
Bump mako from 1.2.2 to 1.3.12 in /requirements #1139

Merged
marcospri merged 1 commit into master from dependabot-pip-requirements-mako-1.3.12 on May 13, 2026

Conversation

@dependabot dependabot[bot] (Contributor) commented on behalf of github on May 12, 2026

Bumps mako from 1.2.2 to 1.3.12.

Release notes

Sourced from mako's releases.

1.3.12

Released: Tue Apr 28 2026

bug

  • [bug] [template] Fixed issue in TemplateLookup where a URI with backslash path separators (e.g. \..\secret.txt) could bypass the directory traversal check on Windows, allowing reads of arbitrary files outside of the template directory. Backslash characters in URIs are now normalized to forward slashes before path resolution.

    References: #435

1.3.11

Released: Tue Apr 14 2026

bug

  • [bug] [template] Fixed issue in TemplateLookup where a URI with a double-slash prefix (e.g. //../../) could bypass the directory traversal check in Template, allowing reads of arbitrary files outside of the template directory. The issue was caused by an inconsistency in how leading slashes were stripped between TemplateLookup.get_template() and Template initialization.

    References: #434

1.3.10

Released: Thu Apr 10 2025

bug

  • [bug] [lexer] Fix undefined variable errors with strict_undefined=True when using a nested list comprehension. Pull request courtesy Sébastien Granjoux.

    References: #418

1.3.9

Released: Tue Feb 4 2025

bug

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [mako](https://github.com/sqlalchemy/mako) from 1.2.2 to 1.3.12.
- [Release notes](https://github.com/sqlalchemy/mako/releases)
- [Changelog](https://github.com/sqlalchemy/mako/blob/main/CHANGES)
- [Commits](https://github.com/sqlalchemy/mako/commits)

---
updated-dependencies:
- dependency-name: mako
  dependency-version: 1.3.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot[bot] added the dependencies and python labels on May 12, 2026
@marcospri (Contributor) commented:

Full changelog:

https://github.com/sqlalchemy/mako/blob/main/doc/build/changelog.rst

.. changelog::
    :version: 1.3.12
    :released: Tue Apr 28 2026

    .. change::
        :tags: bug, template
        :tickets: 435

        Fixed issue in :class:`.TemplateLookup` where a URI with backslash path
        separators (e.g. ``\..\secret.txt``) could bypass the directory traversal
        check on Windows, allowing reads of arbitrary files outside of the template
        directory.  Backslash characters in URIs are now normalized to forward
        slashes before path resolution.

.. changelog::
    :version: 1.3.11
    :released: Tue Apr 14 2026

    .. change::
        :tags: bug, template
        :tickets: 434

        Fixed issue in :class:`.TemplateLookup` where a URI with a double-slash
        prefix (e.g. ``//../../``) could bypass the directory traversal check in
        :class:`.Template`, allowing reads of arbitrary files outside of the
        template directory. The issue was caused by an inconsistency in how leading
        slashes were stripped between :meth:`.TemplateLookup.get_template` and
        :class:`.Template` initialization.

.. changelog::
    :version: 1.3.10
    :released: Thu Apr 10 2025

    .. change::
        :tags: bug, lexer
        :tickets: 418

        Fix undefined variable errors with ``strict_undefined=True`` when using a
        nested list comprehension.  Pull request courtesy Sébastien Granjoux.


.. changelog::
    :version: 1.3.9
    :released: Tue Feb 4 2025

    .. change::
        :tags: bug, tests
        :tickets: 408

        Fixed test suite to not rely upon ancient "future division" statement to
        test the :paramref:`.Template.future_imports` feature.   The test is
        replaced with one that tests only the rendering, not the ultimate effect.

.. changelog::
    :version: 1.3.8
    :released: Sat Dec 7 2024

    .. change::
        :tags: bug, lexer
        :tickets: 415, 140

        Reverted the fix for :ticket:`140` released in Mako 1.3.7 as it produced
        regressions in existing user code.


.. changelog::
    :version: 1.3.7 (yanked)
    :released: Tue Dec 3 2024

    .. change::
        :tags: bug, lexer, codegen
        :tickets: 140

        During the lexical analysis phase, add an additional prefix for undeclared
        identifiers that have the same name as built-in flags, and determine the
        final filter to be used during the code generation phase based on the
        context provided by the user. Pull request by Hai Zhu.

    .. change::
        :tags: bug, lexer
        :tickets: 400, 401

        Support the direct passing of dictionary literals when calling functions
        and fix the errors caused by nested braces.   This revises the fix that was
        released in 1.3.4 and then reverted in 1.3.5. Pull request by Hai Zhu and
        Jose Galvez.

.. changelog::
    :version: 1.3.6
    :released: Mon Oct 21 2024

    .. change::
        :tags: bug, lexer
        :tickets: 412

        Fixed long standing bug where the sequence ``<&`` would be misinterpreted
        by the lexer.   It's not clear why the ampersand character was part of the
        characters being consumed here and it may have been an inadvertent bit of
        code from one of Mako's predecessor languages.

.. changelog::
    :version: 1.3.5
    :released: Tue May 14 2024

    .. change::
        :tags: bug, lexer, regression
        :tickets: 400, 401

        Reverted the fix for :ticket:`400` as it caused new issues when traversing
        some bracketed situations.


.. changelog::
    :version: 1.3.4 (yanked)
    :released: Mon May 13 2024

    .. change::
        :tags: bug, lexer
        :tickets: 398

        Fixed regression caused by the fix for :ticket:`320` where new logic added
        to interpret list and dictionary comprehensions would fail for expression
        oriented keys.  As the parsing in question was not necessary for these
        keys, it's been removed.  Pull request courtesy Sébastien Granjoux.

    .. change::
        :tags: bug, lexer
        :tickets: 400

        Fixed issue where a parsed expression which contained sub-brackets, such as
        dictionary literals, would fail to be interpreted correctly even though the
        initial parsing is correct. Pull request courtesy Jose Galvez.

        .. note:: this change was **reverted** and release 1.3.4 was yanked as
           this fix caused regressions.

.. changelog::
    :version: 1.3.3
    :released: Wed Apr 10 2024

    .. change::
        :tags: bug, codegen
        :tickets: 146

        Fixed unexpected error when using control lines where the first control
        block has no body other than comments; ``pass`` is now added to the
        first empty block.
        Pull request courtesy Hai Zhu.

    .. change::
        :tags: bug, parser
        :tickets: 320

        Fixed unexpected syntax error in strict_undefined mode that occurred
        when using comprehensions within a function in a Mako Python code block.
        Now, the local variable in comprehensions won't be added to the checklist
        when using strict_undefined mode.
        Pull request courtesy Hai Zhu.

.. changelog::
    :version: 1.3.2
    :released: Tue Jan 30 2024

    .. change::
        :tags: bug, lexer
        :tickets: 323

        Fixed parsing issue where attempting to render a single percent sign %
        using an escaped percent %% would not function correctly if the escaped
        percent were not the first character on a line.  Note that this is a revised
        version of a similar change made in Mako 1.3.1 which caused unexpected
        parsing regressions, resulting in the release being yanked.
        Pull request courtesy Hai Zhu.

.. changelog::
    :version: 1.3.1
    :released: Mon Jan 22 2024

    .. change::
        :tags: bug, lexer
        :tickets: 323

        Fixed parsing issue where attempting to render a single percent sign ``%``
        using an escaped percent ``%%`` would not function correctly if the escaped
        percent were not the first character on a line.  Pull request courtesy Hai
        Zhu.

        .. note::  Mako 1.3.1 was yanked from pypi and this change was reverted,
           replaced with a modified version for Mako 1.3.2.

.. changelog::
    :version: 1.3.0
    :released: Wed Nov 8 2023

    .. change::
        :tags: change, installation

        Mako 1.3.0 bumps the minimum Python version to 3.8, as 3.7 is EOL as of
        2023-06-27.   Python 3.12 is now supported explicitly.

1.2
===

.. changelog::
    :version: 1.2.4
    :released: Tue Nov 15 2022

    .. change::
        :tags: bug, codegen
        :tickets: 368

        Fixed issue where unpacking nested tuples in a for loop would raise a
        "couldn't apply loop context" error if the loop context was used. The regex
        used to match the for loop expression now allows the list of loop variables
        to contain parenthesized sub-tuples. Pull request courtesy Matt Trescott.


.. changelog::
    :version: 1.2.3
    :released: Thu Sep 22 2022

    .. change::
        :tags: bug, lexer
        :tickets: 367

        Fixed issue in lexer in the same category as that of :ticket:`366` where
        the regexp used to match an end tag didn't correctly organize for matching
        characters surrounded by whitespace, leading to high memory / interpreter
        hang if a closing tag incorrectly had a large amount of unterminated space
        in it. Credit to Sebastian Chnelik for locating the issue.

        As Mako templates inherently render and directly invoke arbitrary Python
        code from the template source, it is **never** appropriate to create
        templates that contain untrusted input.
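The 1.3.11 and 1.3.12 entries above describe the same failure mode twice: the traversal check and the path resolution normalized the URI differently (one leading slash stripped versus all, and backslashes not treated as separators). Below is an added example, not mako's own code, of a minimal lookup that normalizes once and decides containment on the resolved path; the function names and the sample template directory are constructed for the illustration.

```python
"""Minimal template-URI resolver with one normalization step and a
containment check on the resolved path (illustrative, not mako's code)."""
import posixpath


class TemplateURIError(ValueError):
    """Raised when a URI would resolve outside the template directory."""


def normalize_uri(uri: str) -> str:
    """Canonicalize a template URI before any path work is done.

    Backslashes become forward slashes so ``\\..\\x`` cannot hide a ``..``
    segment from a check that only splits on ``/``; every leading slash is
    stripped (not just one) so ``//../../x`` and ``../../x`` reduce alike.
    """
    return uri.replace("\\", "/").lstrip("/")


def resolve_template(directory: str, uri: str) -> str:
    """Return the normalized path of ``uri`` under ``directory``.

    Raises TemplateURIError if the result would escape ``directory``.
    """
    base = posixpath.normpath(directory.replace("\\", "/"))
    candidate = posixpath.normpath(posixpath.join(base, normalize_uri(uri)))
    # Containment is decided on the *resolved* path, after every ".." has been
    # applied. A prefix check on the raw URI is exactly what the double-slash
    # and backslash variants slipped past.
    if candidate != base and not candidate.startswith(base + "/"):
        raise TemplateURIError(f"{uri!r} escapes template directory {base!r}")
    return candidate


def is_safe_uri(directory: str, uri: str) -> bool:
    """True if ``uri`` stays inside ``directory`` after normalization."""
    try:
        resolve_template(directory, uri)
    except TemplateURIError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample directory and URIs; the last three are the shapes
    # named in the 1.3.11 / 1.3.12 changelog entries.
    TEMPLATE_DIR = "/srv/app/templates"
    for uri in ("index.html", "/index.html", "a\\b.html",
                "//../../etc/passwd", "\\..\\secret.txt", "../secret.txt"):
        print(f"{uri!r:24} -> {'ok' if is_safe_uri(TEMPLATE_DIR, uri) else 'REJECTED'}")
```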

@marcospri marcospri self-assigned this May 12, 2026
@marcospri (Contributor) commented:

While the changes are big here, this is a transitive dep via alembic; I think we should merge.

@marcospri marcospri requested review from a team and wojcikstefan May 12, 2026 11:57
@wojcikstefan (Member) commented:

> While the changes are big here, this is a transitive dep via alembic; I think we should merge.

Agreed.

@marcospri marcospri merged commit a18667a into master May 13, 2026
4 checks passed
@marcospri marcospri deleted the dependabot-pip-requirements-mako-1.3.12 branch May 13, 2026 09:04