build: bump mako from 1.2.2 to 1.3.11 (#44286)

Bumps mako from 1.2.2 to 1.3.11.

Release notes

1.3.11

Released: Tue Apr 14 2026

bug

[bug] [template] Fixed issue in TemplateLookup where a URI with a double-slash prefix (e.g. //../../) could bypass the directory traversal check in Template, allowing reads of arbitrary files outside of the template directory. The issue was caused by an inconsistency in how leading slashes were stripped between TemplateLookup.get_template() and Template initialization.

References: #434

1.3.10

Released: Thu Apr 10 2025

bug

[bug] [lexer] Fix undefined variable errors when strict_undefined=True when using a nested list comprehension. Pull request courtesy Sébastien Granjoux.

References: #418

1.3.9

Released: Tue Feb 4 2025

bug

[bug] [tests] Fixed test suite to not rely upon ancient "future division" statement to test the Template.future_imports feature. The test is replaced with one that tests only the rendering, not the ultimate effect.

References: #408

1.3.8

Released: Sat Dec 7 2024

bug

[bug] [lexer] Reverted the fix for #140 released in Mako 1.3.7 as it produced regressions in existing user code.

... (truncated)

Commits

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don’t alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page.

Signed-off-by: dependabot[bot] support@github.com Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

The Servo Parallel Browser Engine Project

Servo is a prototype web browser engine written in the Rust language. It is currently developed on 64-bit macOS, 64-bit Linux, 64-bit Windows, 64-bit OpenHarmony, and Android.

Servo welcomes contribution from everyone. Check out:

The Servo Book for documentation
servo.org for news and guides

Coordination of Servo development happens:

Here in the Github Issues
On the Servo Zulip
In video calls advertised in the Servo Project repo.

Getting started

For more detailed build instructions, see the Servo Book under Getting the Code and Building Servo.

macOS

Download and install Xcode and brew.
Install uv: curl -LsSf https://astral.sh/uv/install.sh | sh
Install rustup: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
Restart your shell to make sure cargo is available
Install the other dependencies: ./mach bootstrap
Build servoshell: ./mach build

Linux

Install curl:
- Arch: sudo pacman -S --needed curl
- Debian, Ubuntu: sudo apt install curl
- Fedora: sudo dnf install curl
- Gentoo: sudo emerge net-misc/curl
Install uv: curl -LsSf https://astral.sh/uv/install.sh | sh
Install rustup: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
Restart your shell to make sure cargo is available
Install the other dependencies: ./mach bootstrap
Build servoshell: ./mach build

Windows

Download uv, choco, and rustup
- Be sure to select Quick install via the Visual Studio Community installer
In the Visual Studio Installer, ensure the following components are installed:
- Windows 10/11 SDK (anything >= 10.0.19041.0) (Microsoft.VisualStudio.Component.Windows{10, 11}SDK.{>=19041})
- MSVC v143 - VS 2022 C++ x64/x86 build tools (Latest) (Microsoft.VisualStudio.Component.VC.Tools.x86.x64)
- C++ ATL for latest v143 build tools (x86 & x64) (Microsoft.VisualStudio.Component.VC.ATL)
Restart your shell to make sure cargo is available
Install the other dependencies: .\mach bootstrap
Build servoshell: .\mach build

Android

Ensure that the following environment variables are set:
- ANDROID_SDK_ROOT
- ANDROID_NDK_ROOT: $ANDROID_SDK_ROOT/ndk/28.2.13676358/ ANDROID_SDK_ROOT can be any directory (such as ~/android-sdk). All of the Android build dependencies will be installed there.
Install the latest version of the Android command-line tools to $ANDROID_SDK_ROOT/cmdline-tools/latest.

Run the following command to install the necessary components:

sudo $ANDROID_SDK_ROOT/cmdline-tools/latest/bin/sdkmanager --install \
 "build-tools;34.0.0" \
 "emulator" \
 "ndk;28.2.13676358" \
 "platform-tools" \
 "platforms;android-33" \
 "system-images;android-33;google_apis;x86_64"

Follow the instructions above for the platform you are building on

OpenHarmony

Follow the instructions above for the platform you are building on to prepare the environment.
Depending on the target distribution (e.g. HarmonyOS NEXT vs pure OpenHarmony) the build configuration will differ slightly.
Ensure that the following environment variables are set
- DEVECO_SDK_HOME (Required when targeting HarmonyOS NEXT)
- OHOS_BASE_SDK_HOME (Required when targeting OpenHarmony)
- OHOS_SDK_NATIVE (e.g. ${DEVECO_SDK_HOME}/default/openharmony/native or ${OHOS_BASE_SDK_HOME}/${API_VERSION}/native)
- SERVO_OHOS_SIGNING_CONFIG: Path to json file containing a valid signing configuration for the demo app.
Review the detailed instructions at [Building for OpenHarmony].
The target distribution can be modified by passing --flavor=<default|harmonyos> to mach <build|package|install>.