chore(deps): update dependency bandit to v1.11.1

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
bandit (source)	prod	minor	1.10.1 → == 1.11.1

---

Release Notes

mtrudel/bandit (bandit)

v1.11.1

Compare Source

Fixes

• Improve handling of large chunked request bodies (CVE-2026-39803, #​585, thanks @​PJUllrich & @​maennchen!)
• Improve handling of request trailers (CVE-2026-39806, #​585, thanks @​PJUllrich & @​maennchen!)

Changes

• We no longer disallow . and .. path components in HTTP/2 absolute paths (#​581)

v1.11.0

Compare Source

Fixes

• Fix WebSocket inflate vulnerability (CVE-2026-39804, commit 8156921, thanks @​PJUllrich & @​maennchen!)
• Fix WebSocket continuation frame handling vulnerability (CVE-2026-42786, commit 21612c7, thanks @​PJUllrich & @​maennchen!)
• Fix HTTP/2 frame size parsing vulnerability (CVE-2026-42788, commit 1e8e559, thanks @​PJUllrich & @​maennchen!)
• Improve handling of zero/negative length & offset parameters to send_file (#​580, thanks @​PJUllrich & @​maennchen!)

Enhancements

• Define a new max_inflate_ratio WebSocket configuration option that defines a
  maximum allowable decompression ratio to help mitigate inflate bombing. Defaults to 25:1
• Define a new max_fragmented_message_size WebSocket configuration option
  which defines the maximum allowed WebSocket frame size (inclusive of
  continuation frames). Defaults to 8MB

v1.10.4

Compare Source

Enhancements

• Support {:shutdown, :disconnected} as a normal WebSocket result code (#​576, thanks @​wwitek-whatnot!)

v1.10.3

Compare Source

Enhancements

• Support authority form requests for CONNECT requests (#​571)
• Narrow acceptance of asterisk form requests to OPTIONS requests (#​571)
• Detect client disconnect on timeout in ensure_completed (#​566, thanks @​pepicrft!)
• Improve http2 sendfile streaming (#​565, thanks @​elibosley!)

v1.10.2

Compare Source

Enhancements

• Distinguish client disconnects from genuine body read timeouts (#​564, thanks @​pepicrft!)

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.