
Commit 307bcb7

fix(deps): update dependency werkzeug to v3.1.6 [security] (#4860)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [werkzeug](https://redirect.github.com/pallets/werkzeug) ([changelog](https://werkzeug.palletsprojects.com/page/changes/)) | `==3.1.5` → `==3.1.6` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/werkzeug/3.1.6?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/werkzeug/3.1.5/3.1.6?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2026-27199](https://redirect.github.com/pallets/werkzeug/security/advisories/GHSA-29vq-49wr-vm6x)

Werkzeug's `safe_join` function allows Windows device names as filenames when preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that `safe_join` accepts paths with multiple segments, such as `example/NUL`. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.

---

### Release Notes

<details>
<summary>pallets/werkzeug (werkzeug)</summary>

### [`v3.1.6`](https://redirect.github.com/pallets/werkzeug/releases/tag/3.1.6)

[Compare Source](https://redirect.github.com/pallets/werkzeug/compare/3.1.5...3.1.6)

This is the Werkzeug 3.1.6 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: <https://pypi.org/project/Werkzeug/3.1.6/>
Changes: <https://werkzeug.palletsprojects.com/page/changes/#version-3-1-6>

- `safe_join` on Windows does not allow special device names in multi-segment paths. [GHSA-29vq-49wr-vm6x](https://redirect.github.com/pallets/werkzeug/security/advisories/GHSA-29vq-49wr-vm6x)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/google/osv.dev).
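The advisory quoted in the commit message turns on one detail: a device-name filter has to be applied to every segment of the requested path, not to the untrusted string as a whole, because Windows resolves `example/NUL` to the NUL device just as it resolves `NUL`. The Python below is an added illustration written for this page; it is not werkzeug's `safe_join` implementation and not osv.dev code. The simplified traversal guard, the function names `safe_join_whole_name_check` and `safe_join_per_segment_check`, and the reserved-name list are this example's own assumptions, and the device check runs on every platform here so the contrast can be observed on Linux, whereas the advisory's fix is scoped to Windows.

```python
"""Added example: checking every path segment for a Windows device name.

Not werkzeug's code. The two safe_join-style functions below differ only in
where the device-name filter is applied, which is the point of the advisory.
"""
import posixpath

# Names Windows reserves as devices, case-insensitively and regardless of the
# directory they sit in or an extension after them ("NUL", "nul.txt" and
# "example/COM1.log" all resolve to a device). Assumed list for this example.
_WINDOWS_DEVICE_NAMES = frozenset(
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)


def is_windows_device_name(segment: str) -> bool:
    """True if a single path segment (no slashes) names a Windows device."""
    stem = segment.split(".", 1)[0].rstrip(" ")
    return stem.upper() in _WINDOWS_DEVICE_NAMES


def _join_without_traversal(directory: str, *pathnames: str):
    """Simplified traversal guard (this example's own, not werkzeug's):
    reject backslashes, absolute parts and any '..' that escapes upward,
    then join. Returns None when the path is unsafe."""
    parts = [directory]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        if (
            "\\" in filename
            or filename.startswith("/")
            or filename == ".."
            or filename.startswith("../")
        ):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


def safe_join_whole_name_check(directory: str, *pathnames: str):
    """Flawed shape: the device filter sees each argument as one name.
    'NUL' is rejected, but 'example/NUL' has stem 'example/NUL' and passes."""
    for filename in pathnames:
        if is_windows_device_name(filename):
            return None
    return _join_without_traversal(directory, *pathnames)


def safe_join_per_segment_check(directory: str, *pathnames: str):
    """Hardened shape: split each argument on '/' and test every segment,
    so a device name is caught wherever it appears in the path."""
    for filename in pathnames:
        if any(is_windows_device_name(seg) for seg in filename.split("/")):
            return None
    return _join_without_traversal(directory, *pathnames)


def compare(directory: str, *pathnames: str) -> dict:
    """Run both variants on one request path; used by the demo below."""
    return {
        "whole_name": safe_join_whole_name_check(directory, *pathnames),
        "per_segment": safe_join_per_segment_check(directory, *pathnames),
    }


if __name__ == "__main__":
    # Constructed request paths, as a send_from_directory handler might see.
    for request_path in (
        "css/site.css", "NUL", "example/NUL", "img/com1.png", "../etc/passwd"
    ):
        print(f"{request_path!r}: {compare('static', request_path)}")
```

The whole-name variant returns a joined path for `example/NUL`, which is exactly the case the advisory says slipped past the earlier filter; the per-segment variant rejects it, along with `nul.txt` and `img/com1.png`, while still passing ordinary paths and still rejecting traversal.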
1 parent bae0356 commit 307bcb7

2 files changed

Lines changed: 5 additions & 5 deletions

File tree

gcp/website/poetry.lock

Lines changed: 4 additions & 4 deletions

gcp/website/pyproject.toml

Lines changed: 1 addition & 1 deletion
@@ -5,7 +5,7 @@ dependencies = [
55
"Flask==3.1.2",
66
"Flask-Caching==2.3.1",
77
"Flask-Compress==1.23",
8-
"werkzeug==3.1.5",
8+
"werkzeug==3.1.6",
99
"google-auth==2.48.0",
1010
"google-cloud-ndb==2.4.0",
1111
"google-cloud-logging==3.13.0",
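Review bot: the only change in this hunk is the `"werkzeug==3.1.5"` to `"werkzeug==3.1.6"` pin, which matches the advisory's fixed version, but the companion `gcp/website/poetry.lock` hunk (4 additions, 4 deletions) is not rendered on this page, so confirm before merging that the lock now records the 3.1.6 release hashes and not just the bumped version string. Leaving `"Flask==3.1.2"` untouched is correct: the advisory locates the bug in werkzeug's own `safe_join`/`send_from_directory`, so werkzeug is the only pin that needs to move. Note also that the described hang requires the application to run on Windows, which the `gcp/website` service presumably does not, so this is a defense-in-depth bump rather than an urgent one, and nothing about the exact `==` pinning style here differs from the neighbouring dependencies.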

0 commit comments
