chore(deps): bump the uv group across 2 directories with 12 updates

[dependabot]

Bumps the uv group with 12 updates in the /climate-advisor/service directory:

Package	From	To
cryptography	46.0.3	46.0.7
langchain-core	1.2.13	1.2.28
langgraph	1.0.7	1.0.10rc1
langsmith	0.4.58	0.7.31
mcp	1.20.0	1.23.0
orjson	3.11.4	3.11.6
pytest	9.0.2	9.0.3
python-multipart	0.0.21	0.0.26
requests	2.32.5	2.33.0
starlette	0.48.0	0.49.1
urllib3	2.5.0	2.6.3
uv	0.9.7	0.11.6

Bumps the uv group with 1 update in the /hiap-meed directory: pytest.

Updates cryptography from 46.0.3 to 46.0.7

Changelog

Sourced from cryptography's changelog.

46.0.7 - 2026-04-07

* **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be
  passed to APIs that accept Python buffers, which could lead to buffer
  overflow. **CVE-2026-39892**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.
.. _v46-0-6:
46.0.6 - 2026-03-25

• SECURITY ISSUE: Fixed a bug where name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug, including those used by the Web PKI. Credit to Oleh Konko (1seal) for reporting the issue. CVE-2026-34073

.. _v46-0-5:

46.0.5 - 2026-02-10

* An attacker could create a malicious public key that reveals portions of your
  private key when using certain uncommon elliptic curves (binary curves).
  This version now includes additional security checks to prevent this attack.
  This issue only affects binary elliptic curves, which are rarely used in
  real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
  Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
  **CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
  removed in the next release.
.. v46-0-4:
46.0.4 - 2026-01-27

• Dropped support for win_arm64 wheels_.
• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

.. _v46-0-3:

Commits

• 622d672 46.0.7 release (#14602)
• 91d7288 Cherry-pick #14542 (#14543)
• 06e120e bump version for 46.0.5 release (#14289)
• 0eebb9d EC check key on cofactor > 1 (#14287)
• bedf6e1 fix openssl version on 46 branch (#14220)
• e6f44fc bump for 46.0.4 and drop win arm64 due to CI issues (#14217)
• See full diff in compare view

Updates langchain-core from 1.2.13 to 1.2.28

Release notes

Sourced from langchain-core's releases.

langchain-core==1.2.28

Changes since langchain-core==1.2.27

release(core): release 1.2.28 (#36614) fix(core): add more sanitization to templates (#36612)

langchain-core==1.2.27

Changes since langchain-core==1.2.26

release(core): 1.2.27 (#36586) fix(core): handle symlinks in deprecated prompt save path (#36585) chore: add comment explaining pygments>=2.20.0 (#36570)

Credit to Jeff Ponte (@​JDP-Security) for reporting the symlink resolution issue in #36585.

langchain-core==1.2.26

Changes since langchain-core==1.2.25

release(core): 1.2.26 (#36511) fix(core): add init validator and serialization mappings for Bedrock models (#34510) feat(core): add ChatBaseten to serializable mapping (#36510) chore(core): drop gpt-3.5-turbo from docstrings (#36497) fix(core): correct parameter names in filter_messages docstring example (#36462)

langchain-core==1.2.25

Changes since langchain-core==1.2.24

release(core): 1.2.25 (#36473) fix(core): harden check for txt files in deprecated prompt loading functions (#36471) fix(core): fixed typos in the documentation (#36459)

Credit to Jeff Ponte (@​JDP-Security) for reporting the symlink resolution issue resolved in #36471.

langchain-core==1.2.24

Changes since langchain-core==1.2.23

release(core): 1.2.24 (#36434) feat(core): impute placeholder filenames for OpenAI file inputs (#36433) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385) fix(core): add "computer" to _WellKnownOpenAITools (#36261)

langchain-core==1.2.23

Changes since langchain-core==1.2.22

release(core): 1.2.23 (#36323) revert: Revert "fix(core): trace invocation params in metadata" (#36322) chore: bump requests from 2.32.5 to 2.33.0 in /libs/core (#36243)

langchain-core==1.2.22

Changes since langchain-core==1.2.21

... (truncated)

Commits

• dd7c3eb release(core): release 1.2.28 (#36614)
• af2ed47 fix(core): add more sanitization to templates (#36612)
• 7e5858d release(standard-tests): 1.1.6 (#36610)
• fe99cb2 fix(standard-tests): update standard tests for sandbox backends (#36036)
• 65bbd47 chore(model-profiles): refresh model profile data (#36596)
• 6486404 release(core): 1.2.27 (#36586)
• 7629c74 fix(core): handle symlinks in deprecated prompt save path (#36585)
• ce21bf4 ci: convert working-directory to validated dropdown (#36575)
• b8698ea release(ollama): 1.1.0 (#36574)
• 3beba77 feat(ollama): support response_format (#34612)
• Additional commits viewable in compare view

Updates langgraph from 1.0.7 to 1.0.10rc1

Release notes

Sourced from langgraph's releases.

langgraph==1.0.10rc1

Changes since 1.0.9

• release: Candidate (#6947)
• Merge commit from fork
• chore: add tests to confirm expected subgraph persistence behavior (#6943)
• fix(langgraph): correct ParentCommand bubbling when checkpoint_ns includes numeric task segments (#6864)
• chore: add make type target for type checking (#6748)

langgraph==1.0.9

Changes since 1.0.8

• release: langgraph + prebuilt (#6875)
• fix: sequential interrupt handling w/ functional API (#6863)
• chore: state_updated_at sort by (#6857)
• chore: bump orjson (#6852)
• chore: conformance testing (#6842)
• chore(deps): bump the all-dependencies group in /libs/langgraph with 6 updates (#6815)
• chore(deps): bump protobuf from 6.33.4 to 6.33.5 in /libs/langgraph (#6833)
• chore(deps): bump cryptography from 46.0.3 to 46.0.5 in /libs/langgraph (#6837)
• chore(deps): bump nbconvert from 7.16.6 to 7.17.0 in /libs/langgraph (#6832)
• chore: server runtime type (#6774)
• refactor: replace bare except with BaseException in AsyncQueue (#6765)

langgraph-prebuilt==1.0.9

Changes since prebuilt==1.0.8

• release: prebuilt 1.0.9 and langgraph 1.1.5 (#7401)
• feat: enhance runtime w/ more execution information (#7363)
• fix: tool node injection bug (#7391)
• release(langgraph): 1.1.4 (#7356)
• chore(deps): bump pygments from 2.19.2 to 2.20.0 in /libs/prebuilt (#7354)
• chore(deps): bump langchain-core from 1.2.20 to 1.2.22 in /libs/prebuilt in the minor-and-patch group (#7289)
• chore(deps): bump requests from 2.32.5 to 2.33.0 in /libs/prebuilt (#7281)
• chore(deps): bump the all-dependencies group in /libs/prebuilt with 2 updates (#7247)
• release(checkpoint-postgres): 3.0.5 (#7221)
• release(langgraph): 1.1.3 (#7215)
• chore(deps): bump the all-dependencies group in /libs/sdk-py with 2 updates (#7197)
• chore(deps): bump the all-dependencies group in /libs/prebuilt with 2 updates (#7196)
• chore(deps): bump orjson from 3.11.5 to 3.11.6 in /libs/prebuilt (#7145)
• release(langgraph): 1.1.2 (#7135)
• release(langgraph): 1.1.1 (#7120)
• release(langgraph): 1.1 (#7102)
• chore(deps): bump the all-dependencies group across 1 directory with 3 updates (#7072)
• chore(deps): bump the all-dependencies group across 1 directory with 4 updates (#7073)
• release(langgraph) 1.0.10 (#6967)
• release(checkpoint): 0.4.1 (#6966)
• chore: add serde events (#6954)
• chore: update defaults (#6953)
• release: rc2 (#6949)

... (truncated)

Commits

• a04ec5d release: Candidate (#6947)
• 50df7d4 Merge commit from fork
• c4a4a46 chore: add tests to confirm expected subgraph persistence behavior (#6943)
• f178eb8 fix(langgraph): correct ParentCommand bubbling when checkpoint_ns includes nu...
• 48167d7 chore(deps): bump the all-dependencies group in /libs/cli with 2 updates (#6920)
• 806878a chore(deps): bump the all-dependencies group in /libs/checkpoint-postgres wit...
• 8087e6a docs(sdk-py): update auth docstrings to default-deny pattern (#6933)
• 8fbdb14 release(sdk-py): 0.3.9 (#6932)
• 5093802 chore(deps): bump the all-dependencies group in /libs/checkpoint with 2 updat...
• b89ef60 feat(sdk-py): add extract parameter to threads.search() (#6880)
• Additional commits viewable in compare view

Updates langsmith from 0.4.58 to 0.7.31

Release notes

Sourced from langsmith's releases.

v0.7.31

What's Changed

• chore(deps-dev): bump langchain-core from 1.2.23 to 1.2.28 in /python by @​dependabot[bot] in langchain-ai/langsmith-sdk#2692
• chore(deps-dev): bump @​anthropic-ai/sdk from 0.82.0 to 0.84.0 in /js by @​dependabot[bot] in langchain-ai/langsmith-sdk#2684
• chore(deps): bump cryptography from 46.0.6 to 46.0.7 in /python by @​dependabot[bot] in langchain-ai/langsmith-sdk#2693
• chore(deps-dev): bump @​anthropic-ai/sdk from 0.84.0 to 0.85.0 in /js by @​dependabot[bot] in langchain-ai/langsmith-sdk#2700
• feat(py): Tag OpenAI Agent Python SDK runs with ls_agent_type by @​jacoblee93 in langchain-ai/langsmith-sdk#2699
• feat(js): Adds ls_agent_type metadata to AI SDK runs by @​jacoblee93 in langchain-ai/langsmith-sdk#2701
• chore(deps-dev): bump types-tqdm from 4.67.3.20260303 to 4.67.3.20260408 in /python by @​dependabot[bot] in langchain-ai/langsmith-sdk#2710
• chore(deps): bump pnpm/action-setup from 5 to 6 by @​dependabot[bot] in langchain-ai/langsmith-sdk#2705
• chore(deps): bump the py-minor-and-patch group across 1 directory with 10 updates by @​dependabot[bot] in langchain-ai/langsmith-sdk#2711
• chore(deps-dev): bump @​anthropic-ai/sdk from 0.85.0 to 0.86.0 in /js by @​dependabot[bot] in langchain-ai/langsmith-sdk#2702
• chore(deps): bump actions/github-script from 8 to 9 by @​dependabot[bot] in langchain-ai/langsmith-sdk#2706
• chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 7 updates by @​dependabot[bot] in langchain-ai/langsmith-sdk#2712
• chore(deps-dev): bump types-psutil from 7.2.2.20260130 to 7.2.2.20260408 in /python by @​dependabot[bot] in langchain-ai/langsmith-sdk#2709
• chore(deps-dev): bump rich from 14.3.3 to 15.0.0 in /python by @​dependabot[bot] in langchain-ai/langsmith-sdk#2708
• feat: Filter kwargs from new token events by @​jacoblee93 in langchain-ai/langsmith-sdk#2714
• release(py): 0.7.31 by @​jacoblee93 in langchain-ai/langsmith-sdk#2716

Full Changelog: langchain-ai/langsmith-sdk@v0.7.30...v0.7.31

v0.7.30

What's Changed

• feat(python): add service feature to sandbox by @​DanielKneipp in langchain-ai/langsmith-sdk#2665
• fix(js): Fix prototype pollution bug in anonymizers by @​jacoblee93 in langchain-ai/langsmith-sdk#2690
• release(js): 0.5.18 by @​jacoblee93 in langchain-ai/langsmith-sdk#2691
• chore(js/sandbox): suppress warning log by @​hntrl in langchain-ai/langsmith-sdk#2694
• feat(js): Add metadata to Claude Agent SDK JS tracing by @​jacoblee93 in langchain-ai/langsmith-sdk#2695
• fix(py): Fix run tree memory leak by @​jacoblee93 in langchain-ai/langsmith-sdk#2696
• release(py): 0.7.30 by @​jacoblee93 in langchain-ai/langsmith-sdk#2698

Full Changelog: langchain-ai/langsmith-sdk@v0.7.29...v0.7.30

v0.7.29

What's Changed

• release(js): 0.5.17 by @​jacoblee93 in langchain-ai/langsmith-sdk#2681
• feat(py): Fix race condition around Claude Agent SDK instrumentation by @​jacoblee93 in langchain-ai/langsmith-sdk#2685
• release(py): 0.7.29 by @​jacoblee93 in langchain-ai/langsmith-sdk#2686

Full Changelog: langchain-ai/langsmith-sdk@v0.7.28...v0.7.29

v0.7.28

What's Changed

• feat(py): Support subagent tracing in Claude Agents SDK, fix usage and duplicate messages by @​jacoblee93 in langchain-ai/langsmith-sdk#2670
• chore(deps-dev): bump the py-minor-and-patch group across 1 directory with 11 updates by @​dependabot[bot] in langchain-ai/langsmith-sdk#2677
• chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 8 updates by @​dependabot[bot] in langchain-ai/langsmith-sdk#2667
• chore(deps): bump pnpm/action-setup from 4 to 5 by @​dependabot[bot] in langchain-ai/langsmith-sdk#2658

... (truncated)

Commits

• c434999 release(py): 0.7.31 (#2716)
• 47d7c4a feat: Filter kwargs from new token events (#2714)
• 3c57445 chore(deps-dev): bump rich from 14.3.3 to 15.0.0 in /python (#2708)
• 2be6cd0 chore(deps-dev): bump types-psutil from 7.2.2.20260130 to 7.2.2.20260408 in /...
• b8b6ca3 chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 7 ...
• 9897cb3 chore(deps): bump actions/github-script from 8 to 9 (#2706)
• 572c018 chore(deps-dev): bump @​anthropic-ai/sdk from 0.85.0 to 0.86.0 in /js (#2702)
• 5744752 chore(deps): bump the py-minor-and-patch group across 1 directory with 10 upd...
• 960cae7 chore(deps): bump pnpm/action-setup from 5 to 6 (#2705)
• 9370e76 chore(deps-dev): bump types-tqdm from 4.67.3.20260303 to 4.67.3.20260408 in /...
• Additional commits viewable in compare view

Updates mcp from 1.20.0 to 1.23.0

Release notes

Sourced from mcp's releases.

v1.23.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

• Add tests for JSON Schema 2020-12 field preservation (SEP-1613) by @​felixweinberger in modelcontextprotocol/python-sdk#1649
• Add client_secret_basic authentication support by @​jonshea in modelcontextprotocol/python-sdk#1334
• Implement SEP-1577 - Sampling With Tools by @​ochafik in modelcontextprotocol/python-sdk#1594
• SEP-1330: Elicitation Enum Schema Improvements and Standards Compliance by @​chughtapan in modelcontextprotocol/python-sdk#1246
• [auth][conformance] add conformance auth client by @​pcarleton in modelcontextprotocol/python-sdk#1640
• Implement SEP-986: Tool name validation by @​felixweinberger in modelcontextprotocol/python-sdk#1655
• fix: url for spec by @​felixweinberger in modelcontextprotocol/python-sdk#1659
• feat: implement SEP-991 URL-based client ID (CIMD) support by @​pcarleton in modelcontextprotocol/python-sdk#1652
• Update doc string on custom_route by @​pcarleton in modelcontextprotocol/python-sdk#1660
• Implement SEP-1036: URL mode elicitation for secure out-of-band interactions by @​cbcoutinho in modelcontextprotocol/python-sdk#1580
• Skip empty SSE data to avoid parsing errors by @​felixweinberger in modelcontextprotocol/python-sdk#1670
• SEP-1686: Tasks by @​maxisbey in modelcontextprotocol/python-sdk#1645
• Add on_session_created callback option by @​crondinini-ant in modelcontextprotocol/python-sdk#1710
• Add SSE polling support (SEP-1699) by @​felixweinberger in modelcontextprotocol/python-sdk#1654
• Support client_credentials flow with JWT and Basic auth by @​pcarleton in modelcontextprotocol/python-sdk#1663
• feat: backwards-compatible create_message overloads for SEP-1577 by @​felixweinberger in modelcontextprotocol/python-sdk#1713
• Auto-enable DNS rebinding protection for localhost servers by @​pcarleton (d3a184119e4479ea6a63590bc41f01dc06e3fa99)

New Contributors

• @​ochafik made their first contribution in modelcontextprotocol/python-sdk#1594

Full Changelog: modelcontextprotocol/python-sdk@v1.22.0...v1.23.0

v1.22.0

What's Changed

• feat: Pass through and expose additional parameters in ClientSessionGroup.call_tool and .connect_to_server by @​inaku-Gyan in modelcontextprotocol/python-sdk#1576
• chore: Lazy import jsonschema library by @​wuliang229 in modelcontextprotocol/python-sdk#1596
• docs: Update examples to use stateless HTTP with JSON responses by @​domdomegg in modelcontextprotocol/python-sdk#1499

New Contributors

• @​wuliang229 made their first contribution in modelcontextprotocol/python-sdk#1596

Full Changelog: modelcontextprotocol/python-sdk@v1.21.1...v1.22.0

v1.21.2

Hotfix Release

This is a hotfix release to address a critical bug in OAuth scope handling that caused failures on 401 responses.

Related:

• modelcontextprotocol/python-sdk#1630
• modelcontextprotocol/python-sdk#1632

What's Changed

... (truncated)

Commits

• d3a1841 Merge commit from fork
• fa851d9 feat: backwards-compatible create_message overloads for SEP-1577 (#1713)
• f82b0c9 Support client_credentials flow with JWT and Basic auth (#1663)
• 281fd47 Add SSE polling support (SEP-1699) (#1654)
• 2cd178a Add on_session_created callback option (#1710)
• c92bb2f SEP-1686: Tasks (#1645)
• 5983a65 Skip empty SSE data to avoid parsing errors (#1670)
• 02b7889 Implement SEP-1036: URL mode elicitation for secure out-of-band interactions ...
• 27279bc Update doc string on custom_route (#1660)
• f225013 feat: implement SEP-991 URL-based client ID (CIMD) support (#1652)
• Additional commits viewable in compare view

Updates orjson from 3.11.4 to 3.11.6

Release notes

Sourced from orjson's releases.

3.11.6

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

3.11.5

Changed

• Show simple error message instead of traceback when attempting to build on unsupported Python versions.

Changelog

Sourced from orjson's changelog.

3.11.6 - 2026-01-29

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

3.11.5 - 2025-12-06

Changed

• Show simple error message instead of traceback when attempting to build on unsupported Python versions.

Commits

• ec02024 3.11.6
• d581687 build, clippy misc
• 4105b29 writer::num
• 62bb185 Fix sporadic crash on serializing object close
• d860078 PyRef idiom refactors
• 343ae2f Deserializer, Utf8Buffer
• 7835f58 PyBytesRef and other input refactor
• 71e0516 PyStrRef
• 1096df4 MSRV 1.89
• b718e75 Drop support for python3.9
• Additional commits viewable in compare view

Updates pytest from 9.0.2 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

• #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

  -- by aleguy02

Commits

• a7d58d7 Prepare release version 9.0.3
• 089d981 Merge pull request #14366 from bluetech/revert-14193-backport
• 8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
• 99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
• ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
• 74eac69 doc: Update training info (#14298) (#14301)
• f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
• 7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
• 37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
• c34bfa3 Add explanation for string context diffs (#14257) (#14266)
• Additional commits viewable in compare view

Updates python-multipart from 0.0.21 to 0.0.26

Release notes

Sourced from python-multipart's releases.

Version 0.0.26

What's Changed

• Skip preamble before first multipart boundary by @​Kludex in Kludex/python-multipart#262
• Silently discard epilogue data after the closing boundary by @​Kludex in Kludex/python-multipart#259

Full Changelog: Kludex/python-multipart@0.0.25...0.0.26

Version 0.0.25

What's Changed

• Apply Apache-2.0 properly by @​Kludex in Kludex/python-multipart#247
• Handle multipart headers case-insensitively by @​Kludex in Kludex/python-multipart#252
• Emit field_end for trailing bare field names on finalize by @​bysiber in Kludex/python-multipart#230
• Add UPLOAD_DELETE_TMP to FormParser config by @​Kludex in Kludex/python-multipart#254
• Remove custom FormParser classes by @​Kludex in Kludex/python-multipart#257
• Handle CTE values case-insensitively by @​Kludex in Kludex/python-multipart#258
• Add MIME content type info to File by @​jhnstrk in Kludex/python-multipart#143

Full Changelog: Kludex/python-multipart@0.0.24...0.0.25

Version 0.0.24

What's Changed

• Validate chunk_size in parse_form() by @​Kludex in Kludex/python-multipart#244

Full Changelog: Kludex/python-multipart@0.0.23...0.0.24

Version 0.0.23

What's Changed

• Remove unused trust_x_headers parameter and X-File-Name fallback by @​jhnstrk in Kludex/python-multipart#196
• Return processed length from QuerystringParser._internal_write by @​bysiber in Kludex/python-multipart#229
• Cleanup metadata dunders from __init__.py by @​Chesars in Kludex/python-multipart#227

New Contributors

• @​Chesars made their first contribution in Kludex/python-multipart#227
• @​bysiber made their first contribution in Kludex/python-multipart#229

Full Changelog: Kludex/python-multipart@0.0.22...0.0.23

Version 0.0.22

What's Changed

• Drop directory path from filename in File 9433f4b.

---

Full Changelog: Kludex/python-multipart@0.0.21...0.0.22

Changelog

Sourced from python-multipart's changelog.

0.0.26 (2026-04-10)

• Skip preamble before the first multipart boundary more efficiently #262.
• Silently discard epilogue data after the closing multipart boundary #259.

0.0.25 (2026-04-10)

• Add MIME content type info to File #143.
• Handle CTE values case-insensitively #258.
• Remove custom FormParser classes #257.
• Add UPLOAD_DELETE_TMP to FormParser config #254.
• Emit field_end for trailing bare field names on finalize #230.
• Handle multipart headers case-insensitively #252.
• Apply Apache-2.0 properly #247.

0.0.24 (2026-04-05)

• Validate chunk_size in parse_form() #244.

0.0.23 (2026-04-05)

• Remove unused trust_x_headers parameter and X-File-Name fallback #196.
• Return processed length from QuerystringParser._internal_write #229.
• Cleanup metadata dunders from __init__.py #227.

0.0.22 (2026-01-25)

• Drop directory path from filename in File 9433f4b.

Commits

• 28f4785 Version 0.0.26 (#263)
• d4452a7 Silently discard epilogue data after the closing boundary (#259)
• 6a7b76d Skip preamble before first multipart boundary (#262)
• 4addb60 Version 0.0.25 (#261)
• d3a4698 Add MIME content type info to File (#143)
• 9a1ecbd Handle CTE values case-insensitively (#258)
• ef2a0b9 Remove custom FormParser classes (#257)
• 3a757d7 Ignore local Claude state (#255)
• 55e7396 fuzz: Add cifuzz (#186)
• d6d1d11 Bump the github-actions group with 2 updates (#249)
• Additional commits viewable in compare view

Updates requests from 2.32.5 to 2.33.0

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

New Contributors

• @​M0d3v1 made their first contribution in psf/requests#6865
• @​aminvakil made their first contribution in psf/requests#7220
• @​E8Price made their first contribution in psf/requests#6960
• @​mitre88 made their first contribution in psf/requests#7244
• @​magsen made their first contribution in psf/requests#6553
• @​Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the ...

  Description has been truncated