a closed body
    • Address parser/protocol findings from a six-point WSGI/ASGI audit
  • PROXY Protocol (ASGI): Enforce proxy_allow_ips and tighten v1/v2 parsing in the ASGI callback parser.
  • Connection Draining: Drain the connection on close per RFC 9112 section 9.6 to prevent reset-on-close truncation.

Bug Fixes

  • Body Framing on HEAD/204/304:
    • Keep Content-Length on HEAD and 304 responses (#3621)
    • Drop body framing on HEAD/204/304 even when the framework set it
    • Warn once when an ASGI app emits a body for a no-body response
  • HTTP/2 ASGI:
    • Fix _handle_stream_ended to set _body_complete in the async HTTP/2 handler so request bodies finalize correctly on stream end
    • Add InvalidChunkExtension mapping and fast-parser support in ASGI tests (#3565)
  • HTTP/1.1 100-Continue: Stop adding Transfer-Encoding: chunked to 100-Continue interim responses.
  • WebSocket Close Handshake (RFC 6455):
    • Comply with the close handshake state machine
    • Close the transport after the close handshake completes
    • Fix binary send when the text key is None
  • Early Hints: Validate headers in the early_hints callback to match process_headers; pass only the header name to InvalidHeader (#3588).
  • ASGI Framework Fixes:
    • Fix ASGI disconnect handling for Django-style apps
    • Fix Litestar request handling (use raw ASGI receive for body/headers)
    • Fix Litestar HTTP endpoints for compatibility tests
    • Fix Quart headers endpoint to normalize keys to lowercase
    • Fix Quart WebSocket close test app (missing accept())
    • Fix duplicate Transfer-Encoding header for BlackSheep streaming

... (truncated)

Commits
  • 5d819cf release: 26.0.0
  • b45c70d Merge pull request #3611 from zc-mattcen/docs-typo
  • 99c8d48 Merge pull request #3623 from benoitc/chore/drop-eventlet-add-h2-uvloop-test-...
  • 5a655af Merge pull request #3622 from benoitc/test/docker-port-and-ipv4-fixes
  • 201df19 chore: remove eventlet worker; add h2 and uvloop to test deps
  • f4ac8e1 test: pass action name to dirty client and stabilize after TTOU spam
  • 54d38af test: unblock docker fixtures on macOS hosts
  • 68843c8 Merge pull request #3621 from benoitc/fix/asgi-preserve-content-length-on-hea...
  • 31f2618 Merge pull request #3620 from benoitc/fix/asgi-proxy-protocol-trust-and-parsing
  • 41ec752 fix: keep Content-Length on HEAD and 304 responses
  • Additional commits viewable in compare view

Updates django-upgrade from 1.29.1 to 1.30.0

Changelog

Sourced from django-upgrade's changelog.

1.30.0 (2026-02-24)

  • Support parsing Django versions without a minor part from pyproject.toml. For example, django>=6 will be parsed as for Django 6.0+.

    PR #625 (https://github.com/adamchainz/django-upgrade/pull/625).

  • Drop Python 3.9 support.

Updates whitenoise from 6.11.0 to 6.12.0

Changelog

Sourced from whitenoise's changelog.

6.12.0 (2026-02-27)

  • Drop Python 3.9 support.
  • Fix potential unauthorised file access vulnerability in "autorefresh" mode. See PR #684 (https://github.com/evansd/whitenoise/pull/684) for details, and a reminder that autorefresh mode has always been documented as unsuitable for production use. Thanks Seth Larson for reporting.

Updates django-structlog from 10.0.0 to 10.1.0

Changelog

Sourced from django-structlog's changelog.

10.1.0 (May 30, 2025)

New:

  • Add settings to configure the logging levels for the request middleware and celery task events. See #1022 (https://github.com/jrobichaud/django-structlog/issues/1022).

Commits
  • a53b04e Bump version
  • 4c2e49a Merge pull request #1024 from offbyone/push-tkpuvxrrvkvu
  • 770a6b2 Make the log level for the request middleware fully configurable
  • dd60535 Merge pull request #1001 from jrobichaud/dependabot/pip/docs/sphinx-9.1.0
  • 1cc4dc0 Merge pull request #1011 from jrobichaud/dependabot/pip/requirements/coverage...
  • e110580 Merge pull request #1012 from jrobichaud/dependabot/github_actions/peter-evan...
  • 960a1ea Merge pull request #1014 from jrobichaud/dependabot/pip/docs/importlib-metada...
  • f0c6d5c Merge pull request #1015 from jrobichaud/dependabot/github_actions/codecov/co...
  • d3383c0 Merge pull request #1016 from jrobichaud/dependabot/pip/docs/celery-5.6.3
  • 944199e chore(deps): bump celery from 5.6.2 to 5.6.3 in /docs
  • Additional commits viewable in compare view

Updates django-allauth[socialaccount] to 65.18.0

Updates sentry-sdk[django] to 2.61.1

Release notes

Sourced from sentry-sdk[django]'s releases.

2.61.1

Internal Changes 🔧

Rq

Other

Changelog

Sourced from sentry-sdk[django]'s changelog.

2.61.1

Internal Changes 🔧

Rq

Other

2.61.0

New Features ✨

  • Add server.address to transformed spans when stream_gen_ai_spans=True by @alexander-alderman-webb in #6307

  • Allow integrations to define control flow exceptions by @sentrivana in #6425

  • Disable string truncation for events by default by @alexander-alderman-webb in #6290

    Following a previous significant increase of the string truncation limit, we've now completely removed the limit by default. In case you have large strings in your events, you should now be able to see them.

    In rare cases, if you have really long strings (or a lot of them), you might see envelopes being dropped because of their size. If that happens, you can set the max_value_length init option to the previous value of 100_000:

    sentry_sdk.init(
        ...,
        max_value_length=100_000,
    )

Bug Fixes 🐛

Langchain

Openai Agents

... (truncated)

Commits
  • 5c95559 Update CHANGELOG.md
  • b98bcb1 release: 2.61.1
  • 504cbe9 ci(rq): Pin fakeredis<2.36.0 in tests (#6454)
  • 1f3f3eb fix(sampling): Attribute backpressure as unsampling reason more accurately ...
  • 2ce26d1 ci(tox): migrate from pip to uv via tox-uv (#6390)
  • 8a4062b ci(rq): Unpin redis and fakeredis for tests (#6443)
  • 8d442df fix(span-first): Set user.ip_address on all streamed spans (#6434)
  • e8d67d8 feat(rust-tracing): Support span streaming (#6433)
  • 0749d3e feat(litellm): Support span streaming (#6317)
  • b4e0367 test(aiohttp): Unfurl spans explicitly instead of using pop() (#6435)
  • Additional commits viewable in compare view

Updates pytest from 9.0.2 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

  • #12444: Fixed pytest.approx which now correctly takes into account collections.abc.Mapping keys order to compare them.

  • #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

    Previously this resulted in an internal assertion failure during plugin loading.

    Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

  • #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

  • #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

  • #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

  • #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
  • #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in "Accessing captured output from a test function".
  • #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
  • #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

  • #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics are visible on the web interface.

    -- by aleguy02

Updates django-import-export[all] to 4.4.1

Release notes

Sourced from django-import-export[all]'s releases.

4.4.1

Changelog

Sourced from django-import-export[all]'s changelog.

4.4.1 (2026-05-05)

  • Refactor lookup value retrieval in Field and CachedForeignKeyWidget (2146, https://github.com/django-import-export/django-import-export/pull/2146)
  • Fix IncorrectLookupParameters when exporting from filtered change view (2154, https://github.com/django-import-export/django-import-export/pull/2154)
  • Fix console error 'resource select input not found' on export (2158, https://github.com/django-import-export/django-import-export/pull/2158)
  • Fix CachedForeignKeyWidget type mismatch on non-string lookup fields (2159, https://github.com/django-import-export/django-import-export/pull/2159)

4.4.0 (2026-01-10)

  • Added CachedForeignKeyWidget (2142, https://github.com/django-import-export/django-import-export/pull/2142)

4.3.14 (2025-11-13)

  • Add Ukrainian translation (2132, https://github.com/django-import-export/django-import-export/pull/2132)

4.3.13 (2025-10-31)

  • Fix: file_name is None in before_import_row when skip_import_confirm=True (2129, https://github.com/django-import-export/django-import-export/pull/2129)

4.3.12 (2025-10-19)

  • Minor documentation fix

4.3.11 (2025-10-19)

  • Fix for export not retaining URI query params (2097, https://github.com/django-import-export/django-import-export/pull/2097)

4.3.10 (2025-09-26)

  • Improved field value extraction for dict-based querysets (2098, https://github.com/django-import-export/django-import-export/pull/2098)
  • Performance improvements for membership checks (2090, https://github.com/django-import-export/django-import-export/pull/2090)
  • Fix ForeignKeyWidget export issue (2117, https://github.com/django-import-export/django-import-export/pull/2117)
  • Improved documentation for clean() methods (2115, https://github.com/django-import-export/django-import-export/pull/2115)
  • Documentation updates: JSONField export with attribute syntax (2100, https://github.com/django-import-export/django-import-export/pull/2100)
  • Documentation updates: handling TooManyFieldsSent (2103, https://github.com/django-import-export/django-import-export/pull/2103)
  • Updated Turkish translation (2101, https://github.com/django-import-export/django-import-export/pull/2101)
  • Updated Czech translation (2111, https://github.com/django-import-export/django-import-export/pull/2111)

4.3.9 (2025-07-21)

  • Allow specifying meta options in the model_resourcefactory (2078, https://github.com/django-import-export/django-import-export/pull/2078)
  • Allow custom fields and methods in model_resourcefactory (2081, https://github.com/django-import-export/django-import-export/pull/2081)

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Updates the requirements on [django](https://github.com/django/django), [pytz](https://github.com/stub42/pytz), [gunicorn](https://github.com/benoitc/gunicorn), [django-upgrade](https://github.com/adamchainz/django-upgrade), [whitenoise](https://github.com/evansd/whitenoise), [django-structlog](https://github.com/jrobichaud/django-structlog), [django-allauth[socialaccount]](https://github.com/sponsors/pennersr), [sentry-sdk[django]](https://github.com/getsentry/sentry-python), [pytest](https://github.com/pytest-dev/pytest) and [django-import-export[all]](https://github.com/django-import-export/django-import-export) to permit the latest version.

Updates `django` from 5.2.11 to 6.0.6
- [Commits](django/django@5.2.11...6.0.6)

Updates `pytz` from 2025.2 to 2026.2
- [Release notes](https://github.com/stub42/pytz/releases)
- [Commits](stub42/pytz@release_2025.2...release_2026.2)

Updates `gunicorn` from 25.1.0 to 26.0.0
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](benoitc/gunicorn@25.1.0...26.0.0)

Updates `django-upgrade` from 1.29.1 to 1.30.0
- [Changelog](https://github.com/adamchainz/django-upgrade/blob/main/docs/changelog.rst)
- [Commits](adamchainz/django-upgrade@1.29.1...1.30.0)

Updates `whitenoise` from 6.11.0 to 6.12.0
- [Changelog](https://github.com/evansd/whitenoise/blob/main/docs/changelog.rst)
- [Commits](evansd/whitenoise@6.11.0...6.12.0)

Updates `django-structlog` from 10.0.0 to 10.1.0
- [Changelog](https://github.com/jrobichaud/django-structlog/blob/main/docs/changelog.rst)
- [Commits](jrobichaud/django-structlog@10.0.0...10.1.0)

Updates `django-allauth[socialaccount]` to 65.18.0
- [Commits](https://github.com/sponsors/pennersr/commits)

Updates `sentry-sdk[django]` to 2.61.1
- [Release notes](https://github.com/getsentry/sentry-python/releases)
- [Changelog](https://github.com/getsentry/sentry-python/blob/master/CHANGELOG.md)
- [Commits](getsentry/sentry-python@2.8.0...2.61.1)

Updates `pytest` from 9.0.2 to 9.0.3
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.2...9.0.3)

Updates `django-import-export[all]` to 4.4.1
- [Release notes](https://github.com/django-import-export/django-import-export/releases)
- [Changelog](https://github.com/django-import-export/django-import-export/blob/main/docs/changelog.rst)
- [Commits](django-import-export/django-import-export@4.3.4...4.4.1)

---
updated-dependencies:
- dependency-name: django
  dependency-version: 6.0.6
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: python-dependencies
- dependency-name: pytz
  dependency-version: '2026.2'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: python-dependencies
- dependency-name: gunicorn
  dependency-version: 26.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: python-dependencies
- dependency-name: django-upgrade
  dependency-version: 1.30.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: whitenoise
  dependency-version: 6.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: django-structlog
  dependency-version: 10.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: django-allauth[socialaccount]
  dependency-version: 65.18.0
  dependency-type: direct:production
  dependency-group: python-dependencies
- dependency-name: sentry-sdk[django]
  dependency-version: 2.61.1
  dependency-type: direct:production
  dependency-group: python-dependencies
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-dependencies
- dependency-name: django-import-export[all]
  dependency-version: 4.4.1
  dependency-type: direct:production
  dependency-group: python-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and python:uv (Pull requests that update python:uv code) on Jun 4, 2026