Merge pull request #418 from networktocode/chore/dependency-bumps-2026-05

Bump dependencies and add Python 3.14 support

Author: jvanderaa

.github/workflows/ci.yml

@@ -91,7 +91,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python-version: ["3.10", "3.11", "3.12", "3.13"]
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
     env:
       INVOKE_PARSER_PYTHON_VER: "${{ matrix.python-version }}"
     steps:
@@ -127,7 +127,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python-version: ["3.10", "3.11", "3.12", "3.13"]
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
     runs-on: "ubuntu-latest"
     env:
       INVOKE_PARSER_PYTHON_VER: "${{ matrix.python-version }}"

.github/workflows/release.yml

@@ -69,7 +69,6 @@ jobs:
         with:
           user: "__token__"
           password: "${{ secrets.PYPI_API_TOKEN }}"
-        # End publish to PyPI job.
 
   slack-notify:
     needs:

Dockerfile

@@ -2,6 +2,11 @@ ARG PYTHON_VER="3.10"
 
 FROM python:${PYTHON_VER}-slim
 
+# Install build tooling so dependencies without cp3xx wheels can be source-built (relevant for newest Python versions).
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends build-essential \
+    && rm -rf /var/lib/apt/lists/*
+
 # Install Poetry manually via its installer script;
 # if we instead used "pip install poetry" it would install its own dependencies globally which may conflict with ours.
 # https://python-poetry.org/docs/master/#installing-with-the-official-installer

changes/415.dependencies

@@ -0,0 +1,2 @@
+Bumped Python dependencies (click, coverage, netconan, pylint, ruff, cffi, pymdown-extensions) and CI action pins (actions/checkout, docker/setup-buildx-action, pypa/gh-action-pypi-publish).
+Added Python 3.14 to the supported version range and split `numpy` by Python version (2.2.x on Python 3.10, >=2.3 on 3.11+) so the same lock resolves cleanly across the full supported range.

changes/415.security

@@ -0,0 +1 @@
+Bumped `lxml` (>=6.1.0), `urllib3` (>=2.7.0), `requests` (>=2.33.0), and `pygments` (>=2.20.0) to address open Dependabot advisories (XXE in iterparse, sensitive-header forwarding on proxied redirects, decompression-bomb safeguard bypass, insecure temp file reuse, ReDoS).

poetry.lock

@@ -17,19 +17,20 @@ classifiers = [
     "Programming Language :: Python :: 3.11",
     "Programming Language :: Python :: 3.12",
     "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
 ]
 include = [
     "LICENSE",
     "README.md",
 ]
 
 [tool.poetry.dependencies]
-python = ">=3.10,<3.14"
+python = ">=3.10,<3.15"
 click = ">=7.1, <9.0"
 pydantic = ">=1.10.4,<3"
 icalendar = "^5.0.0"
 bs4 = "^0.0.2"
-lxml = ">=4.6.2,<7"
+lxml = ">=6.1.0,<7"
 geopy = "^2.1.0"
 timezonefinder = ">=6.0.1,<9.0.0"
 backoff = "^2.2.1"
@@ -38,6 +39,13 @@ openai = { version = ">=1.2.4", optional = true }
 openpyxl = { version = "^3.1.5", optional = true }
 pandas = { version = "^2.2.3", optional = true }
 python-dateutil = "^2.9.0"
+requests = ">=2.33.0,<3"
+urllib3 = ">=2.7.0,<3"
+# Floor `numpy` per Python version so 3.11+ (including 3.14) pulls modern wheels while 3.10 stays on the 2.2 line.
+numpy = [
+    { version = ">=1.22.4,<2.3", python = "<3.11" },
+    { version = ">=2.3,<3", python = ">=3.11" },
+]
 
 [tool.poetry.extras]
 xlsx = [
@@ -59,12 +67,13 @@ ruff = "*"
 types-python-dateutil = "^2.8.3"
 types-pytz = "^2025.2.0"
 types-toml = "^0.10.1"
-netconan = "^0.12.3"
+netconan = "^0.15.0"
 toml = "0.10.2"
 towncrier = "^25.8.0"
 types-chardet = "^5.0.4"
 pandas-stubs = "^2.3.2"
 coverage = "^7.6.12"
+pygments = ">=2.20.0,<3"
 
 [tool.poetry.group.docs.dependencies]
 # Rendering docs to HTML