Bump gdown from 4.0.2 to 5.2.2

[dependabot]

Bumps gdown from 4.0.2 to 5.2.2.

Release notes

Sourced from gdown's releases.

v5.2.2

Security

• Fix path traversal vulnerability in extractall() that allowed zip/tar archives with ../ entries to write files outside the target directory (GHSA-76hw-p97h-883f)
• Reject symlinks, hardlinks, and special files in tar archives
• Use Python 3.12+ filter="data" for safe tar extraction when available
• Sanitize filenames from HTTP responses and URLs to prevent path traversal via /, , .., and null bytes
• Sanitize root folder name in download_folder() before building directory paths

v5.2.1

Fixes

• cached_download: Verify file hash before moving to final location instead of after (wkentaro/gdown#417)
  • Previously, the hash was verified after moving to the final path, which could leave corrupted files in place if hash verification failed
• download: Fix speed limit throttling logic to use independent byte counter instead of pbar.n (wkentaro/gdown#407)
  • The speed limiter now correctly tracks downloaded bytes independently from the progress bar
  • Also fixes unnecessary sleep when resuming downloads with speed limit (since pbar.n includes start_size from resumed downloads)

Chores

• Fix missing space in --output help text (wkentaro/gdown#398)
• Fix concatenated string literal in extractall.py error message

v5.2.0

🚀 Features

• Feature: preserve GDrive's last modified time when downloading #351 (Thanks @​moulins)
• Feature: allow folders to be continued more usefully #288 (Thanks @​achadwick)

✨ Enhancement

• Show resume progress bar from the middle #361

🐛 Fixes

• Use importlib.metadata to get the version number from the installed package #319
• BUG: Download folder with "skip_download=True" creates an output folder #321 (Thanks @​o-laurent)

💬 Other

• Fix typos in README.md #323 (Thanks @​amorehead)
• Run GitHub Actions on macOS, Ubuntu, and Windows #324
• Support Windows and macOS in tests #359
• Typo in arg help text #343 (Thanks @​frosit)
• Trivial: Update the documentation for the output param #347 (Thanks @​abouelkhair5)

---

• To connect, check my Twitter.
• To support, check Sponsoring Page.

... (truncated)

Commits

• af569fc fix: prevent path traversal in archive extraction and filename handling
• 7f4cb68 Merge pull request #417 from wkentaro/fix_cached_download_verify_file_hash_be...
• 9697a53 fix(cached_download): verify file hash before moving to final location
• c7c1b9d Merge pull request #407 from wkentaro/fix_speed_limit
• 940bd40 Fix throttling logic to use independent byte counter instead of pbar.n
• a55ce67 Fix unnecessary sleep when resuming downloads with speed limit
• c3c8102 Merge pull request #398 from hmaarrfk/lint
• a095aaa chore: add missing space for help of --output
• 10e8c85 lint other files
• eeb6995 Use .part suffix to represent partially downloaded files
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.