Update Python Packages Updates (minor/patch)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
aiostream	==0.4.5 → ==0.7.1
appy	==1.0.19 → ==1.0.20
arrow	==1.3.0 → ==1.4.0
asgiref (changelog)	==3.8.1 → ==3.11.1
attrs (changelog)	==25.3.0 → ==25.4.0
beautifulsoup4 (changelog)	==4.11.2 → ==4.14.3
billiard	==4.2.2 → ==4.2.4
btrees (changelog)	==6.1 → ==6.3
caldav (changelog)	==1.4.0 → ==1.6.0
celery (source, changelog)	==5.5.3 → ==5.6.2
certifi	==2025.4.26 → ==2025.11.12
charset-normalizer (changelog)	==3.4.3 → ==3.4.4
click (changelog)	==8.1.8 → ==8.3.1
coverage	==7.8.0 → ==7.13.4
cssselect2 (changelog)	==0.8.0 → ==0.9.0
dill	==0.4.0 → ==0.4.1
dj-rest-auth	==7.0.1 → ==7.1.1
django-cors-headers (changelog)	==4.7.0 → ==4.9.0
django-crispy-forms (changelog)	==2.4 → ==2.6
django-filer	==3.3.2 → ==3.4.4
django-modelcluster	==6.4 → ==6.4.1
django-oauth-toolkit	==3.0.1 → ==3.2.0
django-select2-forms	==3.0.0 → ==3.1.0
django-stubs-ext (changelog)	==5.2.7 → ==5.2.9
django-tables2 (changelog)	==2.7.5 → ==2.8.0
django-tasks (changelog)	==0.7.0 → ==0.12.0
django-treebeard	==4.7.1 → ==4.8.0
django-unfold (changelog)	==0.78.1 → ==0.81.0
fonttools	==4.61.0 → ==4.61.1
frozenlist	==1.6.0 → ==1.8.0
greenlet (changelog)	==3.2.4 → ==3.3.2
icalendar (changelog)	==6.3.1 → ==6.3.2
idna (changelog)	==3.10 → ==3.11
isort (changelog)	==6.0.1 → ==6.1.0
json5 (changelog)	==0.12.1 → ==0.13.0
kaleido	==0.2.1 → ==0.2.1.post1
kombu (source)	==5.5.4 → ==5.6.2
matplotlib	==3.10.6 → ==3.10.8
multidict	==6.4.3 → ==6.7.1
mysqlclient	==2.2.7 → ==2.2.8
narwhals	==1.39.1 → ==1.48.1
numpy (changelog)	==2.3.3 → ==2.4.2
oauthlib	==3.2.2 → ==3.3.1
persistent (changelog)	==6.1.1 → ==6.5
platformdirs (changelog)	==4.3.8 → ==4.9.2
plotly (changelog)	==6.0.1 → ==6.5.2
propcache	==0.3.2 → ==0.4.1
pycparser	==2.22 → ==2.23
pylint (changelog)	==3.3.8 → ==3.3.9
pyparsing	==3.2.5 → ==3.3.2
pysaml2	==7.5.2 → ==7.5.4
python-stdnum	==2.1 → ==2.2
qrbill (changelog)	==1.1.0 → ==1.2.0
recurring-ical-events (changelog)	==3.7.0 → ==3.8.1
redis (changelog)	==5.2.1 → ==5.3.1
regex	==2025.10.23 → ==2025.11.3
reportlab	==4.4.4 → ==4.4.10
rocketchat-api	==1.35.1 → ==1.37.0
ruff (source, changelog)	==0.12.10 → ==0.15.4
soupsieve	==2.7 → ==2.8.3
sqlalchemy-utils	==0.41.2 → ==0.42.1
sqlparse (changelog)	==0.5.4 → ==0.5.5
svglib	==1.5.1 → ==1.6.0
tinycss2 (changelog)	==1.4.0 → ==1.5.1
tomlkit	==0.13.3 → ==0.14.0
tqdm (changelog)	==4.67.1 → ==4.67.3
types-python-dateutil (changelog)	==2.9.0.20250822 → ==2.9.0.20260302
typing-extensions (changelog)	==4.13.2 → ==4.15.0
tzdata	==2025.2 → ==2025.3
vdirsyncer	==0.19.3 → ==0.20.0
wagtail (changelog)	==7.0.6 → ==7.3
wagtailmenus	==4.0.4 → ==4.0.6
wcwidth	==0.2.13 → ==0.6.0
whitenoise (changelog)	==6.6.0 → ==6.12.0
willow (changelog)	==1.11.0 → ==1.12.0
yarl	==1.20.1 → ==1.23.0
zconfig	==4.2 → ==4.3
zodb (changelog)	==6.0.1 → ==6.2
zodbpickle (changelog)	==4.2 → ==4.3
zope-deferredimport (changelog)	==5.0 → ==5.1

---

Release Notes

vxgmichel/aiostream (aiostream)

v0.7.1

Compare Source

What's Changed

• Fix typing for stream.create.just by @​vxgmichel in #​134
• Fix: strict zip of items that fail on __eq__ by @​vthemelis in #​135
• Fix: Use is instead of isinstance by @​vthemelis in #​136
• Add python 3.14 support by @​vxgmichel in #​138

New Contributors

• @​vthemelis made their first contribution in #​135

Full Changelog: vxgmichel/aiostream@v0.7.0...v0.7.1

v0.7.0

Compare Source

What's Changed

• Improve performance for sequential combine operations (task_limit=1) by @​vxgmichel in #​131
• Raise a ValueError when 'task_limit' or 'ordered' arguments are provided with a sync function by @​vxgmichel in #​132

Full Changelog: vxgmichel/aiostream@v0.6.4...v0.7.0

v0.6.4

Compare Source

What's Changed

• Drop support for python 3.8, add support for python 3.13 by @​fpgmaas in #​123

New Contributors

• @​fpgmaas made their first contribution in #​123

Full Changelog: vxgmichel/aiostream@v0.6.3...v0.6.4

v0.6.3

Compare Source

What's Changed

• Add MANIFEST.in to include tests/conftests.py in source dist by @​vxgmichel (issue #​121, PR #​122)

Full Changelog: vxgmichel/aiostream@v0.6.2...v0.6.3

v0.6.2

Compare Source

What's Changed

• Fixing the issue of the lack of installation sections by @​thepapermen in #​113
• Configure pytest test paths so test_utils.py is not mistaken for a test file by @​vxgmichel in #​117
• Add strict parameter to stream.zip by @​smheidrich in #​119

New Contributors

• @​thepapermen made their first contribution in #​113
• @​smheidrich made their first contribution in #​119

Full Changelog: vxgmichel/aiostream@v0.6.1...v0.6.2

v0.6.1

Compare Source

Changes:

• Fix documentation build (42f9119)
• Expose Stream and sources_operator in the aiostream package (e029efd)

v0.6.0

Compare Source

Changes:

• Support python 3.12 (PR #​93)
• Support pyright and improve typing in general (PR #​99)
• Move from setup.* to pyproject.toml (PR #​101, #​102, #​103, #​110)
• Add typing to aiostream.test_utils (PR #​104)
• Make operators a singleton object instead of a class (PR #​106)
• Add sources operator to fix a breaking change in v0.5.x (PR #​108, issue #​95)

Thanks to @​hf-kklein for the valuable contributions :)

v0.5.2

Compare Source

Changes:

• Properly expose pipe methods in aiostream.pipe (PR #​88, issue #​87)

[!WARNING]
The 0.5.x releases are affected by an unintentional breaking change, see the v0.5.0 release for more information.

v0.5.1

Compare Source

Changes:

• Expose pipable_operator at package level (46ddb24)
• Modernize examples (a704e9a)

[!WARNING]
The 0.5.x releases are affected by an unintentional breaking change, see the v0.5.0 release for more information.

v0.5.0

Compare Source

Changes:

• Drop python 3.7 support
• Add type annotations (issue #​36, PR #​84)
• Add task_limit argument to action operator (issue #​85, PR #​86)

[!WARNING]
A breaking change has slipped into this release: The merge, chain and ziplatest operators used to work with no sources provided:

 assert await (stream.merge() | pipe.list()) == []
 assert await (stream.chain() | pipe.list()) == []
 assert await (stream.ziplatest() | pipe.list()) == []

This is no longer the case for releases 0.5.x, where at least one async iterable has to be provided for those operators.
This can be a problem for code that passes an arbitrary list of arguments to the operator, as this list might be empty.
A workaround exists for the merge operator, which works by adding stream.empty() to the list of arguments:

 args = []
 new_args = stream.empty(), *args
 assert await (stream.merge(*new_args) | pipe.list()) == []

The zip operator should have also been affected, although the former version had a bug that caused an empty zip to block indefinitely.

This change has been fixed in v0.6.0

arrow-py/arrow (arrow)

v1.4.0

Compare Source

• [ADDED] Added week_start parameter to floor() and ceil() methods. PR #&#8203;1222 <https://github.com/arrow-py/arrow/pull/1222>_
• [ADDED] Added FORMAT_RFC3339_STRICT with a T separator. PR #&#8203;1201 <https://github.com/arrow-py/arrow/pull/1201>_
• [ADDED] Added Macedonian in Latin locale support. PR #&#8203;1200 <https://github.com/arrow-py/arrow/pull/1200>_
• [ADDED] Added Persian/Farsi locale support. PR #&#8203;1190 <https://github.com/arrow-py/arrow/pull/1190>_
• [ADDED] Added week and weeks to Thai locale timeframes. PR #&#8203;1218 <https://github.com/arrow-py/arrow/pull/1218>_
• [ADDED] Added weeks to Catalan locale. PR #&#8203;1189 <https://github.com/arrow-py/arrow/pull/1189>_
• [ADDED] Added Persian names of months, month-abbreviations and day-abbreviations in Gregorian calendar. PR #&#8203;1172 <https://github.com/arrow-py/arrow/pull/1172>_
• [CHANGED] Migrated Arrow to use ZoneInfo for timezones instead of pytz. PR #&#8203;1217 <https://github.com/arrow-py/arrow/pull/1217>_
• [FIXED] Fixed humanize month limits. PR #&#8203;1224 <https://github.com/arrow-py/arrow/pull/1224>_
• [FIXED] Fixed type hint of Arrow.__getattr__. PR #&#8203;1171 <https://github.com/arrow-py/arrow/pull/1171>_
• [FIXED] Fixed spelling and removed poorly used expressions in Korean locale. PR #&#8203;1181 <https://github.com/arrow-py/arrow/pull/1181>_
• [FIXED] Updated shift() method for issue #​1145. PR #&#8203;1194 <https://github.com/arrow-py/arrow/pull/1194>_
• [FIXED] Improved Greek locale translations (seconds, days, "ago", and month typo). PR #&#8203;1184 <https://github.com/arrow-py/arrow/pull/1184>, PR #&#8203;1186 <https://github.com/arrow-py/arrow/pull/1186>
• [FIXED] Addressed datetime.utcnow deprecation warning. PR #&#8203;1182 <https://github.com/arrow-py/arrow/pull/1182>_
• [INTERNAL] Added codecov test results. PR #&#8203;1223 <https://github.com/arrow-py/arrow/pull/1223>_
• [INTERNAL] Updated CI dependencies (actions/setup-python, actions/checkout, codecov/codecov-action, actions/cache).
• [INTERNAL] Added docstrings to parser.py. PR #&#8203;1010 <https://github.com/arrow-py/arrow/pull/1010>_
• [INTERNAL] Updated Python versions support and bumped CI dependencies. PR #&#8203;1177 <https://github.com/arrow-py/arrow/pull/1177>_
• [INTERNAL] Added dependabot for GitHub actions. PR #&#8203;1193 <https://github.com/arrow-py/arrow/pull/1193>_
• [INTERNAL] Moved dateutil types to test requirements. PR #&#8203;1183 <https://github.com/arrow-py/arrow/pull/1183>_
• [INTERNAL] Added documentation link for arrow.format. PR #&#8203;1180 <https://github.com/arrow-py/arrow/pull/1180>_

django/asgiref (asgiref)

v3.11.1

Compare Source

• SECURITY FIX CVE-2025-14550: There was a potential DoS vector for users of
  the asgiref.wsgi.WsgiToAsgi adapter. Malicious requests, including an unreasonably
  large number of values for the same header, could lead to resource exhaustion
  when building the WSGI environment.

  To mitigate this, the algorithm is changed to be more efficient, and
  WsgiToAsgi gains a new optional duplicate_header_limit parameter,
  which defaults to 100. This specifies the number of times a single header may
  be repeated before the request is rejected as malformed.

  You may override duplicate_header_limit when configuring your application::

  application = WsgiToAsgi(wsgi_app, duplicate_header_limit=200)
  

  Set duplicate_header_limit=None if you wish to disable this check.

• Fixed a regression in 3.11.0 in sync_to_async when wrapping a callable
  with an attribute named context. (#​537)

v3.11.0

Compare Source

• sync_to_async gains a context parameter, similar to those for
  asyncio.create_task, TaskGroup &co, that can be used on Python 3.11+ to
  control the context used by the underlying task.

  The parent context is already propagated by default but the additional
  control is useful if multiple sync_to_async calls need to share the same
  context, e.g. when used with asyncio.gather().

v3.10.0

Compare Source

• Added AsyncSingleThreadContext context manager to ensure multiple AsyncToSync
  invocations use the same thread. (#​511)

v3.9.2

Compare Source

• Adds support for Python 3.14.

• Fixes wsgi.errors file descriptor in WsgiToAsgi adapter.

v3.9.1

Compare Source

• Fixed deletion of Local values affecting other contexts. (#​523)

• Skip CPython specific garbage collection test on pypy. (#​521)

v3.9.0

Compare Source

• Adds support for Python 3.13.

• Drops support for (end-of-life) Python 3.8.

• Fixes an error with conflicting kwargs between AsyncToSync and the wrapped
  function. (#​471)

• Fixes Local isolation between asyncio Tasks. (#​478)

• Fixes a reference cycle in Local (#​508)

• Fixes a deadlock in CurrentThreadExecutor with nested async_to_sync →
  sync_to_async → async_to_sync → create_task calls. (#​494)

• The ApplicationCommunicator testing utility will now return the task result
  if it's already completed on send_input and receive_nothing. You may need to
  catch (e.g.) the asyncio.exceptions.CancelledError if sending messages to
  already finished consumers in your tests. (#​505)

python-attrs/attrs (attrs)

v25.4.0

Compare Source

Backwards-incompatible Changes

• Class-level kw_only=True behavior is now consistent with dataclasses.

  Previously, a class that sets kw_only=True makes all attributes keyword-only, including those from base classes.
  If an attribute sets kw_only=False, that setting is ignored, and it is still made keyword-only.

  Now, only the attributes defined in that class that doesn't explicitly set kw_only=False are made keyword-only.

  This shouldn't be a problem for most users, unless you have a pattern like this:

  @​attrs.define(kw_only=True)
  class Base:
      a: int
      b: int = attrs.field(default=1, kw_only=False)
  
  @​attrs.define
  class Subclass(Base):
      c: int

  Here, we have a kw_only=True attrs class (Base) with an attribute that sets kw_only=False and has a default (Base.b), and then create a subclass (Subclass) with required arguments (Subclass.c).
  Previously this would work, since it would make Base.b keyword-only, but now this fails since Base.b is positional, and we have a required positional argument (Subclass.c) following another argument with defaults.
  #​1457

Changes

• Values passed to the __init__() method of attrs classes are now correctly passed to __attrs_pre_init__() instead of their default values (in cases where kw_only was not specified).
  #​1427

• Added support for Python 3.14 and PEP 749.
  #​1446,
  #​1451

• attrs.validators.deep_mapping() now allows to leave out either key_validator xor value_validator.
  #​1448

• attrs.validators.deep_iterator() and attrs.validators.deep_mapping() now accept lists and tuples for all validators and wrap them into a attrs.validators.and_().
  #​1449

• Added a new experimental way to inspect classes:

  attrs.inspect(cls) returns the effective class-wide parameters that were used by attrs to construct the class.

  The returned class is the same data structure that attrs uses internally to decide how to construct the final class.
  #​1454

• Fixed annotations for attrs.field(converter=...).
  Previously, a tuple of converters was only accepted if it had exactly one element.
  #​1461

• The performance of attrs.asdict() has been improved by 45–260%.
  #​1463

• The performance of attrs.astuple() has been improved by 49–270%.
  #​1469

• The type annotation for attrs.validators.or_() now allows for different types of validators.

  This was only an issue on Pyright.
  #​1474

celery/billiard (billiard)

v4.2.4

Compare Source

• Eliminate usage of 'return' in 'finally' blocks (#​438)
• Prepare for release: v4.2.4 (#​439)

v4.2.3

Compare Source

• Ensure that task results are delivered during pool shutdown (#​435)
• Prepare for release: v4.2.3 (#​436)

zopefoundation/BTrees (btrees)

v6.3

Compare Source

• Move all supported package metadata into pyproject.toml.

v6.2

Compare Source

• Drop support for Python 3.8, 3.9.

• Add support for Python 3.14.

python-caldav/caldav (caldav)

v1.6.0

Compare Source

This will be the last minor release before 2.0. The scheduling support has been fixed up a bit, and saving a single recurrence does what it should do, rather than messing up the whole series.

Fixed

• Save single recurrence. I can't find any information in the RFCs on this, but all servers I've tested does the wrong thing - when saving a single recurrence (with RECURRENCE-ID set but without RRULE), then the original event (or task) will be overwritten (and the RRULE disappear), which is most likely not what one wants. New logic in place (with good test coverage) to ensure only the single instance is saved. Issue #​379, pull request #​500
• Scheduling support. It was work in progress many years ago, but uncompleted work was eventually committed to the project. I managed to get a DAViCal test server up and running with three test accounts, ran through the tests, found quite some breakages, but managed to fix up. #​497

Added

• New option event.save(all_recurrences=True) to edit the whole series when saving a modified recurrence. Part of #​500
• New methods Event.set_dtend and CalendarObjectResource.set_end. #​499

Refactoring and tests

• Partially tossed out all internal usage of vobject, #​476. Refactoring and removing unuseful code. Parts of this work was accidentally committed directly to master, 2f61dc7, the rest was piggybaced in through #​500.
• Server-specific setup- and teardown-methods (used for spinning up test servers in the tests) is now executed through the DAVClient context manager. This will allow doctests to run easily.
• Made exception for new task.uncomplete-check for GMX server - #​525

Time spent and roadmap

Maintainer put down ten hours of effort for the 1.6-release. The estimate was 12 hours.

v1.5.0

Compare Source

I'm working on a caldav compatibility checker side project. While doing so, I'm working on redefining the "compatibility matrix". This should only affect the test code. If you maintain a file tests/conf_private.py, chances are that the latest changesets will break Since "running tests towards private CalDAV servers" is not considered to be part of the public API, I deem this to be allowed without bumping the major version number. If you are affected and can't figure out of it, reach out by email, GitHub issue or GitHub discussions. (Frankly, I'm interessted if anyone except me uses this, so feel free to reach out also if you can figure out of it).

As always, the new release comes with quite some bugfixes, compatibility fixes and workarounds improving the support for various calendar servers observed in the wild.

Breaking Changes

• As mentioned above, if you maintain a file tests/conf_private.py, chances are that your test runs will break. Does anyone except me maintain a tests/conf_private.py-file? Please reach out by email, GitHub issues or GitHub discussions.

Changed

• The search for pending tasks will not do send any complicated search requests to the server if it's flagged that the server does not support such requests. (automatically setting such flags will come in a later version)
• If the server is flagged not to support MKCALENDAR but supporting MKCOL instead (baikal), then it will use MKCOL when creating a calendar. (automatically setting such flags will come in a later version)
• In 1.5.0, I moved the compability matrix from the tests directory and into the project itself - now I'm doing a major overhaul of it. This change is much relevant for end users yet - but already now it's possible to configure "compatibility hints" when setting up the davclient, and the idea is that different kind of workarounds may be applied depending on the compatibility-matrix. Search without comp-type is wonky on many servers, now the search-method will automatically deliver a union of a search of the three different comp-types if a comp-type is not set in the parameters and it's declared that the compatibility matrix does not work. In parallel I'm developing a stand-alone tool caldav-server-tester to check the compatibility of a caldav server. #​532 / #​537
• Littered the code with try: import niquests as requests except: import requests, making it easier to flap between requests and niquests.
• Use the "caldav" logger consistently instead of global logging. #​543 - fixed by Thomas Lovden

Fixes

• A search without filtering on comp-type on a calendar containing a mix of events, journals and tasks should return a mix of such. (All the examples in the RFC includes the comp-type filter, so many servers does not support this). There were a bug in the auto-detection of comp-type, so tasks would typically be wrapped as events or vice-versa. #​540
• Tweaks to support upcoming version 7 of the icalendar library.
• Compatibility-tweaks for baikal, but as for now manual intervention is needed - see #​556 and #​553
• @​thyssentishman found a missing import after the old huge objects.py was broken up in smaller files. Which again highlights that I probably have some dead, moot code in the project. #​554
• Bugfix on authentication - things broke on Baikal if authentication method (i.e. digest) was set in the config. I found a quite obvious bug, I did not investigate why the test code has been passing on all the other servers. Weird thing.
• Bugfix in the davclient.principals-method, allowing it to work on more servers - #​559
• Quite some compatibility-fixing of the test code

Added

• Support for creating a CalendarObjectResource from an icalendar Event, Todo etc, and not only Calendar. Arguably a bugfix as it would be silently accepted and throw some arbitrary error, very confusing for end users. #​546

Other

• Example code: Basic usage examples have been brushed up, thanks to David Greaves - #​534
• PEP 639 conforming license expression in the pyproject.toml, thanks to Marc Mueller - #​538

celery/celery (celery)

v5.6.2

Compare Source

=====

:release-date: 2026-01-04
:release-by: Tomer Nosrati

What's Changed

- Fix recursive WorkController instantiation in DjangoWorkerFixup + AttributeError when pool_cls is a string (#​10045)
- Bugfix: Revoked tasks now immediately update backend status to REVOKED (#​9869)
- Prepare for release: v5.6.2 (#​10049)

.. _version-5.6.1:

5.6.1
=====

:release-date: 2025-12-29
:release-by: Tomer Nosrati

What's Changed

• Fix Redis Sentinel ACL authentication support (#​10013)
• Fix: Broker heartbeats not sent during graceful shutdown (#​9986)
• docs #​5410 -- Document confirm_publish broker transport option (#​10016)
• close DB pools only in prefork mode (#​10020)
• Fix: Avoid unnecessary Django database connection creation during cleanup (#​10015)
• reliable prefork detection (#​10023)
• better coverage (#​10029)
• Docs: clarify result_extended vs periodic task metadata and show headers["periodic_task_name"] example (#​10030)
• Stop importing pytest_subtests (#​10032)
• Only use exceptiongroup backport for Python < 3.11 (#​10033)
• Prepare for release: v5.6.1 (#​10037)

.. _version-5.6.0:

v5.6.1

Compare Source

=====

:release-date: 2025-12-29
:release-by: Tomer Nosrati

What's Changed

- Fix Redis Sentinel ACL authentication support (#​10013)
- Fix: Broker heartbeats not sent during graceful shutdown (#​9986)
- docs #​5410 -- Document confirm_publish broker transport option (#​10016)
- close DB pools only in pref