Bump the python group with 12 updates #937

dependabot · 2026-01-01T19:04:54Z

Bumps the python group with 12 updates:

Package	From	To
jinja2	`3.1.5`	`3.1.6`
jsonschema	`4.23.0`	`4.25.1`
pygithub	`2.6.1`	`2.8.1`
pyyaml	`6.0.2`	`6.0.3`
tomli	`2.2.1`	`2.3.0`
typing-extensions	`4.14.1`	`4.15.0`
zstandard	`0.23.0`	`0.25.0`
rpds-py	`0.29.0`	`0.30.0`
urllib3	`2.5.0`	`2.6.2`
mypy	`1.18.1`	`1.19.1`
ruff	`0.13.0`	`0.14.9`
types-jsonschema	`4.25.1.20250822`	`4.25.1.20251009`

Updates jinja2 from 3.1.5 to 3.1.6

Release notes

Sourced from jinja2's releases.

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/ Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7

Changelog

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Commits

1520688 release version 3.1.6
90457bb Merge commit from fork
065334d attr filter uses env.getattr
033c200 start version 3.1.6
bc68d4e use global contributing guide (#2070)
247de5e use global contributing guide
ab8218c use project advisory link instead of global
b4ffc8f release version 3.1.5 (#2066)
See full diff in compare view

Updates jsonschema from 4.23.0 to 4.25.1

Release notes

Sourced from jsonschema's releases.

v4.25.1

What's Changed

Fix Validator protocol init to match runtime by @sirosen in python-jsonschema/jsonschema#1396

Full Changelog: python-jsonschema/jsonschema@v4.25.0...v4.25.1

v4.25.0

What's Changed

Add support for the iri and iri-reference formats to the format-nongpl extra by @jkowalleck in python-jsonschema/jsonschema#1388

New Contributors

@jkowalleck made their first contribution in python-jsonschema/jsonschema#1388

Full Changelog: python-jsonschema/jsonschema@v4.24.1...v4.25.0

v4.24.1

What's Changed

Unambiguously quote and escape properties in JSON path rendering by @kurtmckee in python-jsonschema/jsonschema#1390

Drop python<3.9 backports by @hackowitz-af in python-jsonschema/jsonschema#1367

New Contributors

@hackowitz-af made their first contribution in python-jsonschema/jsonschema#1367

@kurtmckee made their first contribution in python-jsonschema/jsonschema#1390

Full Changelog: python-jsonschema/jsonschema@v4.24.0...v4.24.1

v4.24.0

What's Changed

Fix calculation of evaluated properties by @V02460 in python-jsonschema/jsonschema#1351

Support for Python 3.8 has been dropped, as it is end-of-life.

New Contributors

@bkueng made their first contribution in python-jsonschema/jsonschema#1326

@V02460 made their first contribution in python-jsonschema/jsonschema#1351

Full Changelog: python-jsonschema/jsonschema@v4.23.0...v4.24.0

Changelog

Sourced from jsonschema's changelog.

v4.25.1

Fix an incorrect required argument in the Validator protocol's type annotations (#1396).

v4.25.0

Add support for the iri and iri-reference formats to the format-nongpl extra via the MIT-licensed rfc3987-syntax. They were alread supported by the format extra. (#1388).

v4.24.1

Properly escape segments in ValidationError.json_path (#139).

v4.24.0

Fix improper handling of unevaluatedProperties in the presence of additionalProperties (#1351).

Support for Python 3.8 has been dropped, as it is end-of-life.

Commits

331c384 Add the fix to the changelog.
c1ec0a6 Merge pull request #1398 from python-jsonschema/dependabot/github_actions/ast...
8e7d594 Merge pull request #1399 from python-jsonschema/dependabot/github_actions/act...
460f4fa Merge pull request #1396 from sirosen/improve-protocol-init-signature
1e58409 [pre-commit.ci] auto fixes from pre-commit.com hooks
64bc217 Add a typing test for the Validator protocol
6c25741 Bump actions/checkout from 4 to 5
bf603d5 Bump astral-sh/setup-uv from 6.4.3 to 6.5.0
a916d8f Fix Validator protocol init to match runtime
de60f18 Merge pull request #1397 from python-jsonschema/pre-commit-ci-update-config
Additional commits viewable in compare view

Updates pygithub from 2.6.1 to 2.8.1

Release notes

Sourced from pygithub's releases.

v2.8.1

What's Changed

Bug Fixes

Use default type if known type is not supported by @EnricoMi in PyGithub/PyGithub#3365

Full Changelog: PyGithub/PyGithub@v2.8.0...v2.8.1

v2.8.0

What's Changed

New Features

Add self hosted runner management to Organization by @billnapier in PyGithub/PyGithub#3203

Add support to generate release notes by @mball-agathos in PyGithub/PyGithub#3022

Improvements

Fix connection pooling to improve connection performance by @chriskuehl in PyGithub/PyGithub#3289

Add Repository.get_automated_security_fixes method by @zstyblik in PyGithub/PyGithub#3303

Sync Issue class with API spec by @EnricoMi in PyGithub/PyGithub#3338

Return more union classes like NamedUser | Organization | Enterprise by @EnricoMi in PyGithub/PyGithub#3224

Sync Enterprise class with API spec by @EnricoMi in PyGithub/PyGithub#3342

Sync GitReleaseAsset class with API spec by @EnricoMi in PyGithub/PyGithub#3343

Sync many class with OpenAPI spec by @EnricoMi in PyGithub/PyGithub#3344

Point deprecation warnings to the caller code rather than inner class by @xmo-odoo in PyGithub/PyGithub#3275

Allow for repo strings in all Team repo methods by @EnricoMi in PyGithub/PyGithub#3356

Bug Fixes

Fix API path of Repository.get_git_ref by @csalerno-asml in PyGithub/PyGithub#2992

Rework redirection URL allowance check by @EnricoMi in PyGithub/PyGithub#3329

Fix GitRelease.name, deprecate GitRelease.title by @EnricoMi in PyGithub/PyGithub#3346

Remove "COMMENT" as the default event for create_review by @eddie-santos in PyGithub/PyGithub#3078

Add support for public release assets by @aolieman in PyGithub/PyGithub#3339

Fix GitHub breaking API change of maintainers in Organization.create_team by @interifter in PyGithub/PyGithub#3291

Maintenance

Minor fix to release.yml by @EnricoMi in PyGithub/PyGithub#3201

Reduce test replay data by @EnricoMi in PyGithub/PyGithub#3243

Add check to OpenAPI script to check doc-string verbs by @EnricoMi in PyGithub/PyGithub#3332

Improve apply OpenAPI schemas by @EnricoMi in PyGithub/PyGithub#3333

Add config to OpenAPI script to ignore schemas by @EnricoMi in PyGithub/PyGithub#3334

Add suggest and create method feature to OpenAPI script by @EnricoMi in PyGithub/PyGithub#3318

Fix CI OpenApi apply command by @EnricoMi in PyGithub/PyGithub#3341

Improve OpenAPI scripts by @EnricoMi in PyGithub/PyGithub#3340

Improve OpenAPI CI by @EnricoMi in PyGithub/PyGithub#3347

Rework test framework by @EnricoMi in PyGithub/PyGithub#3271

Some minor fixes to OpenAPI scripts by @EnricoMi in PyGithub/PyGithub#3350

Add manual workflow to fix auto-fixable issues by @EnricoMi in PyGithub/PyGithub#3351

Bump actions/download-artifact from 4 to 5 by @dependabot[bot] in PyGithub/PyGithub#3330

Use default per-page const in PaginatedList by @sam93210 in PyGithub/PyGithub#3039

Bump actions/setup-python from 4 to 5 by @dependabot[bot] in PyGithub/PyGithub#3283

Bump actions/checkout from 3 to 5 by @dependabot[bot] in PyGithub/PyGithub#3348

Various minor OpenAPI scripts fixes by @EnricoMi in PyGithub/PyGithub#3353

Add union class support to OpenAPI script by @EnricoMi in PyGithub/PyGithub#3354

Add github_actions label to Maintenance section by @EnricoMi in PyGithub/PyGithub#3357

Upgrade docformatter pre-commit hook by @EnricoMi in PyGithub/PyGithub#3359

... (truncated)

Changelog

Sourced from pygithub's changelog.

Version 2.8.1 (September 02, 2025)

Bug Fixes ^^^^^^^^^

Use default type if known type is not supported ([#3365](https://github.com/pygithub/pygithub/issues/3365) <https://github.com/PyGithub/PyGithub/pull/3365>) (40506415 <https://github.com/PyGithub/PyGithub/commit/40506415>)

Version 2.8.0 (September 02, 2025)

New Features ^^^^^^^^^^^^

Add self hosted runner management to Organization ([#3203](https://github.com/pygithub/pygithub/issues/3203) <https://github.com/PyGithub/PyGithub/pull/3203>) (4ea1c4e2 <https://github.com/PyGithub/PyGithub/commit/4ea1c4e2>)

Add support to generate release notes ([#3022](https://github.com/pygithub/pygithub/issues/3022) <https://github.com/PyGithub/PyGithub/pull/3022>) (e359b83a <https://github.com/PyGithub/PyGithub/commit/e359b83a>)

Improvements ^^^^^^^^^^^^

Fix connection pooling to improve connection performance ([#3289](https://github.com/pygithub/pygithub/issues/3289) <https://github.com/PyGithub/PyGithub/pull/3289>_)

Add Repository.get_automated_security_fixes method ([#3303](https://github.com/pygithub/pygithub/issues/3303) <https://github.com/PyGithub/PyGithub/pull/3303>) (22048d83 <https://github.com/PyGithub/PyGithub/commit/22048d83>)

Sync Issue class with API spec ([#3338](https://github.com/pygithub/pygithub/issues/3338) <https://github.com/PyGithub/PyGithub/pull/3338>) (62da467a <https://github.com/PyGithub/PyGithub/commit/62da467a>)

Return more union classes like NamedUser | Organization | Enterprise ([#3224](https://github.com/pygithub/pygithub/issues/3224) <https://github.com/PyGithub/PyGithub/pull/3224>) (aea64148 <https://github.com/PyGithub/PyGithub/commit/aea64148>)

Sync Enterprise class with API spec ([#3342](https://github.com/pygithub/pygithub/issues/3342) <https://github.com/PyGithub/PyGithub/pull/3342>) (01bb5ab1 <https://github.com/PyGithub/PyGithub/commit/01bb5ab1>)

Sync GitReleaseAsset class with API spec ([#3343](https://github.com/pygithub/pygithub/issues/3343) <https://github.com/PyGithub/PyGithub/pull/3343>) (74449fed <https://github.com/PyGithub/PyGithub/commit/74449fed>)

Sync many class with OpenAPI spec ([#3344](https://github.com/pygithub/pygithub/issues/3344) <https://github.com/PyGithub/PyGithub/pull/3344>_)

Point deprecation warnings to the caller code rather than inner class ([#3275](https://github.com/pygithub/pygithub/issues/3275) <https://github.com/PyGithub/PyGithub/pull/3275>) (99bb5270 <https://github.com/PyGithub/PyGithub/commit/99bb5270>)

Allow for repo strings in all Team repo methods ([#3356](https://github.com/pygithub/pygithub/issues/3356) <https://github.com/PyGithub/PyGithub/pull/3356>) (3234a21f <https://github.com/PyGithub/PyGithub/commit/3234a21f>)

Bug Fixes ^^^^^^^^^

Fix API path of Repository.get_git_ref ([#2992](https://github.com/pygithub/pygithub/issues/2992) <https://github.com/PyGithub/PyGithub/pull/2992>) (a6965031 <https://github.com/PyGithub/PyGithub/commit/a6965031>)

Rework redirection URL allowance check ([#3329](https://github.com/pygithub/pygithub/issues/3329) <https://github.com/PyGithub/PyGithub/pull/3329>) (065b1319 <https://github.com/PyGithub/PyGithub/commit/065b1319>)

Fix GitRelease.name, deprecate GitRelease.title ([#3346](https://github.com/pygithub/pygithub/issues/3346) <https://github.com/PyGithub/PyGithub/pull/3346>) (fb51957f <https://github.com/PyGithub/PyGithub/commit/fb51957f>)

Remove "COMMENT" as the default event for create_review ([#3078](https://github.com/pygithub/pygithub/issues/3078) <https://github.com/PyGithub/PyGithub/pull/3078>) (8494da5c <https://github.com/PyGithub/PyGithub/commit/8494da5c>)

Add support for public release assets ([#3339](https://github.com/pygithub/pygithub/issues/3339) <https://github.com/PyGithub/PyGithub/pull/3339>) (abad296e <https://github.com/PyGithub/PyGithub/commit/abad296e>)

Fix GitHub breaking API change of maintainers in Organization.create_team ([#3291](https://github.com/pygithub/pygithub/issues/3291) <https://github.com/PyGithub/PyGithub/pull/3291>) (17bc4df4 <https://github.com/PyGithub/PyGithub/commit/17bc4df4>)

Maintenance ^^^^^^^^^^^

Minor fix to release.yml ([#3201](https://github.com/pygithub/pygithub/issues/3201) <https://github.com/PyGithub/PyGithub/pull/3201>) (f1fc6e7c <https://github.com/PyGithub/PyGithub/commit/f1fc6e7c>)

Reduce test replay data ([#3243](https://github.com/pygithub/pygithub/issues/3243) <https://github.com/PyGithub/PyGithub/pull/3243>) (19426454 <https://github.com/PyGithub/PyGithub/commit/19426454>)

Add check to OpenAPI script to check doc-string verbs ([#3332](https://github.com/pygithub/pygithub/issues/3332) <https://github.com/PyGithub/PyGithub/pull/3332>) (3efde77d <https://github.com/PyGithub/PyGithub/commit/3efde77d>)

Improve apply OpenAPI schemas ([#3333](https://github.com/pygithub/pygithub/issues/3333) <https://github.com/PyGithub/PyGithub/pull/3333>) (ec189dd6 <https://github.com/PyGithub/PyGithub/commit/ec189dd6>)

Add config to OpenAPI script to ignore schemas ([#3334](https://github.com/pygithub/pygithub/issues/3334) <https://github.com/PyGithub/PyGithub/pull/3334>) (0478d33b <https://github.com/PyGithub/PyGithub/commit/0478d33b>)

Add suggest and create method feature to OpenAPI script ([#3318](https://github.com/pygithub/pygithub/issues/3318) <https://github.com/PyGithub/PyGithub/pull/3318>_)

Fix CI OpenApi apply command ([#3341](https://github.com/pygithub/pygithub/issues/3341) <https://github.com/PyGithub/PyGithub/pull/3341>) (cdc10a27 <https://github.com/PyGithub/PyGithub/commit/cdc10a27>)

Improve OpenAPI scripts ([#3340](https://github.com/pygithub/pygithub/issues/3340) <https://github.com/PyGithub/PyGithub/pull/3340>) (ad278c5f <https://github.com/PyGithub/PyGithub/commit/ad278c5f>)

Improve OpenAPI CI ([#3347](https://github.com/pygithub/pygithub/issues/3347) <https://github.com/PyGithub/PyGithub/pull/3347>) (8165bbc9 <https://github.com/PyGithub/PyGithub/commit/8165bbc9>)

Rework test framework ([#3271](https://github.com/pygithub/pygithub/issues/3271) <https://github.com/PyGithub/PyGithub/pull/3271>) (1b700187 <https://github.com/PyGithub/PyGithub/commit/1b700187>)

Some minor fixes to OpenAPI scripts ([#3350](https://github.com/pygithub/pygithub/issues/3350) <https://github.com/PyGithub/PyGithub/pull/3350>) (a813a945 <https://github.com/PyGithub/PyGithub/commit/a813a945>)

Add manual workflow to fix auto-fixable issues ([#3351](https://github.com/pygithub/pygithub/issues/3351) <https://github.com/PyGithub/PyGithub/pull/3351>) (0e6317d9 <https://github.com/PyGithub/PyGithub/commit/0e6317d9>)

... (truncated)

Commits

ecd4764 Update changelog
4050641 Use default type if known type is not supported (#3365)
18eeb26 Release 2.8.0 (#3360)
17bc4df Fix GitHub breaking API change of maintainers in Organization.create_team...
6f0d6ef Update docs on development (#3352)
12d8d10 Add warning about Checks API in doc-strings (#3229)
6ec3ca2 Upgrade docformatter pre-commit hook (#3359)
9612e61 Revert get_enterprise breaking change (#3358)
0c31f84 Add github_actions label to Maintenance section (#3357)
3234a21 Allow for repo strings in all Team repo methods (#3356)
Additional commits viewable in compare view

Updates pyyaml from 6.0.2 to 6.0.3

Release notes

Sourced from pyyaml's releases.

6.0.3

What's Changed

Support for Python 3.14 and free-threading (experimental).

Full Changelog: yaml/pyyaml@6.0.2...6.0.3

Changelog

Sourced from pyyaml's changelog.

6.0.3 (2025-09-25)

yaml/pyyaml#864 -- Support for Python 3.14 and free-threading (experimental)

Commits

49790e7 Release 6.0.3 (#889)
See full diff in compare view

Updates tomli from 2.2.1 to 2.3.0

Changelog

Sourced from tomli's changelog.

2.3.0

Added

Binary wheels for Python 3.14 (also free-threaded)

Performance

Reduced import time

Commits

3fccd16 Bump version: 2.2.1 → 2.3.0
6504016 Add 2.3.0 changelog
0bc66fc Remove now off-by-default PyPy from cibuildwheel skip list
0aa242f Update license metadata to appease PEP 639
a18221e Bump GitHub CI actions
6fa4d90 [pre-commit.ci] pre-commit autoupdate (#260)
b974fa1 [pre-commit.ci] pre-commit autoupdate (#248)
f574f36 Update mypy to 1.15 and use --strict mode (#257)
1da01ef Reduce import time by removing typing import (#251)
4188188 Reduce import time by removing string and tomli._types imports
Additional commits viewable in compare view

Updates typing-extensions from 4.14.1 to 4.15.0

Release notes

Sourced from typing-extensions's releases.

4.15.0

No user-facing changes since 4.15.0rc1.

New features since 4.14.1:

Add the @typing_extensions.disjoint_base decorator, as specified in PEP 800. Patch by Jelle Zijlstra.

Add typing_extensions.type_repr, a backport of annotationlib.type_repr, introduced in Python 3.14 (CPython PR #124551, originally by Jelle Zijlstra). Patch by Semyon Moroz.

Fix behavior of type params in typing_extensions.evaluate_forward_ref. Backport of CPython PR #137227 by Jelle Zijlstra.

4.15.0rc1

Add the @typing_extensions.disjoint_base decorator, as specified in PEP 800. Patch by Jelle Zijlstra.

Add typing_extensions.type_repr, a backport of annotationlib.type_repr, introduced in Python 3.14 (CPython PR #124551, originally by Jelle Zijlstra). Patch by Semyon Moroz.

Fix behavior of type params in typing_extensions.evaluate_forward_ref. Backport of CPython PR #137227 by Jelle Zijlstra.

Changelog

Sourced from typing-extensions's changelog.

Release 4.15.0 (August 25, 2025)

No user-facing changes since 4.15.0rc1.

Release 4.15.0rc1 (August 18, 2025)

Add the @typing_extensions.disjoint_base decorator, as specified in PEP 800. Patch by Jelle Zijlstra.

Add typing_extensions.type_repr, a backport of annotationlib.type_repr, introduced in Python 3.14 (CPython PR #124551, originally by Jelle Zijlstra). Patch by Semyon Moroz.

Fix behavior of type params in typing_extensions.evaluate_forward_ref. Backport of CPython PR #137227 by Jelle Zijlstra.

Commits

9d1637e Prepare release 4.15.0 (#658)
4bd67c5 Coverage: exclude some noise (#656)
e589a26 Coverage: add detailed report to job summary (#655)
67d37fe Coverage: Implement fail_under (#654)
e9ae26f Don't delete previous coverage comment (#653)
ac80bb7 Add Coverage workflow (#623)
abaaafd Prepare release 4.15.0rc1 (#650)
9810405 Add @disjoint_base (PEP 800) (#634)
7ee9e05 Backport type_params fix from CPython (#646)
1e8eb9c Do not refer to PEP 705 as being experimental (#648)
Additional commits viewable in compare view

Updates zstandard from 0.23.0 to 0.25.0

Release notes

Sourced from zstandard's releases.

0.25.0

PyO3 Rust created upgraded from 0.24 to 0.25. (#273)

We now use Py_REFCNT(obj) instead of accessing (*obj)->ob_refcnt directly. This fixes a nogil / multi-threaded compile error. (#201, #275)

A zstandard commit to fix qsort detection on BSD operating systems has been backported. (#272)

The PYTHON_ZSTANDARD_IMPORT_POLICY environment variable now has leading and trailing whitespace stripped. Values like cffi and cffi are now equivalent to cffi.

The CI jobs for building wheels have been overhauled to always use cibuildwheel and uv (where possible). This change should be backwards compatible. But wheel building for this project has historically been fragile and there may be unwanted changes. We're optimistic that standardizing on uv (except for musllinux ppc64le and s390x where uv isn't available) will lead to more stability over time.

CI now runs tests against the wheels we distribute. Previously, we ran tests against a separate build that was theoretically identical. But the builds may have been subtly different, leading to preventable bugs in our wheels. (Enabling this test coverage did not uncover any failures.)

The pyproject.toml build backend has been switched from setuptools.build_meta:__legacy__ to setuptools.build_meta.

The setuptools build dependency has been upgraded from <69.0.0 to >=77.0.0. Modern versions of setuptools broke --config-settings=--build-option=... as part of implementing PEP 660. A workaround is to use --config-settings=--global-option=... instead. --global-option apparently is deprecated and the setuptools folks have yet to figure out how to thread config settings into setup.py invocations. (--build-option is sent to the build_wheel command but not the build_editable command.)

Python 3.14 wheels are now built with manylinux_2_28 (versus manylinux2014) for older Python versions. This may raise the minimum glibc version, effectively dropping support for Debian 8 and 9, Ubuntu 13.10 through 18.04, Fedora 19 to 28, and RHEL/Centos 7. However, in practice most platforms don't container newer glibc symbols and are still ABI compatible with manylinux2014 and glibc 2.17.

We now require cffi >= 2.0.0b on Python 3.14. <3.14 still requires 1.17. (#274)

The cffi backend is now automatically disabled for free-threaded builds on Python <3.14, as cffi didn't implement free-threaded support until the 2.0 release. (#274)

Added CI coverage for free-threaded CPython 3.13 and 3.14. We do not yet formally support free-threaded builds. (#276)

The C and Rust backends now declare the GIL as unused.

The pythoncapi_compat.h file has been upgraded to the latest version. (#278)

setup.py now depends on packaging and uses packaging.version.Version for version comparisons. This removes some deprecation warnings from usage of legacy distutils Version classes.

Relax run-time libzstd version checking in C extension from exactly 1.5.7 to >=1.5.6. (#254, #267)

C extension types now (correctly) declare their fully qualified type names

... (truncated)

Changelog

Sourced from zstandard's changelog.

0.25.0 (released 2025-09-14)

PyO3 Rust created upgraded from 0.24 to 0.25. (#273)

We now use Py_REFCNT(obj) instead of accessing (*obj)->ob_refcnt directly. This fixes a nogil / multi-threaded compile error. (#201, #275)

A zstandard commit to fix qsort detection on BSD operating systems has been backported. (#272)

The PYTHON_ZSTANDARD_IMPORT_POLICY environment variable now has leading and trailing whitespace stripped. Values like cffi and cffi are now equivalent to cffi.

The CI jobs for building wheels have been overhauled to always use cibuildwheel and uv (where possible). This change should be backwards compatible. But wheel building for this project has historically been fragile and there may be unwanted changes. We're optimistic that standardizing on uv (except for musllinux ppc64le and s390x where uv isn't available) will lead to more stability over time.

CI now runs tests against the wheels we distribute. Previously, we ran tests against a separate build that was theoretically identical. But the builds may have been subtly different, leading to preventable bugs in our wheels. (Enabling this test coverage did not uncover any failures.)

The pyproject.toml build backend has been switched from setuptools.build_meta:__legacy__ to setuptools.build_meta.

The setuptools build dependency has been upgraded from <69.0.0 to >=77.0.0. Modern versions of setuptools broke --config-settings=--build-option=... as part of implementing PEP 660. A workaround is to use --config-settings=--global-option=...`` instead. --global-optionapparently is deprecated and the setuptools folks have yet to figure out how to thread config settings intosetup.py invocations. (`--build-option is sent to the build_wheel command but not the build_editable command.)

Python 3.14 wheels are now built with manylinux_2_28 (versus manylinux2014) for older Python versions. This may raise the minimum glibc version, effectively dropping support for Debian 8 and 9, Ubuntu 13.10 through 18.04, Fedora 19 to 28, and RHEL/Centos 7. However, in practice most platforms don't container newer glibc symbols and are still ABI compatible with manylinux2014 and glibc 2.17.

We now require cffi >= 2.0.0b on Python 3.14. <3.14 still requires 1.17. (#274)

The cffi backend is now automatically disabled for free-threaded builds on Python <3.14, as cffi didn't implement free-threaded support until the 2.0 release. (#274)

Added CI coverage for free-threaded CPython 3.13 and 3.14. We do not yet formally support free-threaded builds. (#276)

The C and Rust backends now declare the GIL as unused.

The pythoncapi_compat.h file has been upgraded to the latest version. (#278)

setup.py now depends on packaging and uses packaging.version.Version for version comparisons. This removes some deprecation warnings from usage of legacy distutils Version classes.

Relax run-time libzstd version checking in C extension from exactly 1.5.7

... (truncated)

Commits

7a77a75 global: release 0.25.0
7935539 rust: cargo upgrade
bc3074c rust: update dependencies
51a277a c-ext: correctly define fully qualified type names to zstandard.*
9ccbc39 docs: fix ReST in news.rst
58c68a1 zstd: synchronize qsort code with upstream
395f693 docs: document existence of compression.zstd in stdlib
6967817 docs: update comparisons to other implementations
e4e829a docs: document new libzstd version constraint behaviors
604a65a Relax libzstd version checking
Additional commits viewable in compare view

Updates rpds-py from 0.29.0 to 0.30.0

Release notes

Sourced from rpds-py's releases.

v0.30.0

What's Changed

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in crate-py/rpds#202

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in crate-py/rpds#203

Update to PyO3 0.27.2 by @edgarrmondragon in crate-py/rpds#204

Full Changelog: crate-py/rpds@v0.29.0...v0.30.0

Commits

c38c979 Tag a release.
09c7538 Update the pre-commit link for zizmor.
086997f Remove an unneeded section of the pyproject.toml.
7690933 Merge pull request #204 from edgarrmondragon/pyo3-0.27.2
84f9bd1 Update to PyO3 0.27.2
5cb6bc4 Merge pull request #203 from crate-py/pre-commit-ci-update-config
677a6db [pre-commit.ci] pre-commit autoupdate
5f1fa20 Merge pull request #202 from crate-py/pre-commit-ci-update-config
6657a51 [pre-commit.ci] pre-commit autoupdate
See full diff in compare view

Updates urllib3 from 2.5.0 to 2.6.2

Release notes

Sourced from urllib3's releases.

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)

2.6.1

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. (#3731)

2.6.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)

Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)

[!IMPORTANT]

If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.

If you use custom decompressors, please make sure to update them to respect the changed API of urllib3.response.ContentDecoder.

Features

Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. (#3653)

Added host and port information to string representations of HTTPConnection. (#3666)

Added support for Python 3.14 free-threading builds explicitly. (#3696)

Removals

Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers. Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). (#3622)

... (truncated)

Changelog

Sourced from urllib3's changelog.

2.6.2 (2025-12-11)

Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. ([#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734>__)

2.6.1 (2025-12-08)

Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. ([#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731>__)

2.6.0 (2025-12-05)

Security

Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)

Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.

If you use custom decompressors, please make sure to update them to respect the changed API of urllib3.response.ContentDecoder.

Features

Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. ([#3653](https://github.com/urllib3/urllib3/issues/3653) <https://github.com/urllib3/urllib3/issues/3653>__)

Added host and port information to string representations of HTTPConnection. ([#3666](https://github.com/urllib3/urllib3/issues/3666) <https://github.com/urllib3/urllib3/issues/3666>__)

Added support for Python 3.14 free-threading builds explicitly. ([#3696](https://github.com/urllib3/urllib3/issues/3696) <https://github.com/urllib3/urllib3/issues/3696>__)

... (truncated)

Commits

83f8643 Release 2.6.2
571a9b7 Fix HTTPResponse.read_chunked when leftover data is present in decoder's bu...
bfe8e19 Release 2.6.1
3ceeb84 Restore getheaders() and getheader() (#3732)
720f484 Release 2.6.0
24d7b67 Merge commit from fork
c19571d Merge commit from fork
816fcf0 Bump actions/setup-python from 6.0.0 to 6.1.0 (#3725)
18af0a1 Improv...
Description has been truncated

Bumps the python group with 12 updates: | Package | From | To | | --- | --- | --- | | [jinja2](https://github.com/pallets/jinja) | `3.1.5` | `3.1.6` | | [jsonschema](https://github.com/python-jsonschema/jsonschema) | `4.23.0` | `4.25.1` | | [pygithub](https://github.com/pygithub/pygithub) | `2.6.1` | `2.8.1` | | [pyyaml](https://github.com/yaml/pyyaml) | `6.0.2` | `6.0.3` | | [tomli](https://github.com/hukkin/tomli) | `2.2.1` | `2.3.0` | | [typing-extensions](https://github.com/python/typing_extensions) | `4.14.1` | `4.15.0` | | [zstandard](https://github.com/indygreg/python-zstandard) | `0.23.0` | `0.25.0` | | [rpds-py](https://github.com/crate-py/rpds) | `0.29.0` | `0.30.0` | | [urllib3](https://github.com/urllib3/urllib3) | `2.5.0` | `2.6.2` | | [mypy](https://github.com/python/mypy) | `1.18.1` | `1.19.1` | | [ruff](https://github.com/astral-sh/ruff) | `0.13.0` | `0.14.9` | | [types-jsonschema](https://github.com/typeshed-internal/stub_uploader) | `4.25.1.20250822` | `4.25.1.20251009` | Updates `jinja2` from 3.1.5 to 3.1.6 - [Release notes](https://github.com/pallets/jinja/releases) - [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst) - [Commits](pallets/jinja@3.1.5...3.1.6) Updates `jsonschema` from 4.23.0 to 4.25.1 - [Release notes](https://github.com/python-jsonschema/jsonschema/releases) - [Changelog](https://github.com/python-jsonschema/jsonschema/blob/main/CHANGELOG.rst) - [Commits](python-jsonschema/jsonschema@v4.23.0...v4.25.1) Updates `pygithub` from 2.6.1 to 2.8.1 - [Release notes](https://github.com/pygithub/pygithub/releases) - [Changelog](https://github.com/PyGithub/PyGithub/blob/main/doc/changes.rst) - [Commits](PyGithub/PyGithub@v2.6.1...v2.8.1) Updates `pyyaml` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/yaml/pyyaml/releases) - [Changelog](https://github.com/yaml/pyyaml/blob/6.0.3/CHANGES) - [Commits](yaml/pyyaml@6.0.2...6.0.3) Updates `tomli` from 2.2.1 to 2.3.0 - [Changelog](https://github.com/hukkin/tomli/blob/master/CHANGELOG.md) - [Commits](hukkin/tomli@2.2.1...2.3.0) Updates `typing-extensions` from 4.14.1 to 4.15.0 - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](python/typing_extensions@4.14.1...4.15.0) Updates `zstandard` from 0.23.0 to 0.25.0 - [Release notes](https://github.com/indygreg/python-zstandard/releases) - [Changelog](https://github.com/indygreg/python-zstandard/blob/main/docs/news.rst) - [Commits](indygreg/python-zstandard@0.23.0...0.25.0) Updates `rpds-py` from 0.29.0 to 0.30.0 - [Release notes](https://github.com/crate-py/rpds/releases) - [Commits](crate-py/rpds@v0.29.0...v0.30.0) Updates `urllib3` from 2.5.0 to 2.6.2 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.5.0...2.6.2) Updates `mypy` from 1.18.1 to 1.19.1 - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](python/mypy@v1.18.1...v1.19.1) Updates `ruff` from 0.13.0 to 0.14.9 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](astral-sh/ruff@0.13.0...0.14.9) Updates `types-jsonschema` from 4.25.1.20250822 to 4.25.1.20251009 - [Commits](https://github.com/typeshed-internal/stub_uploader/commits) --- updated-dependencies: - dependency-name: jinja2 dependency-version: 3.1.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python - dependency-name: jsonschema dependency-version: 4.25.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: pygithub dependency-version: 2.8.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: pyyaml dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python - dependency-name: tomli dependency-version: 2.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: typing-extensions dependency-version: 4.15.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: zstandard dependency-version: 0.25.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: rpds-py dependency-version: 0.30.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: urllib3 dependency-version: 2.6.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: mypy dependency-version: 1.19.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: python - dependency-name: ruff dependency-version: 0.14.9 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: python - dependency-name: types-jsonschema dependency-version: 4.25.1.20251009 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: python ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jan 1, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Bump the python group with 12 updates #937

Bump the python group with 12 updates #937

Uh oh!

dependabot bot commented on behalf of github Jan 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Bump the python group with 12 updates #937

Are you sure you want to change the base?

Bump the python group with 12 updates #937

Uh oh!

Conversation

dependabot bot commented on behalf of github Jan 1, 2026

3.1.6

Version 3.1.6

v4.25.1

What's Changed

v4.25.0

What's Changed

New Contributors

v4.24.1

What's Changed

New Contributors

v4.24.0

What's Changed

New Contributors

v4.25.1

v4.25.0

v4.24.1

v4.24.0

v2.8.1

What's Changed

Bug Fixes

v2.8.0

What's Changed

New Features

Improvements

Bug Fixes

Maintenance

Version 2.8.1 (September 02, 2025)

Version 2.8.0 (September 02, 2025)

6.0.3

What's Changed

2.3.0

4.15.0

4.15.0rc1

Release 4.15.0 (August 25, 2025)

Release 4.15.0rc1 (August 18, 2025)

0.25.0

0.25.0 (released 2025-09-14)

v0.30.0

What's Changed

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

Changes

2.6.1

🚀 urllib3 is fundraising for HTTP/2 support

Changes

2.6.0

🚀 urllib3 is fundraising for HTTP/2 support

Security

Features

Removals

2.6.2 (2025-12-11)

2.6.1 (2025-12-08)

2.6.0 (2025-12-05)

Security

Features

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant