updated dependancies to resolve open CVEs and cut a new version (#4108)

Summary

  Version bump to 0.18.16 - Security patch release

  Changes

Security Fixes: Updated multiple dependencies via pip-compile to resolve
critical CVEs:
  - authlib: GHSA-pq5p-34cr-23v9
  - python-3.12/python03.12-base: CVE-2025-8291, GHSA-49g5-f6qw-8mm7
- libcrypto3/libssl3: CVE-2025-9230, CVE-2025-9231, CVE-2025-9232,
GHSA-76r2-c3cg-f5r9, GHSA-9mrx-mqmg-gwj9

  Enhancement: Speed up function _assign_hash_ids by 34% (codeflash)

  Files Changed (13 files, +104/-92 lines)

  - unstructured/__version__.py - Version bumped to 0.18.16
  - CHANGELOG.md - Added release notes
  - All requirement files updated with new dependency versions:
    - requirements/base.txt
    - requirements/dev.txt
- requirements/extra-*.txt (csv, docx, odt, paddleocr, pdf-image, pptx,
xlsx)
    - requirements/huggingface.txt
    - requirements/test.txt

This is a security-focused patch release that addresses multiple CVEs
while also including a performance enhancement.

Author: luke-kucing

CHANGELOG.md

@@ -1,11 +1,15 @@
-## 0.18.16-dev0
+## 0.18.16
 
 ### Enhancement
 - Speed up function _assign_hash_ids by 34% (codeflash)
 
 ### Features
 
 ### Fixes
+- Bumped dependencies via pip-compile to address the following CVEs:
+  - **authlib**: GHSA-pq5p-34cr-23v9
+  - **python-3.12/python03**.12-base: CVE-2025-8291, GHSA-49g5-f6qw-8mm7
+  - **libcrypto3/libssl3**: CVE-2025-9230, CVE-2025-9231, CVE-2025-9232, GHSA-76r2-c3cg-f5r9, GHSA-9mrx-mqmg-gwj9
 
 ## 0.18.15
 
@@ -17,7 +21,7 @@
 
 ### Fixes
 
-- Bumped dddependencies via pip-compile to address the crit CVE in:
+- Bumped dependencies via pip-compile to address the crit CVE in:
   - deepdiff: 8.6.0 -> 8.6.1: GHSA-mw26-5g2v-hqw3
 
 ## 0.18.14

requirements/base.txt

@@ -4,38 +4,38 @@
 #
 #    pip-compile ./base.in
 #
-anyio==4.10.0
+anyio==4.11.0
     # via httpx
 backoff==2.2.1
     # via -r ./base.in
-beautifulsoup4==4.13.5
+beautifulsoup4==4.14.2
     # via -r ./base.in
-certifi==2025.8.3
+certifi==2025.10.5
     # via
     #   httpcore
     #   httpx
     #   requests
     #   unstructured-client
 cffi==2.0.0
     # via cryptography
-charset-normalizer==3.4.3
+charset-normalizer==3.4.4
     # via
     #   -r ./base.in
     #   requests
     #   unstructured-client
-click==8.2.1
+click==8.3.0
     # via
     #   nltk
     #   python-oxmsg
-cryptography==45.0.7
+cryptography==46.0.2
     # via unstructured-client
 dataclasses-json==0.6.7
     # via
     #   -r ./base.in
     #   unstructured-client
 deepdiff==8.6.1
     # via unstructured-client
-emoji==2.14.1
+emoji==2.15.0
     # via -r ./base.in
 exceptiongroup==1.3.0
     # via anyio
@@ -49,7 +49,7 @@ httpcore==1.0.9
     # via httpx
 httpx==0.28.1
     # via unstructured-client
-idna==3.10
+idna==3.11
     # via
     #   anyio
     #   httpx
@@ -61,7 +61,7 @@ jsonpath-python==1.0.6
     # via unstructured-client
 langdetect==1.0.9
     # via -r ./base.in
-lxml==6.0.1
+lxml==6.0.2
     # via -r ./base.in
 marshmallow==3.26.1
     # via
@@ -73,7 +73,7 @@ mypy-extensions==1.1.0
     #   unstructured-client
 nest-asyncio==1.6.0
     # via unstructured-client
-nltk==3.9.1
+nltk==3.9.2
     # via -r ./base.in
 numpy==2.2.6
     # via -r ./base.in
@@ -85,11 +85,11 @@ packaging==25.0
     # via
     #   marshmallow
     #   unstructured-client
-psutil==7.0.0
+psutil==7.1.0
     # via -r ./base.in
 pycparser==2.23
     # via cffi
-pypdf==6.0.0
+pypdf==6.1.1
     # via unstructured-client
 python-dateutil==2.9.0.post0
     # via unstructured-client
@@ -101,7 +101,7 @@ python-oxmsg==0.0.2
     # via -r ./base.in
 rapidfuzz==3.14.1
     # via -r ./base.in
-regex==2025.9.1
+regex==2025.9.18
     # via nltk
 requests==2.32.5
     # via
@@ -129,6 +129,7 @@ typing-extensions==4.15.0
     #   -r ./base.in
     #   anyio
     #   beautifulsoup4
+    #   cryptography
     #   exceptiongroup
     #   pypdf
     #   python-oxmsg

requirements/dev.txt

@@ -8,16 +8,16 @@ build==1.3.0
     # via pip-tools
 cfgv==3.4.0
     # via pre-commit
-click==8.2.1
+click==8.3.0
     # via
     #   -c ./base.txt
     #   -c ./test.txt
     #   pip-tools
 distlib==0.4.0
     # via virtualenv
-filelock==3.19.1
+filelock==3.20.0
     # via virtualenv
-identify==2.6.14
+identify==2.6.15
     # via pre-commit
 nodeenv==1.9.1
     # via pre-commit
@@ -26,9 +26,9 @@ packaging==25.0
     #   -c ./base.txt
     #   -c ./test.txt
     #   build
-pip-tools==7.5.0
+pip-tools==7.5.1
     # via -r ./dev.in
-platformdirs==4.4.0
+platformdirs==4.5.0
     # via
     #   -c ./test.txt
     #   virtualenv
@@ -38,9 +38,9 @@ pyproject-hooks==1.2.0
     # via
     #   build
     #   pip-tools
-pyyaml==6.0.2
+pyyaml==6.0.3
     # via pre-commit
-tomli==2.2.1
+tomli==2.3.0
     # via
     #   -c ./test.txt
     #   build
@@ -50,7 +50,7 @@ typing-extensions==4.15.0
     #   -c ./base.txt
     #   -c ./test.txt
     #   virtualenv
-virtualenv==20.34.0
+virtualenv==20.35.3
     # via pre-commit
 wheel==0.45.1
     # via pip-tools

requirements/extra-csv.txt

@@ -8,7 +8,7 @@ numpy==2.2.6
     # via
     #   -c ./base.txt
     #   pandas
-pandas==2.3.2
+pandas==2.3.3
     # via -r ./extra-csv.in
 python-dateutil==2.9.0.post0
     # via

requirements/extra-docx.txt

@@ -4,7 +4,7 @@
 #
 #    pip-compile ./extra-docx.in
 #
-lxml==6.0.1
+lxml==6.0.2
     # via
     #   -c ./base.txt
     #   python-docx

requirements/extra-odt.txt

@@ -4,7 +4,7 @@
 #
 #    pip-compile ./extra-odt.in
 #
-lxml==6.0.1
+lxml==6.0.2
     # via
     #   -c ./base.txt
     #   python-docx

requirements/extra-paddleocr.txt

@@ -12,21 +12,21 @@ albumentations==2.0.8
     # via unstructured-paddleocr
 annotated-types==0.7.0
     # via pydantic
-anyio==4.10.0
+anyio==4.11.0
     # via
     #   -c ./base.txt
     #   httpx
-beautifulsoup4==4.13.5
+beautifulsoup4==4.14.2
     # via
     #   -c ./base.txt
     #   unstructured-paddleocr
-certifi==2025.8.3
+certifi==2025.10.5
     # via
     #   -c ./base.txt
     #   httpcore
     #   httpx
     #   requests
-charset-normalizer==3.4.3
+charset-normalizer==3.4.4
     # via
     #   -c ./base.txt
     #   requests
@@ -38,7 +38,7 @@ exceptiongroup==1.3.0
     #   anyio
 fire==0.7.1
     # via unstructured-paddleocr
-fonttools==4.59.2
+fonttools==4.60.1
     # via unstructured-paddleocr
 h11==0.16.0
     # via
@@ -52,7 +52,7 @@ httpx==0.28.1
     # via
     #   -c ./base.txt
     #   paddlepaddle
-idna==3.10
+idna==3.11
     # via
     #   -c ./base.txt
     #   anyio
@@ -62,7 +62,7 @@ imageio==2.37.0
     # via scikit-image
 lazy-loader==0.4
     # via scikit-image
-lxml==6.0.1
+lxml==6.0.2
     # via
     #   -c ./base.txt
     #   python-docx
@@ -115,13 +115,13 @@ protobuf==6.32.1
     #   paddlepaddle
 pyclipper==1.3.0.post6
     # via unstructured-paddleocr
-pydantic==2.11.9
+pydantic==2.12.2
     # via albumentations
-pydantic-core==2.33.2
+pydantic-core==2.41.4
     # via pydantic
 python-docx==1.2.0
     # via unstructured-paddleocr
-pyyaml==6.0.2
+pyyaml==6.0.3
     # via
     #   albumentations
     #   unstructured-paddleocr
@@ -141,7 +141,7 @@ scipy==1.15.3
     # via
     #   albumentations
     #   scikit-image
-shapely==2.1.1
+shapely==2.1.2
     # via unstructured-paddleocr
 simsimd==6.5.3
     # via albucore
@@ -153,7 +153,7 @@ soupsieve==2.8
     # via
     #   -c ./base.txt
     #   beautifulsoup4
-stringzilla==4.0.10
+stringzilla==4.2.1
     # via albucore
 termcolor==3.1.0
     # via fire
@@ -174,7 +174,7 @@ typing-extensions==4.15.0
     #   pydantic-core
     #   python-docx
     #   typing-inspection
-typing-inspection==0.4.1
+typing-inspection==0.4.2
     # via pydantic
 unstructured-paddleocr==2.10.0
     # via -r ./extra-paddleocr.in