Bump the python-dependencies group with 9 updates

[dependabot]

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

---

Bumps the python-dependencies group with 9 updates:

Package	From	To
asgiref	3.10.0	3.11.1
dj-database-url	3.0.1	3.1.2
django	5.2.7	6.0.4
gunicorn	23.0.0	25.3.0
packaging	25.0	26.2
psycopg2-binary	2.9.11	2.9.12
python-dotenv	1.1.1	1.2.2
sqlparse	0.5.3	0.5.5
whitenoise	6.11.0	6.12.0

Updates asgiref from 3.10.0 to 3.11.1

Changelog

Sourced from asgiref's changelog.

3.11.1 (2026-02-03)

• SECURITY FIX CVE-2025-14550: There was a potential DoS vector for users of the asgiref.wsgi.WsgiToAsgi adapter. Malicious requests, including an unreasonably large number of values for the same header, could lead to resource exhaustion when building the WSGI environment.

  To mitigate this, the algorithm is changed to be more efficient, and WsgiToAsgi gains a new optional duplicate_header_limit parameter, which defaults to 100. This specifies the number of times a single header may be repeated before the request is rejected as malformed.

  You may override duplicate_header_limit when configuring your application::

  application = WsgiToAsgi(wsgi_app, duplicate_header_limit=200)
  

  Set duplicate_header_limit=None if you wish to disable this check.

• Fixed a regression in 3.11.0 in sync_to_async when wrapping a callable with an attribute named context. (#537)

3.11.0 (2025-11-19)

• sync_to_async gains a context parameter, similar to those for asyncio.create_task, TaskGroup &co, that can be used on Python 3.11+ to control the context used by the underlying task.

  The parent context is already propagated by default but the additional control is useful if multiple sync_to_async calls need to share the same context, e.g. when used with asyncio.gather().

Commits

• d97a733 Releasing 3.11.1.
• a50968a CVE-2025-14550: Fixed duplicate header handling in WsgiToAsgi.
• 0fb85a4 Fixed sync_to_async wrapping callables with attribute named context.
• 2b28409 Updated Hypercorn homepage URL (#539)
• b7b15b2 Releasing 3.11.0.
• 901ee4f Added a custom context parameter for the sync_to_async (#536)
• 2138f03 Fixed typo in test file comment.
• See full diff in compare view

Updates dj-database-url from 3.0.1 to 3.1.2

Release notes

Sourced from dj-database-url's releases.

v3.1.2

What's Changed

• Bump cryptography from 46.0.3 to 46.0.5 by @​dependabot[bot] in jazzband/dj-database-url#293
• Bump django from 5.2.9 to 5.2.11 by @​dependabot[bot] in jazzband/dj-database-url#294
• Bump urllib3 from 2.6.2 to 2.6.3 by @​dependabot[bot] in jazzband/dj-database-url#295
• Bump wheel from 0.45.1 to 0.46.2 by @​dependabot[bot] in jazzband/dj-database-url#296
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jazzband/dj-database-url#297

New Contributors

• @​dependabot[bot] made their first contribution in jazzband/dj-database-url#293

Full Changelog: jazzband/dj-database-url@v3.1.1...v3.1.2

v3.1.1

What's Changed

• Add tests directory to source distribution by @​yohaann196 in jazzband/dj-database-url#285
• Switch linting and formatting from flake8+isort+black to ruff; add typos to pre-commit; fix typos by @​akx in jazzband/dj-database-url#281
• Add project URLs to pyproject.toml by @​luzfcb in jazzband/dj-database-url#287
• Update .pre-commit-config.yaml to use pinned version numbers. by @​mattseymour in jazzband/dj-database-url#289
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jazzband/dj-database-url#291

New Contributors

• @​yohaann196 made their first contribution in jazzband/dj-database-url#285
• @​luzfcb made their first contribution in jazzband/dj-database-url#287

Full Changelog: jazzband/dj-database-url@v3.1.0...v3.1.1

v3.1.0

What's Changed

• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jazzband/dj-database-url#268
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jazzband/dj-database-url#270
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jazzband/dj-database-url#276
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jazzband/dj-database-url#278
• Update license to BSD-3-Clause in setup.py by @​GabrielBarrantes in jazzband/dj-database-url#279
• CI: run typechecks only once, not for each Django/Python version by @​akx in jazzband/dj-database-url#274

New Contributors

• @​GabrielBarrantes made their first contribution in jazzband/dj-database-url#279
• @​akx made their first contribution in jazzband/dj-database-url#274

Full Changelog: jazzband/dj-database-url@v3.0.1...v3.1.0

Changelog

Sourced from dj-database-url's changelog.

CHANGELOG

v3.1.0 (2026-01-03)

• Add support for Django 6.0
• Update CI structure.
• Migrate to UV for dependency management and builds.
• Python >3.10 support.

Commits

• e77149f [pre-commit.ci] pre-commit autoupdate (#297)
• 6beffe6 Fix a regression in adding tests/ dir to source package
• f9c3130 Bump wheel from 0.45.1 to 0.46.2 (#296)
• 5337838 Bump urllib3 from 2.6.2 to 2.6.3 (#295)
• 6fc3664 Bump django from 5.2.9 to 5.2.11 (#294)
• 19805c9 Bump cryptography from 46.0.3 to 46.0.5 (#293)
• 1b102cd Update project URLs in pyproject.toml
• e41afda [pre-commit.ci] pre-commit autoupdate (#291)
• dba6077 Update .pre-commit-config.yaml to use pinned version numbers. (#289)
• e6f4ccc Add pytest to dependencies
• Additional commits viewable in compare view

Updates django from 5.2.7 to 6.0.4

Commits

• 141e791 [6.0.x] Bumped version for 6.0.4 release.
• 393dbc5 [6.0.x] Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body ...
• 0910af6 [6.0.x] Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser.
• 428c48f [6.0.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.li...
• 08a752c [6.0.x] Fixed CVE-2026-4277 -- Checked add permissions in GenericInlineModelA...
• a623c39 [6.0.x] Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest.
• ffc83c5 [6.0.x] Refs #36949 -- Removed hardcoded pks in modeladmin tests.
• 4eb38f6 [6.0.x] Fixed #36973 -- Made fields.E348 check detect further clashes between...
• 640c431 [6.0.x] Refs #36862 -- Reiterated security note on both variants of RemoteUse...
• ea8e293 [6.0.x] Fixed #36949 -- Improved RelatedFieldWidgetWrapper <label>s.
• Additional commits viewable in compare view

Updates gunicorn from 23.0.0 to 25.3.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 25.3.0

Bug Fixes

• HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2 ASGI requests, causing JSON parsing errors with "Extra data" messages (#3558)

• ASGI Chunked EOF Handling: Add finish() method to callback parser to handle chunked encoding edge case where connection closes before final CRLF after zero-chunk

• HTTP/2 Documentation: Fix http_protocols examples to use comma-separated string instead of list syntax (#3561)

• Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC 9112 (#3556)

• Request Line Limit: Fix --limit-request-line 0 to mean unlimited as documented, instead of using default maximum. Works with both Python and fast C parser. (#3563)

Security

• ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
  • Reject duplicate Content-Length headers
  • Reject requests with both Content-Length and Transfer-Encoding
  • Reject chunked transfer encoding in HTTP/1.0
  • Reject stacked chunked encoding
  • Validate Transfer-Encoding values
  • Strict chunk size validation

Changes

• Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property and InvalidChunkExtension validation for bare CR rejection

• ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser

• Docker Images: Update to Python 3.14

Gunicorn 25.2.0

New Features

• Fast HTTP Parser (gunicorn_h1c 0.4.1): Integrate new exception types and limit parameters from gunicorn_h1c 0.4.1 for both WSGI and ASGI workers
  • Requires gunicorn_h1c >= 0.4.1 for http_parser='fast'
  • Falls back to Python parser in auto mode if version not met
  • Proper HTTP status codes for limit errors (414, 431)

Bug Fixes

• uWSGI Async Workers: Fix InvalidUWSGIHeader: incomplete header error when using gevent or gthread workers with uwsgi protocol behind nginx. (#3552, [PR #3554](benoitc/gunicorn#3554))

... (truncated)

Commits

• 9bce72c Update changelog with missing 25.3.0 changes
• 2a15fdb Fix pylint isinstance-second-argument-not-valid-type warning
• 8d08aaa Fix --limit-request-line 0 to mean unlimited
• d40a374 Fix pytest-asyncio configuration and treq_asgi hex escapes
• da8bd48 Remove unused AsyncRequest class
• b00f125 Integrate gunicorn_h1c 0.6.3 with InvalidChunkExtension support
• bdb2ebd Reject chunk extensions with bare CR bytes (RFC 9112)
• 7057fc9 Fix http_protocols documentation to use string syntax
• d43acb8 Update to gunicorn_h1c >= 0.6.2 for asgi_headers support
• cbd27e8 Merge pull request #3559 from benleembruggen/fix/http2-asgi-body-duplication
• Additional commits viewable in compare view

Updates packaging from 25.0 to 26.2

Release notes

Sourced from packaging's releases.

26.2

What's Changed

Fixes:

• Fix incorrect sysconfig var name for pyemscripten by @​ryanking13 in pypa/packaging#1160
• Make Version, Specifier, SpecifierSet, Tag, Marker, and Requirement pickle-safe and backward-compatible with pickles created in 25.0-26.1 (including references to the removed packaging._structures module) by @​eachimei and @​henryiii in pypa/packaging#1163, pypa/packaging#1168, pypa/packaging#1170, and pypa/packaging#1171
• fix: re-export ExceptionGroup for now by @​henryiii in pypa/packaging#1164

Documentation:

• docs: add errors section and fix missing details by @​henryiii in pypa/packaging#1159
• docs(dev): document property-based test suite by @​r266-tech in pypa/packaging#1167
• Fix typo in DirectUrl documentation by @​sbidoul in pypa/packaging#1169
• docs(specifiers): add is_unsatisfiable() usage example by @​r266-tech in pypa/packaging#1166

Internal:

• Enable the auditor persona on zizmor by @​henryiii in pypa/packaging#1158
• Test new pickle guarantees by @​henryiii in pypa/packaging#1174
• Use native uv integration in rtd by @​henryiii in pypa/packaging#1175

New Contributors

• @​ryanking13 made their first contribution in pypa/packaging#1160
• @​eachimei made their first contribution in pypa/packaging#1163

Full Changelog: pypa/packaging@26.1...26.2

26.1

Features:

• PEP 783: add handling for Emscripten wheel tags by @​hoodmane in pypa/packaging#804 (old name used in implementation, will be fixed in next release)
• PEP 803: add handling for the abi3.abi3t free-threading tag by @​ngoldbaum in pypa/packaging#1099
• PEP 723: add packaging.dependency_groups module, based on the dependency-groups package by @​sirosen in pypa/packaging#1065
• Add the packaging.direct_url module by @​sbidoul in pypa/packaging#944
• Add the packaging.errors module by @​henryiii in pypa/packaging#1071
• Add SpecifierSet.is_unsatisfiable using ranges (new internals that will be expanded in future versions) by @​notatallshaw in pypa/packaging#1119
• Add create_compatible_tags_selector to select compatible tags by @​sbidoul in pypa/packaging#1110
• Add a key argument to SpecifierSet.filter() by @​frostming in pypa/packaging#1068
• Support & and | for Marker's by @​henryiii in pypa/packaging#1146
• Normalize Version.__replace__ and add Version.from_parts by @​henryiii in pypa/packaging#1078
• Add an option to validate compressed tag set sort order in parse_wheel_filename by @​r266-tech in pypa/packaging#1150

Behavior adaptations:

• Narrow exclusion of pre-releases for <V.postN to match spec by @​notatallshaw in pypa/packaging#1140

... (truncated)

Changelog

Sourced from packaging's changelog.

26.2 - 2026-04-24

Fixes:

Fix incorrect sysconfig var name for pyemscripten in (:pull:1160)
Make Version, Specifier, SpecifierSet, Tag, Marker, and Requirement pickle-safe

and backward-compatible with pickles created in 25.0-26.1 (including references to the removed

packaging._structures module) (:pull:1163, :pull:1168, :pull:1170, :pull:1171)
Re-export ExceptionGroup in metadata for now in (:pull:1164)

Documentation:

Add errors section and fix missing details in (:pull:1159)
Document our property-based test suite in (:pull:1167)
Fix a DirectUrl typo in (:pull:1167)
Add example of is_unsatisfiable in (:pull:1166)

Internal:

Enable the auditor persona on zizmor in (:pull:1158)
Test new pickle guarantees in (:pull:1174)
Use new native ReadTheDocs uv integration in (:pull:1175)

26.1 - 2026-04-14

Features:

• PEP 783: add handling for Emscripten wheel tags in (:pull:804) (old name used in implementation, fixed in next release)
• PEP 803: add handling for the abi3.abi3t free-threading tag in (:pull:1099)
• PEP 723: add packaging.dependency_groups module, based on the dependency-groups package in (:pull:1065)
• Add the packaging.direct_url module in (:pull:944)
• Add the packaging.errors module in (:pull:1071)
• Add SpecifierSet.is_unsatisfiable using ranges (new internals that will be expanded in future versions) in (:pull:1119)
• Add create_compatible_tags_selector to select compatible tags in (:pull:1110)
• Add a key argument to SpecifierSet.filter() in (:pull:1068)
• Support & and | for Marker's in (:pull:1146)
• Normalize Version.__replace__ and add Version.from_parts in (:pull:1078)
• Add an option to validate compressed tag set sort order in parse_wheel_filename in (:pull:1150)

Behavior adaptations:

• Narrow exclusion of pre-releases for <V.postN to match spec in (:pull:1140)
• Narrow exclusion of post-releases for >V to match spec in (:pull:1141)
• Rename format_full_version to _format_full_version to make it visibly private in (:pull:1125)
• Restrict local version to ASCII in (:pull:1102)

Pylock (PEP 751) updates:

... (truncated)

Commits

• 84a87ee Bump for release
• 4a616b6 docs: a few more updates to prepare for 26.2 (#1176)
• 9de6f44 ci: use native uv integration in rtd (#1175)
• bc76e14 chore: update changelog for 26.2 (#1161)
• 3f00091 tests: add a pickle check (#1174)
• 48a8a06 fix: make Requirements/Markers pickle-safe (#1171)
• 823b44e fix: make Tags pickle-safe (#1170)
• 4bed32d fix: make Specifier / SpecifierSet pickle-safe (#1168)
• 963118e fix: re-export ExceptionGroup for now (#1164)
• 66e34a8 docs(specifiers): add is_unsatisfiable() usage example (#1166)
• Additional commits viewable in compare view

Updates psycopg2-binary from 2.9.11 to 2.9.12

Changelog

Sourced from psycopg2-binary's changelog.

Current release

What's new in psycopg 2.9.12 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Fix infinite loop with malformed interval (:ticket:1835).

What's new in psycopg 2.9.11 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.14.
• Avoid a segfault passing more arguments than placeholders if Python is built with assertions enabled (:ticket:[#1791](https://github.com/psycopg/psycopg2/issues/1791)).
• Add riscv64 platform binary packages (:ticket:[#1813](https://github.com/psycopg/psycopg2/issues/1813)).
• ~psycopg2.errorcodes map and ~psycopg2.errors classes updated to PostgreSQL 18.
• Drop support for Python 3.8.

What's new in psycopg 2.9.10 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.13.
• Receive notifications on commit (:ticket:[#1728](https://github.com/psycopg/psycopg2/issues/1728)).
• ~psycopg2.errorcodes map and ~psycopg2.errors classes updated to PostgreSQL 17.
• Drop support for Python 3.7.

What's new in psycopg 2.9.9 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.12.
• Drop support for Python 3.6.

What's new in psycopg 2.9.8 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Wheel package bundled with PostgreSQL 16 libpq in order to add support for recent features, such as sslcertmode.

What's new in psycopg 2.9.7 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Fix propagation of exceptions raised during module initialization (:ticket:[#1598](https://github.com/psycopg/psycopg2/issues/1598)).

... (truncated)

Commits

• 3a6d9d6 ci: include almalinux in whieel building
• ebca6bf chore: bump to version 3.9.12
• 0196f02 build(deps): bump pypa/cibuildwheel from 3.3.1 to 3.4.0
• d157bdc build(deps): bump docker/setup-qemu-action from 3 to 4
• 7fccc0f build(deps): bump actions/upload-artifact from 6 to 7
• d52a61e chore: bump dependency libraries
• b231d72 chore: fix building binary images
• 6d76e84 Merge pull request #1836 from psycopg/fix-1835
• f7e314c fix: overflow in malformed interval
• eb905c1 docs: replace bare except clause with except Exception
• Additional commits viewable in compare view

Updates python-dotenv from 1.1.1 to 1.2.2

Release notes

Sourced from python-dotenv's releases.

v1.2.2

Added

• Support for Python 3.14, including the free-threaded (3.14t) build. (#)

Changed

• The dotenv run command now forwards flags directly to the specified command by @​bbc2 in theskumar/python-dotenv#607
• Improved documentation clarity regarding override behavior and the reference page.
• Updated PyPy support to version 3.11.
• Documentation for FIFO file support.
• Support for Python 3.9.

Fixed

• Improved set_key and unset_key behavior when interacting with symlinks by @​bbc2 in #790c5
• Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by @​JYOuyang in theskumar/python-dotenv#590

Breaking Changes

• dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

• In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

• dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

Misc

• skip 000 permission tests for root user by @​burnout-projects in theskumar/python-dotenv#561
• Bump actions/checkout from 5 to 6 in the github-actions group by @​dependabot[bot] in theskumar/python-dotenv#593
• Add Windows testing to CI by @​bbc2 in theskumar/python-dotenv#604
• Improve workflow efficiency with best practices by @​theskumar in theskumar/python-dotenv#609
• Remove the use of sh in tests by @​bbc2 in theskumar/python-dotenv#612

New Contributors

• @​JYOuyang made their first contribution in theskumar/python-dotenv#590
• @​burnout-projects made their first contribution in theskumar/python-dotenv#561
• @​cpackham-atlnz made their first contribution in theskumar/python-dotenv#597

Full Changelog: theskumar/python-dotenv@v1.2.1...v1.2.2

v1.2.1

What's Changed

... (truncated)

Changelog

Sourced from python-dotenv's changelog.

[1.2.2] - 2026-03-01

Added

• Support for Python 3.14, including the free-threaded (3.14t) build. (#588)

Changed

• The dotenv run command now forwards flags directly to the specified command by [@​bbc2] in #607
• Improved documentation clarity regarding override behavior and the reference page.
• Updated PyPy support to version 3.11.
• Documentation for FIFO file support.
• Dropped Support for Python 3.9.

Fixed

• Improved set_key and unset_key behavior when interacting with symlinks by [@​bbc2] in [790c5c0]
• Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by [@​JYOuyang] in #590

Breaking Changes

• dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

• In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

• dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

[1.2.1] - 2025-10-26

• Move more config to pyproject.toml, removed setup.cfg
• Add support for reading .env from FIFOs (Unix) by [@​sidharth-sudhir] in #586

[1.2.0] - 2025-10-26

• Upgrade build system to use PEP 517 & PEP 518 to use build and pyproject.toml by [@​EpicWink] in #583
• Add support for Python 3.14 by [@​23f3001135] in #579
• Add support for disabling of load_dotenv() using PYTHON_DOTENV_DISABLED env var. by [@​matthewfranglen] in #569

Commits

• 36004e0 Bump version: 1.2.1 → 1.2.2
• eb20252 docs: update changelog for v1.2.2
• 790c5c0 Merge commit from fork
• 43340da Remove the use of sh in tests (#612)
• 09d7cee docs: clarify override behavior and document FIFO support (#610)
• c8de288 ci: improve workflow efficiency with best practices (#609)
• 7bd9e3d Add Windows testing to CI (#604)
• 1baaf04 Drop Python 3.9 support and update to PyPy 3.11 (#608)
• 4a22cf8 ci: enable testing on Python 3.14t (free-threaded) (#588)
• e2e8e77 Fix license specifier (#597)
• Additional commits viewable in compare view

Updates sqlparse from 0.5.3 to 0.5.5

Changelog

Sourced from sqlparse's changelog.

Release 0.5.5 (Dec 19, 2025)

Bug Fixes

• Fix DoS protection to raise SQLParseError instead of silently returning None when grouping limits are exceeded (issue827).
• Fix splitting of BEGIN TRANSACTION statements (issue826).

Release 0.5.4 (Nov 28, 2025)

Enhancements

• Add support for Python 3.14.
• Add type annotations to top-level API functions and include py.typed marker for PEP 561 compliance, enabling type checking with mypy and other tools (issue756).
• Add pre-commit hook support. sqlparse can now be used as a pre-commit hook to automatically format SQL files. The CLI now supports multiple files and an --in-place flag for in-place editing (issue537).
• Add ATTACH and DETACH to PostgreSQL keywords (pr808).
• Add INTERSECT to close keywords in WHERE clause (pr820).
• Support REGEXP BINARY comparison operator (pr817).

Bug Fixes

• Add additional protection against denial of service attacks when parsing very large lists of tuples. This enhances the existing recursion protections with configurable limits for token processing to prevent DoS through algorithmic complexity attacks. The new limits (MAX_GROUPING_DEPTH=100, MAX_GROUPING_TOKENS=10000) can be adjusted or disabled (by setting to None) if needed for legitimate large SQL statements.
• Remove shebang from cli.py and remove executable flag (pr818).
• Fix strip_comments not removing all comments when input contains only comments (issue801, pr803 by stropysh).
• Fix splitting statements with IF EXISTS/IF NOT EXISTS inside BEGIN...END blocks (issue812).
• Fix splitting on semicolons inside BEGIN...END blocks (issue809).

Commits

• 0d24023 Bump version to 0.5.5
• da67ac1 Enhance DoS protection by raising SQLParseError for exceeded grouping limits ...
• 5ca50a2 Fix splitting of BEGIN TRANSACTION statements (fixes #826).
• acd8e58 Back to development version.
• 14e300b Bump version.
• 96a67e2 Code cleanup.
• 1a3bfbd Fix handling of semicolons inside BEGIN...END blocks (fixes #809).
• e92a032 Fix handling of IF EXISTS statements in BEGIN...END blocks (fixes #812).
• 149bebf Update Changelog.
• 561a67e Update AUTHORS.
• Additional commits viewable in compare view

Updates whitenoise from 6.11.0 to 6.12.0

Changelog

Sourced from whitenoise's changelog.

6.12.0 (2026-02-27)

• Drop Python 3.9 support.
• Fix potential unauthorised file access vulnerability in "autorefesh" mode. See PR [#684](https://github.com/evansd/whitenoise/issues/684) <https://github.com/evansd/whitenoise/pull/684>__ for details, and a reminder that autorefresh mode has always been documented as unsuitable for production use. Thanks Seth Larson for reporting.

Commits

• 1e3a30b Version 6.12.0
• bc4c738 Merge pull request #684 from evansd/use-commonpath
• 505ed8d Use os.path.commonpath() to identify child paths
• b6d8ed4 Upgrade dependencies (#683)
• edc79de [pre-commit.ci] pre-commit autoupdate (#682)
• 79fb2f1 Bump the github-actions group with 2 updates (#680)
• 2b245df [pre-commit.ci] pre-commit autoupdate (#681)
• dcb50f3 Upgrade dependencies (#678)
• 1c4a746 [pre-commit.ci] pre-commit autoupdate (#677)
• e7f970a Bump actions/checkout from 5 to 6 in the github-actions group (#676)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are no longer being updated by Dependabot, so this is no longer needed.