build(deps): bump the production-dependencies group across 1 directory with 8 updates

[dependabot]

Bumps the production-dependencies group with 8 updates in the / directory:

Package	From	To
grpcio	1.78.1	1.80.0
grpcio-testing	1.78.1	1.80.0
grpcio-tools	1.78.1	1.80.0
gunicorn	25.1.0	25.3.0
peewee	4.0.0	4.0.3
phonenumbers	9.0.24	9.0.26
pyopenssl	25.3.0	26.0.0
requests	2.32.5	2.33.1

Updates grpcio from 1.78.1 to 1.80.0

Release notes

Sourced from grpcio's releases.

Release v1.80.0

This is release 1.80.0 (glimmering) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

• [ssl] Implement TLS private key signer in Python. (#41701)
• [TLS Credentials]: Private Key Offload Implementation. (#41606)
• Fix max sockaddr struct size on OpenBSD. (#40454)
• [core] Enable EventEngine for Python by default, and EventEngine fork support in Python and Ruby. (#41432)
• [TLS Credentials]: Create InMemoryCertificateProvider to update certificates independently. (#41484)
• [Ruby] Build/test ruby 4.0 and build native gems with Ruby 4.0 support. (#41324)
• [EventEngine] Remove an incorrect std::move in DNSServiceResolver constructor. (#41502)
• [RR and WRR] enable change to connect from a random index. (#41472)
• [xds] Implement gRFC A101. (#41051)

C++

• [C++] Add SNI override option to C++ channel credentials options API. (#41460)

C#

• [C# tools] Option to append Async to server side method names #39010. (#39797)
• [C# tools] Fix Grpc.Tools 2.69.0 stops working on ARM64 (#41543)

Objective-C

• [Fix][Compiler] Plugins fall back to the edition 2023 for older protobuf. (#41357)

PHP

• [PHP] Disable php infinite recursion check for callback from Core to PHP. (#41835)
• [PHP] Fix runtime error with PHp8.5 alpha because zend_exception_get_defaul…. (#40337)

Python

• [Python] Fix GRPC_TRACE not working when absl log initialized in cython. (#41814)
• Revert "[Python] Align GRPC_ENABLE_FORK_SUPPORT env defaults in core and python (#41455)". (#41769)
• [Python] Fix AsyncIO Server maximum_concurrent_rpcs enforcement preventing negative active_rpcs count. (#41532)
• [Python] Docs: correct grpc.Compression references. (#41705)

... (truncated)

Commits

• f5e2d6e [Release] Bump version to 1.80.0 (on v1.80.x branch) (#41857)
• 938cfec [subchannel connection scaling] fix when we reset backoff (#41935)
• 91778be [Backport][v1.80.x][Python] New _create method for aio.Metadata (#41888)
• f10b9f2 [bzlmod] upgrade rules_swift to avoid BCR CI breakage on Windows with bazel 7...
• be4c1c5 [subchannel] fix crash in connection scaling code (#41853)
• a71df73 [Release] Bump version to 1.80.0-pre1 (on v1.80.x branch) (#41844)
• 3ca09e4 [Python] Fix GRPC_TRACE and add test to check the GRPC_TRACE logs print (#41814)
• 260c6fd [PHP] Disable php infinite recursion check for callback from Core to PHP (#41...
• 50957c5 [Flakiness] Delete flaky iomgr fd_conservation_posix_test and create an Event...
• e1e1d0a [Bzlmod] Turn off bzlmod for PSM python tests. (#41810)
• Additional commits viewable in compare view

Updates grpcio-testing from 1.78.1 to 1.80.0

Updates grpcio-tools from 1.78.1 to 1.80.0

Release notes

Sourced from grpcio-tools's releases.

Release v1.80.0

This is release 1.80.0 (glimmering) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

• [ssl] Implement TLS private key signer in Python. (#41701)
• [TLS Credentials]: Private Key Offload Implementation. (#41606)
• Fix max sockaddr struct size on OpenBSD. (#40454)
• [core] Enable EventEngine for Python by default, and EventEngine fork support in Python and Ruby. (#41432)
• [TLS Credentials]: Create InMemoryCertificateProvider to update certificates independently. (#41484)
• [Ruby] Build/test ruby 4.0 and build native gems with Ruby 4.0 support. (#41324)
• [EventEngine] Remove an incorrect std::move in DNSServiceResolver constructor. (#41502)
• [RR and WRR] enable change to connect from a random index. (#41472)
• [xds] Implement gRFC A101. (#41051)

C++

• [C++] Add SNI override option to C++ channel credentials options API. (#41460)

C#

• [C# tools] Option to append Async to server side method names #39010. (#39797)
• [C# tools] Fix Grpc.Tools 2.69.0 stops working on ARM64 (#41543)

Objective-C

• [Fix][Compiler] Plugins fall back to the edition 2023 for older protobuf. (#41357)

PHP

• [PHP] Disable php infinite recursion check for callback from Core to PHP. (#41835)
• [PHP] Fix runtime error with PHp8.5 alpha because zend_exception_get_defaul…. (#40337)

Python

• [Python] Fix GRPC_TRACE not working when absl log initialized in cython. (#41814)
• Revert "[Python] Align GRPC_ENABLE_FORK_SUPPORT env defaults in core and python (#41455)". (#41769)
• [Python] Fix AsyncIO Server maximum_concurrent_rpcs enforcement preventing negative active_rpcs count. (#41532)
• [Python] Docs: correct grpc.Compression references. (#41705)

... (truncated)

Commits

• f5e2d6e [Release] Bump version to 1.80.0 (on v1.80.x branch) (#41857)
• a71df73 [Release] Bump version to 1.80.0-pre1 (on v1.80.x branch) (#41844)
• 1299baa [Python] Add language features to exported proto files (#41501)
• 522dbbb [Release] Bump version to 1.79.0-dev (on master branch) (#41291)
• See full diff in compare view

Updates gunicorn from 25.1.0 to 25.3.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 25.3.0

Bug Fixes

• HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2 ASGI requests, causing JSON parsing errors with "Extra data" messages (#3558)

• ASGI Chunked EOF Handling: Add finish() method to callback parser to handle chunked encoding edge case where connection closes before final CRLF after zero-chunk

• HTTP/2 Documentation: Fix http_protocols examples to use comma-separated string instead of list syntax (#3561)

• Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC 9112 (#3556)

• Request Line Limit: Fix --limit-request-line 0 to mean unlimited as documented, instead of using default maximum. Works with both Python and fast C parser. (#3563)

Security

• ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
  • Reject duplicate Content-Length headers
  • Reject requests with both Content-Length and Transfer-Encoding
  • Reject chunked transfer encoding in HTTP/1.0
  • Reject stacked chunked encoding
  • Validate Transfer-Encoding values
  • Strict chunk size validation

Changes

• Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property and InvalidChunkExtension validation for bare CR rejection

• ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser

• Docker Images: Update to Python 3.14

Gunicorn 25.2.0

New Features

• Fast HTTP Parser (gunicorn_h1c 0.4.1): Integrate new exception types and limit parameters from gunicorn_h1c 0.4.1 for both WSGI and ASGI workers
  • Requires gunicorn_h1c >= 0.4.1 for http_parser='fast'
  • Falls back to Python parser in auto mode if version not met
  • Proper HTTP status codes for limit errors (414, 431)

Bug Fixes

• uWSGI Async Workers: Fix InvalidUWSGIHeader: incomplete header error when using gevent or gthread workers with uwsgi protocol behind nginx. (#3552, [PR #3554](benoitc/gunicorn#3554))

... (truncated)

Commits

• 9bce72c Update changelog with missing 25.3.0 changes
• 2a15fdb Fix pylint isinstance-second-argument-not-valid-type warning
• 8d08aaa Fix --limit-request-line 0 to mean unlimited
• d40a374 Fix pytest-asyncio configuration and treq_asgi hex escapes
• da8bd48 Remove unused AsyncRequest class
• b00f125 Integrate gunicorn_h1c 0.6.3 with InvalidChunkExtension support
• bdb2ebd Reject chunk extensions with bare CR bytes (RFC 9112)
• 7057fc9 Fix http_protocols documentation to use string syntax
• d43acb8 Update to gunicorn_h1c >= 0.6.2 for asgi_headers support
• cbd27e8 Merge pull request #3559 from benleembruggen/fix/http2-asgi-body-duplication
• Additional commits viewable in compare view

Updates peewee from 4.0.0 to 4.0.3

Release notes

Sourced from peewee's releases.

4.0.3

• Refactor test suite - this was a mechanical refactor, just moving things around and trying to group things more clearly. Also added new tests covering some gaps.
• Expand multi-value types to include generator expressions, so you can write stuff like .in(a for a in iterable if cond).
• Ensure quotes embedded in entity names are escaped.
• Improved specification of FOR UPDATE clauses.
• Fix for negative values in paginate() method.
• Fix for newer MySQL server versions in feature detection code.
• More robust handling of unusual aliases / invalid attr names in cursor wrapper.
• Better handling of duplicated column names in cursor wrapper implementations.
• Improve performance of ModelCursorWrapper when reconstructing model instance graphs after multi-table selects.
• If only psycopg3 is installed, use it by default (#3036)

View commits

4.0.2

• Remove all Python 2.x compatibility code.
• Add streaming result cursors to pwasyncio module via db.iterate(query).
• Better serialization and deserialization of datetimes and binary data in the DataSet module. Previously binary data was encoded as base64, going forward hex is the new default. For base64 specify base64_bytes=True.
• Improvements to Postgres BinaryJSONField, support atomic removal of sub-elements, as well as alternate helper for extracting sub-elements and querying array length.
• Pydantic integration

View commits

4.0.1

• Ensure gr_context is set on greenlet in greenlet_spawn so that contextvars will be operable in sync handlers.
• Removed SqliteExtDatabase (it basically served no purpose in 4.0). Use SqliteDatabase instead.
• Moved driver and extension-specific pooled implementations into the corresponding extension module rather than putting all into playhouse.pool.
• Restore custom dumps option for postgres JSON fields.
• Major docs rewrite / reorganization.

View commits

Changelog

Sourced from peewee's changelog.

4.0.3

• Refactor test suite - this was a mechanical refactor, just moving things around and trying to group things more clearly. Also added new tests covering some gaps.
• Expand multi-value types to include generator expressions, so you can write stuff like .in(a for a in iterable if cond).
• Ensure quotes embedded in entity names are escaped.
• Improved specification of FOR UPDATE clauses.
• Fix for negative values in paginate() method.
• Fix for newer MySQL server versions in feature detection code.
• More robust handling of unusual aliases / invalid attr names in cursor wrapper.
• Better handling of duplicated column names in cursor wrapper implementations.
• Improve performance of ModelCursorWrapper when reconstructing model instance graphs after multi-table selects.
• If only psycopg3 is installed, use it by default (#3036)

View commits

4.0.2

• Remove all Python 2.x compatibility code.
• Add streaming result cursors to pwasyncio module via db.iterate(query).
• Better serialization and deserialization of datetimes and binary data in the DataSet module. Previously binary data was encoded as base64, going forward hex is the new default. For base64 specify base64_bytes=True.
• Improvements to Postgres BinaryJSONField, support atomic removal of sub-elements, as well as alternate helper for extracting sub-elements and querying array length.
• Pydantic integration

View commits

4.0.1

• Ensure gr_context is set on greenlet in greenlet_spawn so that contextvars will be operable in sync handlers.
• Removed SqliteExtDatabase (it basically served no purpose in 4.0). Use SqliteDatabase instead.
• Moved driver and extension-specific pooled implementations into the corresponding extension module rather than putting all into playhouse.pool.
• Restore custom dumps option for postgres JSON fields.
• Major docs rewrite / reorganization.

View commits

Commits

• bd0e434 4.0.3
• 89f3031 Use psycopg3 if psycopg2 is not installed.
• 007fd50 Just some housekeeping
• eda231b Update changelog, fix failing crdb sql test.
• 071d0a0 Cleanup cruft in sql and merge it into appropriate cases.
• ab9a943 Test cleanup in prefetch
• 2d20c8a Updates to tests, gone through model_sql and cleaned-up.
• c8c09ca First pass cleaning up models.py
• 5f222d6 Fixup some tests that were being flaky, reorg
• c604a45 Manual cleanup in manytomany tests.
• Additional commits viewable in compare view

Updates phonenumbers from 9.0.24 to 9.0.26

Commits

• 07e2c75 Prep for 9.0.26 release
• 55522da Generated files for metadata
• 8ca762b Merge metadata changes from upstream 9.0.26
• c4d8bac Prep for 9.0.25 release
• 17db646 Generated files for metadata
• d08f6b4 Merge metadata changes from upstream 9.0.25
• See full diff in compare view

Updates pyopenssl from 25.3.0 to 26.0.0

Changelog

Sourced from pyopenssl's changelog.

26.0.0 (2026-03-15)

Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Dropped support for Python 3.7.
• The minimum cryptography version is now 46.0.0.

Deprecations: ^^^^^^^^^^^^^

Changes: ^^^^^^^^

• Added support for using aws-lc instead of OpenSSL.
• Properly raise an error if a DTLS cookie callback returned a cookie longer than DTLS1_COOKIE_LENGTH bytes. Previously this would result in a buffer-overflow. Credit to dark_haxor for reporting the issue. CVE-2026-27459
• Added OpenSSL.SSL.Connection.get_group_name to determine which group name was negotiated.
• Context.set_tlsext_servername_callback now handles exceptions raised in the callback by calling sys.excepthook and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded. Credit to Leury Castillo for reporting this issue. CVE-2026-27448

Commits

• 358cbf2 Prepare for 26.0.0 release (#1487)
• a8d28e7 Bump actions/cache from 4 to 5 (#1486)
• 6fefff0 Add aws-lc compatibility to tests and CI (#1476)
• a739f96 Bump actions/download-artifact from 8.0.0 to 8.0.1 (#1485)
• 8b4c66b Bump actions/upload-artifact in /.github/actions/upload-coverage (#1484)
• 02a5c78 Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#1483)
• d973387 Bump actions/download-artifact from 7.0.0 to 8.0.0 (#1482)
• 57f09bb Fix buffer overflow in DTLS cookie generation callback (#1479)
• d41a814 Handle exceptions in set_tlsext_servername_callback callbacks (#1478)
• 7b29beb Fix not using a cryptography wheel on uv (#1475)
• Additional commits viewable in compare view

Updates requests from 2.32.5 to 2.33.1

Release notes

Sourced from requests's releases.

v2.33.1

2.33.1 (2026-03-30)

Bugfixes

• Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
• Fixed Content-Type header parsing for malformed values. (#7309)
• Improved error consistency for malformed header values. (#7308)

New Contributors

• @​ferdnyc made their first contribution in psf/requests#7277

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30

v2.33.0

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

New Contributors

• @​M0d3v1 made their first contribution in psf/requests#6865
• @​aminvakil made their first contribution in psf/requests#7220
• @​E8Price made their first contribution in psf/requests#6960
• @​mitre88 made their first contribution in psf/requests#7244
• @​magsen made their first contribution in psf/requests#6553
• @​Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

Changelog

Sourced from requests's changelog.

2.33.1 (2026-03-30)

Bugfixes

• Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
• Fixed Content-Type header parsing for malformed values. (#7309)
• Improved error consistency for malformed header values. (#7308)

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

Commits

• 111d2b7 v2.33.1
• f0198e6 Fix malformed value parsing for Content-Type (#7309)
• bc7dd0f Fix cosmetic header validity parsing regex (#7308)
• 4443b1a Fix unintended test extra (#7306)
• 389eea5 Cleanup extracted file after extract_zipped_path test (#7305)
• 7407309 Packaging: DRY out extras definition (#7277)
• bc04dfd v2.33.0
• 66d21cb Merge commit from fork
• 8b9bc8f Move badges to top of README (#7293)
• e331a28 Remove unused extraction call (#7292)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions