Bump the pip group across 1 directory with 2 updates

[dependabot]

Bumps the pip group with 2 updates in the /apiserver directory: python-jose and starlette.

Updates python-jose from 3.3.0 to 3.4.0

Release notes

Sourced from python-jose's releases.

3.4.0

News

• Remove support for Python 3.6 and 3.7
• Added support for Python 3.10 and 3.11

Bug fixes and Improvements

• Updating CryptographyAESKey::encrypt to generate 96 bit IVs for GCM block cipher mode
• Fix for PEM key comparisons caused by line lengths and new lines
• Fix for CVE-2024-33664 - JWE limited to 250KiB
• Fix for CVE-2024-33663 - signing JWT with public key is now forbidden
• Replace usage of deprecated datetime.utcnow() with datetime.now(UTC)

Housekeeping

• Updated Github Actions Workflows
• Updated to use tox 4.x
• Revise codecov integration
• Fixed DeprecationWarnings

Changelog

Sourced from python-jose's changelog.

3.4.0 -- 2025-02-14

News

• Remove support for Python 3.6 and 3.7
• Added support for Python 3.10 and 3.11

Bug fixes and Improvements

• Updating CryptographyAESKey::encrypt to generate 96 bit IVs for GCM block cipher mode
• Fix for PEM key comparisons caused by line lengths and new lines
• Fix for CVE-2024-33664 - JWE limited to 250KiB
• Fix for CVE-2024-33663 - signing JWT with public key is now forbidden
• Replace usage of deprecated datetime.utcnow() with datetime.now(UTC)

Housekeeping

• Updated Github Actions Workflows
• Updated to use tox 4.x
• Revise codecov integration
• Fixed DeprecationWarnings

Commits

• 82cd15f Added release date to CHANGELOG.md for 3.4.0 (#371)
• 4e01847 Prepare 3.4.0 release (#370)
• 0360fa3 Replace usage of deprecated datetime.utcnow() with datetime.now(UTC) (#360)
• 12f30c8 Fix for CVE-2024-33663 (forbid public key for HMAC) (#369)
• 638d047 Bump cryptography from 42.0.4 to 43.0.1 (#368)
• 8e1f521 Fix for CVE-2024-33664. JWE limited to 250K (#352)
• c9403b5 Bump cryptography from 41.0.3 to 42.0.4 (#358)
• 58e543e Bump cryptography from 39.0.1 to 41.0.3
• 50d1997 Disabling test build for Python 3.7 on OS X since arm64 is no longer supporte...
• 1967754 Adding get_pem_for_key and normalize_pem methods to normalize PEM formatt...
• Additional commits viewable in compare view

Updates starlette from 0.40.0 to 0.46.0

Release notes

Sourced from starlette's releases.

Version 0.46.0

Added

• GZipMiddleware: Make sure Vary header is always added if a response can be compressed #2865.

Fixed

• Raise exception from background task on BaseHTTPMiddleware #2812.
• GZipMiddleware: Don't compress on server sent events #2871.

Changed

• MultiPartParser: Rename max_file_size to spool_max_size #2780.

Deprecated

• Add deprecated warning to TestClient(timeout=...) #2840.

New Contributors

• @​musicinmybrain made their first contribution in encode/starlette#2855
• @​WilliamDEdwards made their first contribution in encode/starlette#2870
• @​mattmess1221 made their first contribution in encode/starlette#2865

Full Changelog: Kludex/starlette@0.45.3...0.46.0

Version 0.45.3

Fixed

• Turn directory into string on lookup_path on commonpath comparison by @​Kludex in encode/starlette#2851

---

Full Changelog: Kludex/starlette@0.45.2...0.45.3

Version 0.45.2

Fixed

• Make create_memory_object_stream compatible with old anyio versions once again, and bump anyio minimum version to 3.6.2 by @​graingert in #2833.

Full Changelog: Kludex/starlette@0.45.1...0.45.2

Version 0.45.1

Fixed

• Collect errors more reliably from WebSocket test client by @​graingert in encode/starlette#2814
• Fix unclosed MemoryObjectReceiveStream upon exception in BaseHTTPMiddleware children by @​Kludex in encode/starlette#2813

Refactor

• Use a pair of memory object streams instead of two queues by @​graingert in encode/starlette#2829

... (truncated)

Changelog

Sourced from starlette's changelog.

0.46.0 (February 22, 2025)

Added

• GZipMiddleware: Make sure Vary header is always added if a response can be compressed #2865.

Fixed

• Raise exception from background task on BaseHTTPMiddleware #2812.
• GZipMiddleware: Don't compress on server sent events #2871.

Changed

• MultiPartParser: Rename max_file_size to spool_max_size #2780.

Deprecated

• Add deprecated warning to TestClient(timeout=...) #2840.

0.45.3 (January 24, 2025)

Fixed

• Turn directory into string on lookup_path on commonpath comparison #2851.

0.45.2 (January 4, 2025)

Fixed

• Make create_memory_object_stream compatible with old anyio versions once again, and bump anyio minimum version to 3.6.2 #2833.

0.45.1 (December 30, 2024)

Fixed

• Close MemoryObjectReceiveStream left unclosed upon exception in BaseHTTPMiddleware children #2813.
• Collect errors more reliably from the WebSocket logic on the TestClient #2814.

Refactor

• Use a pair of memory object streams instead of two queues on the TestClient #2829.

0.45.0 (December 29, 2024)

Removed

• Drop Python 3.8 support #2823.
• Remove ExceptionMiddleware import proxy from starlette.exceptions module #2826.
• Remove deprecated WS_1004_NO_STATUS_RCVD and WS_1005_ABNORMAL_CLOSURE #2827.

... (truncated)

Commits

• a404872 Version 0.46.0 (#2883)
• 9a8e929 Document how to resize the threadpool (#2881)
• 5cc4ddf Raise exception from background task on BaseHTTPMiddleware (#2812)
• f13d354 fix(gzip): Make sure Vary header is always added if a response can be compres...
• abe3554 Add notes about the GZip middleware (#2880)
• a9a8dab Don't compress on server sent events (#2871)
• 4ae3213 Rename max_file_size to spool_max_size (#2780)
• 4e1c3c2 Document HTTPException for WebSockets Denial Response (#2879)
• 53aef69 Add Discord as chat instead of Gitter (#2878)
• 135e3af Add deprecated warnings to TestClient on use of timeout argument (#2840)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.