
build(deps): bump the production-dependencies group across 1 directory with 12 updates #276

Open
dependabot[bot] wants to merge 1 commit into staging from dependabot/pip/staging/production-dependencies-d9e769e867

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026


Bumps the production-dependencies group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| beautifulsoup4 | 4.14.3 | 4.15.0 |
| bleach | 6.3.0 | 6.4.0 |
| flask-cors | 6.0.2 | 6.0.5 |
| grpcio | 1.80.0 | 1.81.0 |
| grpcio-testing | 1.80.0 | 1.81.0 |
| grpcio-tools | 1.80.0 | 1.81.0 |
| idna | 3.15 | 3.18 |
| peewee | 4.0.5 | 4.0.6 |
| phonenumbers | 9.0.30 | 9.0.32 |
| pika | 1.4.0 | 1.4.1 |
| pymysql | 1.1.3 | 1.2.0 |
| tqdm | 4.67.3 | 4.68.1 |

Updates beautifulsoup4 from 4.14.3 to 4.15.0

Updates bleach from 6.3.0 to 6.4.0

Changelog

Sourced from bleach's changelog.

Version 6.4.0 (June 5th, 2026)

NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future releases including for security issues. See issue: https://github.com/mozilla/bleach/issues/698

Backwards incompatible changes

  • Dropped support for pypy 3.10. (#764)

Security fixes

  • Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.

    Fix XSS issue with sanitize_uri_value where disallowed schemes with Unicode invisible characters wouldn't be rejected.

    For example::

    import bleach
    payload1 = 'Click'
    result1 = bleach.clean(payload1)
    print(repr(result1))

    outputs::

    'Click'

    See the advisory for details.

  • Fix GHSA-gj48-438w-jh9v.

    Fix issue where URI sanitization wasn't happening in formaction attributes.

    See the advisory for details.

Bug fixes

  • Add support for pypy 3.11. (#764)

  • Drop version max in tinycss2 pin. (#772)

    This removes one of the things we had to keep checking and updating. Users now own the responsibility for correctness with the version of tinycss2 they're using.

Commits
  • f0355a7 fix: fix last release date in CHANGES
  • ae4e8a2 chore: bleach 6.4.0 and final release
  • 970df58 fix: uri-sanitization in formaction attributes
  • 7c4867c fix: xss bypass in allowed protocol test using unicode invisible characters
  • 913ab75 fix: reduce redundancy in workflow jobs
  • 218c15a fix: rework pip caching
  • 4f0b097 fix: fix tox platform restrictions
  • e95a79d chore: update pytest
  • 91539d4 Bump actions/cache from 5.0.3 to 5.0.4
  • cd47b4c fix: handle left-angle-bracket that's not a tag (#733)
  • Additional commits viewable in compare view

Updates flask-cors from 6.0.2 to 6.0.5

Release notes

Sourced from flask-cors's releases.

6.0.5

Supersedes 6.0.4

What's Changed

Full Changelog: corydolphin/flask-cors@6.0.3...6.0.5

6.0.4

What's Changed

Full Changelog: corydolphin/flask-cors@6.0.3...6.0.4

6.0.3

What's Changed

Full Changelog: corydolphin/flask-cors@6.0.2...6.0.3

6.0.3-pre

What's Changed

Full Changelog: corydolphin/flask-cors@6.0.2...6.0.3

Commits
  • 91ebc49 Typing Hotfix: support blueprints in the type system
  • d601665 Add strict MyPy Typing
  • c8e8871 Harden release publishing workflow (#406)
  • e1d4034 Derive package version from git tag via setuptools-scm (#405)
  • See full diff in compare view

Updates grpcio from 1.80.0 to 1.81.0

Release notes

Sourced from grpcio's releases.

Release v1.81.0

This is release 1.81.0 (graphic) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • [EventEngine] Fix a potential use-after-free error on Windows. (#42078)
  • [ssl] Server side handshaker factory stores a map of key signers. (#42002)
  • [Core] Fix completion queue shutdown race on weak memory models (ARM). (#41510)
  • [EventEngine] Fix a Windows race that causes an assertion error. (#41563)
  • [grpc_error] enable error_flatten experiment in OSS. (#41471)
  • [Python] Trim Python2 backward compatibility syntax - removed (object) inheritance. (#41708)

Objective-C

  • [ObjC] Add receiveNextMessage to GRPCUnaryProtoCall. (#42260)

Python

  • [Python] Add typing_extensions dep to aio Bazel target. (#42001)
  • [Python] [Pyright] Part 1 - Pyright for src/python/grpcio/grpc/aio/_base_server.py. (#42240)
  • [Python] Drop 3.9. (#42145)
  • [Python] grpc-status: Relax protobuf dependency upper bound to allow 7.x. (#41948)
  • [Python] [Typeguard] Part 5 - Add Typeguard SYNC Stack in tests. (#40278)
  • [Python] Remove GIL from ReceiveMessageOperation.un_c method. (#41812)
  • [Python] Support observability in AsyncIO stack. (#41573)

Ruby

  • [Ruby] Drop support for EOL Ruby 3.1 and clean up. (#41435)
  • [Ruby] Composed CallCredentials keep a reference to their source. (#41782)

Release v1.81.0-pre1

This is a prerelease of gRPC Core 1.81.0 (graphic).

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This prerelease contains refinements, improvements, and bug fixes.

Commits
  • 8bdf11e [Release] Bump version to 1.81.0 (on v1.81.x branch) (#42432)
  • 0029e06 Move all gRPC Session classes to the experimental namespace (#42462)
  • 1f18268 [CI] Fix Asan thread_stress_test error by reducing thread count (#42424) (#42...
  • ee3fed7 Backport MacOS fix cl/917004588 to v1.81.x (#42441)
  • 6244f3b [Release] Bump version to 1.81.0-pre1 (on v1.81.x branch) (#42378)
  • 1108777 [Release] Bump core version to 54.0.0 for upcoming release (#42321)
  • 74940e8 [fix] Add back the do-while loop that handles the TSI_RESULT correctly.
  • 5c6185c [CHTTP2] Assert
  • 51bc437 Automated rollback of commit aab1eab78f9fcb3fc6e0aa9c8d7a59de280dbe3f.
  • 03a2dc7 [Cleanup] Reduce log noise in latent see.
  • Additional commits viewable in compare view

Updates grpcio-testing from 1.80.0 to 1.81.0

Updates grpcio-tools from 1.80.0 to 1.81.0

Release notes

Sourced from grpcio-tools's releases.

Release v1.81.0

This is release 1.81.0 (graphic) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • [EventEngine] Fix a potential use-after-free error on Windows. (#42078)
  • [ssl] Server side handshaker factory stores a map of key signers. (#42002)
  • [Core] Fix completion queue shutdown race on weak memory models (ARM). (#41510)
  • [EventEngine] Fix a Windows race that causes an assertion error. (#41563)
  • [grpc_error] enable error_flatten experiment in OSS. (#41471)
  • [Python] Trim Python2 backward compatibility syntax - removed (object) inheritance. (#41708)

Objective-C

  • [ObjC] Add receiveNextMessage to GRPCUnaryProtoCall. (#42260)

Python

  • [Python] Add typing_extensions dep to aio Bazel target. (#42001)
  • [Python] [Pyright] Part 1 - Pyright for src/python/grpcio/grpc/aio/_base_server.py. (#42240)
  • [Python] Drop 3.9. (#42145)
  • [Python] grpc-status: Relax protobuf dependency upper bound to allow 7.x. (#41948)
  • [Python] [Typeguard] Part 5 - Add Typeguard SYNC Stack in tests. (#40278)
  • [Python] Remove GIL from ReceiveMessageOperation.un_c method. (#41812)
  • [Python] Support observability in AsyncIO stack. (#41573)

Ruby

  • [Ruby] Drop support for EOL Ruby 3.1 and clean up. (#41435)
  • [Ruby] Composed CallCredentials keep a reference to their source. (#41782)

Release v1.81.0-pre1

This is a prerelease of gRPC Core 1.81.0 (graphic).

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This prerelease contains refinements, improvements, and bug fixes.

Commits

Updates idna from 3.15 to 3.18

Changelog

Sourced from idna's changelog.

3.18 (2026-06-02)

  • When decoding a domain, add a display argument that will pass through invalid labels rather than raising an exception.

3.17 (2026-05-28)

  • Substantial 75% reduction in memory usage through new data structures and some optimization in processing speed.
  • Added a general 1024-character input length cap to the public validation, conversion, and codec entry points. This is well above any legitimate domain or label and guards against pathological inputs.

3.16 (2026-05-22)

  • Add a command-line interface (python -m idna, also available as the idna script). Encodes or decodes one or more domains supplied as arguments or on standard input, with options to select A-label or U-label output and control error handling.
  • Raise the minimum supported Python version to 3.9
  • Various code quality improvements
Commits
  • f39ea90 Release 3.18
  • 40f4e40 Pre-release 3.18rc0
  • 1a5bf80 Merge pull request #253 from kjd/lenient-decode
  • 5bbb26f Merge branch 'master' into lenient-decode
  • c532bae Rename decode() lenient= option to display= (issue #248)
  • 0b1758b Merge pull request #252 from kjd/release-3.17
  • f48619c Release 3.17
  • 7421ba8 Pre-release 3.17rc0
  • 22ebb73 Merge pull request #251 from kjd/structure-optimizations
  • 2a7ac0a Drop redundant parallel-arrays comment from uts46data
  • Additional commits viewable in compare view

Updates peewee from 4.0.5 to 4.0.6

Release notes

Sourced from peewee's releases.

4.0.6

  • Add new methods to the postgres BinaryJSONField: helpers for in-place modifications (set, replace, insert, append, update).
  • Also add json-path helpers to the postgres BinaryJSONField (path_exists, path_match, path_query, path_query_array, path_query_first).
  • Quote path elements in SQLite's JSON field.
  • Better and faster parsing of formatted date/times. Use the stdlib fromisoformat as a first attempt since it's faster and more robust.
  • Ensure db.connection_context() can be nested cleanly, #3046.
  • Fix potential deadlock in pool.close_all and pool.manual_close, #3047.
  • Restore whitespace stripping in FixedCharField, #3048.

View commits

Changelog

Sourced from peewee's changelog.

4.0.6

  • Add new methods to the postgres BinaryJSONField: helpers for in-place modifications (set, replace, insert, append, update).
  • Also add json-path helpers to the postgres BinaryJSONField (path_exists, path_match, path_query, path_query_array, path_query_first).
  • Quote path elements in SQLite's JSON field.
  • Better and faster parsing of formatted date/times. Use the stdlib fromisoformat as a first attempt since it's faster and more robust.
  • Ensure db.connection_context() can be nested cleanly, #3046.
  • Fix potential deadlock in pool.close_all and pool.manual_close, #3047.
  • Restore whitespace stripping in FixedCharField, #3048.

View commits

Commits
  • 5a99f30 4.0.6
  • 451f17b Update cl
  • 63c4ded Restore whitespace stripping in FixedCharField.
  • 2f460ad Fix deadlock in pool manual_close + close_all.
  • 504f3c5 Fix pwasyncio failure w/conn context
  • ef045af changelog update
  • b1bc2cf Make connection_context() nest cleanly.
  • be1dd2d Update changelog w/the last couple changes.
  • 8a80798 Update docs, add path support to nested lookups as well.
  • 98a0dd4 Add some helpers for json mutation + json-path to pg
  • Additional commits viewable in compare view

Updates phonenumbers from 9.0.30 to 9.0.32

Commits
  • facd74c Prep for 9.0.32 release
  • 8ea3d6a Generated files for metadata
  • 1d40b76 Merge metadata changes from upstream 9.0.32
  • 43a9c86 Prep for 9.0.31 release
  • 98c625e Generated files for metadata
  • 9161226 Merge metadata changes from upstream 9.0.31
  • See full diff in compare view

Updates pika from 1.4.0 to 1.4.1

Release notes

Sourced from pika's releases.

1.4.1

https://pypi.org/project/pika/1.4.1/ | GitHub milestone

Changelog

Sourced from pika's changelog.

1.4.1 (2026-05-22)

Merged pull requests:

  • Fix Channel.close() for channels with multiple consumers #1596 (gbenson)
Commits

Updates pymysql from 1.1.3 to 1.2.0

Release notes

Sourced from pymysql's releases.

v1.2.0

What's Changed

New Contributors

Full Changelog: PyMySQL/PyMySQL@v1.1.3...v1.2.0

Changelog

Sourced from pymysql's changelog.

v1.2.0

Release date: 2026-05-19

Breaking changes

  • Connection.ping() change the default to not reconnect and deprecate reconnect argument. Create a new connection if you want to reconnect. (#1241)

  • Error classes in Cursor class are removed. (#1240)

  • connect() arguments db and passwd now emit DeprecationWarning. Use database and password instead. (#1240)

  • Reorganize TLS connection behavior.

    • PyMySQL uses TLS by default when server supports it. Use ssl_disabled=True to prohibit SSL. (#1213)

    • When ssl_verify_cert=True, ssl_verify_identity=True, an ssl.SSLContext is passed, or when any other SSL option is configured, the connection requires SSL and raises OperationalError (CR_SSL_CONNECTION_ERROR) if the server doesn't support it. (#1234)

Other changes

  • Support MySQL 8 row/column alias syntax in executemany INSERT regex. (#1235)
  • Expose SQLSTATE on MySQL protocol exceptions without changing exception formatting. (#1236)
  • Reject non-finite decimal.Decimal query parameters (NaN, sNaN, ±Infinity). (#1237)
  • Connection.set_charset(charset) now emits DeprecationWarning.
Commits
  • 0f1c324 use ubuntu-latest for pypi publishing
  • 53b16b2 Release v1.2.0 (#1244)
  • 637fe7e Deprecate Connection.set_charset() at runtime and document warning behavior...
  • 23ca04a add AGENTS.md
  • 7349a44 deprecate reconnect in Connection.ping() (#1241)
  • ad5c50c update CHANGELOG
  • c963edb Deprecation and removals (#1240)
  • af6b9b4 Prepare CHANGELOG for v1.2.0 release from v1.1.3 changes (#1238)
  • c7bf73f docs: update outdated requirements and reference links (#1239)
  • c532b8d Reject non-finite decimal.Decimal query parameters (NaN, sNaN, `±Infini...
  • Additional commits viewable in compare view

Updates tqdm from 4.67.3 to 4.68.1

Release notes

Sourced from tqdm's releases.

tqdm v4.68.1 stable

tqdm v4.68.0 stable

  • utils: simplify terminal size detection (#1760)
  • contrib
    • itertools (#1760)
      • add chain, permutations, combinations, combinations_with_replacement, batched
      • add product(repeat=1) keyword argument (#1428)
    • fix discord, telegram error handling
    • fix discord, slack, telegram format for total=None
  • soft-deprecate tqdm.utils.envwrap -> envwrap
  • benchmarks: fix asv
  • misc linting
  • misc framework updates
    • CI: migrate manual job to pre-commit.ci
    • bump workflow actions & pre-commit hooks
Commits
  • 67cf355 Merge pull request #1751 from jaltmayerpizzorno/fix-atexit-monitor-deadlock
  • cfa4a85 minor docstring updates
  • f83290c Fix TMonitor deadlock at interpreter shutdown
  • 59029c3 Set name for tqdm monitor thread (#1752)
  • ef4a142 bump version, merge pull request #1760 from tqdm/devel
  • 17f246b lint warning suppression
  • c682c7b benchmarks: fix asv
  • fc69588 CI: migrate to pre-commit.ci
  • a31d97f more contrib.itertools
  • e4d9742 soft-deprecate tqdm.utils.envwrap -> envwrap
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
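
The bleach 6.4.0 changelog entry above describes disallowed schemes slipping past URI sanitization when they contain Unicode invisible characters. As an added example (not bleach's code or its fix, and not part of this pull request), here is a standalone pre-check that fails closed on such values; the allowlist, function names and sample values are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumed allowlist for this sketch; use the schemes your application permits.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})
# Unicode general categories that render as nothing: control, format
# (zero-width, bidi marks, word joiner), line and paragraph separators.
INVISIBLE_CATEGORIES = frozenset({"Cc", "Cf", "Zl", "Zp"})
# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def invisible_chars(value):
    """List (index, code point) for every invisible character in value."""
    return [
        (i, f"U+{ord(ch):04X}")
        for i, ch in enumerate(value)
        if unicodedata.category(ch) in INVISIBLE_CATEGORIES
    ]


def check_uri(value, allowed=ALLOWED_SCHEMES):
    """Return (accepted, reason) for an attribute value that holds a URI."""
    value = value.strip(" ")
    hidden = invisible_chars(value)
    if hidden:
        # Fail closed: do not strip and re-parse, because the consumer of the
        # value may normalise it differently from this check.
        return False, "invisible character " + hidden[0][1]
    match = SCHEME_RE.match(value)
    if match:
        scheme = match.group(1).lower()
        if scheme in allowed:
            return True, "scheme " + scheme
        return False, "scheme not allowed: " + scheme
    # No well-formed scheme. A colon before the first '/', '?' or '#' means the
    # value still looks like "something:", so it is not a relative reference.
    head = re.split(r"[/?#]", value, maxsplit=1)[0]
    if ":" in head:
        return False, "malformed scheme"
    return True, "relative reference"


# Constructed sample values, not taken from the advisory.
SAMPLES = [
    "https://example.com/a",
    "/docs/page?x=1",
    "JaVaScRiPt:void(0)",
    "java\u200bscript:void(0)",   # zero width space inside the scheme
    "java\tscript:void(0)",       # ASCII tab inside the scheme
    "\u2060https://example.com/", # word joiner before an allowed scheme
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), check_uri(sample))
```

Because the changelog also states that bleach will receive no further releases, a check like this belongs in the application's own tests so it keeps running whichever sanitizer is in use.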

…y with 12 updates

Bumps the production-dependencies group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [beautifulsoup4](https://www.crummy.com/software/BeautifulSoup/bs4/) | `4.14.3` | `4.15.0` |
| [bleach](https://github.com/mozilla/bleach) | `6.3.0` | `6.4.0` |
| [flask-cors](https://github.com/corydolphin/flask-cors) | `6.0.2` | `6.0.5` |
| [grpcio](https://github.com/grpc/grpc) | `1.80.0` | `1.81.0` |
| [grpcio-testing](https://grpc.io) | `1.80.0` | `1.81.0` |
| [grpcio-tools](https://github.com/grpc/grpc) | `1.80.0` | `1.81.0` |
| [idna](https://github.com/kjd/idna) | `3.15` | `3.18` |
| [peewee](https://github.com/coleifer/peewee) | `4.0.5` | `4.0.6` |
| [phonenumbers](https://github.com/daviddrysdale/python-phonenumbers) | `9.0.30` | `9.0.32` |
| [pika](https://github.com/pika/pika) | `1.4.0` | `1.4.1` |
| [pymysql](https://github.com/PyMySQL/PyMySQL) | `1.1.3` | `1.2.0` |
| [tqdm](https://github.com/tqdm/tqdm) | `4.67.3` | `4.68.1` |



Updates `beautifulsoup4` from 4.14.3 to 4.15.0

Updates `bleach` from 6.3.0 to 6.4.0
- [Changelog](https://github.com/mozilla/bleach/blob/main/CHANGES)
- [Commits](mozilla/bleach@v6.3.0...v6.4.0)

Updates `flask-cors` from 6.0.2 to 6.0.5
- [Release notes](https://github.com/corydolphin/flask-cors/releases)
- [Changelog](https://github.com/corydolphin/flask-cors/blob/main/CHANGELOG.md)
- [Commits](corydolphin/flask-cors@6.0.2...6.0.5)

Updates `grpcio` from 1.80.0 to 1.81.0
- [Release notes](https://github.com/grpc/grpc/releases)
- [Commits](grpc/grpc@v1.80.0...v1.81.0)

Updates `grpcio-testing` from 1.80.0 to 1.81.0

Updates `grpcio-tools` from 1.80.0 to 1.81.0
- [Release notes](https://github.com/grpc/grpc/releases)
- [Commits](grpc/grpc@v1.80.0...v1.81.0)

Updates `idna` from 3.15 to 3.18
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.15...v3.18)

Updates `peewee` from 4.0.5 to 4.0.6
- [Release notes](https://github.com/coleifer/peewee/releases)
- [Changelog](https://github.com/coleifer/peewee/blob/master/CHANGELOG.md)
- [Commits](coleifer/peewee@4.0.5...4.0.6)

Updates `phonenumbers` from 9.0.30 to 9.0.32
- [Commits](daviddrysdale/python-phonenumbers@v9.0.30...v9.0.32)

Updates `pika` from 1.4.0 to 1.4.1
- [Release notes](https://github.com/pika/pika/releases)
- [Changelog](https://github.com/pika/pika/blob/1.4.1/CHANGELOG.md)
- [Commits](pika/pika@1.4.0...1.4.1)

Updates `pymysql` from 1.1.3 to 1.2.0
- [Release notes](https://github.com/PyMySQL/PyMySQL/releases)
- [Changelog](https://github.com/PyMySQL/PyMySQL/blob/main/CHANGELOG.md)
- [Commits](PyMySQL/PyMySQL@v1.1.3...v1.2.0)

Updates `tqdm` from 4.67.3 to 4.68.1
- [Release notes](https://github.com/tqdm/tqdm/releases)
- [Commits](tqdm/tqdm@v4.67.3...v4.68.1)

---
updated-dependencies:
- dependency-name: beautifulsoup4
  dependency-version: 4.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: bleach
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: flask-cors
  dependency-version: 6.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: grpcio
  dependency-version: 1.81.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: grpcio-testing
  dependency-version: 1.81.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: grpcio-tools
  dependency-version: 1.81.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: idna
  dependency-version: '3.18'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: peewee
  dependency-version: 4.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: phonenumbers
  dependency-version: 9.0.32
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: pika
  dependency-version: 1.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: pymysql
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: tqdm
  dependency-version: 4.68.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 8, 2026