chore(deps): bump the python-packages group across 1 directory with 5 updates

[dependabot]

Bumps the python-packages group with 5 updates in the / directory:

Package	From	To
django	5.2.10	5.2.11
gunicorn	23.0.0	25.1.0
pytest-django	4.11.1	4.12.0
asgiref	3.11.0	3.11.1
django-environ	0.12.0	0.12.1

Updates django from 5.2.10 to 5.2.11

Commits

• 4a96a19 [5.2.x] Bumped version for 5.2.11 release.
• ab0ad8d [5.2.x] Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases...
• e863ee2 [5.2.x] Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via al...
• 3e68ccd [5.2.x] Fixed CVE-2026-1287 -- Protected against SQL injection in column alia...
• 9f2ada8 [5.2.x] Fixed CVE-2026-1285 -- Mitigated potential DoS in django.utils.text.T...
• 17a1d64 [5.2.x] Fixed CVE-2026-1207 -- Prevented SQL injections in RasterField lookup...
• 1ba9006 [5.2.x] Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI req...
• 184e38a [5.2.x] Fixed CVE-2025-13473 -- Standardized timing of check_password() in mo...
• d8c551d [5.2.x] Added stub release notes and release date for 5.2.11 and 4.2.28.
• 3ea659d [5.2.x] Clarified regression nature of data loss bug in docs/releases/5.2.10....
• Additional commits viewable in compare view

Updates gunicorn from 23.0.0 to 25.1.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 25.1.0

New Features

• Control Interface (gunicornc): Add interactive control interface for managing running Gunicorn instances, similar to birdc for BIRD routing daemon ([PR #3505](benoitc/gunicorn#3505))

  • Unix socket-based communication with JSON protocol
  • Interactive mode with readline support and command history
  • Commands: show all/workers/dirty/config/stats/listeners
  • Worker management: worker add/remove/kill, dirty add/remove
  • Server control: reload, reopen, shutdown
  • New settings: --control-socket, --control-socket-mode, --no-control-socket
  • New CLI tool: gunicornc for connecting to control socket
  • See Control Interface Guide for details

• Dirty Stash: Add global shared state between workers via dirty.stash ([PR #3503](benoitc/gunicorn#3503))

  • In-memory key-value store accessible by all workers
  • Supports get, set, delete, clear, keys, and has operations
  • Useful for sharing state like feature flags, rate limits, or cached data

• Dirty Binary Protocol: Implement efficient binary protocol for dirty arbiter IPC using TLV (Type-Length-Value) encoding ([PR #3500](benoitc/gunicorn#3500))

  • More efficient than JSON for binary data
  • Supports all Python types: str, bytes, int, float, bool, None, list, dict
  • Better performance for large payloads

• Dirty TTIN/TTOU Signals: Add dynamic worker scaling for dirty arbiters ([PR #3504](benoitc/gunicorn#3504))

  • Send SIGTTIN to increase dirty workers
  • Send SIGTTOU to decrease dirty workers
  • Respects minimum worker constraints from app configurations

Changes

• ASGI Worker: Promoted from beta to stable
• Dirty Arbiters: Now marked as beta feature

Documentation

• Fix Markdown formatting in /configure documentation

25.0.3

What's Changed

Bug Fixes

• Fix RuntimeError when StopIteration raised in ASGI coroutine (#3484)
• Fix passing maxsplit in re.split() as positional argument (deprecated in Python 3.13)

... (truncated)

Commits

• 2d43101 docs: merge gunicornc into 25.1.0 release
• bf4ad8d docs: update 25.1.0 release date to 2026-02-13
• 730350e Merge pull request #3505 from benoitc/feature/gunicornc-control-interface
• 63df19b fix(tests): use process groups for reliable signal handling in PyPy
• cd77bcc fix(tests): increase wait time for all server tests
• 02ea985 fix(tests): improve server test reliability on FreeBSD
• 6d81c9e fix: resolve pylint warnings
• 7486baa fix: remove unused imports
• 3e60d29 docs: add gunicornc control interface guide
• e05e40d feat(ctl): add message-based dirty worker management
• Additional commits viewable in compare view

Updates pytest-django from 4.11.1 to 4.12.0

Changelog

Sourced from pytest-django's changelog.

v4.12.0 (2026-02-14)

Compatibility ^^^^^^^^^^^^^

• Official Python 3.14 support.
• Dropped support for Python 3.9, minimum version is now Python 3.10.
• Official Django 6.0 support.

Improvements ^^^^^^^^^^^^

• The :ref:multiple databases <multi-db> support added in v4.3.0 is no longer considered experimental.
• Added :func:@pytest.mark.django_isolate_apps <pytest.mark.django_isolate_apps> for isolating Django's app registry in pytest tests, and a :fixture:django_isolated_apps fixture to access the isolated Apps registry instance if needed.

Commits

• a2a9495 Release 4.12.0
• 020bc23 tests: make sure access to default can also be blocked
• bcefbe8 Add support for isolating apps in tests
• 39c8dcc plugin: add a note why we reorder tests
• 1830acd pyproject.toml: require pytest 9 for self tests, switch to native toml config...
• f19da08 Fix the order of the test cases that use the live_server fixture
• 92858ee docs: add pytest 9.0+ native TOML configuration format
• 3f550d9 build(deps): bump hynek/build-and-inspect-python-package
• 1f50dd2 Drop obsolete traces of Django 5.0 in CI
• 247ec1c Fix PytestCollectionWarning for TestRunner class (#1259)
• Additional commits viewable in compare view

Updates asgiref from 3.11.0 to 3.11.1

Changelog

Sourced from asgiref's changelog.

3.11.1 (2026-02-03)

• SECURITY FIX CVE-2025-14550: There was a potential DoS vector for users of the asgiref.wsgi.WsgiToAsgi adapter. Malicious requests, including an unreasonably large number of values for the same header, could lead to resource exhaustion when building the WSGI environment.

  To mitigate this, the algorithm is changed to be more efficient, and WsgiToAsgi gains a new optional duplicate_header_limit parameter, which defaults to 100. This specifies the number of times a single header may be repeated before the request is rejected as malformed.

  You may override duplicate_header_limit when configuring your application::

  application = WsgiToAsgi(wsgi_app, duplicate_header_limit=200)
  

  Set duplicate_header_limit=None if you wish to disable this check.

• Fixed a regression in 3.11.0 in sync_to_async when wrapping a callable with an attribute named context. (#537)

Commits

• d97a733 Releasing 3.11.1.
• a50968a CVE-2025-14550: Fixed duplicate header handling in WsgiToAsgi.
• 0fb85a4 Fixed sync_to_async wrapping callables with attribute named context.
• 2b28409 Updated Hypercorn homepage URL (#539)
• See full diff in compare view

Updates django-environ from 0.12.0 to 0.12.1

Release notes

Sourced from django-environ's releases.

v0.12.1

Changelog

Fixed

• Fixed PostgreSQL cluster URL parsing with bracketed IPv6 hosts in recent Python versions, preventing failures in runtime URL parsing and related regression tests [#574](https://github.com/joke2k/django-environ/issues/574) <https://github.com/joke2k/django-environ/issues/574>_.
• Fixed debug logging in Env.get_value() to avoid evaluating lazy default objects when DEBUG logging is enabled [#571](https://github.com/joke2k/django-environ/issues/571) <https://github.com/joke2k/django-environ/issues/571>_.

Changelog

Sourced from django-environ's changelog.

v0.12.1_ - 13-February-2026

Fixed +++++

• Fixed PostgreSQL cluster URL parsing with bracketed IPv6 hosts in recent Python versions, preventing failures in runtime URL parsing and related regression tests [#574](https://github.com/joke2k/django-environ/issues/574) <https://github.com/joke2k/django-environ/issues/574>_.
• Fixed debug logging in Env.get_value() to avoid evaluating lazy default objects when DEBUG logging is enabled [#571](https://github.com/joke2k/django-environ/issues/571) <https://github.com/joke2k/django-environ/issues/571>_.

Commits

• efab9d6 Merge pull request #576 from joke2k/develop
• feed770 docs(readme): replace archived Two Scoops link with official Feldroy page
• 2ebe6a2 docs(security): update vulnerability contact to project maintainer
• f4b9c36 chore(release): bump version to 0.12.1 and update maintainer metadata
• 079a2f1 Fix PostgreSQL cluster IPv6 parsing and lazy-default debug logging (#575)
• de337e0 Merge pull request #568 from gsmoon97/docs/fix-typo
• 14b45a8 docs: Fix typo in tips.rst
• 99872f5 add sphinx configuration for readthedocs
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml