Merge branch 'stable'

Author: davidism

.github/workflows/pre-commit.yaml

@@ -20,6 +20,6 @@ jobs:
         with:
           path: ~/.cache/pre-commit
           key: pre-commit|${{ hashFiles('pyproject.toml', '.pre-commit-config.yaml') }}
-      - run: uv run --locked --group pre-commit pre-commit run --show-diff-on-failure --color=always --all-files
+      - run: uv run --locked --no-default-groups --group pre-commit pre-commit run --show-diff-on-failure --color=always --all-files
       - uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43 # v1.1.0
         if: ${{ !cancelled() }}

.github/workflows/publish.yaml

@@ -5,8 +5,12 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    outputs:
+      artifact-id: ${{ steps.upload-artifact.outputs.artifact-id }}
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          persist-credentials: false
       - uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
         with:
           enable-cache: true
@@ -17,17 +21,23 @@ jobs:
       - run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
       - run: uv build
       - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        id: upload-artifact
         with:
-          path: ./dist
+          name: dist
+          path: dist/
+          if-no-files-found: error
   create-release:
     needs: [build]
     runs-on: ubuntu-latest
     permissions:
       contents: write
     steps:
       - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          artifact-ids: ${{ needs.build.outputs.artifact-id }}
+          path: dist/
       - name: create release
-        run: gh release create --draft --repo ${{ github.repository }} ${{ github.ref_name }} artifact/*
+        run: gh release create --draft --repo ${{ github.repository }} ${{ github.ref_name }} dist/*
         env:
           GH_TOKEN: ${{ github.token }}
   publish-pypi:
@@ -40,6 +50,9 @@ jobs:
       id-token: write
     steps:
       - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          artifact-ids: ${{ needs.build.outputs.artifact-id }}
+          path: dist/
       - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
-          packages-dir: artifact/
+          packages-dir: "dist/"

.github/workflows/tests.yaml

@@ -13,9 +13,12 @@ jobs:
       fail-fast: false
       matrix:
         include:
+          - {python: '3.14'}
+          - {python: '3.14t'}
+          - {name: Windows, python: '3.14', os: windows-latest}
+          # server tests are very slow on macos-latest/-15/-26
+          - {name: Mac, python: '3.14', os: macos-14}
           - {python: '3.13'}
-          - {name: Windows, python: '3.13', os: windows-latest}
-          - {name: Mac, python: '3.13', os: macos-latest}
           - {python: '3.12'}
           - {python: '3.11'}
           - {python: '3.10'}
@@ -30,7 +33,7 @@ jobs:
       - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: ${{ matrix.python }}
-      - run: uv run --locked tox run -e ${{ matrix.tox || format('py{0}', matrix.python) }}
+      - run: uv run --locked --no-default-groups --group dev tox run -e ${{ matrix.tox || format('py{0}', matrix.python) }}
   typing:
     runs-on: ubuntu-latest
     steps:
@@ -47,4 +50,4 @@ jobs:
         with:
           path: ./.mypy_cache
           key: mypy|${{ hashFiles('pyproject.toml') }}
-      - run: uv run --locked tox run -e typing
+      - run: uv run --locked --no-default-groups --group dev tox run -e typing

.pre-commit-config.yaml

@@ -1,11 +1,11 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: fa1ed65ba95bfa7771a71003a9d74402541f5a5c  # frozen: v0.14.6
+    rev: 36243b70e5ce219623c3503f5afba0f8c96fda55  # frozen: v0.14.7
     hooks:
       - id: ruff-check
       - id: ruff-format
   - repo: https://github.com/astral-sh/uv-pre-commit
-    rev: 016d6d8dbc18eb9cc42594297fa8af0c79f6df72  # frozen: 0.9.12
+    rev: ed07c6e8889cf83a7245866d1dd007d1f93bf55e  # frozen: 0.9.13
     hooks:
       - id: uv-lock
   - repo: https://github.com/pre-commit/pre-commit-hooks

CHANGES.rst

@@ -6,6 +6,25 @@ Version 3.2.0
 Unreleased
 
 
+Version 3.1.4
+-------------
+
+Released 2025-11-28
+
+-   ``safe_join`` on Windows does not allow special device names. This prevents
+    reading from these when using `send_from_directory`. ``secure_filename``
+    already prevented writing to these. :ghsa:`hgf8-39gv-g3f2`
+-   The debugger pin fails after 10 attempts instead of 11. :pr:`3020`
+-   The multipart form parser handles a ``\r\n`` sequence at a chunk boundary.
+    :issue:`3065`
+-   Improve CPU usage during Watchdog reloader. :issue:`3054`
+-   `Request.json` annotation is more accurate. :issue:`3067`
+-   Traceback rendering handles when the line number is beyond the available
+    source lines. :issue:`3044`
+-   `HTTPException.get_response` annotation and doc better conveys the
+    distinction between WSGI and sans-IO responses. :issue:`3056`
+
+
 Version 3.1.3
 -------------
 

docs/tutorial.rst

@@ -265,7 +265,7 @@ The way we will do it in this tutorial is by calling the method ``on_``
             return e
 
 We bind the URL map to the current environment and get back a
-:class:`~werkzeug.routing.URLAdapter`.  The adapter can be used to match
+:class:`~werkzeug.routing.MapAdapter`.  The adapter can be used to match
 the request but also to reverse URLs.  The match method will return the
 endpoint and a dictionary of values in the URL.  For instance the rule for
 ``follow_short_link`` has a variable part called ``short_id``.  When we go

pyproject.toml

@@ -158,7 +158,9 @@ order-by-type = false
 
 [tool.tox]
 env_list = [
-    "py3.13", "py3.12", "py3.11", "py3.10", "py3.9",
+    "py3.14", "py3.14t",
+    "py3.13",
+    "py3.12", "py3.11", "py3.10", "py3.9",
     "pypy3.11",
     "style",
     "typing",
@@ -179,6 +181,13 @@ commands = [[
     {replace = "posargs", default = [], extend = true},
 ]]
 
+[tool.tox.env.py3.14t]
+commands_pre = [
+    # watchdog doesn't support free threading yet, no marker to exclude it yet
+    # watchdog_fsevents.c extension on macOS, and stability on Windows.
+    ["uv", "pip", "uninstall", "watchdog"],
+]
+
 [tool.tox.env.style]
 description = "run all pre-commit hooks on all files"
 dependency_groups = ["pre-commit"]

src/werkzeug/_reloader.py

@@ -26,6 +26,9 @@
 
 _stat_ignore_scan = tuple(prefix)
 del prefix
+# Ignore __pycache__ since a change there will always have a change to
+# the source file (or initial pyc file) as well. Ignore common version control
+# internals. Ignore common tool caches.
 _ignore_common_dirs = {
     "__pycache__",
     ".git",
@@ -86,9 +89,6 @@ def _find_stat_paths(
         parent_has_py = {os.path.dirname(path): True}
 
         for root, dirs, files in os.walk(path):
-            # Optimizations: ignore system prefixes, __pycache__ will
-            # have a py or pyc module at the import path, ignore some
-            # common known dirs such as version control and tool caches.
             if (
                 root.startswith(_stat_ignore_scan)
                 or os.path.basename(root) in _ignore_common_dirs
@@ -325,7 +325,7 @@ def __init__(self, *args: t.Any, **kwargs: t.Any) -> None:
         trigger_reload = self.trigger_reload
 
         class EventHandler(PatternMatchingEventHandler):
-            def on_any_event(self, event: FileModifiedEvent):  # type: ignore
+            def on_any_event(self, event: FileModifiedEvent) -> None:  # type: ignore[override]
                 if event.event_type not in {
                     EVENT_TYPE_CLOSED,
                     EVENT_TYPE_CREATED,
@@ -345,26 +345,21 @@ def on_any_event(self, event: FileModifiedEvent):  # type: ignore
 
         self.name = f"watchdog ({reloader_name})"
         self.observer = Observer()
-        # Extra patterns can be non-Python files, match them in addition
-        # to all Python files in default and extra directories. Ignore
-        # __pycache__ since a change there will always have a change to
-        # the source file (or initial pyc file) as well. Ignore Git and
-        # Mercurial internal changes.
-        extra_patterns = [p for p in self.extra_files if not os.path.isdir(p)]
+        extra_patterns = (p for p in self.extra_files if not os.path.isdir(p))
         self.event_handler = EventHandler(
             patterns=["*.py", "*.pyc", "*.zip", *extra_patterns],
             ignore_patterns=[
                 *[f"*/{d}/*" for d in _ignore_common_dirs],
                 *self.exclude_patterns,
             ],
         )
-        self.should_reload = False
+        self.should_reload = threading.Event()
 
     def trigger_reload(self, filename: str | bytes) -> None:
         # This is called inside an event handler, which means throwing
         # SystemExit has no effect.
         # https://github.com/gorakhargosh/watchdog/issues/294
-        self.should_reload = True
+        self.should_reload.set()
         self.log_reload(filename)
 
     def __enter__(self) -> ReloaderLoop:
@@ -377,9 +372,8 @@ def __exit__(self, exc_type, exc_val, exc_tb):  # type: ignore
         self.observer.join()
 
     def run(self) -> None:
-        while not self.should_reload:
+        while not self.should_reload.wait(timeout=self.interval):
             self.run_step()
-            time.sleep(self.interval)
 
         sys.exit(3)
 
@@ -393,7 +387,7 @@ def run_step(self) -> None:
                         self.event_handler, path, recursive=True
                     )
                 except OSError:
-                    # Clear this path from list of watches We don't want
+                    # Clear this path from list of watches. We don't want
                     # the same error message showing again in the next
                     # iteration.
                     self.watches[path] = None

src/werkzeug/debug/__init__.py

@@ -441,6 +441,11 @@ def check_pin_trust(self, environ: WSGIEnvironment) -> bool | None:
         """
         if self.pin is None:
             return True
+
+        # If we failed too many times, then we're locked out.
+        if self._failed_pin_auth.value >= 10:
+            return False
+
         val = parse_cookie(environ).get(self.pin_cookie_name)
         if not val or "|" not in val:
             return False
@@ -490,7 +495,7 @@ def pin_auth(self, request: Request) -> Response:
             auth = True
 
         # If we failed too many times, then we're locked out.
-        elif self._failed_pin_auth.value > 10:
+        elif self._failed_pin_auth.value >= 10:
             exhausted = True
 
         # Otherwise go through pin based authentication

src/werkzeug/debug/tbtools.py

@@ -420,7 +420,7 @@ def render_line(line: str, cls: str) -> None:
                 f"{arrow if arrow else ''}</pre>"
             )
 
-        if lines:
+        if line_idx < len(lines):
             for line in lines[start_idx:line_idx]:
                 render_line(line, "before")