Bump the uv group across 1 directory with 10 updates

[dependabot]

Bumps the uv group with 10 updates in the / directory:

Package	From	To
filelock	3.18.0	3.20.3
fonttools	4.55.3	4.60.2
h11	0.14.0	0.16.0
jinja2	3.1.4	3.1.6
jupyterlab	4.3.4	4.4.8
requests	2.32.3	2.32.4
setuptools	75.6.0	78.1.1
tornado	6.4.2	6.5
urllib3	2.2.3	2.6.3
virtualenv	20.31.2	20.36.1

Updates filelock from 3.18.0 to 3.20.3

Release notes

Sourced from filelock's releases.

3.20.3

What's Changed

• Fix TOCTOU symlink vulnerability in SoftFileLock by @​gaborbernat in tox-dev/filelock#465

Full Changelog: tox-dev/filelock@3.20.2...3.20.3

3.20.2

What's Changed

• Support Unix systems without O_NOFOLLOW by @​mwilliamson in tox-dev/filelock#463
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/filelock#464

New Contributors

• @​mwilliamson made their first contribution in tox-dev/filelock#463

Full Changelog: tox-dev/filelock@3.20.1...3.20.2

3.20.1

What's Changed

• CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation by @​gaborbernat in tox-dev/filelock#461

Full Changelog: tox-dev/filelock@3.20.0...3.20.1

3.20.0

What's Changed

• Add tox.toml to sdist by @​mtelka in tox-dev/filelock#436
• Update docs with example by @​znichollscr in tox-dev/filelock#438
• Add 3.14 support and drop 3.9 by @​gaborbernat in tox-dev/filelock#448

New Contributors

• @​mtelka made their first contribution in tox-dev/filelock#436
• @​znichollscr made their first contribution in tox-dev/filelock#438

Full Changelog: tox-dev/filelock@3.19.1...3.20.0

3.19.1

What's Changed

• add 3.14t (free threading) to matrix by @​paultiq in tox-dev/filelock#433
• Increase test coverage by @​paultiq in tox-dev/filelock#434

... (truncated)

Commits

• 41b42dd Fix TOCTOU symlink vulnerability in SoftFileLock (#465)
• f2e7d40 [pre-commit.ci] pre-commit autoupdate (#464)
• 5088854 Support Unix systems without O_NOFOLLOW (#463)
• 377f622 [pre-commit.ci] pre-commit autoupdate (#460)
• 4724d7f Fix TOCTOU symlink vulnerability in lock file creation (#461)
• cb69414 Bump actions/upload-artifact from 5 to 6 (#459)
• 0769294 Bump actions/download-artifact from 6 to 7 (#458)
• 414193a [pre-commit.ci] pre-commit autoupdate (#457)
• 1456797 [pre-commit.ci] pre-commit autoupdate (#456)
• 8d6bf90 Bump actions/checkout from 5 to 6 (#455)
• Additional commits viewable in compare view

Updates fonttools from 4.55.3 to 4.60.2

Release notes

Sourced from fonttools's releases.

4.60.2

• Backport release Same as 4.61.0 but without "Drop support for EOL Python 3.9" change to allow downstream projects still on Python 3.9 to avail of the security fix for CVE-2025-66034 (#3994, #3999).

4.60.1

• [ufoLib] Reverted accidental method name change in UFOReader.getKerningGroupConversionRenameMaps that broke compatibility with downstream projects like defcon (#3948, #3947, robotools/defcon#478).
• [ufoLib] Added test coverage for getKerningGroupConversionRenameMaps method (#3950).
• [subset] Don't try to subset BASE table; pass it through by default instead (#3949).
• [subset] Remove empty BaseRecord entries in MarkBasePos lookups (#3897, #3892).
• [subset] Add pruning for MarkLigPos and MarkMarkPos lookups (#3946).
• [subset] Remove duplicate features when subsetting (#3945).
• [Docs] Added documentation for the visitor module (#3944).

4.60.0

• [pointPen] Allow reverseFlipped parameter of DecomposingPointPen to take a ReverseFlipped enum value to control whether/how to reverse contour direction of flipped components, in addition to the existing True/False. This allows to set ReverseFlipped.ON_CURVE_FIRST to ensure that the decomposed outline starts with an on-curve point before being reversed, for better consistency with other segment-oriented contour transformations. The change is backward compatible, and the default behavior hasn't changed (#3934).

• [filterPen] Added ContourFilterPointPen, base pen for buffered contour operations, and OnCurveStartPointPen filter to ensure contours start with an on-curve point (#3934).

• [cu2qu] Fixed difference in cython vs pure-python complex division by real number (#3930).

• [varLib.avar] Refactored and added some new sub-modules and scripts (#3926).

  • varLib.avar.build module to build avar (and a missing fvar) binaries into a possibly empty TTFont,
  • varLib.avar.unbuild module to print a .designspace snippet that would generate the same avar binary,
  • varLib.avar.map module to take TTFont and do the mapping, in user/normalized space,
  • varLib.avar.plan module moved from varLib.avarPlanner.

  The bare fonttools varLib.avar script is deprecated, in favour of fonttools varLib.avar.build (or unbuild).

• [interpolatable] Clarify linear_sum_assignment backend options and minimal dependency usage (#3927).

• [post] Speed up build_psNameMapping (#3923).

• [ufoLib] Added typing annotations to fontTools.ufoLib (#3875).

4.59.2

• [varLib] Clear USE_MY_METRICS component flags when inconsistent across masters (#3912).
• [varLib.instancer] Avoid negative advance width/height values when instatiating HVAR/VVAR, (unlikely in well-behaved fonts) (#3918).
• [subset] Fix shaping behaviour when pruning empty mark sets (#3915, harfbuzz/harfbuzz#5499).
• [cu2qu] Fixed dot() product of perpendicular vectors not always returning exactly 0.0 in all Python implementations (#3911)
• [varLib.instancer] Implemented fully-instantiating avar2 fonts (#3909).
• [feaLib] Allow float values in VariableScalar's axis locations (#3906, #3907).
• [cu2qu] Handle special case in calc_intersect for degenerate cubic curves where 3 to 4 control points are equal (#3904).

4.59.1

• [featureVars] Update OS/2.usMaxContext if possible after addFeatureVariationsRaw (#3894).
• [vhmtx] raise TTLibError('not enough data...') when hmtx/vmtx are truncated (#3843, #3901).
• [feaLib] Combine duplicate features that have the same set of lookups regardless of the order in which those lookups are added to the feature (#3895).
• [varLib] Deprecate varLib.mutator in favor of varLib.instancer. The latter provides equivalent full (static font) instancing in addition to partial VF instancing.
  CLI users should replace fonttools varLib.mutator with fonttools varLib.instancer. API users should migrate to fontTools.varLib.instancer.instantiateVariableFont (#2680).

4.59.0

• Removed hard-dependency on pyfilesystem2 (fs package) from fonttools[ufo] extra. This is replaced by the fontTools.misc.filesystem package, a stdlib-only, drop-in replacement for the subset of the pyfilesystem2's API used by fontTools.ufoLib. The latter should continue to work with the upstream fs (we even test with/without). However, clients who wish to continue using fs can do so by depending on it directly instead of via the fonttools[ufo] extra (#3885, #3620).
• [xmlWriter] Replace illegal XML characters (e.g. control or non-characters) with "?" when dumping to ttx (#3868, #71).
• [varLib.hvar] Fixed vertical metrics fields copy/pasta error (#3884).
• Micro optimizations in ttLib and sstruct modules (#3878, #3879).
• [unicodedata] Add Garay script to RTL_SCRIPTS (#3882).

... (truncated)

Changelog

Sourced from fonttools's changelog.

4.60.2 (released 2025-12-09)

• Backport release Same as 4.61.0 but without "Drop support for EOL Python 3.9" change to allow downstream projects still on Python 3.9 to avail of the security fix for CVE-2025-66034 (#3994, #3999).

4.61.0 (released 2025-11-28)

• [varLib.main]: SECURITY Only use basename(vf.filename) to prevent path traversal attacks when running fonttools varLib command, or code which invokes fonttools.varLib.main(). Fixes CVE-2025-66034, see: GHSA-768j-98cg-p3fv.
• [feaLib] Sort BaseLangSysRecords by tag (#3986).
• Drop support for EOL Python 3.9 (#3982).
• [instancer] Support --remove-overlaps for fonts with CFF2 table (#3975).
• [CFF2ToCFF] Add --remove-overlaps option (#3976).
• [feaLib] Raise an error for rsub with NULL target (#3979).
• [bezierTools] Fix logic bug in curveCurveIntersections (#3963).
• [feaLib] Error when condition sets have the same name (#3958).
• [cu2qu.ufo] skip processing empty glyphs to support sparse kerning masters (#3956).
• [unicodedata] Update to Unicode 17. Require unicodedata2 >= 17.0.0 when installed with 'unicode' extra.

4.60.1 (released 2025-09-29)

• [ufoLib] Reverted accidental method name change in UFOReader.getKerningGroupConversionRenameMaps that broke compatibility with downstream projects like defcon (#3948, #3947, robotools/defcon#478).
• [ufoLib] Added test coverage for getKerningGroupConversionRenameMaps method (#3950).
• [subset] Don't try to subset BASE table; pass it through by default instead (#3949).
• [subset] Remove empty BaseRecord entries in MarkBasePos lookups (#3897, #3892).
• [subset] Add pruning for MarkLigPos and MarkMarkPos lookups (#3946).
• [subset] Remove duplicate features when subsetting (#3945).
• [Docs] Added documentation for the visitor module (#3944).

4.60.0 (released 2025-09-17)

• [pointPen] Allow reverseFlipped parameter of DecomposingPointPen to take a ReverseFlipped enum value to control whether/how to reverse contour direction of flipped components, in addition to the existing True/False. This allows to set ReverseFlipped.ON_CURVE_FIRST to ensure that the decomposed outline starts with an on-curve point before being reversed, for better consistency with other segment-oriented contour transformations. The change is backward compatible, and the default behavior hasn't changed (#3934).
• [filterPen] Added ContourFilterPointPen, base pen for buffered contour operations, and OnCurveStartPointPen filter to ensure contours start with an on-curve point (#3934).
• [cu2qu] Fixed difference in cython vs pure-python complex division by real number (#3930).
• [varLib.avar] Refactored and added some new sub-modules and scripts (#3926).
  • varLib.avar.build module to build avar (and a missing fvar) binaries into a possibly empty TTFont,
  • varLib.avar.unbuild module to print a .designspace snippet that would generate the same avar binary,

... (truncated)

Commits

• 78ba5e8 Release 4.60.2
• c3f9979 macos-13 runner is no more, use macos-15-intel
• 8016403 Revert "Merge pull request #3982 from fonttools/drop-py39"
• e691e3b Release 4.61.0
• c2d540f Update NEWS.rst
• 3859753 Update NEWS.rst
• 26eb070 black
• 5ff73af Merge commit from fork
• a696d5b varLib: only use the basename(vf.filename)
• b00bc45 varLib_test: test path traversal in variable-font filename
• Additional commits viewable in compare view

Updates h11 from 0.14.0 to 0.16.0

Commits

• 1c5b075 this time for surer
• d9c3699 this time for sure...
• d91b9dd blacken
• 5a4683c Soothe mypy
• 9c9567f Bump version to 0.16.0
• 114803a Merge commit from fork
• 9462006 Bump version to 0.15.0
• 70a96be Merge pull request #181 from Julien00859/Julien00859/get_int_max_str_digits
• 60782ad Reject Content-Length longer 1 billion TB
• dff7cc3 Validate Chunked-Encoding chunk footer
• Additional commits viewable in compare view

Updates jinja2 from 3.1.4 to 3.1.6

Release notes

Sourced from jinja2's releases.

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/ Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7

3.1.5

This is the Jinja 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.5/ Changes: https://jinja.palletsprojects.com/changes/#version-3-1-5 Milestone: https://github.com/pallets/jinja/milestone/16?closed=1

• The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. GHSA-q2x7-8rv6-6q7h
• Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. #1792, GHSA-gmj6-6f8f-6699
• Sandbox does not allow clear and pop on known mutable sequence types. #2032
• Calling sync render for an async template uses asyncio.run. #1952
• Avoid unclosed auto_aiter warnings. #1960
• Return an aclose-able AsyncGenerator from Template.generate_async. #1960
• Avoid leaving root_render_func() unclosed in Template.generate_async. #1960
• Avoid leaving async generators unclosed in blocks, includes and extends. #1960
• The runtime uses the correct concat function for the current environment when calling block references. #1701
• Make |unique async-aware, allowing it to be used after another async-aware filter. #1781
• |int filter handles OverflowError from scientific notation. #1921
• Make compiling deterministic for tuple unpacking in a {% set ... %} call. #2021
• Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. #2025
• Fix copy/pickle support for the internal missing object. #2027
• Environment.overlay(enable_async) is applied correctly. #2061
• The error message from FileSystemLoader includes the paths that were searched. #1661
• PackageLoader shows a clearer error message when the package does not contain the templates directory. #1705
• Improve annotations for methods returning copies. #1880
• urlize does not add mailto: to values like @a@b. #1870
• Tests decorated with @pass_context can be used with the |select filter. #1624
• Using set for multiple assignment (a, b = 1, 2) does not fail when the target is a namespace attribute. #1413
• Using set in all branches of {% if %}{% elif %}{% else %} blocks does not cause the variable to be considered initially undefined. #1253

Changelog

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Version 3.1.5

Released 2024-12-21

• The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. :ghsa:q2x7-8rv6-6q7h
• Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. :issue:1792, :ghsa:gmj6-6f8f-6699
• Sandbox does not allow clear and pop on known mutable sequence types. :issue:2032
• Calling sync render for an async template uses asyncio.run. :pr:1952
• Avoid unclosed auto_aiter warnings. :pr:1960
• Return an aclose-able AsyncGenerator from Template.generate_async. :pr:1960
• Avoid leaving root_render_func() unclosed in Template.generate_async. :pr:1960
• Avoid leaving async generators unclosed in blocks, includes and extends. :pr:1960
• The runtime uses the correct concat function for the current environment when calling block references. :issue:1701
• Make |unique async-aware, allowing it to be used after another async-aware filter. :issue:1781
• |int filter handles OverflowError from scientific notation. :issue:1921
• Make compiling deterministic for tuple unpacking in a {% set ... %} call. :issue:2021
• Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. :issue:2025
• Fix copy/pickle support for the internal missing object. :issue:2027
• Environment.overlay(enable_async) is applied correctly. :pr:2061
• The error message from FileSystemLoader includes the paths that were searched. :issue:1661
• PackageLoader shows a clearer error message when the package does not contain the templates directory. :issue:1705
• Improve annotations for methods returning copies. :pr:1880
• urlize does not add mailto: to values like @a@b. :pr:1870

... (truncated)

Commits

• 1520688 release version 3.1.6
• 90457bb Merge commit from fork
• 065334d attr filter uses env.getattr
• 033c200 start version 3.1.6
• bc68d4e use global contributing guide (#2070)
• 247de5e use global contributing guide
• ab8218c use project advisory link instead of global
• b4ffc8f release version 3.1.5 (#2066)
• 877f6e5 release version 3.1.5
• 8d58859 remove test pypi
• Additional commits viewable in compare view

Updates jupyterlab from 4.3.4 to 4.4.8

Release notes

Sourced from jupyterlab's releases.

v4.4.8

4.4.8

(Full Changelog)

Bugs fixed

• Debugger: Only send the configurationDone message once as per the DAP #17912 (@​martinRenou)
• Fix output prompt overlay height for large outputs #17863 (@​Meriem-BenIsmail)
• Prevent overlay of content from other columns when renaming a file in the file browser #17857 (@​CrafterKolyan)
• Fix notebook toolbar item order #17866 (@​Darshan808)

Maintenance and upkeep improvements

• Ignore npmjs.com in check-links #17915 (@​jtpio)

Documentation improvements

• Add JupyterCon banner and Jupyter colors #17906 (@​choldgraf)

Contributors to this release

(GitHub contributors page for this release)

@​brichet | @​github-actions | @​HaudinFlorence | @​jtpio | @​jupyterlab-probot | @​krassowski | @​martinRenou | @​meeseeksmachine | @​Meriem-BenIsmail | @​williamstein

v4.4.7

4.4.7

(Full Changelog)

Enhancements made

• Update to mermaid 11.10, marked 16.2 #17813 (@​bollwyvl)

Bugs fixed

• Change default line wrap in default editor config #17818 (@​gjmooney)
• Select file and accept dialog on file double click in FileDialog.getOpenFiles #17844 (@​martinRenou)
• Fix broken toolbar updates due to missing 'clear' cases in switch statements for ObservableList #17837 (@​Darshan808)
• Send code to console #17824 (@​gjmooney)
• Clear incomplete execution metadata when splitting running cells #17804 (@​Darshan808)
• Don't create empty page_config in sys_prefix when disabled is empty #17791 (@​gjmooney)

Documentation improvements

... (truncated)

Commits

• a889bb5 [ci skip] Publish 4.4.8
• 51c585b Fix integrity
• f8841dc Merge commit from fork
• 526a3d7 Backport PR #17915: Ignore npmjs.com in check-links (#17921)
• 911ff90 Backport PR #17912: Debugger: Only send the configurationDone message once ...
• 2d0ff31 Backport PR #17906: Add JupyterCon banner and Jupyter colors (#17908)
• 276b38c Backport PR #17863: Fix output prompt overlay height for large outputs (#17889)
• 88f58b1 Backport PR #17857: Prevent overlay of content from other columns when renami...
• baf78ec Backport PR #17866: Fix notebook toolbar item order (#17872)
• 30d1f70 [ci skip] Publish 4.4.7
• Additional commits viewable in compare view

Updates requests from 2.32.3 to 2.32.4

Release notes

Sourced from requests's releases.

v2.32.4

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS. (#6926)
• Dropped support for pypy 3.9 following its end of support. (#6926)

Changelog

Sourced from requests's changelog.

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS.
• Dropped support for pypy 3.9 following its end of support.

Commits

• 021dc72 Polish up release tooling for last manual release
• 821770e Bump version and add release notes for v2.32.4
• 59f8aa2 Add netrc file search information to authentication documentation (#6876)
• 5b4b64c Add more tests to prevent regression of CVE 2024 47081
• 7bc4587 Add new test to check netrc auth leak (#6962)
• 96ba401 Only use hostname to do netrc lookup instead of netloc
• 7341690 Merge pull request #6951 from tswast/patch-1
• 6716d7c remove links
• a7e1c74 Update docs/conf.py
• c799b81 docs: fix dead links to kenreitz.org
• Additional commits viewable in compare view

Updates setuptools from 75.6.0 to 78.1.1

Changelog

Sourced from setuptools's changelog.

v78.1.1

Bugfixes

• More fully sanitized the filename in PackageIndex._download. (#4946)

v78.1.0

Features

• Restore access to _get_vc_env with a warning. (#4874)

v78.0.2

Bugfixes

• Postponed removals of deprecated dash-separated and uppercase fields in setup.cfg. All packages with deprecated configurations are advised to move before 2026. (#4911)

v78.0.1

Misc

• #4909

v78.0.0

Bugfixes

• Reverted distutils changes that broke the monkey patching of command classes. (#4902)

Deprecations and Removals

• Setuptools no longer accepts options containing uppercase or dash characters in setup.cfg.

... (truncated)

Commits

• 8e4868a Bump version: 78.1.0 → 78.1.1
• 100e9a6 Merge pull request #4951
• 8faf1d7 Add news fragment.
• 2ca4a9f Rely on re.sub to perform the decision in one expression.
• e409e80 Extract _sanitize method for sanitizing the filename.
• 250a6d1 Add a check to ensure the name resolves relative to the tmpdir.
• d8390fe Extract _resolve_download_filename with test.
• 4e1e893 Merge https://github.com/jaraco/skeleton
• 3a3144f Fix typo: pyproject.license -> project.license (#4931)
• d751068 Fix typo: pyproject.license -> project.license
• Additional commits viewable in compare view

Updates tornado from 6.4.2 to 6.5

Changelog

Sourced from tornado's changelog.

Release notes

.. toctree:: :maxdepth: 2

releases/v6.5.3 releases/v6.5.2 releases/v6.5.1 releases/v6.5.0 releases/v6.4.2 releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1 releases/v3.2.0 releases/v3.1.1 releases/v3.1.0 releases/v3.0.2

... (truncated)

Commits

• ab5f354 Merge pull request #3498 from bdarnell/final-6.5
• 3623024 Final release notes for 6.5.0
• b39b892 Merge pull request #3497 from bdarnell/multipart-log-spam
• cc61050 httputil: Raise errors instead of logging in multipart/form-data parsing
• ae4a4e4 asyncio: Preserve contextvars across SelectorThread on Windows (#3479)
• 197ff13 Merge pull request #3496 from bdarnell/undeprecate-set-event-loop
• c3d906c requirements: Upgrade tox to 4.26.0
• a838977 testing: Remove deprecation warning filter for set_event_loop
• d8e0d36 build: Fix free-threaded build, mark speedups module as no-GIL
• bfe7489 Merge pull request #3492 from bdarnell/relnotes-6.5
• Additional commits viewable in compare view

Updates urllib3 from 2.2.3 to 2.6.3

Release notes

Sourced from urllib3's releases.

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by @​D47A, 8.9 High, GHSA-38jv-5279-wg99)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. (urllib3/urllib3#3743)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. (urllib3/urllib3#3752)

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)

2.6.1

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. (#3731)

2.6.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @​Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @​illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)

[!IMPORTANT]

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.

... (truncated)

Changelog

Sourced from urllib3's changelog.

2.6.3 (2026-01-07)

• Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. ([#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743>__)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. ([#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752>__)

2.6.2 (2025-12-11)

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. ([#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734>__)

2.6.1 (2025-12-08)

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. ([#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731>__)

2.6.0 (2025-12-05)

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using

... (truncated)

Commits

• 0248277 Release 2.6.3
• 8864ac4 Merge commit from fork
• 70cecb2 Fix Scorecard issues related to vulnerable dev dependencies (#3755)
• 41f249a Move "v2.0 Migration Guide" to the end of the table of contents (#3747)
• fd4dffd Patch VerifiedHTTPSConnection for Emscripten (#3752)
• 13f0bfd Handle massive values in Retry-After when calculating time to sleep for (#3743)
• Description has been truncated

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml