Bump the uv group across 1 directory with 15 updates #4631

Merged
marcoacierno merged 1 commit into main from dependabot/uv/backend/uv-52f323a382
May 5, 2026

Conversation

@dependabot (Bot, Contributor) commented on behalf of github, May 4, 2026

Bumps the uv group with 15 updates in the /backend directory:

Package         From      To
requests        2.32.4    2.33.0
urllib3         2.5.0     2.6.3
lxml            6.0.0     6.1.0
wagtail         7.1.2     7.2.3
cryptography    44.0.0    46.0.7
pypdf           5.1.0     6.10.2
nltk            3.9.2     3.9.4
pytest          7.4.3     9.0.3
brotli          1.1.0     1.2.0
fonttools       4.55.3    4.60.2
h11             0.14.0    0.16.0
protobuf        5.29.0    5.29.6
pyasn1          0.6.1     0.6.3
python-dotenv   1.0.1     1.2.2
sqlparse        0.5.2     0.5.4

Updates requests from 2.32.4 to 2.33.0

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

v2.32.5

2.32.5 (2025-08-18)

Bugfixes

  • The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

  • Added support for Python 3.14.
  • Dropped support for Python 3.8 following its end of support.

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.

2.32.5 (2025-08-18)

Bugfixes

  • The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

  • Added support for Python 3.14.
  • Dropped support for Python 3.8 following its end of support.

Commits
  • bc04dfd v2.33.0
  • 66d21cb Merge commit from fork
  • 8b9bc8f Move badges to top of README (#7293)
  • e331a28 Remove unused extraction call (#7292)
  • 753fd08 docs: fix FAQ grammar in httplib2 example
  • 774a0b8 docs(socks): same block as other sections
  • 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
  • ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
  • 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
  • d568f47 docs: clarify Quickstart POST example (#6960)
  • Additional commits viewable in compare view

Updates urllib3 from 2.5.0 to 2.6.3

Release notes

Sourced from urllib3's releases.

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

2.6.2

Changes

  • Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)

2.6.1

Changes

  • Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. (#3731)

2.6.0

Security

  • Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)
  • Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)

[!IMPORTANT]

  • If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.

... (truncated)

Changelog

Sourced from urllib3's changelog.

2.6.3 (2026-01-07)

  • Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (GHSA-38jv-5279-wg99, https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99)
  • Started treating Retry-After times greater than 6 hours as 6 hours by default. (#3743, https://github.com/urllib3/urllib3/issues/3743)
  • Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. (#3752, https://github.com/urllib3/urllib3/issues/3752)

2.6.2 (2025-12-11)

  • Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (#3734, https://github.com/urllib3/urllib3/issues/3734)

2.6.1 (2025-12-08)

  • Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. (#3731, https://github.com/urllib3/urllib3/issues/3731)

2.6.0 (2025-12-05)

Security

  • Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (GHSA-2xpw-w6gg-jr37, https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37)
  • Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (GHSA-gm62-xv2j-4w53, https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53)

Caution:

  • If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using

... (truncated)

Commits
  • 0248277 Release 2.6.3
  • 8864ac4 Merge commit from fork
  • 70cecb2 Fix Scorecard issues related to vulnerable dev dependencies (#3755)
  • 41f249a Move "v2.0 Migration Guide" to the end of the table of contents (#3747)
  • fd4dffd Patch VerifiedHTTPSConnection for Emscripten (#3752)
  • 13f0bfd Handle massive values in Retry-After when calculating time to sleep for (#3743)
  • 8c480bf Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#3748)
  • 4b40616 Bump actions/cache from 4.3.0 to 5.0.1 (#3750)
  • 82b8479 Bump actions/download-artifact from 6.0.0 to 7.0.0 (#3749)
  • 34284cb Mention experimental features in the security policy (#3746)
  • Additional commits viewable in compare view

Updates lxml from 6.0.0 to 6.1.0

Changelog

Sourced from lxml's changelog.

6.1.0 (2026-04-17)

This release fixes a possible external entity injection (XXE) vulnerability in iterparse() and the ETCompatXMLParser.

Features added

  • GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes in lxml.html.defs. This allows lxml_html_clean to pass them through. Patch by oomsveta.

  • The default chunk size for reading from file-likes in iterparse() is now configurable with a new chunk_size argument.

Bugs fixed

  • LP#2146291: The resolve_entities option was still set to True for iterparse and ETCompatXMLParser, allowing for external entity injection (XXE) when using these parsers without setting this option explicitly. The default was now changed to 'internal' only (as for the normal XML and HTML parsers since lxml 5.0). Issue found by Sihao Qiu as CVE-2026-41066.

6.0.4 (2026-04-12)

Bugs fixed

  • LP#2148019: Spurious MemoryError during namespace cleanup.

6.0.3 (2026-04-09)

Bugs fixed

  • Several out of memory error cases now raise MemoryError that were not handled before.

  • Slicing with large step values (outside of +/- sys.maxsize) could trigger undefined C behaviour.

  • LP#2125399: Some failing tests were fixed or disabled in PyPy.

  • LP#2138421: Memory leak in error cases when setting the public_id or system_url of a document.

... (truncated)

Commits
  • 43722f4 Update changelog.
  • 8747040 Name version of option change in docstring.
  • 6c36e6c Fix pypistats URL in download statistics script.
  • c7d76d6 Change security policy to point to Github security advisories.
  • 378ccf8 Update project income report.
  • 315270b Docs: Reduce TOC depth of package pages and move module contents first.
  • 6dbba7f Docs: Show current year in copyright line.
  • e4385bf Update project income report.
  • 5bed1e1 Validate file hashes in release download script.
  • c13ee10 Prepare release of 6.1.0.
  • Additional commits viewable in compare view

Updates wagtail from 7.1.2 to 7.2.3

Release notes

Sourced from wagtail's releases.

7.2.3

  • Fix: CVE-2026-28222: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes (Guan Chenxian, Matt Westcott)
  • Fix: CVE-2026-28223: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface (Guan Chenxian, Matt Westcott)
  • Maintenance: Update semgrep to 1.150.0 (Pravin Kamble)

7.2.2

  • Fix: Prevent conflicting IDs in nested StructBlocks with blocks named content (Sage Abdullah, Serkan Korkusuz)
  • Fix: CVE-2026-25517: Improper permission handling on admin preview endpoints (thxtech, Matt Westcott, Jake Howard)

7.2.1

  • Fix: Allow userbar in page previews to render without needing to configure site record (Sage Abdullah)
  • Fix: Disable usage count ordering when searching on documents and images listing views, to prevent unsupported search query (Sage Abdullah)
  • Fix: Do not replace existing document or image title when uploading a new file (Sage Abdullah)
  • Fix: Use a more efficient query for fetching usage counts on image and document listings when not ordering by usage count (Sage Abdullah)
  • Fix: Add composite indexes to improve reference index performance (Sage Abdullah)
  • Maintenance: Remove use of _WAGTAILSEARCH_FORCE_AUTO_UPDATE in search tests (Matt Westcott)

7.2

  • Added support for Python 3.14 (Sage Abdullah)
  • Add usage count filter to the admin image and document listings (Joel William)
  • Add keyboard shortcut (?) to activate the keyboard shortcuts dialog (Dhruvi Patel)
  • Add keyboard shortcut (/) to activate and focus on the search input in the sidebar (Dhruvi Patel)
  • Allow deep contentpath for comments on fields other than StreamField (Lasse Schmieding, Sébastien Corbin, Joel William, Sage Abdullah)
  • Reorganize keyboard shortcuts into better categories with an ordering from most common to most specific (Dhruvi Patel)
  • Add max_value of 100 (%) for the closeness field in Image URL Generator form (LB (Ben) Johnston)
  • Add reordering support to generic model and snippet listing views (Joey Jurjens, Sage Abdullah)
  • Add messaging within the keyboard shortcuts dialog to indicate when keyboard shortcuts are disabled or how to disable them via user preferences (Pravin Kamble)
  • Allow defining a custom WorkflowLock subclass via Task.lock_class in a custom task (Dan Braghis)
  • Add new toggle from grid to list layout for image choosers (Joel William)
  • Update grid-list layout toggle to new design (Joel William)
  • Add readability score metric to content checks (Thibaud Colas)
  • Add explainer panel for content metrics (Thibaud Colas)
  • Add a button to jump to the first validation error in header messages (Srishti Jaiswal, Sage Abdullah, LB (Ben) Johnston)
  • Support calculating content metrics without opening the preview panel (Sage Abdullah)
  • Update project template settings to use pathlib Path object (Eric Matthes)
  • Migrate to django-modelsearch library, providing Elasticsearch 9 and OpenSearch backends (Karl Hobley, Matt Westcott)
  • Fix: Use the correct method of resolving the file storage dynamically for FileField usage in images & documents (Amir Mahmoodi)
  • Fix: Ensure the add comment keyboard shortcut is disabled when keyboard shortcuts are disabled in user preferences (Dhruvi Patel)
  • Fix: Use model name when ordering by page type in page listings (Sage Abdullah)
  • Fix: Prevent error from default update_fields parameter on Page.asave() (Tosinibikunle)
  • Fix: Ignore hidden error messages in minimap & CountController default findValue (Sage Abdullah)
  • Fix: Change default ordering for UserViewSet to User.USERNAME_FIELD to support default ordering with custom User models that may not have a name field (Lynwee)
  • Fix: Ensure starter tests in the project template pass (Lasse Schmieding)
  • Fix: Ensure fixed RichText toolbar shows under footer actions (Maciek Baron)
  • Fix: Prevent error when iterating over specific tasks with missing models (Lasse Schmieding)
  • Fix: Ensure TableBlock header dropdown default option can be translated (arpitmak)
  • Fix: Fix missing cache key prefix when removing cached redirect files (Heric Libong)
  • Docs: Fix cross-reference links to the TypeDoc-generated docs (Sage Abdullah)
  • Docs: Refine readthedocs' search indexing for releases and client-side code (Sage Abdullah)
  • Docs: Fix incorrect link to third party site in advanced topics (Yousef Al-Hadhrami (Yemeni))

... (truncated)

Changelog

Sourced from wagtail's changelog.

7.2.3 (03.03.2026)

  • Fix: CVE-2026-28222: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes (Guan Chenxian, Matt Westcott)
  • Fix: CVE-2026-28223: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface (Guan Chenxian, Matt Westcott)
  • Maintenance: Update semgrep to 1.150.0 (Pravin Kamble)

7.2.2 (03.02.2026)

  • Fix: Prevent conflicting IDs in nested StructBlocks with blocks named content (Sage Abdullah, Serkan Korkusuz)
  • Fix: CVE-2026-25517: Improper permission handling on admin preview endpoints (thxtech, Matt Westcott, Jake Howard)

7.2.1 (26.11.2025)

  • Fix: Allow userbar in page previews to render without needing to configure site record (Sage Abdullah)
  • Fix: Disable usage count ordering when searching on documents and images listing views, to prevent unsupported search query (Sage Abdullah)
  • Fix: Do not replace existing document or image title when uploading a new file (Sage Abdullah)
  • Fix: Use a more efficient query for fetching usage counts on image and document listings when not ordering by usage count (Sage Abdullah)
  • Fix: Add composite indexes to improve reference index performance (Sage Abdullah)
  • Maintenance: Remove use of _WAGTAILSEARCH_FORCE_AUTO_UPDATE in search tests (Matt Westcott)

7.2 (05.11.2025)

  • Added support for Python 3.14 (Sage Abdullah)
  • Add usage count filter to the admin image and document listings (Joel William)
  • Add keyboard shortcut (?) to activate the keyboard shortcuts dialog (Dhruvi Patel)
  • Add keyboard shortcut (/) to activate and focus on the search input in the sidebar (Dhruvi Patel)
  • Allow deep contentpath for comments on fields other than StreamField (Lasse Schmieding, Sébastien Corbin, Joel William, Sage Abdullah)
  • Reorganize keyboard shortcuts into better categories with an ordering from most common to most specific (Dhruvi Patel)
  • Add max_value of 100 (%) for the closeness field in Image URL Generator form (LB (Ben) Johnston)
  • Add reordering support to generic model and snippet listing views (Joey Jurjens, Sage Abdullah)
  • Add messaging within the keyboard shortcuts dialog to indicate when keyboard shortcuts are disabled or how to disable them via user preferences (Pravin Kamble)
  • Allow defining a custom WorkflowLock subclass via Task.lock_class in a custom task (Dan Braghis)
  • Add new toggle from grid to list layout for image choosers (Joel William)
  • Update grid-list layout toggle to new design (Joel William)
  • Add readability score metric to content checks (Thibaud Colas)
  • Add explainer panel for content metrics (Thibaud Colas)
  • Add a button to jump to the first validation error in header messages (Srishti Jaiswal, Sage Abdullah, LB (Ben) Johnston)
  • Support calculating content metrics without opening the preview panel (Sage Abdullah)
  • Update project template settings to use pathlib Path object (Eric Matthes)
  • Migrate to django-modelsearch library, providing Elasticsearch 9 and OpenSearch backends (Karl Hobley, Matt Westcott)
  • Fix: Use the correct method of resolving the file storage dynamically for FileField usage in images & documents (Amir Mahmoodi)
  • Fix: Ensure the add comment keyboard shortcut is disabled when keyboard shortcuts are disabled in user preferences (Dhruvi Patel)
  • Fix: Use model name when ordering by page type in page listings (Sage Abdullah)

... (truncated)

Commits
  • b55a95d Update semgrep to 1.150.0
  • b5c79f0 Version bump to 7.2.3 final
  • 3b1684d Release note for CVE-2026-28223 in 7.2.3
  • 94b8939 Release note for CVE-2026-28223 in 7.0.6
  • 0a6b3b6 Release note for CVE-2026-28223 in 6.3.8
  • 1c6f2ef Enforce HTML escaping of all confirmation / warning / error messages
  • 29ff50c Release note for CVE-2026-28222 in 7.2.3
  • 75858f4 Release note for CVE-2026-28222 in 7.0.6
  • 0c5bf73 Release note for CVE-2026-28222 in 6.3.8
  • 605a556 Correctly escape class, rowspan and colspan attributes in TableBlock HT...
  • Additional commits viewable in compare view

Updates cryptography from 44.0.0 to 46.0.7

Changelog

Sourced from cryptography's changelog.

46.0.7 - 2026-04-07

  • SECURITY ISSUE: Fixed an issue where non-contiguous buffers could be passed to APIs that accept Python buffers, which could lead to buffer overflow. CVE-2026-39892
  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.

46.0.6 - 2026-03-25

  • SECURITY ISSUE: Fixed a bug where name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug, including those used by the Web PKI. Credit to Oleh Konko (1seal) for reporting the issue. CVE-2026-34073

46.0.5 - 2026-02-10

  • An attacker could create a malicious public key that reveals portions of your private key when using certain uncommon elliptic curves (binary curves). This version now includes additional security checks to prevent this attack. This issue only affects binary elliptic curves, which are rarely used in real-world applications. Credit to XlabAI Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery Engine for reporting the issue. CVE-2026-26007
  • Support for SECT* binary elliptic curves is deprecated and will be removed in the next release.

46.0.4 - 2026-01-27

  • Dropped support for win_arm64 wheels.
  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

46.0.3 - 2025-10-15

  • Fixed compilation when using LibreSSL 4.2.0.

... (truncated)

Commits

Updates pypdf from 5.1.0 to 6.10.2

Release notes

Sourced from pypdf's releases.

Version 6.10.2, 2026-04-15

What's new

Security (SEC)

Full Changelog

Version 6.10.1, 2026-04-14

What's new

Security (SEC)

Robustness (ROB)

Documentation (DOC)

Full Changelog

Version 6.10.0, 2026-04-10

What's new

Security (SEC)

New Features (ENH)

  • Skip MD5 key derivation for AES-256 encrypted PDFs (#3694) by @Ygnas

Bug Fixes (BUG)

Documentation (DOC)

Full Changelog

Version 6.9.2, 2026-03-23

What's new

Security (SEC)

... (truncated)

Changelog

Sourced from pypdf's changelog.

Version 6.10.2, 2026-04-15

Security (SEC)

  • Do not rely on possibly invalid /Size for incremental cloning (#3735)
  • Introduce limits for FlateDecode parameters and image decoding (#3734)

Full Changelog

Version 6.10.1, 2026-04-14

Security (SEC)

  • Limit the allowed size of xref and object streams (#3733)

Robustness (ROB)

  • Consider strict mode setting for decryption errors (#3731)

Documentation (DOC)

  • Use new parameter names for compress_identical_objects

Full Changelog

Version 6.10.0, 2026-04-10

Security (SEC)

  • Disallow custom XML entity declarations for XMP metadata (#3724)

New Features (ENH)

  • Skip MD5 key derivation for AES-256 encrypted PDFs (#3694)

Bug Fixes (BUG)

  • Use remove_orphans in compress_identical_objects (#3310)
  • Fix PdfReadError when xref table contains comments before trailer (#3710)
  • Correctly verify AES padding during decryption (#3699)
  • Fix stale object cache from non-authoritative object streams (#3698)
  • Fix extract_links pairing when annotations include non-links (#3687)

Documentation (DOC)

Full Changelog

Version 6.9.2, 2026-03-23

Security (SEC)

  • Avoid infinite loop in read_from_stream for broken files (#3693)

Robustness (ROB)

  • Resolve UnboundLocalError for xobjs in _get_image (#3684)

Full Changelog

... (truncated)

Commits
  • c476b4f REL: 6.10.2
  • c50a010 SEC: Do not rely on possibly invalid /Size for incremental cloning (#3735)
  • ac734da SEC: Introduce limits for FlateDecode parameters and image decoding (#3734)
  • b49e7eb REL: 6.10.1
  • 62338e9 SEC: Limit the allowed size of xref and object streams (#3733)
  • 5dcc0ae DEV: Update pytest-benchmark to 5.2.3
  • b42e4aa DEV: Update pinned pillow and pytest where possible (#3732)
  • 717446b ROB: Consider strict mode setting for decryption errors (#3731)
  • 9e461d3 DEV: Bump softprops/action-gh-release from 2 to 3 (#3730)
  • 500d09d TST: Update test_embedded_file__basic to use tmp_path fixture (#3726)
  • Additional commits viewable in compare view

Updates nltk from 3.9.2 to 3.9.4

Changelog

Sourced from nltk's changelog.

Version 3.9.4 2026-03-24

  • Support Python 3.14
  • Fix bug in Levenshtein distance when substitution_cost > 2
  • Fix bug in Treebank detokeniser re quote ordering
  • Fix bug in Jaro similarity for empty strings
  • Several security enhancements
  • Fix GHSA-rf74-v2fm-23pw: unbounded recursion in JSONTaggedDecoder
  • Implement TextTiling vocabulary introduction method (Hearst 1997)
  • Fix ALINE feature matrix errors and add comprehensive tests
  • Support multiple VerbNet versions, fix longid/shortid regex for VerbNet ids
  • Let downloader fallback to md5 when sha256 is unavailable
  • Several other minor bugfixes and code cleanups

Thanks to the following contributors to 3.9.4: Min-Yen Kan, Eric Kafe, Emily Voss, bowiechen, Hrudhai01, jancallewaert, Mr-Neutr0n, pollak.peter89, ylwango613,

Version 3.9.3 2026-02-21

  • Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
  • Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
  • Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
  • Validate external StanfordSegmenter JARs using SHA256 (#3477)
  • Add optional sandbox enforcement for filestring() (#3485)
  • Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

  • Update download checksums to use SHA256 in built index
  • Fix percentage escape in new-style string formatting
  • replace shortened URLs using goo.gl
  • Make Wordnet interoperable with various taggers and tagged corpora
  • Fix saving PerceptronTagger
  • Document how to reproduce old Wordnet studies
  • properly initialize Portuguese corpus reader
  • support for mixed rules conversion into Chomsky Normal Form
  • only import tkinter if a GUI is needed
  • issue #2112 with Corenlp
  • new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL
  • Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

... (truncated)

Commits
  • ad9c96b Update copyright year
  • 7edcddf Updates for 3.9.4 release
  • 67a2736 Merge pull request #3180 from yzhaoinuw/bug-on-edit_distance_align
  • 2b17ac5 Fix edit_distance_align backtrace for high substitution costs
  • 4b72976 Merge pull request #3018 from JuanIMartinezB/bug/shortid-longid
  • 8a5619f Merge pull request #3222 from Syzygy2048/feature/texttiling-vocabulary-introd...
  • c6574d7 Merge pull request #3289 from ihitamandal/codeflash/optimize-windowdiff-2024-...
  • 98ff5d9 Merge pull request #3435 from Hrudhai01/fix-3260-detokenize-quotes
  • aec4fce Merge pull request #3522 from ekaf/pathsec
  • eec4ee3 Merge pull request #3526 from nltk/update-contributing
  • Additional commits viewable in compare view

Updates pytest from 7.4.3 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

  • #12444: Fixed pytest.approx which now correctly takes into account collections.abc.Mapping keys order to compare them.

  • #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

    Previously this resulted in an internal assertion failure during plugin loading.

    Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

  • #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

  • #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

  • #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

  • #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
  • #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in "Accessing captured output from a test function".
  • #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
  • #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

  • #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

    -- by aleguy02

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

  • #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

    You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

    Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

  • #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

  • #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

... (truncated)

Commits

Updates brotli from 1.1.0 to 1.2.0

Release notes

Sourced from brotli's releases.

v1.2.0

SECURITY

  • python: added Decompressor::can_accept_more_data method and optional output_buffer_limit argument Decompressor::process; that allows mitigation of unexpectedly large output; reported by Charles Chan (https://github.com/charleswhchan)

Added

  • decoder / encoder: added static initialization to reduce binary size
  • python: allow limiting decoder output (see SECURITY section)
  • CLI: brcat alias; allow decoding concatenated brotli streams
  • kt: pure Kotlin decoder
  • cgo: support "raw" dictionaries
  • build: Bazel modules

Removed

  • java: dropped finalize() for native entities

Fixed

  • java: in compress pass correct length to native encoder

Improved

  • build: install man pages
  • build: updated / fixed / refined Bazel buildfiles
  • encoder: faster encoding
  • cgo: link via pkg-config
  • python: modernize extension / allow multi-phase module initialization

Changed

  • decoder / encoder: static tables use "small" model (allows 2GiB+ binaries)

v1.2.0 RC2

What's Changed (compared to RC1)

v1.2.0 RC1

IMPORTANT: though this is a pre-release for v1.2.0, it is expected that some changes will be added before release; most notably concerning build files: patches applied by Alpine, Debian, Conan, VCPKG will be partially/fully integrated.

SECURITY

  • python: added Decompressor::can_accept_more_data method and optional

Description has been truncated

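The brotli SECURITY entry above describes letting the caller bound decoder output so a small compressed payload cannot expand without limit. The following is an added illustration of that defensive pattern, not brotli's own code: it uses the standard library's `zlib.decompressobj().decompress(data, max_length)` as a stand-in for brotli 1.2.0's `output_buffer_limit`, and the compressed inputs are constructed in the block.

```python
import zlib

# Constructed sample inputs (not from the page): a 10 MiB run of zeros
# compresses to a few KiB, the classic shape of a decompression bomb.
BOMB = zlib.compress(b"\x00" * (10 * 1024 * 1024))
SMALL = zlib.compress(b"hello, bounded world")


class OutputLimitExceeded(ValueError):
    """Decompressed output would exceed the caller's cap."""


def decompress_bounded(data: bytes, limit: int) -> bytes:
    """Inflate `data`, producing at most `limit` bytes of output.

    Stand-in for the pattern brotli 1.2.0 exposes through the
    output_buffer_limit argument: the decoder is asked for at most
    limit + 1 bytes; getting limit + 1 bytes back proves the stream
    expands past the cap, so it is rejected before the rest is inflated.
    """
    d = zlib.decompressobj()
    out = d.decompress(data, limit + 1)
    if len(out) > limit:
        # Remaining compressed input stays in d.unconsumed_tail; we never
        # let it inflate into memory.
        raise OutputLimitExceeded(
            f"output exceeds {limit} bytes; "
            f"{len(d.unconsumed_tail)} compressed bytes left unprocessed"
        )
    if not d.eof:
        # Output fit the cap but the stream did not end cleanly.
        raise ValueError("truncated or malformed compressed stream")
    return out


def accepts(data: bytes, limit: int) -> bool:
    """True if `data` inflates to at most `limit` bytes and is well formed."""
    try:
        decompress_bounded(data, limit)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(len(BOMB), "compressed bytes, 1 MiB cap ->", accepts(BOMB, 1 << 20))
    print(len(SMALL), "compressed bytes, 1 KiB cap ->", accepts(SMALL, 1024))
```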
Bumps the uv group with 15 updates in the /backend directory:

| Package | From | To |
| --- | --- | --- |
| [requests](https://github.com/psf/requests) | `2.32.4` | `2.33.0` |
| [urllib3](https://github.com/urllib3/urllib3) | `2.5.0` | `2.6.3` |
| [lxml](https://github.com/lxml/lxml) | `6.0.0` | `6.1.0` |
| [wagtail](https://github.com/wagtail/wagtail) | `7.1.2` | `7.2.3` |
| [cryptography](https://github.com/pyca/cryptography) | `44.0.0` | `46.0.7` |
| [pypdf](https://github.com/py-pdf/pypdf) | `5.1.0` | `6.10.2` |
| [nltk](https://github.com/nltk/nltk) | `3.9.2` | `3.9.4` |
| [pytest](https://github.com/pytest-dev/pytest) | `7.4.3` | `9.0.3` |
| [brotli](https://github.com/google/brotli) | `1.1.0` | `1.2.0` |
| [fonttools](https://github.com/fonttools/fonttools) | `4.55.3` | `4.60.2` |
| [h11](https://github.com/python-hyper/h11) | `0.14.0` | `0.16.0` |
| [protobuf](https://github.com/protocolbuffers/protobuf) | `5.29.0` | `5.29.6` |
| [pyasn1](https://github.com/pyasn1/pyasn1) | `0.6.1` | `0.6.3` |
| [python-dotenv](https://github.com/theskumar/python-dotenv) | `1.0.1` | `1.2.2` |
| [sqlparse](https://github.com/andialbrecht/sqlparse) | `0.5.2` | `0.5.4` |



Updates `requests` from 2.32.4 to 2.33.0
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.4...v2.33.0)

Updates `urllib3` from 2.5.0 to 2.6.3
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.5.0...2.6.3)

Updates `lxml` from 6.0.0 to 6.1.0
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-6.0.0...lxml-6.1.0)

Updates `wagtail` from 7.1.2 to 7.2.3
- [Release notes](https://github.com/wagtail/wagtail/releases)
- [Changelog](https://github.com/wagtail/wagtail/blob/main/CHANGELOG.txt)
- [Commits](wagtail/wagtail@v7.1.2...v7.2.3)

Updates `cryptography` from 44.0.0 to 46.0.7
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@44.0.0...46.0.7)

Updates `pypdf` from 5.1.0 to 6.10.2
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](py-pdf/pypdf@5.1.0...6.10.2)

Updates `nltk` from 3.9.2 to 3.9.4
- [Changelog](https://github.com/nltk/nltk/blob/develop/ChangeLog)
- [Commits](nltk/nltk@3.9.2...3.9.4)

Updates `pytest` from 7.4.3 to 9.0.3
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@7.4.3...9.0.3)

Updates `brotli` from 1.1.0 to 1.2.0
- [Release notes](https://github.com/google/brotli/releases)
- [Changelog](https://github.com/google/brotli/blob/master/CHANGELOG.md)
- [Commits](google/brotli@go/cbrotli/v1.1.0...v1.2.0)

Updates `fonttools` from 4.55.3 to 4.60.2
- [Release notes](https://github.com/fonttools/fonttools/releases)
- [Changelog](https://github.com/fonttools/fonttools/blob/main/NEWS.rst)
- [Commits](fonttools/fonttools@4.55.3...4.60.2)

Updates `h11` from 0.14.0 to 0.16.0
- [Commits](python-hyper/h11@v0.14.0...v0.16.0)

Updates `protobuf` from 5.29.0 to 5.29.6
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)

Updates `pyasn1` from 0.6.1 to 0.6.3
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](pyasn1/pyasn1@v0.6.1...v0.6.3)

Updates `python-dotenv` from 1.0.1 to 1.2.2
- [Release notes](https://github.com/theskumar/python-dotenv/releases)
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md)
- [Commits](theskumar/python-dotenv@v1.0.1...v1.2.2)

Updates `sqlparse` from 0.5.2 to 0.5.4
- [Changelog](https://github.com/andialbrecht/sqlparse/blob/master/CHANGELOG)
- [Commits](andialbrecht/sqlparse@0.5.2...0.5.4)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: urllib3
  dependency-version: 2.6.3
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: lxml
  dependency-version: 6.1.0
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: wagtail
  dependency-version: 7.2.3
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: cryptography
  dependency-version: 46.0.7
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: pypdf
  dependency-version: 6.10.2
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: nltk
  dependency-version: 3.9.4
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:development
  dependency-group: uv
- dependency-name: brotli
  dependency-version: 1.2.0
  dependency-type: indirect
  dependency-group: uv
- dependency-name: fonttools
  dependency-version: 4.60.2
  dependency-type: indirect
  dependency-group: uv
- dependency-name: h11
  dependency-version: 0.16.0
  dependency-type: indirect
  dependency-group: uv
- dependency-name: protobuf
  dependency-version: 5.29.6
  dependency-type: indirect
  dependency-group: uv
- dependency-name: pyasn1
  dependency-version: 0.6.3
  dependency-type: indirect
  dependency-group: uv
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: indirect
  dependency-group: uv
- dependency-name: sqlparse
  dependency-version: 0.5.4
  dependency-type: indirect
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies and python:uv labels May 4, 2026
vercel Bot commented May 4, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| pycon | Ready | Preview | May 4, 2026 10:54pm |

marcoacierno merged commit 983ffa1 into main May 5, 2026
13 of 15 checks passed
marcoacierno deleted the dependabot/uv/backend/uv-52f323a382 branch May 5, 2026 22:21