Update Python Dependencies#347
Open
red-hat-konflux[bot] wants to merge 1 commit into
Open
Conversation
8826c69 to
d25c25f
Compare
5ef6cf6 to
4286388
Compare
4286388 to
77a5936
Compare
0778fdd to
4adfc7c
Compare
8cb84ec to
7f985be
Compare
191f50c to
197f212
Compare
7b7de72 to
b486940
Compare
cf103d8 to
274da59
Compare
5e65f5a to
3ca9ef0
Compare
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
3ca9ef0 to
95a0802
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==0.5.0→==0.6.0==2025.4.17→==2025.10.20==2026.2.25→==2026.6.17==3.4.4→==3.4.9==3.2.4→==3.2.8==2.47.0→==2.55.2==1.29.0→==1.31.0==3.10→==3.18==0.11.0→==0.13.0==2.1.0→==2.2.0==26.0→==26.2==2.4.0→==2.4.1==2.12.1→==2.13.0==6.0.2→==6.0.3==2.32.5→==2.34.2==10.0.5→==10.2.0==2026.5.20.19→==2026.6.1.19==7.2.1.20251231→==7.2.2.20260518==4.15.0→==4.16.0==2.6.3→==2.7.0Release Notes
mypyc/ast_serialize (ast-serialize)
v0.6.0Compare Source
di/calver (calver)
v2025.10.20Compare Source
What's Changed
DeprecationWarningfordatetime.datetime.utcnow()by @di in #27Full Changelog: di/calver@2025.04.17...2025.10.20
certifi/python-certifi (certifi)
v2026.6.17Compare Source
v2026.5.20Compare Source
v2026.4.22Compare Source
jawah/charset_normalizer (charset-normalizer)
v3.4.9Compare Source
Fixed
We've yanked 3.4.8 as a result of that bug.
v3.4.8Compare Source
Fixed
Changed
Removed
v3.4.7Compare Source
Changed
setuptoolsconstraint tosetuptools>=68,<82.1.Fixed
v3.4.6Compare Source
Changed
charset_normalizer.mdfor higher performance. Removedeligible(..)andfeed(...)in favor of
feed_info(...).UNICODE_RANGES_COMBINEDusing Unicode blocks v17.Fixed
--normalizewriting to wrong path when passing multiple files in. (#702)Misc
v3.4.5Compare Source
Changed
setuptoolsconstraint tosetuptools>=68,<=82.Fixed
Misc
query_yes_nofunction (inside CLI) to avoid using ambiguous licensed code.cd.pysubmodule into mypyc optional compilation to reduce further the performance impact.cython/cython (cython)
v3.2.8Compare Source
==================
Bugs fixed
Assigning a Python 3.14+
.__annotate__function to a Cython compiled function no longerevaluates annotations eagerly. Fixes a regression with
@functools.wraps()in Cython 3.2.6.Patch by Jelle Zijlstra. (Github issue :issue:
7767)In freethreading Python, the necessary object keep-alive while executing user code in
.__dealloc__()uses a safer scheme.Patch by Yaxing Cai. (Github issue :issue:
7769)The local function state used by
sys.monitoringread from uninitialised memory.(Github issue :issue:
7774)The
.ag_runningflag attribute of async generators was always false on big-endian systems.v3.2.6Compare Source
==================
Bugs fixed
@functools.wraps()was broken in Py3.14+ for Cython compiled functions.(Github issue :issue:
7675)A double-free in the t-string code was fixed.
(Github issue :issue:
7712)The
-operator declarations for iterators inlibcpp.vectorwe corrected.Patch by Vadim Markovtsev. (Github issue :issue:
7717)The shared utility code module no longer uses a temporary file path that
changed the C code on each generation.
(Github issue :issue:
7723)On 32 bit platforms, cached constants are no longer made immortal during module import.
(Github issue :issue:
7744)Other changes
-DNDEBUGto discard runtime assertions from CPython'sinline functions.
v3.2.5Compare Source
==================
Bugs fixed
A compile failure was fixed when using the walrus operator inside of try-except.
(Github issue :issue:
7462)Expressions with side-effects as object argument to
isinstance()could getevaluated multiple times, e.g. when they use the walrus operator.
(Github issue :issue:
7670)Several problems generating the shared utility module were resolved, including
a performance regression with memory views.
(Github issues :issue:
7487, :issue:7497, :issue:7504, :issue:7558)Some GC and refcounting issues were resolved for Cython functions in the Limited API.
(Github issue :issue:
7594)Refcounting errors and error handling issues were resolved in some rare error handling cases.
(Github issues :issue:
7597, :issue:7599, :issue:7612, :issue:7673)Using
cython.pymutexin an extension type withcdefmethods generatedinvalid C code missing the required
PyMutexdeclarations.(Github issue :issue:
6995)Calling
.get_frame()on Cython coroutines could crash in freethreading Python.(Github issue :issue:
7632)The vectorcall protocol was not used correctly in
.throw()of Cython coroutineswhen raising the exception only by type (without value or traceback).
(Github issue :issue:
7677)A problem with cpdef enums in the Limited API of Python 3.11+ was resolved.
(Github issue :issue:
7503)Unicode predicates like
.isdigit()are now allowed to fail in the Limited API.(Github issue :issue:
7602)Conditional expressions mixing Python float and int object types could accidentally
infer float as the common result type, instead of treating both independently.
Using
sizeof()in the size declarations ofexternarrays failed.(Github issue :issue:
7451)Enabling profiling generated invalid C code for non-Python return tuples.
(Github issue :issue:
7580)abs()on Clong longvalues could generate invalid C code.When the
CYTHON_AVOID_BORROWED_REFSC macro is enabled, e.g. in GraalPython,dict iteration could fail to compile.
Patch by Michael Šimáček. (Github issue :issue:
7631)A C compiler warning about unused functions was resolved.
(Github issue :issue:
7560)The
py_safe_call_once()C++ mutex helper function inlibcpp.mutexfailed to compile.
(Github issue :issue:
7585)The
cpython.arraydeclarations were adapted for Python 3.15. Direct accessto the C struct of the
array.arraydata type might require user code changes.(Github issue :issue:
7659)Spaces in file paths written to the
depfilewere not escaped.Patch by Loïc Estève. (Github issue :issue:
7423)Cython's cache failed to restore multi-file results.
(Github issue :issue:
7559)Using Tempita from its command line failed with a name error.
(Github issue :issue:
7567)Other changes
googleapis/google-cloud-python (google-auth)
v2.55.2: google-auth: v2.55.2Compare Source
Bug Fixes
v2.55.1: google-auth: v2.55.1Compare Source
Bug Fixes
v2.55.0: google-auth: v2.55.0Compare Source
Features
Bug Fixes
v2.54.0: google-auth: v2.54.0Compare Source
Features
Bug Fixes
configure mTLS for impersonated credentials (#17404) (57269d56)
fail-fast on missing ECP config file to avoid 30s hang (#17377) (e0961270)
Rename the 'seed' argument for setting an initial regional access boundary for clarity (#17186) (e5c8cf92)
update incorrect urls in setup.py to point at monorepo vs splitrepo (#17237) (eaed04ba)
v2.53.0: google-auth: v2.53.0Compare Source
Bug Fixes
allowlist agents-nonprod trust domains for agent identity (#17155) (44c93d2e)
fail-fast on invalid or non-workload certificate configs in agent identity discovery (#17116) (f27a5461)
v2.52.0: google-auth: v2.52.0Compare Source
Features
implement in-place Regional Access Boundary configuration and add public RAB getters (#16987) (df07fceb)
make _CLOUD_RESOURCE_MANAGER URL universe-domain-aware (#16546) (e938028b)
v2.51.0: google-auth: v2.51.0Compare Source
Bug Fixes
v2.50.0: google-auth: v2.50.0Compare Source
v2.50.0 (2026-04-30)
v2.49.2: google-auth: v2.49.2Compare Source
Bug Fixes
v2.49.1: google-auth: v2.49.1Compare Source
Bug Fixes
fix request session error (#16050) (bfd93225)
remove deprecated rsa dependency (#16020) (e8927b9c)
v2.49.0: google-auth: v2.49.0Compare Source
Features
Add helper methods for asynchronous x.509 certificate discovery (#1956) (3368f27c)
Support timeout as aiohttp.ClientTimeout and total_attempts (max retries) in AsyncAuthorizedSession (#1961) (4d818b93)
mTLS configuration via x.509 for asynchronous session in google-auth (#1959) (7b70fead)
support an alternative env to decide if mtls should be enabled (#1945) (89fc6f2e)
Bug Fixes
pypa/hatch (hatchling)
v1.31.0: Hatchling v1.31.0Compare Source
Fixed
v1.30.1: Hatchling v1.30.1Compare Source
Fixed
v1.30.0Compare Source
kjd/idna (idna)
v3.18Compare Source
displayargument that will passthrough invalid labels rather than raising an exception.
v3.17Compare Source
structures and some optimization in processing speed.
validation, conversion, and codec entry points. This is well above
any legitimate domain or label and guards against pathological
inputs.
v3.16Compare Source
python -m idna, also available asthe
idnascript). Encodes or decodes one or more domains suppliedas arguments or on standard input, with options to select A-label
or U-label output and control error handling.
v3.15Compare Source
check_label,short-circuiting contextual-rule processing for oversized input
while staying compatible with UTS 46 usage.
frozensets (avoiding per-codepoint list construction), simplify
length checks, and reuse the shared
_unicode_dots_refromidna.corein the codec module.raise ... from errfor proper exception chaining andswitch internal string formatting to f-strings.
flit_core4.x in the build backend.pyupgrade, perflint) and apply the surfaced fixes; pin lint CI
to Python 3.14.
initial GHSA identifier.
Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for
contributions to this release.
v3.14Compare Source
time by rejecting oversize inputs up-front. Closes a bypass
of the CVE-2024-3651 mitigation. [CVE-2026-45409]
Thanks to Stan Ulbrych for reporting the issue.
v3.13Compare Source
v3.12Compare Source
segmentation of data structures specific to Jython.
Thanks to Rodrigo Nogueira for contributions to this release.
v3.11Compare Source
processing. As a result of Unicode ending support for it, transitional
processing no longer has an effect and returns the same result.
mypyc/librt (librt)
v0.13.0Compare Source
v0.12.0Compare Source
python/mypy (mypy)
v2.2.0Compare Source
pypa/packaging (packaging)
v26.2Compare Source
What's Changed
Fixes:
Version,Specifier,SpecifierSet,Tag,Marker, andRequirementpickle-safeand backward-compatible with pickles created in 25.0-26.1 (including references to the removed
packaging._structuresmodule) by @eachimei and @henryiii in #1163, #1168, #1170, and #1171Documentation:
Internal:
New Contributors
Full Changelog: pypa/packaging@26.1...26.2
v26.1Compare Source
Features:
PEP 783: add handling for Emscripten wheel tags by @hoodmane in #804(old name used in implementation, will be fixed in next release)abi3.abi3tfree-threading tag by @ngoldbaum in #1099packaging.dependency_groupsmodule, based on thedependency-groupspackage by @sirosen in #1065packaging.direct_urlmodule by @sbidoul in #944packaging.errorsmodule by @henryiii in #1071SpecifierSet.is_unsatisfiableusing ranges (new internals that will be expanded in future versions) by @notatallshaw in #1119create_compatible_tags_selectorto select compatible tags by @sbidoul in #1110keyargument toSpecifierSet.filter()by @frostming in #1068&and|forMarker's by @henryiii in #1146Version.__replace__and addVersion.from_partsby @henryiii in #1078parse_wheel_filenameby @r266-tech in #1150Behavior adaptations:
<V.postNto match spec by @notatallshaw in #1140>Vto match spec by @notatallshaw in #1141format_full_versionto_format_full_versionto make it visibly private by @r266-tech in #1125Pylock (PEP 751) updates:
selectfunction by @sbidoul in #1092select()method andPylockSelectErrorby @r266-tech in #1153filenameproperty toPackageSdistandPackageWheel, more validation by @sbidoul in #1095Fixes:
>comparison for versions with dev+local segments by @veeceey in #1097InfinityTypeandNegativeInfinityTypeby @bysiber in #1093SpecifierSetby @notatallshaw in #1109keyparameter inSpecifierSet.filterwhen specifiers are empty and prerelease isFalseby @notatallshaw in #1096reproutput by @henryiii in #1090Specifier's===uses original string, not normalized, when available by @notatallshaw in #1124ValueErrorby @notatallshaw in #1155Performance:
VersiontoVersioncomparison by skipping_keyproperty by @notatallshaw in #1083Versionhash value in dedicated slot by @notatallshaw in #1118_cmpkeyto remove use of custom objects by @notatallshaw in #1116__replace__in Specifier comparison if not needed by @notatallshaw in #1081SpecifierSetusetupleinstead offrozensetfor_specsby @notatallshaw in #1108SpecifierSetfiltering by implementing cost-based ordering by @notatallshaw in #1105SpecifierSet.filterby @notatallshaw in #1076__slots__toMarkerby @henryiii in #1147Specifierregex by @sirosen in #1106Internal:
collections.namedtuplein tests by @henryiii in #1070dir()/ tab-completion in REPL by @henryiii in #1011__all__/__dir__by @henryiii in #1069SpecifierSet.prereleasesby @notatallshaw in #1073_compare_compatibleby @notatallshaw in #1100Specifier.prereleasesby @notatallshaw in #1074Specifier.prereleasesby @notatallshaw in #1072Documentation:
Version.from_parts()by @Jackenmen in #1134&and|operators for combiningMarkerobjects by @r266-tech in #1151Versiondocumentation by @henryiii in #1089Benchmarks
Performance improvements since 26.0, from the new integrated benchmark suite:
New Contributors
Full Changelog: pypa/packaging@26.0...26.1
python-poetry/poetry-core (poetry-core)
v2.4.1Compare Source
Fixed
jpadilla/pyjwt (pyjwt)
v2.13.0Compare Source
yaml/pyyaml (pyyaml)
v6.0.3Compare Source
What's Changed
Full Changelog: yaml/pyyaml@6.0.2...6.0.3
psf/requests (requests)
v2.34.2Compare Source
headersinput type back toMappingto avoid invariance issueswith
MutableMappingand inferred dict types. Users callingRequest.headers.update()may need to narrow typing in their code. (#7441)v2.34.1Compare Source
Bugfixes
jsoninput type fromdictandlisttoMappingand
Sequence. (#7436)headersinput type to MutableMapping and removedNonefromRequest.headerstyping to improve handling for users. (#7431)Response.reasonmoved fromstr | Nonetostrto improve handlingfor users. (#7437)
__getattr__implementationsweren't being properly detected as Iterables. (#7433)
v2.34.0Compare Source
Announcements
Requests 2.34.0 introduces inline types, replacing those provided by
typeshed. Public API types should be fully compatible with mypy, pyright,
and ty. We believe types are comprehensive but if you find issues, please
report them to the pinned tracking issue.
Special thanks to @bastimeyer, @cthoyt, @edgarrmondragon, and @srittau for
helping review and test the types ahead of the release. (#7272)
Improvements
usedforsecurity=Falseto clarifysecurity considerations. (#7310)
should be able to start testing prior to its release in October. (#7422)
Bugfixes
Response.historyno longer contains a reference to itself, preventingaccidental looping when traversing the history list. (#7328)
proxy_bypass implementation has been updated with CPython's fix from
bpo-39057. (#7427)
URI paths. This should address user issues with specific presigned
URLs. Note the full fix requires urllib3 2.7.0+. (#7315)
v2.33.1Compare Source
Bugfixes
files in the tmp directory. (#7305)
v2.33.0Compare Source
Announcements
uses Requests, please take a look at #7271. Give it a try, and report
any gaps or feedback you may have in the issue. 📣
Security
requests.utils.extract_zipped_pathsnow extractscontents to a non-deterministic location to prevent malicious file
replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.
Improvements
Bugfixes
malformed authentication to be applied to Requests on
Python 3.11+. (#7205)
Deprecations
Documentation
pypa/setuptools-scm (setuptools-scm)
v10.2.0: setuptools-scm v10.2.0Compare Source
Added
Miscellaneous
v10.1.2: setuptools-scm v10.1.2Compare Source
Fixed
v10.1.1: setuptools-scm v10.1.1Compare Source
Fixed
pypa/trove-classifiers (trove-classifiers)
v2026.6.1.19Compare Source
v2026.5.22.10Compare Source
python/typing_extensions (typing-extensions)
v4.16.0Compare Source
No user-facing changes since 4.16.0rc2.
urllib3/urllib3 (urllib3)
v2.7.0Compare Source
=======================
Security
Addressed high-severity security issues.
Impact was limited to specific use cases detailed in the accompanying
advisories; overall user exposure was estimated to be marginal.
Decompression-bomb safeguards of the streaming API were bypassed:
HTTPResponse.drain_conn()was called after the response had beenread and decompressed partially.
HTTPResponse.read(amt=N)orHTTPResponse.stream(amt=N)call when the response was decompressedusing the official
Brotli <https://pypi.org/project/brotli/>__ library.See
GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__for details.
HTTP pools created using
ProxyManager.connection_from_urldid not stripsensitive headers specified in
Retry.remove_headers_on_redirectwhenredirecting to a different host.
(
GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>__)Deprecations and Removals
FutureWarninginstead ofDeprecationWarningfor bettervisibility of existing deprecation notices. Rescheduled the removal of
deprecated features to version 3.0.
(
#​3763 <https://github.com/urllib3/urllib3/issues/3763>__)Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
To execute skipped test pipelines write comment
/ok-to-test.Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.