Commit 2d38aed
authored
chore(deps): update dependency werkzeug to v3.1.5 [security] (#4579)
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [werkzeug](https://redirect.github.com/pallets/werkzeug) ([changelog](https://werkzeug.palletsprojects.com/page/changes/)) | `==3.1.4` → `==3.1.5` | | |
### GitHub Vulnerability Alerts
#### [CVE-2026-21860](https://redirect.github.com/pallets/werkzeug/security/advisories/GHSA-87hc-h4r5-73f7)
Werkzeug's `safe_join` function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as `CON`, `AUX`, etc. that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as `CON.txt`, or trailing spaces such as `CON ` (note the trailing space).

This was previously reported as GHSA-hgf8-39gv-g3f2, but the fix failed to account for compound extensions such as `CON.txt.html` or trailing spaces. It also missed some additional special names.

`send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.
---
### Release Notes
<details>
<summary>pallets/werkzeug (werkzeug)</summary>
### [`v3.1.5`](https://redirect.github.com/pallets/werkzeug/blob/HEAD/CHANGES.rst#Version-315)
[Compare Source](https://redirect.github.com/pallets/werkzeug/compare/3.1.4...3.1.5)
Released 2026-01-08
- `safe_join` on Windows does not allow more special device names, regardless of extension or surrounding spaces. :ghsa:`87hc-h4r5-73f7`
- The multipart form parser handles a `\r\n` sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. :issue:`3065` :issue:`3077`
- Fix `AttributeError` when initializing `DebuggedApplication` with `pin_security=False`. :issue:`3075`
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone Australia/Sydney,
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/google/osv.dev).
1 parent 8d362af commit 2d38aed
2 files changed: +5 −5 lines changed (some generated files are not rendered by default)
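As an added illustration of the advisory quoted in the PR body (this is not werkzeug's code and not the change in this commit), the Python below contrasts a check that strips a single extension, which misses the `CON.txt.html` and `CON ` shapes, with a stem-based check that catches them, and wraps the latter in a `safe_join` stand-in. The reserved-name set is the one Microsoft documents for Win32 and is an assumption here; the list werkzeug 3.1.5 actually checks may differ. `weak_is_device`, `is_windows_device` and this `safe_join` are hypothetical names, and the request paths are constructed for the demo.

```python
"""Added example, not werkzeug's code: checking untrusted path segments for
Windows reserved device names, including the compound-extension and
trailing-space forms the advisory describes."""
import os
import posixpath
from typing import Optional

# Reserved Win32 device names as documented by Microsoft (assumption: this is
# the documented set, not necessarily the list werkzeug 3.1.5 checks).
_DIGITS = "123456789\u00b9\u00b2\u00b3"  # 1-9 plus superscript 1, 2, 3
RESERVED_NAMES = (
    {"CON", "PRN", "AUX", "NUL", "CONIN$", "CONOUT$"}
    | {f"COM{d}" for d in _DIGITS}
    | {f"LPT{d}" for d in _DIGITS}
)


def weak_is_device(segment: str) -> bool:
    """Constructed illustration of an insufficient check (hypothetical, not
    the code werkzeug shipped): os.path.splitext strips only the last
    extension, so 'CON.txt.html' yields the stem 'CON.txt' and 'CON ' keeps
    its trailing space; neither matches the reserved set."""
    return os.path.splitext(segment)[0].upper() in RESERVED_NAMES


def is_windows_device(segment: str) -> bool:
    """Windows resolves a device name from the text before the first '.',
    ignoring case and trailing spaces or dots, so compare that stem."""
    stem = segment.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_NAMES


def safe_join(directory: str, *pathnames: str) -> Optional[str]:
    """Hypothetical stand-in with the shape of werkzeug.security.safe_join:
    join untrusted segments under directory, returning None when any
    segment escapes the directory or names a Windows device."""
    parts = [directory]
    for filename in pathnames:
        if filename:
            filename = posixpath.normpath(filename)
        if (
            filename.startswith(("/", "\\"))
            or "\\" in filename
            or filename == ".."
            or filename.startswith("../")
            or any(is_windows_device(seg) for seg in filename.split("/"))
        ):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


if __name__ == "__main__":
    # Constructed request segments: the first four are the advisory's bypass
    # shapes, the last two are benign names that merely start with CON.
    samples = ["CON.txt", "CON.txt.html", "CON ", "lpt1.tar.gz",
               "CONFIG.txt", "console.log"]
    for seg in samples:
        print(f"{seg!r:16} weak={weak_is_device(seg)!s:5} "
              f"fixed={is_windows_device(seg)}")
    print(safe_join("static", "css/app.css"))       # static/css/app.css
    print(safe_join("static", "css/CON.txt.html"))  # None
```

The stem rule is what makes the check robust: stripping trailing spaces and dots, cutting at the first period and comparing case-insensitively covers `CON.txt.html`, `CON `, `CON .txt` and `NUL.` alike, while `CONFIG.txt` and `console.log` stay allowed. For a real service the check belongs in the dependency you ship (here werkzeug 3.1.5), and the bypass shapes above are worth keeping as regression tests for whatever path-joining code sits in front of `send_from_directory`.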
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
5 | 5 | | |
6 | 6 | | |
7 | 7 | | |
8 | | - | |
| 8 | + | |
9 | 9 | | |
10 | 10 | | |
11 | 11 | | |
| |||
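Review bot: only one of the two changed files is rendered here, and its hunk shows a single replaced line (original line 8 removed, new line 8 added) whose content did not survive extraction, so the +5 −5 total means the other four changed lines live in the file hidden as generated. Before merging, open that hidden file and confirm its changes move in step with this pin, so that the rendered line reads `werkzeug==3.1.5` as the PR table states and no second copy of `3.1.4` remains in the unrendered file.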
0 commit comments