
Update dependency quart to ^0.20.0 [SECURITY]#107

Open
renovate[bot] wants to merge 1 commit into main from renovate/pypi-quart-vulnerability

Conversation


@renovate renovate Bot commented Oct 25, 2024

This PR contains the following updates:

Package | Change
quart (changelog) | ^0.18.4 -> ^0.20.0

Werkzeug possible resource exhaustion when parsing file data in forms

CVE-2024-49767 / GHSA-q34m-jh98-gwm2


Details

Applications using Werkzeug to parse multipart/form-data requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the Request.max_form_memory_size setting.

The Request.max_content_length setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N


This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

pallets/quart (quart)

v0.20.0

Released 2024-12-23

  • Drop support for Python 3.8.
  • Fix deprecated asyncio.iscoroutinefunction for Python 3.14.
  • Allow AsyncIterable to be passed to Response.
  • Support max_form_parts and max_form_memory_size.

v0.19.9

Released 2024-11-14

  • Fix missing PROVIDE_AUTOMATIC_OPTIONS config for compatibility with
    Flask 3.1.

v0.19.8

Released 2024-10-25

  • Fix missing check that caused the previous fix to raise an error.

v0.19.7

Released 2024-10-25

  • Fix how max_form_memory_size is applied when parsing large non-file fields.
    GHSA-q34m-jh98-gwm2

v0.19.6

Released 2024-05-19

  • Use ContentRange in the right way.
  • Hold a strong reference to background tasks.
  • Avoid ResourceWarning in DataBody.__aiter__.

v0.19.5

Released 2024-04-01

  • Address DeprecationWarning from datetime.utcnow().
  • Ensure request files are closed.
  • Fix development server restarting when commands are passed.
  • Restore teardown_websocket methods.
  • Correct the config_class type.
  • Allow kwargs to be passed to the test client (matches Flask API).

v0.19.4

Released 2023-11-19

  • Fix program not closing on Ctrl+C in Windows.
  • Fix the typing for AfterWebsocket functions.
  • Improve the typing of the ensure_async method.
  • Add a shutdown event to the app.

v0.19.3

Released 2023-10-04

  • Update the default config to better match Flask.

v0.19.2

Released 2023-10-01

  • Restore the app after_/before_websocket methods.
  • Correctly set the cli group in Quart.

v0.19.1

Released 2023-09-30

  • Remove QUART_ENV and env usage.

v0.19.0

Released 2023-09-30

  • Remove Flask-Patch. It has been replaced with the Quart-Flask-Patch extension.
  • Remove references to first request, as per Flask.
  • Await the background tasks before calling the after serving functions.
  • Don't copy the app context into the background task.
  • Allow background tasks a grace period to complete during shutdown.
  • Base Quart on Flask, utilising Flask code where possible. This introduces a
    dependency on Flask.
  • Fix trailing slash issue in URL concatenation for empty path.
  • Use only CR in SSE documentation.
  • Fix typing for websocket to accept auth data.
  • Ensure subdomains apply to nested blueprints.
  • Ensure make_response errors if the value is incorrect.
  • Fix propagated exception handling.
  • Ensure exceptions propagate before logging.
  • Cope with scope extension value being None.
  • Ensure the conditional 304 response is empty.
  • Handle empty path in URL concatenation.
  • Corrected typing hint for abort method.
  • Fix root_path usage.
  • Fix Werkzeug deprecation warnings.
  • Add .svg to Jinja's autoescaping.
  • Improve the WebsocketResponse error, by including the response.
  • Add a file mode parameter to the config.from_file method.
  • Show the subdomain or host in the routes command output.
  • Upgrade to Blinker 1.6.
  • Require Werkzeug 3.0.0 and Flask 3.0.0.
  • Use tomllib rather than toml.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
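Added example, not code from this PR or from Quart/Werkzeug: a minimal multipart/form-data parser in Python (the language Quart is written in) that applies the three limits the advisory lists, max_content_length on the whole body, max_form_parts on the number of parts, and max_form_memory_size on the bytes of non-file fields retained in memory. The class, function and exception names are hypothetical stand-ins, the request bodies are constructed inline, and the limit values are arbitrary. What it shows is the accounting that Quart 0.19.7 corrected for large non-file fields: the memory counter is cumulative across fields and is checked before a value is kept, so neither one oversized text field nor many fields each under the limit gets through, while a file part of the same size is not counted against it because a server streams file parts to disk rather than holding them in memory.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

class FormLimitExceeded(Exception):
    """Raised when a body would exceed a configured limit (hypothetical name)."""

@dataclass(frozen=True)
class FormLimits:
    # Field names mirror the Werkzeug Request attributes named in the advisory.
    max_content_length: int     # whole request body, in bytes
    max_form_parts: int         # number of multipart parts accepted
    max_form_memory_size: int   # total bytes of NON-file fields held in memory

_PARAM = re.compile(rb';\s*(\w+)="([^"]*)"')

def _disposition(headers: bytes) -> tuple[str, str | None]:
    """Return (name, filename) from a part's Content-Disposition header."""
    for line in headers.split(b"\r\n"):
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"content-disposition":
            params = dict(_PARAM.findall(value))
            name = params.get(b"name", b"").decode("utf-8", "replace")
            filename = params.get(b"filename")
            return name, (None if filename is None else filename.decode("utf-8", "replace"))
    raise ValueError("multipart part without Content-Disposition")

def parse_multipart(body: bytes, boundary: bytes, limits: FormLimits) -> dict:
    """Parse a multipart/form-data body while enforcing all three limits.

    Only non-file fields count toward max_form_memory_size; the counter is
    cumulative and checked before the value is stored.
    """
    if len(body) > limits.max_content_length:
        raise FormLimitExceeded("max_content_length exceeded")
    delimiter = b"--" + boundary
    if not body.startswith(delimiter):
        raise ValueError("body does not start with the declared boundary")
    fields: dict = {}
    parts = in_memory = 0
    for chunk in body[len(delimiter):].split(b"\r\n" + delimiter):
        if chunk.startswith(b"--"):        # closing delimiter: --boundary--
            return fields
        if not chunk.startswith(b"\r\n"):
            raise ValueError("malformed part boundary")
        parts += 1
        if parts > limits.max_form_parts:
            raise FormLimitExceeded("max_form_parts exceeded")
        headers, sep, data = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without header/body separator")
        name, filename = _disposition(headers)
        if filename is None:
            in_memory += len(data)          # cumulative across all text fields
            if in_memory > limits.max_form_memory_size:
                raise FormLimitExceeded("max_form_memory_size exceeded")
            fields[name] = data.decode("utf-8", "replace")
        else:
            # A real server streams file parts to disk; only record metadata here.
            fields[name] = {"filename": filename, "size": len(data)}
    raise ValueError("missing closing delimiter")

def build_multipart(items: list[tuple[str, bytes, str | None]], boundary: bytes) -> bytes:
    """Build a constructed body from (name, data, filename-or-None) triples."""
    out = bytearray()
    for name, data, filename in items:
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + name.encode() + b'"'
        if filename is not None:
            out += b'; filename="' + filename.encode() + b'"'
        out += b"\r\n\r\n" + data + b"\r\n"
    out += b"--" + boundary + b"--\r\n"
    return bytes(out)

def outcome(body: bytes, boundary: bytes, limits: FormLimits) -> str:
    """'accepted', or the name of the limit that rejected the body."""
    try:
        parse_multipart(body, boundary, limits)
        return "accepted"
    except FormLimitExceeded as exc:
        return str(exc)

def demo() -> dict[str, str]:
    """Constructed requests against one set of limits; returns each outcome."""
    limits = FormLimits(max_content_length=64 * 1024, max_form_parts=100,
                        max_form_memory_size=8 * 1024)
    boundary = b"demo-boundary"
    cases = {
        # small text field plus a 20 KB upload: file bytes are not held in memory
        "ordinary": [("user", b"alice", None), ("avatar", b"\x89PNG" + b"\0" * 20000, "a.png")],
        # one 20 KB text field: under max_content_length, over max_form_memory_size
        "large_text_field": [("comment", b"A" * 20000, None)],
        # ten 1 KB text fields: each is small, the cumulative total is not
        "many_small_fields": [(f"f{i}", b"B" * 1000, None) for i in range(10)],
        "too_many_parts": [(f"p{i}", b"x", None) for i in range(150)],
        "oversized_body": [("blob", b"\0" * (100 * 1024), "blob.bin")],
    }
    return {label: outcome(build_multipart(items, boundary), boundary, limits)
            for label, items in cases.items()}

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:18} {result}")
```

Run it directly to print the five outcomes. In a deployment the same limits are set on the framework (the v0.20.0 release notes above list support for max_form_parts and max_form_memory_size; the exact config key names are not stated on this page, so check the release's documentation) and backed by a request-size limit in the reverse proxy or platform, which is the layered setup the advisory's last paragraph asks for.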

renovate[bot] force-pushed the renovate/pypi-quart-vulnerability branch from 4fcec59 to 67fbcb5 on December 27, 2024 21:45
renovate[bot] changed the title from "Update dependency quart to ^0.19.0 [SECURITY]" to "Update dependency quart to ^0.20.0 [SECURITY]" on Dec 27, 2024
renovate[bot] force-pushed the renovate/pypi-quart-vulnerability branch from 67fbcb5 to 616e500 on February 3, 2026 07:56
renovate[bot] force-pushed the renovate/pypi-quart-vulnerability branch from 616e500 to a468fed on February 22, 2026 12:28
renovate[bot] force-pushed the renovate/pypi-quart-vulnerability branch from a468fed to b6486d0 on March 26, 2026 18:50
renovate[bot] changed the title from "Update dependency quart to ^0.20.0 [SECURITY]" to "Update dependency quart to ^0.20.0 [SECURITY] - autoclosed" on Mar 27, 2026
renovate[bot] closed this on Mar 27, 2026
renovate[bot] deleted the renovate/pypi-quart-vulnerability branch on March 27, 2026 01:12
renovate[bot] changed the title from "Update dependency quart to ^0.20.0 [SECURITY] - autoclosed" to "Update dependency quart to ^0.20.0 [SECURITY]" on Mar 30, 2026
renovate[bot] reopened this on Mar 30, 2026
renovate[bot] force-pushed the renovate/pypi-quart-vulnerability branch 2 times, most recently from b6486d0 to 2b12e79 on March 30, 2026 17:59