
chore(deps): bump dulwich from 1.2.1 to 1.2.3 #733

Merged: pedropaulofb merged 1 commit into main from dependabot/pip/dulwich-1.2.3 on May 21, 2026

@dependabot (bot, Contributor) commented on behalf of github on May 21, 2026

Bumps dulwich from 1.2.1 to 1.2.3.

Changelog

Sourced from dulwich's changelog.

1.2.3 2026-05-20

  • Raise GitProtocolError when a protocol v2 ref advertisement contains an ERR line, aligning v2 error handling with v1. (Antoine Lambert)

  • Return Self from __enter__ on context managers across the API, so subclasses get the correct type. (Stephen Finucane)

  • Match C git's xutftowcsn fallback when a tree path is not valid UTF-8 on Windows, and let UnicodeDecodeError propagate from _fs_to_tree_path rather than being swallowed. (Jelmer Vernooij)

  • Thread object_format through PackInflater / DeltaChainIterator and ShaFile.from_raw_chunks so trees in SHA-256 repositories are parsed with the correct OID length. (Jelmer Vernooij)

  • Extend the per-test OSError handlers in the three non-UTF8 filename tests (test_index.test_no_decode_encode, test_refs.test_cyrillic, test_repository.test_commit_no_encode_decode) to also skip on errno.EILSEQ, so they pass on Linux filesystems that reject non-UTF-8 names (e.g. OpenZFS with utf8only=on). (Matt Van Horn, #2174)

  • HARDEN: Reject ref names with empty path components (e.g. refs//a) or with .lock as a non-final component (e.g. refs/a.lock/a) in check_ref_format, matching git check-ref-format. (Jelmer Vernooij; reported by Christopher Toth)

  • HARDEN: Reject unsafe tree paths in dulwich.archive.tar_stream (e.g. ../evil, .git/..., embedded \ or :) instead of emitting them as tar member names. Reported by Christopher Toth. (Jelmer Vernooij)

  • Honour GIT_CONFIG_COUNT / GIT_CONFIG_KEY_<n> / GIT_CONFIG_VALUE_<n> in porcelain entry points, via the new opt-in config.env_config helper. (Jelmer Vernooij, #2168)

  • Reject delta-resolved commit/tree/tag objects with a zero-byte payload in DeltaChainIterator, and turn a delta truncated mid-size-header into a typed ApplyDeltaError. (Jelmer Vernooij; reported by Christopher Toth)

  • Verify the trailing pack checksum in MemoryObjectStore.add_pack so a non-thin fetch into a MemoryRepo no longer accepts a pack with a truncated trailer. (Jelmer Vernooij; reported by Christopher Toth)

  • Inflate every object in DiskObjectStore._complete_pack so malformed trees (and other payloads MemoryObjectStore and

... (truncated)

Commits
  • afa8e31 Release 1.2.3
  • 4e13f3c Return Self from enter (#2190)
  • f9d9ec8 Use build instead of calling setup.py
  • 09c2522 Return Self from enter
  • 6c8c9b9 client: Raise GitProtocolError when an error occurs with protocol v2 (#2189)
  • 0ee3371 client: Raise GitProtocolError when an error occurs with protocol v2
  • d414a5a tests: skip non-UTF8 filename tests on UTF-8-only filesystems (#2174) (#2181)
  • 284e88b Merge branch 'main' into fix/2174-skip-on-non-utf8-filesystem
  • 3b531b5 refs: reject names with empty or .lock components (#2186)
  • 7a2f4f7 config: Let internal helpers take an explicit Config (#2188)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [dulwich](https://github.com/dulwich/dulwich) from 1.2.1 to 1.2.3.
- [Release notes](https://github.com/dulwich/dulwich/releases)
- [Changelog](https://github.com/jelmer/dulwich/blob/main/NEWS)
- [Commits](jelmer/dulwich@dulwich-1.2.1...dulwich-1.2.3)

---
updated-dependencies:
- dependency-name: dulwich
  dependency-version: 1.2.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot added the dependencies and python labels May 21, 2026
@pedropaulofb merged commit faffff9 into main May 21, 2026
17 of 18 checks passed
@pedropaulofb deleted the dependabot/pip/dulwich-1.2.3 branch May 21, 2026 16:44
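
The two HARDEN entries in the changelog above describe input checks on ref names and on tree paths used as tar member names. The following is an added example, not part of this PR and not dulwich's code; it is a stand-alone sketch of those checks. The function names are hypothetical, and the case-insensitive `.git` match and the empty-component rule for tree paths are assumptions that go beyond the changelog wording.

```python
# Added example, not dulwich's code: stand-alone checks modelled on the two
# HARDEN changelog entries. All function names here are hypothetical.

def ref_name_problems(ref: bytes) -> list[str]:
    """Reasons a ref name fails the two rules named in the changelog."""
    problems = []
    for part in ref.split(b"/"):
        if part == b"":
            problems.append("empty path component")       # e.g. refs//a
        elif part.endswith(b".lock"):
            problems.append("component ends with .lock")  # e.g. refs/a.lock/a
    return problems


def tree_path_problems(path: bytes) -> list[str]:
    """Reasons a git tree path is unsafe to emit as a tar member name."""
    problems = []
    if b"\\" in path or b":" in path:
        problems.append("embedded backslash or colon")
    for part in path.split(b"/"):
        if part == b"":
            # Assumption beyond the changelog: this also catches absolute paths.
            problems.append("empty component")
        elif part == b"..":
            problems.append("'..' component")
        elif part.lower() == b".git":
            # Assumption: compare case-insensitively.
            problems.append("'.git' component")
    return problems


def partition_members(paths: list[bytes]) -> tuple[list[bytes], dict[bytes, list[str]]]:
    """Split candidate member names into safe ones and rejected ones."""
    safe, rejected = [], {}
    for p in paths:
        why = tree_path_problems(p)
        if why:
            rejected[p] = why
        else:
            safe.append(p)
    return safe, rejected


# Constructed sample input, covering the kinds of names the changelog lists.
SAMPLE_PATHS = [b"src/app.py", b"../evil", b".git/config", b"dir\\file", b"C:evil"]

if __name__ == "__main__":
    ok, bad = partition_members(SAMPLE_PATHS)
    print("safe:", ok)
    for name, why in bad.items():
        print("rejected:", name, why)
```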