Skip to content

Bump the uv group across 1 directory with 5 updates#875

Merged
mgeier merged 1 commit into
masterfrom
dependabot/uv/uv-6afa0de4ed
Jul 14, 2026
Merged

Bump the uv group across 1 directory with 5 updates#875
mgeier merged 1 commit into
masterfrom
dependabot/uv/uv-6afa0de4ed

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor

Bumps the uv group with 4 updates in the / directory: idna, mistune, pillow and soupsieve.

Updates idna from 3.10 to 3.15

Changelog

Sourced from idna's changelog.

3.15 (2026-05-12)

  • Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.
  • Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.
  • Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.
  • Allow flit_core 4.x in the build backend.
  • Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.
  • Add Dependabot configuration for GitHub Actions.
  • Convert README and HISTORY from reStructuredText to Markdown.
  • Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

3.14 (2026-05-10)

  • Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

3.13 (2026-04-22)

  • Correct classification error for codepoint U+A7F1

3.12 (2026-04-21)

  • Update to Unicode 17.0.0.
  • Issue a deprecation warning for the transitional argument.
  • Added lazy-loading to provide some performance improvements.
  • Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

3.11 (2025-10-12)

  • Update to Unicode 16.0.0, including significant changes to UTS46 processing. As a result of Unicode ending support for it, transitional processing no longer has an effect and returns the same result.

... (truncated)

Commits
  • af30a09 Release 3.15
  • 30314d4 Pre-release 3.15rc0
  • 05d4b21 Merge pull request #237 from kjd/convert-docs-to-markdown
  • 2987fdb Convert README and HISTORY from reStructuredText to Markdown
  • 59fa800 Merge pull request #236 from kjd/dependabot/github_actions/actions-f3e34333ea
  • def6983 Merge branch 'master' into dependabot/github_actions/actions-f3e34333ea
  • bbd8004 Merge pull request #234 from StanFromIreland/patch-1
  • edd07c0 Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions group
  • 5557db0 Merge branch 'master' into patch-1
  • f11746c Merge pull request #235 from StanFromIreland/patch-2
  • Additional commits viewable in compare view

Updates mistune from 0.8.4 to 3.3.0

Release notes

Sourced from mistune's releases.

v3.3.0

   🐞 Bug Fixes

   🏎 Performance

    View changes on GitHub

v3.2.1

   🐞 Bug Fixes

    View changes on GitHub

v3.2.0

   🚀 Features

   🐞 Bug Fixes

... (truncated)

Changelog

Sourced from mistune's changelog.

Version 3.3.0

Released on Jun 21, 2026

  • Improve CommonMark compatibility and parser performance.
  • Add command line entrypoint with UTF-8 output.
  • Support display and backtick math.
  • Render plugin list and table nodes in Markdown renderer.
  • Escape leading block markers in Markdown renderer.
  • Fix RST renderer for block quotes nested in lists.
  • Avoid generated heading ID collisions in TOC.
  • Harden URL, image, figure, and include directive handling.
  • Fix quadratic scans in inline links, reference links, and formatting markers.
  • Fix math escaping, currency pattern matching, and cross-line matching.

Version 3.2.1

Released on May 3, 2026

  • Escape link in render_toc_ul.
  • Escape text in math plugin.
  • Fix regex for math plugin.
  • Escape heading's ID attribute.
  • Fix LINK_TITLE_RE to prevent DoS.
  • Escape class attribute for admonition directive.
  • Remove double-encoding of image alt text.
  • Escape class attribute for image directive.
  • Fix width/height attribute for image directive.

Version 3.2.0

Released on Dec 23, 2025

  • Announce supports for python 3.14
  • Fix footnotes plugins for code blocks, ref links, blockquote and etc.
  • Fix ref links in TOC.

Version 3.1.4

Released on Aug 29, 2025

  • Add fenced directive break rule in list parser.
  • Prevent removing unicode whitespace when parsing atx heading.

Version 3.1.3

... (truncated)

Commits
  • 15c3b79 chore: release 3.3.0
  • bdc01ad tests: increase run time on pypy
  • 7cf1814 tests: increase run time for pypy
  • 6dfdc3d tests: add more tests
  • 17c50f6 chore: fix mypy issues
  • 63abe4b chore: use ruff check and format
  • e6c1b18 chore: resolve mypy issues
  • dcf8902 test(math): cover escaped math output
  • c4093c4 fix(toc): avoid generated id collisions
  • e3e51de fix(image): validate figure width option
  • Additional commits viewable in compare view

Updates pillow from 12.1.1 to 12.2.0

Release notes

Sourced from pillow's releases.

12.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html

Documentation

Dependencies

Testing

Other changes

... (truncated)

Commits

Updates soupsieve from 2.7 to 2.8.4

Release notes

Sourced from soupsieve's releases.

2.8.4

  • FIX: Fix another inefficient attribute pattern (@​mauriceng98).
  • FIX: Limit total number of selectors processed in a pattern to prevent massive selector requests (@​mauriceng98).

2.8.3

  • FIX: Fix inefficient attribute pattern.

2.8.2

  • FIX: Ensure custom selectors or namespace dictionaries reject non-string keys (@​mundanevision20).
  • FIX: Fix handling of :in-range and :out-of-range with end of year weeks (@​mundanevision20).
  • FIX: Fix a potential infinite loop in the pretty printing debug function (@​mundanevision20).

2.8.1

  • FIX: Changes in tests to accommodate latest Python HTML parser changes.

2.8

  • NEW: Drop support for Python 3.8.
  • NEW: Add support for Python 3.14.
  • NEW: Deploy with PyPI's "Trusted Publisher".
Commits

Updates tornado from 6.5.5 to 6.4.2

Changelog

Sourced from tornado's changelog.

Release notes

.. toctree:: :maxdepth: 2

releases/v6.5.7 releases/v6.5.6 releases/v6.5.5 releases/v6.5.4 releases/v6.5.3 releases/v6.5.2 releases/v6.5.1 releases/v6.5.0 releases/v6.4.2 releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1

... (truncated)

Commits
  • a5ecfab Bump version to 6.4.2
  • bc7df6b Fix tests with Twisted 24.7.0
  • d5ba4a1 httputil: Fix quadratic performance of cookie parsing
  • 2a0e1d1 Merge pull request #3388 from bdarnell/release-641
  • b7af4e8 Release notes and version bump for version 6.4.1
  • d65f6e7 Merge pull request #3387 from bdarnell/chunked-parsing
  • 8d721a8 httputil: Only strip tabs and spaces from header values
  • 7786f09 Merge pull request #3386 from bdarnell/curl-crlf
  • fb119c7 http1connection: Stricter handling of transfer-encoding
  • b0ffc58 curl_httpclient,http1connection: Prohibit CR and LF in headers
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the uv group with 4 updates in the / directory: [idna](https://github.com/kjd/idna), [mistune](https://github.com/lepture/mistune), [pillow](https://github.com/python-pillow/Pillow) and [soupsieve](https://github.com/facelessuser/soupsieve).


Updates `idna` from 3.10 to 3.15
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.10...v3.15)

Updates `mistune` from 0.8.4 to 3.3.0
- [Release notes](https://github.com/lepture/mistune/releases)
- [Changelog](https://github.com/lepture/mistune/blob/main/docs/changes.rst)
- [Commits](lepture/mistune@v0.8.4...v3.3.0)

Updates `pillow` from 12.1.1 to 12.2.0
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@12.1.1...12.2.0)

Updates `soupsieve` from 2.7 to 2.8.4
- [Release notes](https://github.com/facelessuser/soupsieve/releases)
- [Commits](facelessuser/soupsieve@2.7...2.8.4)

Updates `tornado` from 6.5.5 to 6.4.2
- [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst)
- [Commits](tornadoweb/tornado@v6.5.5...v6.4.2)

---
updated-dependencies:
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: indirect
  dependency-group: uv
- dependency-name: mistune
  dependency-version: 3.3.0
  dependency-type: indirect
  dependency-group: uv
- dependency-name: pillow
  dependency-version: 12.2.0
  dependency-type: indirect
  dependency-group: uv
- dependency-name: soupsieve
  dependency-version: 2.8.4
  dependency-type: indirect
  dependency-group: uv
- dependency-name: tornado
  dependency-version: 6.4.2
  dependency-type: indirect
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jul 13, 2026
@mgeier
mgeier merged commit a23df08 into master Jul 14, 2026
26 checks passed
@dependabot
dependabot Bot deleted the dependabot/uv/uv-6afa0de4ed branch July 14, 2026 07:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant