Bump the prod-dependencies group across 1 directory with 3 updates

[dependabot]

Bumps the prod-dependencies group with 3 updates in the / directory: lxml, polars and requests.

Updates lxml from 6.0.2 to 6.0.4

Changelog

Sourced from lxml's changelog.

6.0.4 (2026-04-12)

Bugs fixed

• LP#2148019: Spurious MemoryError during namespace cleanup.

6.0.3 (2026-04-09)

Bugs fixed

• Several out of memory error cases now raise MemoryError that were not handled before.

• Slicing with large step values (outside of +/- sys.maxsize) could trigger undefined C behaviour.

• LP#2125399: Some failing tests were fixed or disabled in PyPy.

• LP#2138421: Memory leak in error cases when setting the public_id or system_url of a document.

• Memory leak in case of a memory allocation failure when copying document subtrees.

• When mapping an XPath result to Python failed, the result memory could leak.

• When preparing an XSLT transform failed, the XSLT parameter memory could leak.

Other changes

• Built using Cython 3.2.4.

• Binary wheels use zlib 1.3.2.

Commits

• 1fd1d6b Fix release date.
• 5154859 CI: Include all library versions in libs cache key to asssure updated on vers...
• 6a606f3 Add "doesn't crash" tests for LP#2148019.
• f488f16 Prepare release of 6.0.4.
• 1255d98 LP#2148019: Prevent spurious MemoryError during namespace cleanup.
• 03b0c4a Remove dead type check.
• a6f833c Fix release date.
• 973d059 Update changelog.
• 9044a52 Build: Downgrade libiconv to 1.18 since 1.19 does not build reliably.
• a34dfdd Build: Upgrade libiconv to 1.19.
• Additional commits viewable in compare view

Updates polars from 1.38.1 to 1.39.3

Release notes

Sourced from polars's releases.

Python Polars 1.39.3

• No changes

Thank you to all our contributors for making this release possible! @​ritchie46

Python Polars 1.39.2

• No changes

Thank you to all our contributors for making this release possible! @​nameexhaustion and @​ritchie46

Python Polars 1.39.1

🐞 Bug fixes

• Handle empty rolling windows in streaming engine (#26903)

📖 Documentation

• Add documentation for on_columns for LazyFrame pivot (#26859)

🛠️ Other improvements

• Bump build deps used in ARM64 Windows release pipeline (#26892)

Thank you to all our contributors for making this release possible! @​Kevin-Patyk, @​RenzoMXD, @​TNieuwdorp, @​dsprenkels, @​gautamvarmadatla, @​nameexhaustion, @​nicholaslegrand102 and @​ritchie46

Python Polars 1.39.0

🚀 Performance improvements

• Lower arg_{min,max} to streaming engine (#26845)
• Additional IR slice pushdown after filter pushdown (#26815)
• Streaming first/last on Enum through physical (#26783)
• Fast filter for scalar predicates (#26745)
• Allow SimpleProjection in streaming engine to rename (#26709)
• Streaming cloud download for scan_csv (#26637)
• Drop columns only needed for predicates after the predicate is applied (#26703)
• Run projection pushdown after predicate pushdown (#26688)
• Comparison literal downcasting (#26663)
• Add dynamic predicates for TopK (#26495)
• Increase minimum default parquet row group prefetch to 8 (#26632)
• Partial predicate conversion to PyArrow (#26567)
• Streaming cloud download for scan_ndjson / scan_lines (#26563)
• Grab GIL fewer times during Object join materialization (#26587)
• Improve CSV and NDJSON cloud sink performance (#26545)
• Tune cloud writer performance (#26518)
• Allow parallel InMemorySinks in streaming engine (#26501)
• Add streaming AsOf join node (#26398)
• Don't always rechunk on gather of nested types (#26478)

... (truncated)

Commits

• 1cd236c version + lockfile
• ebe3364 lockfile
• 4f31f72 fix: Fix ColumnNotFound due to projection between filter/cache in CSPE (#26946)
• 71873e5 bump
• 39d1d4c fix: Fix the loop bounds in `BitmapBuilder::extend_each_repeated_from_slice_u...
• 0f5ae40 fix: Default engine as streaming for collect_batches (#26932)
• 266141e lockfile
• 259723f Python Polars 1.39.1
• 1b71c72 fix: Fix error passing Series of dates to business functions (#26927)
• 16725ce fix: Propagate null in min_by / max_by for all-null by groups (#26919)
• Additional commits viewable in compare view

Updates requests from 2.32.5 to 2.33.1

Release notes

Sourced from requests's releases.

v2.33.1

2.33.1 (2026-03-30)

Bugfixes

• Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
• Fixed Content-Type header parsing for malformed values. (#7309)
• Improved error consistency for malformed header values. (#7308)

New Contributors

• @​ferdnyc made their first contribution in psf/requests#7277

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30

v2.33.0

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

New Contributors

• @​M0d3v1 made their first contribution in psf/requests#6865
• @​aminvakil made their first contribution in psf/requests#7220
• @​E8Price made their first contribution in psf/requests#6960
• @​mitre88 made their first contribution in psf/requests#7244
• @​magsen made their first contribution in psf/requests#6553
• @​Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

Changelog

Sourced from requests's changelog.

2.33.1 (2026-03-30)

Bugfixes

• Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
• Fixed Content-Type header parsing for malformed values. (#7309)
• Improved error consistency for malformed header values. (#7308)

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

Commits

• 111d2b7 v2.33.1
• f0198e6 Fix malformed value parsing for Content-Type (#7309)
• bc7dd0f Fix cosmetic header validity parsing regex (#7308)
• 4443b1a Fix unintended test extra (#7306)
• 389eea5 Cleanup extracted file after extract_zipped_path test (#7305)
• 7407309 Packaging: DRY out extras definition (#7277)
• bc04dfd v2.33.0
• 66d21cb Merge commit from fork
• 8b9bc8f Move badges to top of README (#7293)
• e331a28 Remove unused extraction call (#7292)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions