Update marshmallow requirement from <4 to <5 in /server

[dependabot]

Updates the requirements on marshmallow to permit the latest version.

Changelog

Sourced from marshmallow's changelog.

4.0.0 (2025-04-16)

---

See :ref:upgrading_4_0 for a guide on updating your code.

Features:

• Typing: Add types to all Field <marshmallow.fields.Field> constructor kwargs (:issue:2285). Thanks :user:navignaw for the suggestion.
• DateTime <marshmallow.fields.DateTime>, Date <marshmallow.fields.Date>, Time <marshmallow.fields.Time>, TimeDelta <marshmallow.fields.TimeDelta>, and Enum <marshmallow.fields.Enum> accept their internal value types as valid input (:issue:1415). Thanks :user:bitdancer for the suggestion.
• @validates <marshmallow.validates> accepts multiple field names (:issue:1960). Backwards-incompatible: Decorated methods now receive data_key as a keyword argument. Thanks :user:dpriskorn for the suggestion and :user:dharani7998 for the PR.

Other changes:

• Typing: Field <marshmallow.fields.Field> is now a generic type with a type argument for the internal value type.

• marshmallow.fields.UUID no longer subclasses marshmallow.fields.String.

• marshmallow.Schema.load no longer silently fails to call schema validators when a generator is passed (:issue:1898). The typing of data is also updated to be more accurate. Thanks :user:ziplokk1 for reporting.

• Backwards-incompatible: Use datetime.date.fromisoformat, datetime.time.fromisoformat, and datetime.datetime.fromisoformat from the standard library to deserialize dates, times and datetimes (:pr:2078). As a consequence of this change:

  • Time with time offsets are now supported.
  • YYYY-MM-DD is now accepted as a datetime and deserialized as naive 00:00 AM.
  • from_iso_date, from_iso_time and from_iso_datetime are removed from marshmallow.utils.

• Remove isoformat, to_iso_time and to_iso_datetime from marshmallow.utils (:pr:2766).

• Remove from_rfc, and rfcformat from marshmallow.utils (:pr:2767).

• Remove is_keyed_tuple from marshmallow.utils (:pr:2768).

• Remove get_fixed_timezone from marshmallow.utils (:pr:2773).

• Backwards-incompatible: marshmallow.fields.Boolean no longer serializes non-boolean values (:pr:2725).

• Backwards-incompatible: Rename schema parameter to parent in marshmallow.fields.Field._bind_to_schema (:issue:1360).

• Backwards-incompatible: Rename pass_many parameter to pass_collection in pre/post processing methods (:issue:1369).

• Backwards-incompatible: marshmallow.fields.TimeDelta no longer truncates float values when deserializing (:pr:2654). This allows microseconds to be preserved, e.g.

.. code-block:: python

from marshmallow import fields
field = fields.TimeDelta()
Before
field.deserialize(12.9)
datetime.timedelta(seconds=12)
datetime.timedelta(seconds=12)

... (truncated)

Commits

• 84b1596 Bump version and update changelog
• a715b9e Bump sphinx-issues from 5.0.0 to 5.0.1 (#2819)
• 5c136b1 [pre-commit.ci] pre-commit autoupdate (#2817)
• df1daf0 Bump sphinxext-opengraph from 0.9.1 to 0.10.0 (#2818)
• 2fc8207 @​validates accepts multiple field names (#1965)
• b7026f3 Bump sphinx from 8.1.3 to 8.2.3
• c495e52 [pre-commit.ci] pre-commit autoupdate
• f0c6afb Add missing fields to all (#2809)
• ef06fbe [pre-commit.ci] pre-commit autoupdate (#2808)
• ffedbfe Merge branch '3.x-line' into dev
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Test Results

4 tests   - 14   0 ✅  - 18   1s ⏱️ -1s
1 suites ± 0   0 💤 ± 0 
1 files   ± 0   0 ❌ ± 0   4 🔥 +4 

For more details on these errors, see this check.

Results for commit 2668015. ± Comparison against base commit 57215f1.

[github-actions]

Test Results

4 tests   - 14   0 ✅  - 18   1s ⏱️ -1s
1 suites ± 0   0 💤 ± 0 
1 files   ± 0   0 ❌ ± 0   4 🔥 +4 

For more details on these errors, see this check.

Results for commit 2668015. ± Comparison against base commit 57215f1.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.