Bump the dependencies group across 1 directory with 7 updates

[dependabot]

Bumps the dependencies group with 7 updates in the /admin-system/backend directory:

Package	From	To
sqlalchemy	2.0.32	2.0.36
pillow	10.4.0	11.0.0
werkzeug	3.0.4	3.1.0
torch	2.4.0+cpu	2.5.1
torchvision	0.19.0+cpu	0.20.1
pytest	8.3.2	8.3.3
pytest-cov	5.0.0	6.0.0

Updates sqlalchemy from 2.0.32 to 2.0.36

Release notes

Sourced from sqlalchemy's releases.

2.0.36

Released: October 15, 2024

orm

• [orm] [usecase] Added new parameter _orm.mapped_column.hash to ORM constructs such as _orm.mapped_column(), _orm.relationship(), etc., which is interpreted for ORM Native Dataclasses in the same way as other dataclass-specific field parameters.

  References: #11923

• [orm] [bug] Fixed bug in ORM bulk update/delete where using RETURNING with bulk update/delete in combination with populate_existing would fail to accommodate the populate_existing option.

  References: #11912

• [orm] [bug] Continuing from #11912, columns marked with mapped_column.onupdate, mapped_column.server_onupdate, or Computed are now refreshed in ORM instances when running an ORM enabled UPDATE with WHERE criteria, even if the statement does not use RETURNING or populate_existing.

  References: #11917

• [orm] [bug] Fixed regression caused by fixes to joined eager loading in #11449 released in 2.0.31, where a particular joinedload case could not be asserted correctly. We now have an example of that case so the assertion has been repaired to allow for it.

  References: #11965

• [orm] [bug] Improved the error message emitted when trying to map as dataclass a class while also manually providing the __table__ attribute. This usage is currently not supported.

  References: #11973

• [orm] [bug] Refined the check which the ORM lazy loader uses to detect "this would be loading by primary key and the primary key is NULL, skip loading" to take into account the current setting for the orm.Mapper.allow_partial_pks parameter. If this parameter is False, then a composite PK value that has partial NULL elements should also be skipped. This can apply to some composite overlapping foreign key configurations.

... (truncated)

Commits

• See full diff in compare view

Updates pillow from 10.4.0 to 11.0.0

Release notes

Sourced from pillow's releases.

11.0.0

https://pillow.readthedocs.io/en/stable/releasenotes/11.0.0.html

Changes

• Do not create core image in TIFF seek() #8392 [@​radarhere]
• Removed custom build_openjpeg #8365 [@​radarhere]
• Support writing LONG8 offsets in AppendingTiffWriter #8417 [@​radarhere]
• Use ImageFile.MAXBLOCK when saving TIFF images #8461 [@​radarhere]
• Always raise warnings for deprecated feature checks #8459 [@​radarhere]
• Do not close provided file handles with libtiff when saving #8458 [@​radarhere]
• Revert "Skip QEMU-emulated wheels on workflow dispatch event" #8455 [@​radarhere]
• Support ImageFilter.BuiltinFilter for I;16* images #8438 [@​radarhere]
• [pre-commit.ci] pre-commit autoupdate #8448 [@​pre-commit-ci]
• Use ImagingCore.ptr instead of ImagingCore.id #8341 [@​homm]
• Simplified code #8445 [@​radarhere]
• Removed unused code #8447 [@​radarhere]
• Updated EPS mode when opening images without transparency #8281 [@​Yay295]
• Use transparency when combining P frames from APNGs #8443 [@​radarhere]
• Generate and upload attestations to PyPI #8441 [@​hugovk]
• Do not convert images unnecessarily in ImageEnhance #8431 [@​radarhere]
• Raise an error if path is compacted during mapping #8416 [@​radarhere]
• Support all resampling filters when resizing I;16* images #8422 [@​radarhere]
• Free memory on early return #8413 [@​radarhere]
• Cast int before potentially exceeding INT_MAX #8402 [@​radarhere]
• Prevent division by zero #8408 [@​radarhere]
• Check image value before use #8400 [@​radarhere]
• Use ruff check #8423 [@​radarhere]
• Change harfbuzz versions in wheels #8421 [@​radarhere]
• Use Capsule for WebP saving #8386 [@​homm]
• Fixed writing multiple StripOffsets to TIFF #8317 [@​Yay295]
• Updated macOS deployment target for PyPy on Intel to 10.15 #8414 [@​radarhere]
• Fix dereference before checking for NULL in ImagingTransformAffine #8398 [@​PavlNekrasov]
• Use transposed size after opening for TIFF images #8390 [@​radarhere]
• Improve ImageFont error messages #8338 [@​yngvem]
• Mention MAX_TEXT_CHUNK limit in PNG error message #8391 [@​radarhere]
• Cast Dib handle to int #8385 [@​radarhere]
• Updated macOS deployment target for Python >= 3.12 on Intel to 10.13 #8379 [@​radarhere]
• Removed unused ImagePath variable #8377 [@​radarhere]
• Change macos-14 to macos-latest #8376 [@​radarhere]
• Accept float stroke widths #8369 [@​radarhere]
• Remove comments #8370 [@​radarhere]
• Removed libffi-dev #8368 [@​radarhere]
• Improved handling of RGBA palettes when saving GIF images #8366 [@​radarhere]
• Support converting more modes to LAB by converting to RGBA first #8358 [@​radarhere]
• Optimize getbbox() and getextrema() routines #8194 [@​homm]
• Removed unused TiffImagePlugin IFD_LEGACY_API #8355 [@​radarhere]
• Handle duplicate EXIF header #8350 [@​zakajd]
• Use (void) for empty function parameters #8002 [@​Yay295]
• Return early from BoxBlur if either width or height is zero #8347 [@​radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

11.0.0 (2024-10-15)

• Update licence to MIT-CMU #8460 [hugovk]

• Conditionally define ImageCms type hint to avoid requiring core #8197 [radarhere]

• Support writing LONG8 offsets in AppendingTiffWriter #8417 [radarhere]

• Use ImageFile.MAXBLOCK when saving TIFF images #8461 [radarhere]

• Do not close provided file handles with libtiff when saving #8458 [radarhere]

• Support ImageFilter.BuiltinFilter for I;16* images #8438 [radarhere]

• Use ImagingCore.ptr instead of ImagingCore.id #8341 [homm, radarhere, hugovk]

• Updated EPS mode when opening images without transparency #8281 [Yay295, radarhere]

• Use transparency when combining P frames from APNGs #8443 [radarhere]

• Support all resampling filters when resizing I;16* images #8422 [radarhere]

• Free memory on early return #8413 [radarhere]

• Cast int before potentially exceeding INT_MAX #8402 [radarhere]

• Check image value before use #8400 [radarhere]

• Improved copying imagequant libraries #8420 [radarhere]

• Use Capsule for WebP saving #8386 [homm, radarhere]

• Fixed writing multiple StripOffsets to TIFF #8317 [Yay295, radarhere]

... (truncated)

Commits

• 204aae6 11.0.0 version bump
• f2cc87b Update CHANGES.rst [ci skip]
• c855e8e Merge pull request #8464 from radarhere/imagemath_type_hint
• dc37515 Merge pull request #8463 from hugovk/update-3.13-date
• c3d81d6 Update Python 3.13 release date
• a60610c Added type hints
• a5c58f2 Merge pull request #8460 from hugovk/mit-cmu
• e74994e Update licence to MIT-CMU
• b5e1115 Update CHANGES.rst [ci skip]
• 686b5e2 Merge pull request #8392 from radarhere/tiff_seek
• Additional commits viewable in compare view

Updates werkzeug from 3.0.4 to 3.1.0

Release notes

Sourced from werkzeug's releases.

3.1.0

This is the Werkzeug 3.1.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI: https://pypi.org/project/Werkzeug/3.1.0/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-1-0 Milestone: https://github.com/pallets/werkzeug/milestone/34?closed=1

• Drop support for Python 3.8. #2966
• Remove previously deprecated code. #2967
• Request.max_form_memory_size defaults to 500kB instead of unlimited. Non-file form fields over this size will cause a RequestEntityTooLarge error. #2964
• OrderedMultiDict and ImmutableOrderedMultiDict are deprecated. Use MultiDict and ImmutableMultiDict instead. #2968
• Behavior of properties on request.cache_control and response.cache_control has been significantly adjusted.
  • Dict values are always str | None. Setting properties will convert the value to a string. Setting a property to False is equivalent to setting it to None. Getting typed properties will return None if conversion raises ValueError, rather than the string. #2980
  • max_age is None if present without a value, rather than -1. #2980
  • no_cache is a boolean for requests, it is True instead of "*" when present. It remains a string for responses. #2980
  • max_stale is True if present without a value, rather than "*". #2980
  • no_transform is a boolean. Previously it was mistakenly always None. #2881
  • min_fresh is None if present without a value, rather than "*". #2881
  • private is True if present without a value, rather than "*". #2980
  • Added the must_understand property. #2881
  • Added the stale_while_revalidate, and stale_if_error properties. #2948
  • Type annotations more accurately reflect the values. #2881
• Support Cookie CHIPS (Partitioned Cookies). #2797
• Add 421 MisdirectedRequest HTTP exception. #2850
• Increase default work factor for PBKDF2 to 1,000,000 iterations. #2969
• Inline annotations for datastructures, removing stub files. #2970
• MultiDict.getlist catches TypeError in addition to ValueError when doing type conversion. #2976
• Implement | and |= operators for MultiDict, Headers, and CallbackDict, and disallow |= on immutable types. #2977

3.0.6

This is the Werkzeug 3.0.6 security fix release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.6/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-0-6

• Fix how max_form_memory_size is applied when parsing large non-file fields. GHSA-q34m-jh98-gwm2
• safe_join catches certain paths on Windows that were not caught by ntpath.isabs on Python < 3.11. GHSA-f9vj-2wh5-fj8j

3.0.5

This is the Werkzeug 3.0.5 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.5/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-0-5 Milestone: https://github.com/pallets/werkzeug/milestone/37?closed=1

• The Watchdog reloader ignores file closed no write events. #2945
• Logging works with client addresses containing an IPv6 scope. #2952
• Ignore invalid authorization parameters. #2955
• Improve type annotation fore SharedDataMiddleware. #2958
• Compatibility with Python 3.13 when generating debugger pin and the current UID does not have an associated name. #2957

Changelog

Sourced from werkzeug's changelog.

Version 3.1.0

Released 2024-10-31

• Drop support for Python 3.8. :pr:2966

• Remove previously deprecated code. :pr:2967

• Request.max_form_memory_size defaults to 500kB instead of unlimited. Non-file form fields over this size will cause a RequestEntityTooLarge error. :issue:2964

• OrderedMultiDict and ImmutableOrderedMultiDict are deprecated. Use MultiDict and ImmutableMultiDict instead. :issue:2968

• Behavior of properties on request.cache_control and response.cache_control has been significantly adjusted.

  • Dict values are always str | None. Setting properties will convert the value to a string. Setting a property to False is equivalent to setting it to None. Getting typed properties will return None if conversion raises ValueError, rather than the string. :issue:2980
  • max_age is None if present without a value, rather than -1. :issue:2980
  • no_cache is a boolean for requests, it is True instead of "*" when present. It remains a string for responses. :issue:2980
  • max_stale is True if present without a value, rather than "*". :issue:2980
  • no_transform is a boolean. Previously it was mistakenly always None. :issue:2881
  • min_fresh is None if present without a value, rather than "*". :issue:2881
  • private is True if present without a value, rather than "*". :issue:2980
  • Added the must_understand property. :issue:2881
  • Added the stale_while_revalidate, and stale_if_error properties. :issue:2948
  • Type annotations more accurately reflect the values. :issue:2881

• Support Cookie CHIPS (Partitioned Cookies). :issue:2797

• Add 421 MisdirectedRequest HTTP exception. :issue:2850

• Increase default work factor for PBKDF2 to 1,000,000 iterations. :issue:2969

• Inline annotations for datastructures, removing stub files. :issue:2970

• MultiDict.getlist catches TypeError in addition to ValueError when doing type conversion. :issue:2976

• Implement | and |= operators for MultiDict, Headers, and CallbackDict, and disallow |= on immutable types. :issue:2977

Version 3.0.6

... (truncated)

Commits

• df655e6 release version 3.1.0
• 564835a add docstring changelogs
• 1735b75 more cache-control cleanup (#2983)
• b0f361c more cache-control cleanup
• fa38728 more cache-control cleanup (#2981)
• e3a50c9 more cache-control cleanup
• 1eb7ada implement or and ior operators (#2979)
• b65b587 implement or and ior operators
• 862cb19 getlist catches TypeError (#2978)
• e550ef8 getlist catches TypeError
• Additional commits viewable in compare view

Updates torch from 2.4.0+cpu to 2.5.1

Release notes

Sourced from torch's releases.

PyTorch 2.5.1: bug fix release

This release is meant to fix the following regressions:

• Wheels from PyPI are unusable out of the box on PRM-based Linux distributions: pytorch/pytorch#138324
• PyPI arm64 distribution logs cpuinfo error on import: pytorch/pytorch#138333
• Crash When Using torch.compile with Math scaled_dot_product_attention in AMP Mode: pytorch/pytorch#133974
• [MPS] Internal crash due to the invalid buffer size computation if sliced API is used: pytorch/pytorch#137800
• Several issues related to CuDNN Attention: pytorch/pytorch#138522

Besides the regression fixes, the release includes several documentation updates.

See release tracker pytorch/pytorch#132400 for additional information.

PyTorch 2.5.0 Release, SDPA CuDNN backend, Flex Attention

PyTorch 2.5 Release Notes

• Highlights
• Backwards Incompatible Change
• Deprecations
• New Features
• Improvements
• Bug fixes
• Performance
• Documentation
• Developers
• Security

Highlights

We are excited to announce the release of PyTorch® 2.5! This release features a new CuDNN backend for SDPA, enabling speedups by default for users of SDPA on H100s or newer GPUs. As well, regional compilation of torch.compile offers a way to reduce the cold start up time for torch.compile by allowing users to compile a repeated nn.Module (e.g. a transformer layer in LLM) without recompilations. Finally, TorchInductor CPP backend offers solid performance speedup with numerous enhancements like FP16 support, CPP wrapper, AOT-Inductor mode, and max-autotune mode. This release is composed of 4095 commits from 504 contributors since PyTorch 2.4. We want to sincerely thank our dedicated community for your contributions. As always, we encourage you to try these out and report any issues as we improve 2.5. More information about how to get started with the PyTorch 2-series can be found at our Getting Started page. As well, please check out our new ecosystem projects releases with TorchRec and TorchFix.

Beta	Prototype
CuDNN backend for SDPA	FlexAttention
torch.compile regional compilation without recompilations	Compiled Autograd
TorchDynamo added support for exception handling & MutableMapping types	Flight Recorder
TorchInductor CPU backend optimization	Max-autotune Support on CPU with GEMM Template
	TorchInductor on Windows
	FP16 support on CPU path for both eager mode and TorchInductor CPP backend
	Autoload Device Extension
	Enhanced Intel GPU support

*To see a full list of public feature submissions click here.

BETA FEATURES

[Beta] CuDNN backend for SDPA

The cuDNN "Fused Flash Attention" backend was landed for torch.nn.functional.scaled_dot_product_attention. On NVIDIA H100 GPUs this can provide up to 75% speed-up over FlashAttentionV2. This speedup is enabled by default for all users of SDPA on H100 or newer GPUs.

[Beta] torch.compile regional compilation without recompilations

Regional compilation without recompilations, via torch._dynamo.config.inline_inbuilt_nn_modules which default to True in 2.5+. This option allows users to compile a repeated nn.Module (e.g. a transformer layer in LLM) without recompilations. Compared to compiling the full model, this option can result in smaller compilation latencies with 1%-5% performance degradation compared to full model compilation.

... (truncated)

Commits

• See full diff in compare view

Updates torchvision from 0.19.0+cpu to 0.20.1

Release notes

Sourced from torchvision's releases.

Torchvision 0.20 release

Highlights

Encoding / Decoding images

Torchvision is further extending its encoding/decoding capabilities. For this version, we added a WEBP decoder, and a batch JPEG decoder on CUDA GPUs, which can lead to 10X speed-ups over CPU decoding.

We have also improved the UX of our decoding APIs to be more user-friendly. The main entry point is now torchvision.io.decode_image(), and it can take as input either a path (as str or pathlib.Path), or a tensor containing the raw encoded data.

Read more on the docs!

We also added support for HEIC and AVIF decoding, but these are currently only available when building from source. We are working on making those available directly in the upcoming releases. Stay tuned!

Detailed changes

Bug Fixes

[datasets] Update URL of SBDataset train_noval (#8551) [datasets] EuroSAT: fix SSL certificate issues (#8563) [io] Check average_rate availability in video reader (#8548)

New Features

[io] Add batch JPEG GPU decoding (decode_jpeg()) (#8496) [io] Add WEBP image decoder: decode_image(), decode_webp() (#8527, #8612, #8610) [io] Add HEIC and AVIF decoders, only available when building from source (#8597, #8596, #8647, #8613, #8621)

Improvements

[io] Add support for decoding 16bits png (#8524) [io] Allow decoding functions to accept the mode parameter as a string (#8627) [io] Allow decode_image() to support paths (#8624) [io] Automatically send video to CPU in io.write_video (#8537) [datasets] Better progress bar for file downloading (#8556) [datasets] Add Path type annotation for ImageFolder (#8526) [ops] Register nms and roi_align Autocast policy for PyTorch Intel GPU backend (#8541) [transforms] Use Sequence for parameters type checking in transforms.RandomErase (#8615) [transforms] Support v2.functional.gaussian_blur backprop (#8486) [transforms] Expose transforms.v2 utils for writing custom transforms. (#8670) [utils] Fix f-string in color error message (#8639) [packaging] Revamped and improved debuggability of setup.py build (#8535, #8581, #8581, #8582, #8590, #8533, #8528, #8659) [Documentation] Various documentation improvements (#8605, #8611, #8506, #8507, #8539, #8512, #8513, #8583, #8633) [tests] Various tests improvements (#8580, #8553, #8523, #8617, #8518, #8579, #8558, #8617, #8641) [code quality] Various code quality improvements (#8552, #8555, #8516, #8526, #8602, #8615, #8639, #8532) [ci] #8562, #8644, #8592, #8542, #8594, #8530, #8656

... (truncated)

Commits

• See full diff in compare view

Updates pytest from 8.3.2 to 8.3.3

Release notes

Sourced from pytest's releases.

8.3.3

pytest 8.3.3 (2024-09-09)

Bug fixes

• #12446: Avoid calling @property (and other instance descriptors) during fixture discovery -- by asottile{.interpreted-text role="user"}

• #12659: Fixed the issue of not displaying assertion failure differences when using the parameter --import-mode=importlib in pytest>=8.1.

• #12667: Fixed a regression where type change in [ExceptionInfo.errisinstance]{.title-ref} caused [mypy]{.title-ref} to fail.

• #12744: Fixed typing compatibility with Python 3.9 or less -- replaced [typing.Self]{.title-ref} with [typing_extensions.Self]{.title-ref} -- by Avasam{.interpreted-text role="user"}

• #12745: Fixed an issue with backslashes being incorrectly converted in nodeid paths on Windows, ensuring consistent path handling across environments.

• #6682: Fixed bug where the verbosity levels where not being respected when printing the "msg" part of failed assertion (as in assert condition, msg).

• #9422: Fix bug where disabling the terminal plugin via -p no:terminal would cause crashes related to missing the verbose option.

  -- by GTowers1{.interpreted-text role="user"}

Improved documentation

• #12663: Clarify that the [pytest_deselected]{.title-ref} hook should be called from [pytest_collection_modifyitems]{.title-ref} hook implementations when items are deselected.
• #12678: Remove erroneous quotes from [tmp_path_retention_policy]{.title-ref} example in docs.

Miscellaneous internal changes

• #12769: Fix typos discovered by codespell and add codespell to pre-commit hooks.

Commits

• d0f136f build(deps): Bump pypa/gh-action-pypi-publish from 1.10.0 to 1.10.1 (#12790)
• 972f307 Prepare release version 8.3.3
• 0dabdcf Include co-authors in release announcement (#12795) (#12797)
• a9910a4 Do not discover properties when iterating fixtures (#12781) (#12788)
• 0f10b6b Fix issue with slashes being turned into backslashes on Windows (#12760) (#12...
• 300d13d Merge pull request #12785 from pytest-dev/patchback/backports/8.3.x/57cccf7f4...
• e5d32c7 Merge pull request #12784 from svenevs/fix/docs-example-parametrize-minor-typo
• bc913d1 Streamline checks for verbose option (#12706) (#12778)
• 01cfcc9 Fix typos and introduce codespell pre-commit hook (#12769) (#12774)
• 4873394 doc: Remove past training (#12772) (#12773)
• Additional commits viewable in compare view

Updates pytest-cov from 5.0.0 to 6.0.0

Changelog

Sourced from pytest-cov's changelog.

6.0.0 (2024-10-29)

• Updated various documentation inaccuracies, especially on subprocess handling.
• Changed fail under checks to use the precision set in the coverage configuration. Now it will perform the check just like coverage report would.
• Added a --cov-precision cli option that can override the value set in your coverage configuration.
• Dropped support for now EOL Python 3.8.

Commits

• 9540437 Bump version: 5.0.0 → 6.0.0
• 9f81754 Further trim down envs and drop Python 3.8.
• b12b5ec Update conf.
• 23f4b27 Update changelog.
• 291a04f Bump test deps and trim config.
• 08f1101 Add --cov-precision option. Close #655.
• 76fe2a7 Move the warnings/errors in a place that doesn't import anything.
• a9ea7b7 Implement error/warning for the bad dynamic_context being set in config.
• c299e01 Add explicit suffixing to make it easier to see the identify the sources/usag...
• c87e546 Add reproducer for weird xdist dynamic_context interaction. Ref #604.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[netlify]

✅ Deploy Preview for 3fa canceled.

Name	Link
🔨 Latest commit	d5d9c7e
🔍 Latest deploy log	https://app.netlify.com/sites/3fa/deploys/6724abc3e8a4b2000896684a

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.