Bump the pip group across 1 directory with 2 updates

[dependabot]

Updates the requirements on werkzeug and jinja2 to permit the latest version.
Updates werkzeug to 3.0.1

Release notes

Sourced from werkzeug's releases.

3.0.1

This is a security release for the 3.0.x feature branch.

• Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-1

Changelog

Sourced from werkzeug's changelog.

Version 3.0.1

Released 2023-10-24

• Fix slow multipart parsing for large parts potentially enabling DoS attacks. :cwe:CWE-407

Version 3.0.0

Released 2023-09-30

• Remove previously deprecated code. :pr:2768
• Deprecate the __version__ attribute. Use feature detection, or importlib.metadata.version("werkzeug"), instead. :issue:2770
• generate_password_hash uses scrypt by default. :issue:2769
• Add the "werkzeug.profiler" item to the WSGI environ dictionary passed to ProfilerMiddleware's filename_format function. It contains the elapsed and time values for the profiled request. :issue:2775
• Explicitly marked the PathConverter as non path isolating. :pr:2784

Version 2.3.8

Released 2023-11-08

• Fix slow multipart parsing for large parts potentially enabling DoS attacks. :cwe:CWE-407

Version 2.3.7

Released 2023-08-14

• Use flit_core instead of setuptools as build backend.
• Fix parsing of multipart bodies. :issue:2734
• Adjust index of last newline in data start. :issue:2761
• Parsing ints from header values strips spacing first. :issue:2734
• Fix empty file streaming when testing. :issue:2740
• Clearer error message when URL rule does not start with slash. :pr:2750
• Accept q value can be a float without a decimal part. :issue:2751

Version 2.3.6

Released 2023-06-08

... (truncated)

Commits

• ce4eff5 Release version 3.0.1
• b1916c0 Fix: slow multipart parsing for huge files with few CR/LF characters
• 726eaa2 Release version 3.0.0
• 6427542 Default the PathConverter (and descendants) to be non part isolating
• 4820d8c Provide elapsed and timestamp info to filename_format
• 599993d Bump pypa/gh-action-pypi-publish from 1.8.8 to 1.8.10 (#2780)
• a2394ed Bump slsa-framework/slsa-github-generator from 1.7.0 to 1.9.0 (#2779)
• 1efd6f3 Bump actions/checkout from 3.5.3 to 3.6.0 (#2778)
• 76a5419 Bump pypa/gh-action-pypi-publish from 1.8.8 to 1.8.10
• ce8cfe7 Bump slsa-framework/slsa-github-generator from 1.7.0 to 1.9.0
• Additional commits viewable in compare view

Updates jinja2 to 3.1.3

Release notes

Sourced from jinja2's releases.

3.1.3

This is a fix release for the 3.1.x feature branch.

• Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.
• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-3
• Milestone: https://github.com/pallets/jinja/milestone/15?closed=1

Changelog

Sourced from jinja2's changelog.

Version 3.1.3

Released 2024-01-10

• Fix compiler error when checking if required blocks in parent templates are empty. :pr:1858
• xmlattr filter does not allow keys with spaces. GHSA-h5c8-rqwp-cp95
• Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. :pr:1918

Version 3.1.2

Released 2022-04-28

• Add parameters to Environment.overlay to match __init__. :issue:1645
• Handle race condition in FileSystemBytecodeCache. :issue:1654

Version 3.1.1

Released 2022-03-25

• The template filename on Windows uses the primary path separator. :issue:1637

Version 3.1.0

Released 2022-03-24

• Drop support for Python 3.6. :pr:1534

• Remove previously deprecated code. :pr:1544

  • WithExtension and AutoEscapeExtension are built-in now.
  • contextfilter and contextfunction are replaced by pass_context. evalcontextfilter and evalcontextfunction are replaced by pass_eval_context. environmentfilter and environmentfunction are replaced by pass_environment.
  • Markup and escape should be imported from MarkupSafe.
  • Compiled templates from very old Jinja versions may need to be recompiled.
  • Legacy resolve mode for Context subclasses is no longer supported. Override resolve_or_missing instead of

... (truncated)

Commits

• d9de4bb release version 3.1.3
• 50124e1 skip test pypi
• 9ea7222 use trusted publishing
• da703f7 use trusted publishing
• bce1746 use trusted publishing
• 7277d80 update pre-commit hooks
• 5c8a105 Make nested-trans-block exceptions nicer (#1918)
• 19a55db Make nested-trans-block exceptions nicer
• 7167953 Merge pull request from GHSA-h5c8-rqwp-cp95
• 7dd3680 xmlattr filter disallows keys with spaces
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #1067.