deps(deps): bump the python-minor-and-patch group across 1 directory with 12 updates

[dependabot]

Bumps the python-minor-and-patch group with 12 updates in the / directory:

Package	From	To
numpy	2.4.4	2.4.6
django-denorm-iplweb	1.10.2	1.11.1
django-reversion	6.1.0	6.2.0
requests	2.34.0	2.34.2
django-multiseek	0.9.49	0.10.1
django-formtools	2.5.1	2.6.1
django-site-blog	0.2.0	0.2.1
django-first-run-wizard	0.1.0	0.1.1
ruff	0.15.12	0.15.13
playwright	1.59.0	1.60.0
pytest-playwright	0.7.2	0.8.0
django-dev-helpers	0.1.10	0.1.11

Updates numpy from 2.4.4 to 2.4.6

Release notes

Sourced from numpy's releases.

v2.4.6 (May 18, 2026)

NumPy 2.4.6 Release Notes

NumPy 2.4.6 is a quick release that fixes a regression discovered in the 2.4.5 release.

This release supports Python versions 3.11-3.14

Contributors

A total of 4 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

• !EarlMilktea
• Charles Harris
• Sebastian Berg
• Warren Weckesser

Pull requests merged

A total of 4 pull requests were merged for this release.

• #31444: MAINT: Prepare 2.4.x for further development
• #31453: BUG: Fix regression in arr.conj()
• #31459: BUG: np.linalg.svd(..., hermitian=True) returns non-unitary...
• #31460: BUG: Don't call INCREF/DECREF on descr in NpyStringAcquireAllocator...

v2.4.5 (May 15, 2026)

NumPy 2.4.5 Release Notes

NumPy 2.4.5 is a patch release that fixes bugs discovered after the 2.4.4 release, has some typing improvements, and maintains infrastructure.

This release supports Python versions 3.11-3.14

Contributors

A total of 17 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

• Aleksei Nikiforov
• Anarion Zuo +
• Ankit Ahlawat
• Breno Favaretto +
• Charles Harris
• Igor Krivenko +
• Ijtihed Kilani +
• Joren Hammudoglu
• Maarten Baert +

... (truncated)

Commits

• b832a09 Merge pull request #31462 from charris/prepare-2.4.6
• 57cc147 REL: Prepare for the NumPy 2.4.6 release
• 0c72b0b Merge pull request #31459 from charris/backport-31347
• 9778d26 BUG: core: Don't call INCREF/DECREF on descr in NpyStringAcquireAllocator. (#...
• e0e3876 BUG: core: Don't call INCREF/DECREF on descr in NpyStringAcquireAllocator. (#...
• d1bffeb BUG: np.linalg.svd(..., hermitian=True) returns non-unitary vh (#31347)
• 8d8d7e5 Merge pull request #31453 from seberg/issue-31452
• bddaab7 BUG: Fix regression in arr.conj()
• 37a1ecc Merge pull request #31444 from charris/begin-2.4.6
• 3c0e043 MAINT: Prepare 2.4.x for further development
• Additional commits viewable in compare view

Updates django-denorm-iplweb from 1.10.2 to 1.11.1

Release notes

Sourced from django-denorm-iplweb's releases.

1.11.0 — race conditions & deadlock handling

Bug fixes (race conditions & deadlocks in the flush pipeline)

Reported symptom: OperationalError: deadlock detected leaking from denorm_queue workers under concurrent load. Root-cause audit produced 13 distinct test reproducers under a real Postgres via pytest-testcontainers-django; all 15 tests now pass.

• flush_single now retries on Postgres 40001 / 40P01 with exponential backoff + jitter via the new denorm.retry_on_serialization_failure decorator. Skips retry when already inside an outer transaction.atomic() because Postgres aborts the whole top-level tx and SAVEPOINT rollback can't recover it — callers in that situation should wrap their outer atomic in the same decorator.

• Lock and delete only the DirtyInstance PKs we explicitly claimed in flush_single (was: re-evaluate the queryset at delete time, silently wiping rows inserted by triggers during obj.save() or by another worker).

• Distinguish "row is locked elsewhere" from "row truly gone" in flush_single's DoesNotExist branch — orphan markers are now cleaned up instead of churning through every future flush cycle.

• Replace suppress_autotime() with update_fields exclusion. The old approach mutated class-level Field.auto_now and leaked across threads in the same process, silently dropping timestamp updates on concurrent saves.

• flush_via_queue dedupes the fan-out: one Celery subtask per distinct (content_type, object_id) via Min(pk), not per DirtyInstance row.

• DirtyInstance.content_object_for_update uses skip_locked=True — contending workers skip the row instead of blocking on it.

• denorm_queue command survives connection loss (DB restart, pg_terminate_backend, pooler reconnect, network blip) via a reconnect-with-backoff wrapper around the LISTEN/poll loop.

• DenormMiddleware stops swallowing DatabaseError — with retry now internal to flush_single, anything that still raises is retry-exhausted or non-retryable and must surface to the caller.

• New migration 0017_dirtyinstance_unique_index: functional unique index on (content_type_id, COALESCE(object_id, -1), COALESCE(func_name, '')). Activates the previously-dead EXCEPTION WHEN unique_violation handler in TriggerActionInsert; enables ignore_conflicts=True in rebuild_instances_of for concurrent rebuild idempotency.

New public API

from denorm import retry_on_serialization_failure
@​retry_on_serialization_failure
def transfer_funds(...):
with transaction.atomic():
# any code whose denorm triggers might deadlock
...

Compatibility

The unique index in migration 0017 deletes pre-existing duplicate DirtyInstance rows (a.id < b.id AND content_type_id = AND object_id IS NOT DISTINCT FROM AND func_name IS NOT DISTINCT FROM) before creating the index. No data loss for live operation — duplicate rows represented the same "dirty" state. Run python manage.py migrate denorm after upgrading.

Changelog

Sourced from django-denorm-iplweb's changelog.

1.11.1

• fix: denorm.tasks.flush_single is now keyed by the logical (content_type_id, object_id) pair instead of a representative DirtyInstance pk. Previously, if the captured marker was deleted by a concurrent flush path between flush_via_queue enqueue and task execution, and a fresh marker for the same pair was inserted in the meantime, the queued task aborted on DoesNotExist and the new marker was orphaned until the next flush cycle.
• fix: denorm/templates/denorm/dirty_instances_count.html is now included in the built wheel via [tool.setuptools.package-data]. Without it, dirty_instances_count raised TemplateDoesNotExist for users installing from PyPI.
• CI: tests/test_deadlocks.py (deadlock and race-regression suite) is now executed by tox alongside the existing test_app suite.

1.11.0

• Fix race conditions and deadlock handling in the flush pipeline (retry on serialization failures, deletion-by-pk after select_for_update, deduplicated subtask fan-out, no global Field.auto_now mutation during flush).
• Add dirty_instances_count view with a configurable access policy (DENORM_DIRTY_INSTANCES_VIEW_ACCESS = staff / authenticated / public).

Commits

• a59e677 bump version 1.11.0 -> 1.11.1
• 85025e4 Fix flush_via_queue race, missing template in wheel, and wire deadlock tests ...
• dc30922 bump version 1.10.2 -> 1.11.0
• d58d6d0 Fix race conditions and deadlock handling in flush pipeline
• f10770c Add dirty_instances_count view with configurable access policy
• See full diff in compare view

Updates django-reversion from 6.1.0 to 6.2.0

Release notes

Sourced from django-reversion's releases.

v6.2.0

What's Changed

• Add explicit Django versions to classifiers by @​Michael-Deveau in etianen/django-reversion#995
• Added tests for Django 6.0 by @​etianen in etianen/django-reversion#996
• Feature: add custom object id field by @​philippeducasse in etianen/django-reversion#999

New Contributors

• @​Michael-Deveau made their first contribution in etianen/django-reversion#995
• @​philippeducasse made their first contribution in etianen/django-reversion#999

Full Changelog: etianen/django-reversion@v6.1.0...v6.2.0

Changelog

Sourced from django-reversion's changelog.

6.2.0 - 2026-05-12

• Added object_id_field to reversion.register() (@​philippeducasse).

Commits

• cfbba63 v6.2.0
• 9d31110 Merge pull request #999 from philippeducasse/feat/object-id-field
• 7d81001 docs: document object_id_field parameter in register()
• d27560a perf: skip db query when object_id_field is pk in admin views
• b1e3f67 refactor: resolve object_id_field to concrete field at registration
• d5c51ae fix: linting error
• e13bb70 fix: apply object_id_field to get_deleted and get_for_object
• d3fbf84 fix: refactored code to simplify logic
• 9d0936f test: move CustomObjectId admin registration to setUp/tearDown
• eedcbef style: fix flake8 line length and blank line issues
• Additional commits viewable in compare view

Updates requests from 2.34.0 to 2.34.2

Release notes

Sourced from requests's releases.

v2.34.2

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2342-2026-05-14

v2.34.1

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

New Contributors

• @​k223kim made their first contribution in psf/requests#7433

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2341-2026-05-13

Changelog

Sourced from requests's changelog.

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

Commits

• 6e83187 v2.34.2
• 84d10f0 Move Request.headers back to Mapping (#7441)
• b7b549b v2.34.1
• e511bc7 Fix mutability issues with headers input types (#7431)
• 5691f59 Update JsonType containers to read-based collections (#7436)
• 2144213 Constrain Response.reason to str (#7437)
• 6404f34 Fix prepare_body stream detection for __getattr__-based file wrappers (#7...
• See full diff in compare view

Updates django-multiseek from 0.9.49 to 0.10.1

Changelog

Sourced from django-multiseek's changelog.

0.10.1

multiseek core:

• MultiseekRegistry.get_query_recursive no longer flags a clause with impacts_query() == False (e.g. CONTAINS with an empty value) as an UnknownOperation error. It's now a silent no-op, matching what the semantics always claimed. Previously users saw an "Errors occurred" banner the moment they clicked Send Query on the default empty field.
• UnknownOperation raised in parse_field now includes the list of valid operators for the offending field, instead of just naming the invalid one.
• Parse failures inside get_query_recursive are logged at WARNING with exc_info=True so the server log shows traceback / context instead of a bare UnknownOperation().

Example projects (under examples/, not shipped on PyPI):

• Four runnable reference frontends — Foundation 6 + jQuery (vendored), Bootstrap 5 + jQuery, Bootstrap 5 + Alpine.js, and pure htmx — plus a run_example.sh setup/run/test helper at the repo root.
• Each ships a manage.py fetch_assets command that downloads its JS/CSS dependencies into static/multiseek/vendor/ so the demos don't depend on public CDNs at runtime (and CI doesn't fail when an egress is blocked).
• Playwright smoke tests for every variant.

0.10.0

Security & correctness:

• CSRF protection enforced on /results/ and /save_form/. Previously every multiseek URL was wrapped in csrf_exempt. Downstream projects with custom templates must include {% csrf_token %} and surface the token to their JS layer. The bundled templates handle this automatically.
• Concurrency race fixed on the cached MultiseekRegistry: parse errors no longer live on shared instance state. get_query() and get_query_for_model() accept an optional errors= list parameter. Backwards compatible for callers that ignore it.
• XSS escape in describe_multiseek_data(): user-supplied prev_op and operator are HTML-escaped before being inlined into the description rendered with |safe. StringQueryObject.value_for_description now returns a SafeString.
• URL routing: load_form/<pk> no longer accepts trailing path segments. All url()/re_path patterns migrated to path() with <int:> converters where applicable.
• Manual-exclusion list-full returns HTTP 400 (Bad Request) instead of 403 (Forbidden).

... (truncated)

Commits

• 16defa0 Bump version 0.10.0 -> 0.10.1
• 54bfc09 HISTORY.rst entry for 0.10.1; ruff format on logic.py
• 3ddc666 Document examples/ + run_example.sh in README
• 06b8ce6 Add run_example.sh — set up / run / test the example projects
• d88e9dc Untrack bootstrap vendor JS/CSS (accidentally committed last round)
• 8947247 Add fetch_assets command + switch every example to local frontend deps
• dca3c8c htmx: add Sort by + Report type UI
• 34374c0 Make "report type" actually change the rendering
• 2b85779 Load select2 in Foundation + Bootstrap examples — autocomplete now works
• ca9350d Richer demo dataset + real htmx autocomplete (no degradation)
• Additional commits viewable in compare view

Updates django-formtools from 2.5.1 to 2.6.1

Changelog

Sourced from django-formtools's changelog.

2.6.1 (2026-05-16)

• Add missing .mo files for translations updated in 2.6

• Add support for Django 6.0

2.6 (2026-05-16)

• Fix form validation in default templates (#265)

• Exclude tests from wheels

• Improved performance when using condition_dict (#291)

• Dropped support for Python < 3.9 and Django < 4.2

• Added support for Django 5.1/5.2

• Updated translations

Commits

• cd973c0 Updated Changelog for the 2.6.1 release
• 4f0c2b3 Add support for Django 6.0
• 20a4b80 Add forgotten .mo files when updating translations
• 71ae863 Updated Changelog for the 2.6 release
• 58c65e4 Updated translations from Tranifex
• a68af7b Add test to cover cached data
• a26136a Possibly more widely-applicable fix
• d0083b4 Fix edge case with popping form_list
• b20f8b5 Formatting
• d879b9b Improve formatting
• Additional commits viewable in compare view

Updates django-site-blog from 0.2.0 to 0.2.1

Changelog

Sourced from django-site-blog's changelog.

[0.2.1] - 2026-05-13

Added

• ArticleQuerySet.published() and ArticleQuerySet.visible_on_site(site), exposed via Article.objects as chainable methods. Centralizes the inverted-M2M visibility query so list / detail / feed views can share one implementation without re-deriving it (and without accidentally reaching for Article.on_site, which drops "visible everywhere" articles). visible_on_site() accepts a Site instance or its primary key.

Changed

• ArticleDetailView.get_queryset and the demo HomeListView both switched to Article.objects.published().visible_on_site(site), so the two views share a single source of truth for the visibility semantics.

Documentation

• README: corrected django-model-utils version range to >=5,<6 (matches pyproject.toml; the 0.2.0 release notes already documented the bump but the version table was missed). Rewrote the "How site assignment works" section around get_current_site(request) instead of the obsolete direct-SITE_ID example, and showcased the new chained queryset API. Added a "Security — trust boundary on article_body" section calling out the |safe rendering path.

Fixed

• Article.article_body admin help text: removed "displaythe" concatenation typo (missing space between two adjacent translatable string literals). Same correction applied to the frozen help text in 0001_initial; the migration change is state-only (no SQL effect).

Commits

• 57f8ae2 chore(release): 0.2.1 — centralized queryset + doc fixes
• See full diff in compare view

Updates django-first-run-wizard from 0.1.0 to 0.1.1

Changelog

Sourced from django-first-run-wizard's changelog.

[0.1.1] - 2026-05-13

Fixed

• AdminUserCreationForm now passes an unsaved User(username=…, email=…) instance to password_validation.validate_password() so UserAttributeSimilarityValidator actually fires — previously a password identical to the username silently passed. This matches the contract used by django.contrib.auth.forms.UserCreationForm, the Django admin, and the createsuperuser management command.

Changed

• Example project (example/example_project/settings.py) now ships the Django default AUTH_PASSWORD_VALIDATORS (UserAttributeSimilarity, MinimumLength, CommonPassword, NumericPassword) so the wizard's first- superuser step enforces the same rules out of the box.

Infrastructure

• Test settings (tests/settings.py) gained the same default AUTH_PASSWORD_VALIDATORS block, and the suite now exercises too-short-password and password-equals-username rejection paths.

Commits

• 33ef8db Release 0.1.1: enforce AUTH_PASSWORD_VALIDATORS in admin-user step
• d55cdae Modernize GH Actions: Node 24 runtime + correct uv cache key
• b9d1a02 Fix CI: install gettext + format the auto-generated migration
• See full diff in compare view

Updates ruff from 0.15.12 to 0.15.13

Release notes

Sourced from ruff's releases.

0.15.13

Release Notes

Released on 2026-05-14.

Preview features

• Add a rule to flag lazy imports that are eagerly evaluated (#25016)
• [pylint] Standardize diagnostic message (PLR0914, PLR0917) (#24996)

Bug fixes

• Fix F811 false positive for class methods (#24933)
• Fix setting selection for multi-folder workspace (#24819)
• [eradicate] Fix false positive for lines with leading whitespace (ERA001) (#25122)
• [flake8-pyi] Fix false positive for f-string debug specifier (PYI016) (#24098)

Rule changes

• Always include panic payload in panic diagnostic message (#24873)
• Restrict PYI034 for in-place operations to enclosing class (#24511)
• Improve error message for parameters that are declared global (#24902)
• Update known stdlib (#25103)

Performance

• [isort] Avoid constructing glob::Patterns for literal known modules (#25123)

CLI

• Add TOML examples to --config help text (#25013)
• Colorize ruff check 'All checks passed' (#25085)

Configuration

• Increase max allowed value of line-length setting (#24962)

Documentation

• Add D203 to rules that conflict with the formatter (#25044)
• Clarify COM819 and formatter interaction (#25045)
• Clarify that NotImplemented is a value, not an exception (F901) (#25054)
• Update number of lint rules supported (#24942)

Other changes

• Simplify the playground's markdown template (#24924)

Contributors

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.13

Released on 2026-05-14.

Preview features

• Add a rule to flag lazy imports that are eagerly evaluated (#25016)
• [pylint] Standardize diagnostic message (PLR0914, PLR0917) (#24996)

Bug fixes

• Fix F811 false positive for class methods (#24933)
• Fix setting selection for multi-folder workspace (#24819)
• [eradicate] Fix false positive for lines with leading whitespace (ERA001) (#25122)
• [flake8-pyi] Fix false positive for f-string debug specifier (PYI016) (#24098)

Rule changes

• Always include panic payload in panic diagnostic message (#24873)
• Restrict PYI034 for in-place operations to enclosing class (#24511)
• Improve error message for parameters that are declared global (#24902)
• Update known stdlib (#25103)

Performance

• [isort] Avoid constructing glob::Patterns for literal known modules (#25123)

CLI

• Add TOML examples to --config help text (#25013)
• Colorize ruff check 'All checks passed' (#25085)

Configuration

• Increase max allowed value of line-length setting (#24962)

Documentation

• Add D203 to rules that conflict with the formatter (#25044)
• Clarify COM819 and formatter interaction (#25045)
• Clarify that NotImplemented is a value, not an exception (F901) (#25054)
• Update number of lint rules supported (#24942)

Other changes

• Simplify the playground's markdown template (#24924)

Contributors

• @​MichaReiser

... (truncated)

Commits

• 2afb467 Bump 0.15.13 (#25157)
• 3008796 [ty] classify TypeVar semantic tokens as type parameters (#24891)
• 79470e3 [isort] Avoid constructing glob::Patterns for literal known modules (#25123)
• 2522549 Remove shellcheck from prek (#25154)
• 7db7170 [ty] Support TypedDict key completions in incomplete, anonymous contexts (#25...
• bb3dd53 [ty] Run full iteration analysis on narrowed typevars (#25143)
• 828cdb7 [ty] Isolate file-watching test environment (#25151)
• 89e1d86 [ty] Preserve TypedDict keys through dict unpacking (#24523)
• 86f3064 [ty] Avoid accessing args[0] for static_assert (#25149)
• ed819f9 [ty] Treat custom enum __new__ values as dynamic (#25136)
• Additional commits viewable in compare view

Updates playwright from 1.59.0 to 1.60.0

Release notes

Sourced from playwright's releases.

v1.60.0

🐍 Python improvements

• New FormData class for building multipart/form-data request bodies — pass to api_request_context.post(form=…) etc.
• expect.soft(...) soft assertions collect multiple failures in a test instead of stopping at the first one. Requires up-to-date pytest integration to work.
• All timeout parameters now accept datetime.timedelta — applies wherever a timeout is taken, e.g. page.goto(), locator.click(), expect(...).to_be_visible().
• Async context manager support across more APIs — async with now works for objects returned from screencast.show_actions(), screencast.show_overlays(), etc.
• page.expect_request(...) and page.expect_response(...) now accept async predicates.
• Typed overloads for expect_event / wait_for_event so the event payload type is inferred per event name.

🌐 HAR recording on Tracing

tracing.start_har() / tracing.stop_har() expose HAR recording as a first-class tracing API, with the same content, mode and url_filter options as record_har:

context.tracing.start_har("trace.har")
page = context.new_page()
page.goto("https://playwright.dev")
context.tracing.stop_har()

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic DataTransfer in the page context — works cross-browser and is great for testing upload zones:

page.locator("#dropzone").drop(
    files={"name": "note.txt", "mime_type": "text/plain", "buffer": b"hello"},
)
page.locator("#dropzone").drop(
data={
"text/plain": "hello world",
"text/uri-list": "https://example.com",
},
)

🎯 Aria snapshots

• expect(page).to_match_aria_snapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator("body").
• New boxes option on locator.aria_snapshot() / page.aria_snapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

New APIs

Browser, Context and Page

• Event browser.on("context") — fired when a new context is created on the browser.
• BrowserContext now mirrors lifecycle events from its pages: browser_context.on("download"), browser_context.on("frameattached"), browser_context.on("framedetached"), browser_context.on("framenavigated"), browser_context.on("pageclose"), browser_context.on("pageload").

Locators and Assertions

... (truncated)

Commits

• 93f3201 chore: roll driver to 1.60.0 (#3079)
• 0ebdf2d feat(assertions): add expect.soft() for collecting multiple failures (#3065)
• 18810d8 feat: add FormData class for form and multipart requests (#3060)
• b846cee chore: roll to 1.60.0-beta-1778142790000 (#3069)
• 873c5c7 fix(setup): update auditwheel to 6.4.0 for InWheel tempdir fix (#3063)
• 9df9fac feat: accept datetime.timedelta for timeout parameters (#3059)
• 856ae37 devops: Update EsrpRelease (#3064)
• 161bd3d build(deps): bump flake8 from 7.2.0 to 7.3.0 (#2896)
• ac9bf29 build(deps): bump types-requests from 2.32.4.20250809 to 2.32.4.20260107 (#2975)
• deb2df8 build(deps): bump pytest-cov from 6.3.0 to 7.1.0 (#2976)
• Additional commits viewable in compare view

Updates pytest-playwright from 0.7.2 to 0.8.0

Release notes

Sourced from pytest-playwright's releases.

v0.8.0

Adds support for expect.soft() soft assertions.

Commits

• 703c884 feat: aggregate expect.soft() failures per test (#312)
• See full diff in compare view

Updates django-dev-helpers from 0.1.10 to 0.1.11

Changelog

Sourced from django-dev-helpers's changelog.

[0.1.11] — 2026-05-13

Added

• New django_dev_helpers.allowed_hosts.inject_allowed_hosts() reads the DEV_HELPERS_ALLOWED_HOSTS env var (comma-separated list set by run-site >= 0.13.0 when binding to a non-loopback address) and unions the entries into settings.ALLOWED_HOSTS from AppConfig.ready(). Lets the dev server be reached from phones / other LAN devices without per-project ALLOWED_HOSTS edits. Idempotent, gated by is_active(), and a no-op when settings already contain * or the var is unset.

Commits

• See full diff in compare view

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.