Skip to content

Update Python Dependencies#347

Open
red-hat-konflux[bot] wants to merge 1 commit into
release-1.3from
konflux/mintmaker/release-1.3/python-deps
Open

Update Python Dependencies#347
red-hat-konflux[bot] wants to merge 1 commit into
release-1.3from
konflux/mintmaker/release-1.3/python-deps

Conversation

@red-hat-konflux

@red-hat-konflux red-hat-konflux Bot commented May 21, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Update Change
ast-serialize minor ==0.5.0==0.6.0
calver minor ==2025.4.17==2025.10.20
certifi minor ==2026.2.25==2026.6.17
charset-normalizer (changelog) patch ==3.4.4==3.4.9
cython (source) patch ==3.2.4==3.2.8
google-auth (source) minor ==2.47.0==2.55.2
hatchling (source, changelog) minor ==1.29.0==1.31.0
idna (changelog) minor ==3.10==3.18
librt minor ==0.11.0==0.13.0
mypy (changelog) minor ==2.1.0==2.2.0
packaging minor ==26.0==26.2
poetry-core patch ==2.4.0==2.4.1
pyjwt minor ==2.12.1==2.13.0
pyyaml (source) patch ==6.0.2==6.0.3
requests (changelog) minor ==2.32.5==2.34.2
setuptools-scm minor ==10.0.5==10.2.0
trove-classifiers minor ==2026.5.20.19==2026.6.1.19
types-psutil (changelog) patch ==7.2.1.20251231==7.2.2.20260518
typing-extensions (changelog) minor ==4.15.0==4.16.0
urllib3 (changelog) minor ==2.6.3==2.7.0

Release Notes

mypyc/ast_serialize (ast-serialize)

v0.6.0

Compare Source

di/calver (calver)

v2025.10.20

Compare Source

What's Changed

  • Fix DeprecationWarning for datetime.datetime.utcnow() by @​di in #​27

Full Changelog: di/calver@2025.04.17...2025.10.20

certifi/python-certifi (certifi)

v2026.6.17

Compare Source

v2026.5.20

Compare Source

v2026.4.22

Compare Source

jawah/charset_normalizer (charset-normalizer)

v3.4.9

Compare Source

Fixed
  • Regression in our fallback path leading to a decode error. (#​771)
    We've yanked 3.4.8 as a result of that bug.

v3.4.8

Compare Source

Fixed
  • Wall import time due to cascade codec imports for our multibyte first sort of iana supported codecs (#​742)
  • Unnecessary json import at runtime (#​753)
  • Inverse capitalization not seen by noise detector (#​731)
Changed
  • No longer holding a global cache for our noise / coherence measurements. Relax RSS memory usage.
  • Micro-optimizations in our noise / coherence measurements.
  • No longer using regex search by default for our preemptive charset mark algorithm.
  • Raised upperbound of setuptools to v83.
  • Raised upperbound of mypy(c) to v2.1.
Removed
  • Redundant UTF7 BOM marker (#​730)

v3.4.7

Compare Source

Changed
  • Pre-built optimized version using mypy[c] v1.20.
  • Relax setuptools constraint to setuptools>=68,<82.1.
Fixed
  • Correctly remove SIG remnant in utf-7 decoded string. (#​718) (#​716)

v3.4.6

Compare Source

Changed
  • Flattened the logic in charset_normalizer.md for higher performance. Removed eligible(..) and feed(...)
    in favor of feed_info(...).
  • Raised upper bound for mypy[c] to 1.20, for our optimized version.
  • Updated UNICODE_RANGES_COMBINED using Unicode blocks v17.
Fixed
  • Edge case where noise difference between two candidates can be almost insignificant. (#​672)
  • CLI --normalize writing to wrong path when passing multiple files in. (#​702)
Misc
  • Freethreaded pre-built wheels now shipped in PyPI starting with 3.14t. (#​616)

v3.4.5

Compare Source

Changed
  • Update setuptools constraint to setuptools>=68,<=82.
  • Raised upper bound of mypyc for the optional pre-built extension to v1.19.1
Fixed
  • Add explicit link to lib math in our optimized build. (#​692)
  • Logger level not restored correctly for empty byte sequences. (#​701)
  • TypeError when passing bytearray to from_bytes. (#​703)
Misc
  • Applied safe micro-optimizations in both our noise detector and language detector.
  • Rewrote the query_yes_no function (inside CLI) to avoid using ambiguous licensed code.
  • Added cd.py submodule into mypyc optional compilation to reduce further the performance impact.
cython/cython (cython)

v3.2.8

Compare Source

==================

Bugs fixed

  • Assigning a Python 3.14+ .__annotate__ function to a Cython compiled function no longer
    evaluates annotations eagerly. Fixes a regression with @functools.wraps() in Cython 3.2.6.
    Patch by Jelle Zijlstra. (Github issue :issue:7767)

  • In freethreading Python, the necessary object keep-alive while executing user code in
    .__dealloc__() uses a safer scheme.
    Patch by Yaxing Cai. (Github issue :issue:7769)

  • The local function state used by sys.monitoring read from uninitialised memory.
    (Github issue :issue:7774)

  • The .ag_running flag attribute of async generators was always false on big-endian systems.

v3.2.6

Compare Source

==================

Bugs fixed

  • @functools.wraps() was broken in Py3.14+ for Cython compiled functions.
    (Github issue :issue:7675)

  • A double-free in the t-string code was fixed.
    (Github issue :issue:7712)

  • The - operator declarations for iterators in libcpp.vector we corrected.
    Patch by Vadim Markovtsev. (Github issue :issue:7717)

  • The shared utility code module no longer uses a temporary file path that
    changed the C code on each generation.
    (Github issue :issue:7723)

  • On 32 bit platforms, cached constants are no longer made immortal during module import.
    (Github issue :issue:7744)

Other changes

  • Binary wheels are now built with -DNDEBUG to discard runtime assertions from CPython's
    inline functions.

v3.2.5

Compare Source

==================

Bugs fixed

  • A compile failure was fixed when using the walrus operator inside of try-except.
    (Github issue :issue:7462)

  • Expressions with side-effects as object argument to isinstance() could get
    evaluated multiple times, e.g. when they use the walrus operator.
    (Github issue :issue:7670)

  • Several problems generating the shared utility module were resolved, including
    a performance regression with memory views.
    (Github issues :issue:7487, :issue:7497, :issue:7504, :issue:7558)

  • Some GC and refcounting issues were resolved for Cython functions in the Limited API.
    (Github issue :issue:7594)

  • Refcounting errors and error handling issues were resolved in some rare error handling cases.
    (Github issues :issue:7597, :issue:7599, :issue:7612, :issue:7673)

  • Using cython.pymutex in an extension type with cdef methods generated
    invalid C code missing the required PyMutex declarations.
    (Github issue :issue:6995)

  • Calling .get_frame() on Cython coroutines could crash in freethreading Python.
    (Github issue :issue:7632)

  • The vectorcall protocol was not used correctly in .throw() of Cython coroutines
    when raising the exception only by type (without value or traceback).
    (Github issue :issue:7677)

  • A problem with cpdef enums in the Limited API of Python 3.11+ was resolved.
    (Github issue :issue:7503)

  • Unicode predicates like .isdigit() are now allowed to fail in the Limited API.
    (Github issue :issue:7602)

  • Conditional expressions mixing Python float and int object types could accidentally
    infer float as the common result type, instead of treating both independently.

  • Using sizeof() in the size declarations of extern arrays failed.
    (Github issue :issue:7451)

  • Enabling profiling generated invalid C code for non-Python return tuples.
    (Github issue :issue:7580)

  • abs() on C long long values could generate invalid C code.

  • When the CYTHON_AVOID_BORROWED_REFS C macro is enabled, e.g. in GraalPython,
    dict iteration could fail to compile.
    Patch by Michael Šimáček. (Github issue :issue:7631)

  • A C compiler warning about unused functions was resolved.
    (Github issue :issue:7560)

  • The py_safe_call_once() C++ mutex helper function in libcpp.mutex
    failed to compile.
    (Github issue :issue:7585)

  • The cpython.array declarations were adapted for Python 3.15. Direct access
    to the C struct of the array.array data type might require user code changes.
    (Github issue :issue:7659)

  • Spaces in file paths written to the depfile were not escaped.
    Patch by Loïc Estève. (Github issue :issue:7423)

  • Cython's cache failed to restore multi-file results.
    (Github issue :issue:7559)

  • Using Tempita from its command line failed with a name error.
    (Github issue :issue:7567)

Other changes

  • The known builtin types were updated for Py3.15.
googleapis/google-cloud-python (google-auth)

v2.55.2: google-auth: v2.55.2

Compare Source

Bug Fixes
  • auth: Agentic Identites mTLS gaps fix _is_mtls and SslCredentials. (#​17387) (7bfa41a)
  • auth: align mTLS discovery and enforce fail-fast transport configuration. (#​17470) (f492d3d)
  • auth: handle PermissionError on workload certificates to avoid startup hang and crash (#​17568) (f538ad8)

v2.55.1: google-auth: v2.55.1

Compare Source

Bug Fixes

v2.55.0: google-auth: v2.55.0

Compare Source

Features
Bug Fixes

v2.54.0: google-auth: v2.54.0

Compare Source

Features
  • implement regional access boundary support for standalone JWT and async service accounts (#​17025) (35af6168)
Bug Fixes

v2.53.0: google-auth: v2.53.0

Compare Source

Bug Fixes
  • allowlist agents-nonprod trust domains for agent identity (#​17155) (44c93d2e)

  • fail-fast on invalid or non-workload certificate configs in agent identity discovery (#​17116) (f27a5461)

v2.52.0: google-auth: v2.52.0

Compare Source

Features
  • implement in-place Regional Access Boundary configuration and add public RAB getters (#​16987) (df07fceb)

  • make _CLOUD_RESOURCE_MANAGER URL universe-domain-aware (#​16546) (e938028b)

v2.51.0: google-auth: v2.51.0

Compare Source

Bug Fixes

v2.50.0: google-auth: v2.50.0

Compare Source

v2.50.0 (2026-04-30)

v2.49.2: google-auth: v2.49.2

Compare Source

Bug Fixes

v2.49.1: google-auth: v2.49.1

Compare Source

Bug Fixes

v2.49.0: google-auth: v2.49.0

Compare Source

Features
  • Add helper methods for asynchronous x.509 certificate discovery (#​1956) (3368f27c)

  • Support timeout as aiohttp.ClientTimeout and total_attempts (max retries) in AsyncAuthorizedSession (#​1961) (4d818b93)

  • mTLS configuration via x.509 for asynchronous session in google-auth (#​1959) (7b70fead)

  • support an alternative env to decide if mtls should be enabled (#​1945) (89fc6f2e)

Bug Fixes
  • gracefully fallback if workload fields are missing from cert config (#​16022) (3ed2d680)
pypa/hatch (hatchling)

v1.31.0: Hatchling v1.31.0

Compare Source

Fixed

  • Only rewrite the shebang of a shared script when a Python shebang is present on the first line, preserving binary files and other content verbatim instead of dropping leading bytes.

v1.30.1: Hatchling v1.30.1

Compare Source

Fixed

  • Default core metadata version kept at 2.4 until more tools support 2.5

v1.30.0

Compare Source

kjd/idna (idna)

v3.18

Compare Source

  • When decoding a domain, add a display argument that will pass
    through invalid labels rather than raising an exception.

v3.17

Compare Source

  • Substantial 75% reduction in memory usage through new data
    structures and some optimization in processing speed.
  • Added a general 1024-character input length cap to the public
    validation, conversion, and codec entry points. This is well above
    any legitimate domain or label and guards against pathological
    inputs.

v3.16

Compare Source

  • Add a command-line interface (python -m idna, also available as
    the idna script). Encodes or decodes one or more domains supplied
    as arguments or on standard input, with options to select A-label
    or U-label output and control error handling.
  • Raise the minimum supported Python version to 3.9
  • Various code quality improvements

v3.15

Compare Source

  • Enforce DNS-length cap on individual labels early in check_label,
    short-circuiting contextual-rule processing for oversized input
    while staying compatible with UTS 46 usage.
  • Tidy core helpers: hoist bidi category sets to module-level
    frozensets (avoiding per-codepoint list construction), simplify
    length checks, and reuse the shared _unicode_dots_re from
    idna.core in the codec module.
  • Use raise ... from err for proper exception chaining and
    switch internal string formatting to f-strings.
  • Allow flit_core 4.x in the build backend.
  • Expand the ruff lint set (flake8-bugbear, flake8-simplify,
    pyupgrade, perflint) and apply the surfaced fixes; pin lint CI
    to Python 3.14.
  • Add Dependabot configuration for GitHub Actions.
  • Convert README and HISTORY from reStructuredText to Markdown.
  • Reference CVE-2026-45409 for the 3.14 advisory in place of the
    initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for
contributions to this release.

v3.14

Compare Source

  • Removed opportunity to process long inputs into quadratic
    time by rejecting oversize inputs up-front. Closes a bypass
    of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

v3.13

Compare Source

  • Correct classification error for codepoint U+A7F1

v3.12

Compare Source

  • Update to Unicode 17.0.0.
  • Issue a deprecation warning for the transitional argument.
  • Added lazy-loading to provide some performance improvements.
  • Removed vestiges of code related to Python 2 support, including
    segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

v3.11

Compare Source

  • Update to Unicode 16.0.0, including significant changes to UTS46
    processing. As a result of Unicode ending support for it, transitional
    processing no longer has an effect and returns the same result.
  • Add support for Python 3.14, lowest supported version is Python 3.8.
  • Various updates to packaging, including PEP 740 support.
mypyc/librt (librt)

v0.13.0

Compare Source

v0.12.0

Compare Source

python/mypy (mypy)

v2.2.0

Compare Source

pypa/packaging (packaging)

v26.2

Compare Source

What's Changed

Fixes:

Documentation:

Internal:

New Contributors

Full Changelog: pypa/packaging@26.1...26.2

v26.1

Compare Source

Features:

Behavior adaptations:

Pylock (PEP 751) updates:

Fixes:

Performance:

Internal:

Documentation:

Benchmarks

Performance improvements since 26.0, from the new integrated benchmark suite:

uv run asv run 26.0..HEAD
Screenshot 2026-04-13 at 11 32 14 PM Screenshot 2026-04-13 at 11 32 43 PM

New Contributors

Full Changelog: pypa/packaging@26.0...26.1

python-poetry/poetry-core (poetry-core)

v2.4.1

Compare Source

Fixed
  • Fix an issue where certain marker operations (mostly used with extra markers) resulted in wrong markers (#​943).
jpadilla/pyjwt (pyjwt)

v2.13.0

Compare Source

yaml/pyyaml (pyyaml)

v6.0.3

Compare Source

What's Changed

  • Support for Python 3.14 and free-threading (experimental).

Full Changelog: yaml/pyyaml@6.0.2...6.0.3

psf/requests (requests)

v2.34.2

Compare Source

  • Moved headers input type back to Mapping to avoid invariance issues
    with MutableMapping and inferred dict types. Users calling
    Request.headers.update() may need to narrow typing in their code. (#​7441)

v2.34.1

Compare Source

Bugfixes

  • Widened json input type from dict and list to Mapping
    and Sequence. (#​7436)
  • Changed headers input type to MutableMapping and removed None from
    Request.headers typing to improve handling for users. (#​7431)
  • Response.reason moved from str | None to str to improve handling
    for users. (#​7437)
  • Fixed a bug where some bodies with custom __getattr__ implementations
    weren't being properly detected as Iterables. (#​7433)

v2.34.0

Compare Source

Announcements

  • Requests 2.34.0 introduces inline types, replacing those provided by
    typeshed. Public API types should be fully compatible with mypy, pyright,
    and ty. We believe types are comprehensive but if you find issues, please
    report them to the pinned tracking issue.

    Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for
    helping review and test the types ahead of the release. (#​7272)

Improvements

  • Digest Auth hashing algorithms have added usedforsecurity=False to clarify
    security considerations. (#​7310)
  • Requests added support for Python 3.15 based on beta1. Downstream projects
    should be able to start testing prior to its release in October. (#​7422)
  • Requests added support for Python 3.14t. (#​7419)

Bugfixes

  • Response.history no longer contains a reference to itself, preventing
    accidental looping when traversing the history list. (#​7328)
  • Requests no longer performs greedy matching on no_proxy domains. The
    proxy_bypass implementation has been updated with CPython's fix from
    bpo-39057. (#​7427)
  • Requests no longer incorrectly strips duplicate leading slashes in
    URI paths. This should address user issues with specific presigned
    URLs. Note the full fix requires urllib3 2.7.0+. (#​7315)

v2.33.1

Compare Source

Bugfixes

  • Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary
    files in the tmp directory. (#​7305)
  • Fixed Content-Type header parsing for malformed values. (#​7309)
  • Improved error consistency for malformed header values. (#​7308)

v2.33.0

Compare Source

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that
    uses Requests, please take a look at #​7271. Give it a try, and report
    any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts
    contents to a non-deterministic location to prevent malicious file
    replacement. This does not affect default usage of Requests, only
    applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#​7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause
    malformed authentication to be applied to Requests on
    Python 3.11+. (#​7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#​7196)

Documentation

  • Various typo fixes and doc improvements.
pypa/setuptools-scm (setuptools-scm)

v10.2.0: setuptools-scm v10.2.0

Compare Source

Added
  • Restore Python 3.8 and 3.9 support, re-enabling use as a build dependency for projects like scikit-build that still support these versions. (#​1445)
Miscellaneous
  • Move PKG-INFO discovery tests from vcs-versioning to setuptools-scm where the entry points are registered. (#​1446)

v10.1.2: setuptools-scm v10.1.2

Compare Source

Fixed
  • Fix DeprecationWarning leak by threading VcsEnvironment through VersionInferenceConfig and using env.make_reader() in _should_write_to_source. (#​1424)

v10.1.1: setuptools-scm v10.1.1

Compare Source

Fixed
  • Update CI to use PyPy 3.11 as cryptography has no PyPy 3.10 build available (#​1421)
pypa/trove-classifiers (trove-classifiers)

v2026.6.1.19

Compare Source

v2026.5.22.10

Compare Source

python/typing_extensions (typing-extensions)

v4.16.0

Compare Source

No user-facing changes since 4.16.0rc2.

urllib3/urllib3 (urllib3)

v2.7.0

Compare Source

=======================

Security

Addressed high-severity security issues.
Impact was limited to specific use cases detailed in the accompanying
advisories; overall user exposure was estimated to be marginal.

  • Decompression-bomb safeguards of the streaming API were bypassed:

    1. When HTTPResponse.drain_conn() was called after the response had been
      read and decompressed partially.
    2. During the second HTTPResponse.read(amt=N) or
      HTTPResponse.stream(amt=N) call when the response was decompressed
      using the official Brotli <https://pypi.org/project/brotli/>__ library.

    See GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__
    for details.

  • HTTP pools created using ProxyManager.connection_from_url did not strip
    sensitive headers specified in Retry.remove_headers_on_redirect when
    redirecting to a different host.
    (GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>__)

Deprecations and Removals

  • Used FutureWarning instead of DeprecationWarning for better
    visibility of existing deprecation notices. Rescheduled the removal of
    deprecated features to version 3.0.
    (#&#8203;3763 <https://github.com/urllib3/urllib3/issues/3763>__)

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.3/python-deps branch from 8826c69 to d25c25f Compare May 21, 2026 22:36
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update python dependencies Update Python Dependencies May 21, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.3/python-deps branch 6 times, most recently from 5ef6cf6 to 4286388 Compare May 28, 2026 15:50
@red-hat-konflux red-hat-konflux Bot changed the title Update Python Dependencies chore(deps): update python dependencies May 29, 2026
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update python dependencies Update Python Dependencies May 29, 2026
@red-hat-konflux red-hat-konflux Bot changed the title Update Python Dependencies chore(deps): update python dependencies Jun 1, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.3/python-deps branch from 4286388 to 77a5936 Compare June 1, 2026 22:42
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update python dependencies Update Python Dependencies Jun 1, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.3/python-deps branch 3 times, most recently from 0778fdd to 4adfc7c Compare June 4, 2026 11:11
@red-hat-konflux red-hat-konflux Bot changed the title Update Python Dependencies chore(deps): update python dependencies Jun 4, 2026
@red-hat-konflux red-hat-konflux Bot changed the title chore(deps): update python dependencies Update Python Dependencies Jun 4, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.3/python-deps branch 3 times, most recently from 8cb84ec to 7f985be Compare June 20, 2026 12:18
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.3/python-deps branch 5 times, most recently from 191f50c to 197f212 Compare June 29, 2026 01:02
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.3/python-deps branch 3 times, most recently from 7b7de72 to b486940 Compare July 3, 2026 20:50
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.3/python-deps branch 7 times, most recently from cf103d8 to 274da59 Compare July 10, 2026 21:31
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.3/python-deps branch 2 times, most recently from 5e65f5a to 3ca9ef0 Compare July 11, 2026 06:12
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/release-1.3/python-deps branch from 3ca9ef0 to 95a0802 Compare July 11, 2026 13:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants