
chore(deps): bump the python-app-and-dev group in /Meshflow with 3 updates#399

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/Meshflow/python-app-and-dev-ba552541cb

Conversation

dependabot[bot] commented on behalf of github on Jun 8, 2026

Updates the requirements on tqdm, daphne and uvicorn to permit the latest version.
Updates tqdm to 4.68.1

Release notes

Sourced from tqdm's releases.

tqdm v4.68.1 stable

Commits
  • 67cf355 Merge pull request #1751 from jaltmayerpizzorno/fix-atexit-monitor-deadlock
  • cfa4a85 minor docstring updates
  • f83290c Fix TMonitor deadlock at interpreter shutdown
  • 59029c3 Set name for tqdm monitor thread (#1752)
  • ef4a142 bump version, merge pull request #1760 from tqdm/devel
  • 17f246b lint warning suppression
  • c682c7b benchmarks: fix asv
  • fc69588 CI: migrate to pre-commit.ci
  • a31d97f more contrib.itertools
  • e4d9742 soft-deprecate tqdm.utils.envwrap -> envwrap
  • Additional commits viewable in compare view

Updates daphne to 4.2.2

Changelog

Sourced from daphne's changelog.

4.2.2 (2026-06-03)

  • Fixed a denial of service vulnerability via unbounded WebSocket message sizes. Daphne previously passed no message or frame size limits to autobahn, whose defaults are unbounded. This allowed an unauthenticated client to exhaust server memory by sending very large WebSocket messages or frames (CVE-2026-44545).

    Both limits now default to 1 MiB and can be configured via the new --websocket-max-message-size and --websocket-max-frame-size CLI flags (or the matching Server constructor arguments). Pass 0 to restore the previous unlimited behaviour.

    Thanks to ParkHyunWoo for the report.

  • Fixed a header injection vulnerability on the WebSocket upgrade path (CVE-2026-44546).

    Header values containing \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 were parsed as a single header by Twisted but split into multiple headers by autobahn during the WebSocket handshake. An attacker could exploit this parser differential to smuggle additional headers (e.g. authentication tokens, X-Forwarded-For, Origin, Daphne-Root-Path) into the ASGI scope passed to the application.

    Daphne now rejects requests carrying these bytes in any header value with a 400 Bad Request response, as required by RFC 9110 §5.5.

    Thanks to Rene Henningsen for the report.

4.2.1 (2025-07-02)

  • Fixed a packaging error in 4.2.0.

  • Removed --nostatic and --insecure args to runserver command when staticfiles app is not installed.

4.2.0 (2025-05-16)

Daphne 4.2 is a maintenance release in the 4.x series.

  • Added support for Python 3.13.

  • Dropped support for EOL Python 3.8.

  • Updated pyupgrade configuration to target Python 3.9.

... (truncated)

Commits

Updates uvicorn to 0.49.0

Release notes

Sourced from uvicorn's releases.

Version 0.49.0

What's Changed

Full Changelog: Kludex/uvicorn@0.48.0...0.49.0

Changelog

Sourced from uvicorn's changelog.

0.49.0 (June 3, 2026)

Changed

  • Bump httptools minimum version to 0.8.0 (#2962)
  • Consume duplicate forwarding headers in ProxyHeadersMiddleware (reverses the 0.48.0 behavior of ignoring them) (#2971)

0.48.0 (May 24, 2026)

Changed

  • Default ssl_ciphers to None and use OpenSSL defaults (#2940)

Fixed

  • Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)

0.47.0 (May 14, 2026)

Added

  • Add ssl_context_factory for custom SSLContext configuration (#2920)

Changed

  • Eagerly import the ASGI app in the parent process (#2919)

Fixed

  • Treat fd=0 as a valid file descriptor with reload/workers (#2927)

0.46.0 (April 23, 2026)

Added

  • Support ws_max_size in wsproto implementation (#2915)
  • Support ws_ping_interval and ws_ping_timeout in wsproto implementation (#2916)

Changed

  • Use bytearray for incoming WebSocket message buffer in websockets-sansio (#2917)

0.45.0 (April 21, 2026)

Added

  • Add --reset-contextvars flag to isolate ASGI request context (#2912)
  • Accept os.PathLike for log_config (#2905)
  • Accept log_level strings case-insensitively (#2907)

... (truncated)

Commits
  • 3ef2e3e Version 0.49.0 (#2973)
  • eeb64b1 Consume duplicate forwarding headers in ProxyHeadersMiddleware (#2971)
  • 630f4ac Make the watchfiles reload tests deterministic (#2972)
  • 9154922 chore(deps): bump the github-actions group across 1 directory with 6 updates ...
  • 739727a Migrate docs deploy from Cloudflare Pages to Workers (#2967)
  • be4a240 Gate docs preview deploy on Cloudflare token presence (#2966)
  • c489d7e Bump httptools minimum version to 0.8.0 (#2962)
  • 9f547bd Skip docs preview deploy for Dependabot PRs (#2961)
  • 44446b8 Migrate documentation from MkDocs Material to Zensical (#2959)
  • cfd659c Bump pymdown-extensions to 10.21.3 (#2958)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
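The daphne 4.2.2 entry above describes a parser differential: the same header bytes are one header to one parser and two headers to another. The example below is added here and is not daphne's or autobahn's own code; it reproduces the class of bug in plain Python, because str.splitlines() treats exactly the bytes the changelog lists (\x0b, \x0c, \x1c, \x1d, \x1e, \x85) as line boundaries while a parser that splits raw bytes on CRLF does not, and it shows the rejection check that has to run on the raw bytes before anything decodes and splits them. The two parsers, the FORBIDDEN byte set and the constructed request are the example's own.

```python
"""Parser differential on WebSocket upgrade headers (added illustration).

Not daphne's or autobahn's code. Python's str.splitlines() treats \\x0b, \\x0c,
\\x1c, \\x1d, \\x1e and \\x85 as line boundaries; a parser that splits the raw
bytes on CRLF does not. Feed both the same request and the header lists
disagree, which is what lets a client smuggle an extra header into the scope.
"""

# Bytes that never belong in a header value: every C0 control except HTAB, DEL,
# and 0x85 (NEL), which str.splitlines() also treats as a line break.
# Assumption: this set is the example's own choice, not daphne's exact list.
FORBIDDEN = (
    frozenset(range(0x00, 0x09))
    | frozenset(range(0x0A, 0x20))
    | frozenset({0x7F, 0x85})
)


def _split_header_line(line, sep):
    name, _, value = line.partition(sep)
    return name.strip(), value.strip()


def parse_crlf(raw: bytes) -> list[tuple[bytes, bytes]]:
    """Strict parser: only CRLF ends a header line (how the request was meant to be read)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]            # drop the request line
    return [_split_header_line(l, b":") for l in lines if b":" in l]


def parse_splitlines(raw: bytes) -> list[tuple[str, str]]:
    """Lenient parser: decode, then str.splitlines(), which honours the extra boundaries."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.splitlines()[1:]
    return [_split_header_line(l, ":") for l in lines if ":" in l]


def offending_headers(raw: bytes) -> list[bytes]:
    """Names of headers whose value carries a forbidden byte; answer 400 if this is non-empty."""
    return [name for name, value in parse_crlf(raw) if any(b in FORBIDDEN for b in value)]


def differential(sep: bytes) -> tuple[int, int]:
    """Header counts (strict, lenient) for a constructed two-header probe joined by sep."""
    probe = b"GET / HTTP/1.1\r\nX-A: 1" + sep + b"X-B: 2\r\n\r\n"
    return len(parse_crlf(probe)), len(parse_splitlines(probe))


# Constructed request: a single X-Forwarded-For header whose value hides an
# Origin line behind a form feed. The client never sent Origin as its own line.
SMUGGLED = (
    b"GET /ws HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"X-Forwarded-For: 203.0.113.9\x0cOrigin: https://trusted.example\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("strict  :", parse_crlf(SMUGGLED))
    print("lenient :", parse_splitlines(SMUGGLED))
    print("reject  :", offending_headers(SMUGGLED))
```

The strict parser sees four headers; the lenient one sees five, the fifth being an Origin the application would then trust. The check must run on the raw bytes, as offending_headers does, before any component decodes the block and calls str.splitlines(); validating the already-split result is too late. One caveat on the list: 0x85 is an obs-text byte that the RFC 9110 field-value grammar nominally permits, but once decoded as latin-1 it is still a str.splitlines() boundary, which is why it belongs in FORBIDDEN alongside the C0 controls.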

Updates the requirements on [tqdm](https://github.com/tqdm/tqdm), [daphne](https://github.com/django/daphne) and [uvicorn](https://github.com/Kludex/uvicorn) to permit the latest version.

Updates `tqdm` to 4.68.1
- [Release notes](https://github.com/tqdm/tqdm/releases)
- [Commits](tqdm/tqdm@v4.67.3...v4.68.1)

Updates `daphne` to 4.2.2
- [Changelog](https://github.com/django/daphne/blob/main/CHANGELOG.txt)
- [Commits](django/daphne@4.2.1...4.2.2)

Updates `uvicorn` to 0.49.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](Kludex/uvicorn@0.48.0...0.49.0)

---
updated-dependencies:
- dependency-name: tqdm
  dependency-version: 4.68.1
  dependency-type: direct:production
  dependency-group: python-app-and-dev
- dependency-name: daphne
  dependency-version: 4.2.2
  dependency-type: direct:production
  dependency-group: python-app-and-dev
- dependency-name: uvicorn
  dependency-version: 0.49.0
  dependency-type: direct:development
  dependency-group: python-app-and-dev
...

Signed-off-by: dependabot[bot] <support@github.com>
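The uvicorn 0.48.0 and 0.49.0 entries above flip the handling of duplicate forwarding headers, and that choice matters because X-Forwarded-For is the input to any IP-based rate limit, allow-list or audit log behind a proxy. The example below is added here and is not uvicorn's ProxyHeadersMiddleware; it shows the two policies side by side over a constructed ASGI scope (scope["client"] is the direct peer, scope["headers"] is a list of lower-cased (name, value) byte pairs), with trusted proxy ranges of the example's own choosing. The changelog's "ignore" and "consume" are approximated here as the example's own "distrust" and "combine" policies; uvicorn's exact semantics are not shown on this page.

```python
"""Resolving the real client address behind forwarding proxies (added illustration).

Not uvicorn's ProxyHeadersMiddleware. The scope layout is ASGI's; TRUSTED,
client_ip and the two duplicate-handling policies are this example's own names.
"""
import ipaddress

# Assumption: proxies we control live in these ranges. Everything else is untrusted.
TRUSTED = (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8"))


def is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:            # garbage in the chain is never trusted
        return False
    return any(ip in net for net in TRUSTED)


def client_ip(scope: dict, duplicates: str = "combine") -> str:
    """Return the client address a handler may rely on.

    duplicates="combine": repeated X-Forwarded-For headers are joined into one
    comma list, as RFC 9110 s5.3 allows for list-based fields.
    duplicates="distrust": a repeated header is treated as tampering and the
    direct peer address is used instead.
    """
    peer = scope["client"][0]
    if not is_trusted(peer):
        return peer               # a header set by an untrusted peer is attacker-controlled
    values = [v.decode("latin-1") for k, v in scope["headers"] if k == b"x-forwarded-for"]
    if not values:
        return peer
    if len(values) > 1 and duplicates == "distrust":
        return peer
    chain = [hop.strip() for hop in ",".join(values).split(",") if hop.strip()]
    # Walk from the right: each trusted proxy appended the address it saw, so the
    # rightmost untrusted hop is the client; anything left of it is unverified.
    for hop in reversed(chain):
        if not is_trusted(hop):
            return hop
    return chain[0] if chain else peer


def _scope(peer: str, *xff: bytes) -> dict:
    """Build a minimal ASGI scope for a constructed request."""
    return {
        "type": "http",
        "client": (peer, 40000),
        "headers": [(b"host", b"example.test")] + [(b"x-forwarded-for", v) for v in xff],
    }


# Constructed requests.
# Client sent a fake leftmost entry; the trusted proxy appended the real address.
SPOOF_ATTEMPT = _scope("10.0.0.5", b"1.2.3.4, 198.51.100.7")
# Two proxies in a row, each adding its own X-Forwarded-For line.
SPLIT_HEADERS = _scope("10.0.0.5", b"198.51.100.7", b"10.0.0.2")
# No trusted proxy in front: the header is whatever the peer chose to write.
DIRECT_CLIENT = _scope("203.0.113.1", b"1.2.3.4")

if __name__ == "__main__":
    print("spoof attempt     :", client_ip(SPOOF_ATTEMPT))
    print("split, combine    :", client_ip(SPLIT_HEADERS))
    print("split, distrust   :", client_ip(SPLIT_HEADERS, duplicates="distrust"))
    print("untrusted peer    :", client_ip(DIRECT_CLIENT))
```

Under "combine" a split chain resolves the same way as a single comma-separated one, so a second proxy that adds its own header line does not break attribution. Under "distrust" that same deployment silently falls back to the proxy's address, which is the failure mode that makes the two policies incompatible: whichever one the middleware implements, the proxy chain in front of it has to be configured to match.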

dependabot[bot] commented on behalf of github on Jun 15, 2026


Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot[bot] closed this on Jun 15, 2026
dependabot[bot] deleted the dependabot/pip/Meshflow/python-app-and-dev-ba552541cb branch on June 15, 2026 at 08:22