chore(deps): bump the dependencies group across 1 directory with 14 updates

[dependabot]

Bumps the dependencies group with 14 updates in the / directory:

Package	From	To
jinja2	3.1.5	3.1.6
markupsafe	3.0.2	3.0.3
packaging	24.2	25.0
pygments	2.19.1	2.19.2
typing-extensions	4.12.2	4.15.0
beautifulsoup4	4.13.3	4.14.2
certifi	2025.1.31	2025.8.3
charset-normalizer	3.4.1	3.4.3
docutils	0.21.2	0.22.2
furo	2024.8.6	2025.9.25
requests	2.32.3	2.32.5
snowballstemmer	2.2.0	3.0.1
soupsieve	2.6	2.8
urllib3	2.3.0	2.5.0

Updates jinja2 from 3.1.5 to 3.1.6

Release notes

Sourced from jinja2's releases.

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/ Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7

Changelog

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Commits

• 1520688 release version 3.1.6
• 90457bb Merge commit from fork
• 065334d attr filter uses env.getattr
• 033c200 start version 3.1.6
• bc68d4e use global contributing guide (#2070)
• 247de5e use global contributing guide
• ab8218c use project advisory link instead of global
• b4ffc8f release version 3.1.5 (#2066)
• See full diff in compare view

Updates markupsafe from 3.0.2 to 3.0.3

Release notes

Sourced from markupsafe's releases.

3.0.3

This is the MarkupSafe 3.0.3 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/MarkupSafe/3.0.3/ Changes: https://markupsafe.palletsprojects.com/page/changes/#version-3-0-3 Milestone: https://github.com/pallets/markupsafe/milestone/15?closed=1

• __version__ raises DeprecationWarning instead of UserWarning. #487
• Adopt multi-phase initialization PEP 489 for the C extension. #494
• Build Windows ARM64 wheels. #485
• Build Python 3.14 wheels. #503
• Build riscv64 wheels. #505

Changelog

Sourced from markupsafe's changelog.

Version 3.0.3

Released 2025-09-27

• __version__ raises DeprecationWarning instead of UserWarning. :issue:487
• Adopt multi-phase initialisation (:pep:489) for the C extension. :issue:494
• Build Windows ARM64 wheels. :issue:485
• Build Python 3.14 wheels. :issue:503
• Build riscv64 wheels. :issue:505

Commits

• 297fc8e release version 3.0.3
• 7e4e6ce Free-threading: run with pytest-run-paralell (#507)
• 6100b9c enable riscv64 wheels (#506)
• c9d5ecf enable riscv64 wheels
• 2f9b337 tox for 3.14
• 78d951a update dev dependencies
• bb6744e add entry
• 65c4134 upgrade cibuildwheel, add cp314 wheels and test on CPython 3.14 (#504)
• 3a9bd88 add cp314 wheels
• aafe44d remove slsa provenance (#501)
• Additional commits viewable in compare view

Updates packaging from 24.2 to 25.0

Release notes

Sourced from packaging's releases.

25.0

What's Changed

• Re-add a test for Unicode file name parsing by @​Siddhesh-Agarwal in pypa/packaging#863
• Upgrade to ruff 0.9.1 by @​DimitriPapadopoulos in pypa/packaging#865
• Add support for PEP 738 Android tags by @​mhsmith in pypa/packaging#880
• feat(markers): support 'extras' and 'dependency_groups' markers by @​frostming in pypa/packaging#888

New Contributors

• @​Siddhesh-Agarwal made their first contribution in pypa/packaging#863
• @​mhsmith made their first contribution in pypa/packaging#880
• @​frostming made their first contribution in pypa/packaging#888

Full Changelog: pypa/packaging@24.2...25.0

Changelog

Sourced from packaging's changelog.

25.0 - 2025-04-19

* PEP 751: Add support for ``extras`` and ``dependency_groups`` markers. (:issue:`885`)
* PEP 738: Add support for Android platform tags. (:issue:`880`)

Commits

• f585376 Bump for release
• 600ecea Add changelog entries
• 3910129 support 'extras' and 'dependency_groups' markers (#888)
• 8e49b43 Add support for PEP 738 Android tags (#880)
• e624d8e Bump the github-actions group with 3 updates (#886)
• 71f38d8 Bump the github-actions group with 2 updates (#878)
• 9b4922d Bump the github-actions group with 3 updates (#870)
• 8510bd9 Upgrade to ruff 0.9.1 (#865)
• 9375ec2 Re-add tests for Unicode file name parsing (#863)
• 2256ed4 Bump the github-actions group across 1 directory with 2 updates (#864)
• Additional commits viewable in compare view

Updates pygments from 2.19.1 to 2.19.2

Release notes

Sourced from pygments's releases.

2.19.2

• Lua: Fix regression introduced in 2.19.0 (#2882, #2839)

Changelog

Sourced from pygments's changelog.

Version 2.19.2

(released June 21st, 2025)

• Lua: Fix regression introduced in 2.19.0 (#2882, #2839)

Commits

• cfca62e Prepare v2.19.2 release.
• 6688300 Disable pyodide (currently broken.)
• 66997c3 Update ruff version.
• 94dda77 Update CHANGES.
• 26634c8 Merge pull request #2882 from thavelick/fix_lua_runaway_regex
• b6a51ec fix lua regex causing runaway backtracking.
• edef94d Investigation for #2839.
• fb6a00e Merge pull request #2837 from dlazin/sql-cleanup
• bf7aa23 Clean up sql.py
• See full diff in compare view

Updates typing-extensions from 4.12.2 to 4.15.0

Release notes

Sourced from typing-extensions's releases.

4.15.0

No user-facing changes since 4.15.0rc1.

New features since 4.14.1:

• Add the @typing_extensions.disjoint_base decorator, as specified in PEP 800. Patch by Jelle Zijlstra.
• Add typing_extensions.type_repr, a backport of annotationlib.type_repr, introduced in Python 3.14 (CPython PR #124551, originally by Jelle Zijlstra). Patch by Semyon Moroz.
• Fix behavior of type params in typing_extensions.evaluate_forward_ref. Backport of CPython PR #137227 by Jelle Zijlstra.

4.15.0rc1

• Add the @typing_extensions.disjoint_base decorator, as specified in PEP 800. Patch by Jelle Zijlstra.
• Add typing_extensions.type_repr, a backport of annotationlib.type_repr, introduced in Python 3.14 (CPython PR #124551, originally by Jelle Zijlstra). Patch by Semyon Moroz.
• Fix behavior of type params in typing_extensions.evaluate_forward_ref. Backport of CPython PR #137227 by Jelle Zijlstra.

4.14.1

Release 4.14.1 (July 4, 2025)

• Fix usage of typing_extensions.TypedDict nested inside other types (e.g., typing.Type[typing_extensions.TypedDict]). This is not allowed by the type system but worked on older versions, so we maintain support.

4.14.0

This release adds several new features, including experimental support for inline typed dictionaries (PEP 764) and sentinels (PEP 661), and support for changes in Python 3.14. In addition, Python 3.8 is no longer supported.

Changes since 4.14.0rc1:

• Remove __or__ and __ror__ methods from typing_extensions.Sentinel on Python versions <3.10. PEP 604 was introduced in Python 3.10, and typing_extensions does not generally attempt to backport PEP-604 methods to prior versions.
• Further update typing_extensions.evaluate_forward_ref with changes in Python 3.14.

Changes included in 4.14.0rc1:

• Drop support for Python 3.8 (including PyPy-3.8). Patch by Victorien Plot.
• Do not attempt to re-export names that have been removed from typing, anticipating the removal of typing.no_type_check_decorator in Python 3.15. Patch by Jelle Zijlstra.
• Update typing_extensions.Format, typing_extensions.evaluate_forward_ref, and typing_extensions.TypedDict to align

... (truncated)

Changelog

Sourced from typing-extensions's changelog.

Release 4.15.0 (August 25, 2025)

No user-facing changes since 4.15.0rc1.

Release 4.15.0rc1 (August 18, 2025)

• Add the @typing_extensions.disjoint_base decorator, as specified in PEP 800. Patch by Jelle Zijlstra.
• Add typing_extensions.type_repr, a backport of annotationlib.type_repr, introduced in Python 3.14 (CPython PR #124551, originally by Jelle Zijlstra). Patch by Semyon Moroz.
• Fix behavior of type params in typing_extensions.evaluate_forward_ref. Backport of CPython PR #137227 by Jelle Zijlstra.

Release 4.14.1 (July 4, 2025)

• Fix usage of typing_extensions.TypedDict nested inside other types (e.g., typing.Type[typing_extensions.TypedDict]). This is not allowed by the type system but worked on older versions, so we maintain support.

Release 4.14.0 (June 2, 2025)

Changes since 4.14.0rc1:

• Remove __or__ and __ror__ methods from typing_extensions.Sentinel on Python versions <3.10. PEP 604 was introduced in Python 3.10, and typing_extensions does not generally attempt to backport PEP-604 methods to prior versions.
• Further update typing_extensions.evaluate_forward_ref with changes in Python 3.14.

Release 4.14.0rc1 (May 24, 2025)

• Drop support for Python 3.8 (including PyPy-3.8). Patch by Victorien Plot.
• Do not attempt to re-export names that have been removed from typing, anticipating the removal of typing.no_type_check_decorator in Python 3.15. Patch by Jelle Zijlstra.
• Update typing_extensions.Format, typing_extensions.evaluate_forward_ref, and typing_extensions.TypedDict to align with changes in Python 3.14. Patches by Jelle Zijlstra.
• Fix tests for Python 3.14 and 3.15. Patches by Jelle Zijlstra.

New features:

• Add support for inline typed dictionaries (PEP 764). Patch by Victorien Plot.
• Add typing_extensions.Reader and typing_extensions.Writer. Patch by Sebastian Rittau.
• Add support for sentinels (PEP 661). Patch by Victorien Plot.

... (truncated)

Commits

• 9d1637e Prepare release 4.15.0 (#658)
• 4bd67c5 Coverage: exclude some noise (#656)
• e589a26 Coverage: add detailed report to job summary (#655)
• 67d37fe Coverage: Implement fail_under (#654)
• e9ae26f Don't delete previous coverage comment (#653)
• ac80bb7 Add Coverage workflow (#623)
• abaaafd Prepare release 4.15.0rc1 (#650)
• 9810405 Add @disjoint_base (PEP 800) (#634)
• 7ee9e05 Backport type_params fix from CPython (#646)
• 1e8eb9c Do not refer to PEP 705 as being experimental (#648)
• Additional commits viewable in compare view

Updates beautifulsoup4 from 4.13.3 to 4.14.2

Updates certifi from 2025.1.31 to 2025.8.3

Commits

• a97d9ad 2025.08.03 (#362)
• ddd90c6 2025.07.14 (#359)
• d905221 2025.07.09 (#358)
• e767d59 2025.06.15 (#357)
• 3e70765 Bump actions/setup-python from 5.5.0 to 5.6.0
• 9afd2ff Bump actions/download-artifact from 4.2.1 to 4.3.0
• d7c816c remove code that's no longer required that 3.7 is our minimum (#351)
• 1899613 Declare setuptools as the build backend in pyproject.toml (#350)
• c874142 update CI for ubuntu 20.04 deprecation (#348)
• 275c9eb 2025.04.26 (#347)
• Additional commits viewable in compare view

Updates charset-normalizer from 3.4.1 to 3.4.3

Release notes

Sourced from charset-normalizer's releases.

Version 3.4.3

3.4.3 (2025-08-09)

Changed

• mypy(c) is no longer a required dependency at build time if CHARSET_NORMALIZER_USE_MYPYC isn't set to 1. (#595) (#583)
• automatically lower confidence on small bytes samples that are not Unicode in detect output legacy function. (#391)

Added

• Custom build backend to overcome inability to mark mypy as an optional dependency in the build phase.
• Support for Python 3.14

Fixed

• sdist archive contained useless directories.
• automatically fallback on valid UTF-16 or UTF-32 even if the md says it's noisy. (#633)

Misc

• SBOM are automatically published to the relevant GitHub release to comply with regulatory changes. Each published wheel comes with its SBOM. We choose CycloneDX as the format.
• Prebuilt optimized wheel are no longer distributed by default for CPython 3.7 due to a change in cibuildwheel.

Version 3.4.2

3.4.2 (2025-05-02)

Fixed

• Addressed the DeprecationWarning in our CLI regarding argparse.FileType by backporting the target class into the package. (#591)
• Improved the overall reliability of the detector with CJK Ideographs. (#605) (#587)

Changed

• Optional mypyc compilation upgraded to version 1.15 for Python >= 3.9

Changelog

Sourced from charset-normalizer's changelog.

3.4.3 (2025-08-09)

Changed

• mypy(c) is no longer a required dependency at build time if CHARSET_NORMALIZER_USE_MYPYC isn't set to 1. (#595) (#583)
• automatically lower confidence on small bytes samples that are not Unicode in detect output legacy function. (#391)

Added

• Custom build backend to overcome inability to mark mypy as an optional dependency in the build phase.
• Support for Python 3.14

Fixed

• sdist archive contained useless directories.
• automatically fallback on valid UTF-16 or UTF-32 even if the md says it's noisy. (#633)

Misc

• SBOM are automatically published to the relevant GitHub release to comply with regulatory changes. Each published wheel comes with its SBOM. We choose CycloneDX as the format.
• Prebuilt optimized wheel are no longer distributed by default for CPython 3.7 due to a change in cibuildwheel.

3.4.2 (2025-05-02)

Fixed

• Addressed the DeprecationWarning in our CLI regarding argparse.FileType by backporting the target class into the package. (#591)
• Improved the overall reliability of the detector with CJK Ideographs. (#605) (#587)

Changed

• Optional mypyc compilation upgraded to version 1.15 for Python >= 3.8

Commits

• 46f662d Release 3.4.3 (#638)
• 1a059b2 🔧 skip building on freethreaded as we're not confident it is stable
• 2275e3d 📝 final note in CHANGELOG.md
• c96acdf 📝 update release date on CHANGELOG.md
• 43e5460 📝 update README.md
• f277074 🔧 automatically lower confidence on small bytes str on non Unicode res...
• 15ae241 🐛 automatically fallback on valid UTF-16 or UTF-32 even if the md says it...
• 37397c1 🔧 enable 3.14 in nox test_mypyc session
• cb82537 ⏪ revert license due to compat python 3.7 issue setuptools
• 6a2efeb 🎨 fix linter errors
• Additional commits viewable in compare view

Updates docutils from 0.21.2 to 0.22.2

Commits

• See full diff in compare view

Updates furo from 2024.8.6 to 2025.9.25

Changelog

Sourced from furo's changelog.

Changelog

2025.09.25 -- Gleaming Green

• Change the dark mode code back to native.

2025.07.19 -- Frozen Flame

• ✨ Switch to accessible-pygments themes
• ✨ Prefetch the sidebar logos
• ✨ Fix flickering header drop shadow on Safari
• Add rel=edit attribute to "Edit this page" link/icon
• Bump NodeJS and npm dependency versions
• Bump Saas & Webpack major versions
• Improve current page detection to be resilient to sticky elements above header
• Modernise Sass and use @use + @forward
• Remove top of code border-radius with captions
• Remove "debug printf" for headerTop value
• Use distinct images for light and dark mode in the documentation
• Use the modern Saas Modules

2024.08.06 -- Energetic Eminence

• ✨ Add support for Sphinx 8
• ✨ Add smoother transitions between breakpoints
• Increase specificity of table-wrapper selector
• Avoid page breaks inside paragraphs

2024.07.18 -- Dull Denim

• Improve how icons are handled and aligned.
• Improve scroll event handler.
• Hide the copybutton by default.
• Fix source_view_link configuration handling.
• Fix close tag on pencil icon.

2024.05.06 -- Cheerful Cerulean

• ✨ Add new custom icons for auto mode, reflecting the currently active theme.

... (truncated)

Commits

• 7c5f8fa Prepare release: 2025.09.25
• 8bfdc54 Update changelog
• d92b62f Switch the dark mode theme back to native
• 83c3446 Add Blender to "used by" section (#898)
• 426ea05 Remove old scrollbar selectors (#892)
• d22d31c Remove trailing slash on void elements (#895)
• f91944a Fix invalid HTML5 (#894)
• a1f74d8 Back to development
• e2cbfce Prepare release: 2025.07.19
• 2753741 Update changelog
• Additional commits viewable in compare view

Updates requests from 2.32.3 to 2.32.5

Release notes

Sourced from requests's releases.

v2.32.5

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

v2.32.4

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS. (#6926)
• Dropped support for pypy 3.9 following its end of support. (#6926)

Changelog

Sourced from requests's changelog.

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS.
• Dropped support for pypy 3.9 following its end of support.

Commits

• b25c87d v2.32.5
• 131e506 Merge pull request #7010 from psf/dependabot/github_actions/actions/checkout-...
• b336cb2 Bump actions/checkout from 4.2.0 to 5.0.0
• 46e939b Update publish workflow to use artifact-id instead of name
• 4b9c546 Merge pull request #6999 from psf/dependabot/github_actions/step-security/har...
• 7618dbe Bump step-security/harden-runner from 2.12.0 to 2.13.0
• 2edca11 Add support for Python 3.14 and drop support for Python 3.8 (#6993)
• fec96cd Update Makefile rules (#6996)
• d58d8aa docs: clarify timeout parameter uses seconds in Session.request (#6994)
• 91a3eab Bump github/codeql-action from 3.28.5 to 3.29.0
• Additional commits viewable in compare view

Updates snowballstemmer from 2.2.0 to 3.0.1

Changelog

Sourced from snowballstemmer's changelog.

Snowball 3.0.1 (2025-05-09)

Python

• The init.py in 3.0.0 was incorrectly generated due to a missing build dependency and the list of algorithms was empty. First reported by laymonage. Thanks to Dmitry Shachnev, Henry Schreiner and Adam Turner for diagnosing and fixing. (#229, #230, #231)

• Add trove classifiers for Armenian and Yiddish which have now been registered with PyPI. Thanks to Henry Schreiner and Dmitry Shachnev. (#228)

• Update documented details of Python 2 support in old versions.

Snowball 3.0.0 (2025-05-08)

Ada

• Bug fixes:

  • Fix invalid Ada code generated for Snowball loop (it was partly Pascal!) None of the stemmers shipped in previous releases triggered this bug, but the Turkish stemmer now does.

  • The Ada runtime was not tracking the current length of the string but instead used the current limit value or some other substitute, which manifested as various incorrect behaviours for code inside of setlimit.

  • size was incorrectly returning the difference between the limit and the backwards limit.

  • lenof or sizeof on a string variable generated Ada code that didn't even compile.

  • Fix incorrect preconditions on some methods in the runtime.

  • Fix bug in runtime code used by attach, insert, <- and string variable assignment when a (sub)string was replaced with a larger string. This bug was triggered by code in the Kraaij-Pohlmann Dutch stemmer implementation (which was previously not enabled by default but is now the standard Dutch stemmer).

  • Fix invalid code generated for insert, <- and string variable assignment. This bug was triggered by code in the Kraaij-Pohlmann Dutch stemmer implementation (which was previously not enabled by default but is now the standard Dutch stemmer).

... (truncated)

Commits

• e4b3efb Update for 3.0.1
• bbd3319 Protect empty languages dict
• 298ff9f Update details of Python 2 support in old versions
• 53fe098 python: Specify correct dependencies for $(python_output_dir)/__init__.py
• 00a22de Stop excluding classifiers for Armenian and Yiddish
• abd9adc Update for 3.0.0
• d23d356 Back out incomplete ESM support for 3.0.0
• ff42274 Update draft NEWS entry
• cd61f01 tamil: remove_tense_suffix signals if ending removed
• edfe576 nepali: Reformat amongs to be clearer
• Additional commits viewable in compare view

Updates soupsieve from 2.6 to 2.8

Release notes

Sourced from soupsieve's releases.

2.8

• NEW: Drop support for Python 3.8.
• NEW: Add support for Python 3.14.
• NEW: Deploy with PyPI's "Trusted Publisher".

2.7

• NEW: Add :open pseudo selector.
• NEW: Add :muted pseudo selector.
• NEW: Recognize the following pseudo selectors: :autofill, :buffering, :fullscreen, :picture-in-picture, :popover-open, :seeking, :stalled, and :volume-locked. These selectors, while recognized, will not match any element as they require a live environment to check element states and browser states. This just prevents Soup Sieve from failing when any of these selectors are specified.
• NEW: A number of existing pseudo-classes are no longer noted as experimental.
• FIX: Typing fixes.

Commits

• bf93778 Add support for Python 3.14 and drop Python 3.8 (#283)
• d82b33b Spelling
• 2fe1c55 Use "Trusted Publisher"
• a616022 Link license in readme
• 6b22489 Add new selectors and move some existing selectors out of experimental (#280)
• 48be2ee Branch specifiers on badge do not work
• fcb3aaf Actually update badge
• fef91c7 Update build badge
• 6fdce69 Fix some typing issues revealed with latest BS4 (#279)
• 6470b9d Fix a typo in faq.md (#277)
• Additional commits viewable in compare view

Updates urllib3 from 2.3.0 to 2.5.0

Release notes

Sourced from urllib3's releases.

2.5.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security issues

urllib3 2.5.0 fixes two moderate security issues:

• Pool managers now properly control redirects when retries is passed — CVE-2025-50181 reported by @​sandumjacob (5.3 Medium, GHSA-pq67-6m6q-mj2v)
• Redirects are now controlled by urllib3 in the Node.js runtime — CVE-2025-50182 (5.3 Medium, GHSA-48p4-8xcf-vxj5)

Features

• Added support for the compression.zstd module that is new in Python 3.14. See PEP 784 for more information. (#3610)
• Added support for version 0.5 of hatch-vcs (#3612)

Bugfixes

• Raised exception for HTTPResponse.shutdown on a connection already released to the pool. (#3581)
• Fixed incorrect CONNECT statement when using an IPv6 proxy with connection_from_host. Previously would not be wrapped in []. (#3615)

2.4.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Features

• Applied PEP 639 by specifying the license fields in pyproject.toml. (#3522)
• Updated exceptions to save and restore more properties during the pickle/serialization process. (#3567)
• Added verify_flags option to create_urllib3_context with a default of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python 3.13+. (#3571)

Bugfixes

• Fixed a bug with partial reads of streaming data in Emscripten. (#3555)

Misc

• Switched to uv for installing development dependecies. (#3550)
• Removed the multiple.intoto.jsonl asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (#3566)

Changelog

Sourced from urllib3's changelog.

2.5.0 (2025-06-18)

Features

• Added support for the compression.zstd module that is new in Python 3.14. See PEP 784 <https://peps.python.org/pep-0784/>_ for more information. ([#3610](https://github.com/urllib3/urllib3/issues/3610) <https://github.com/urllib3/urllib3/issues/3610>__)
• Added support for version 0.5 of hatch-vcs ([#3612](https://github.com/urllib3/urllib3/issues/3612) <https://github.com/urllib3/urllib3/issues/3612>__)

Bugfixes

• Fixed a security issue where restricting the maximum number of followed redirects at the urllib3.PoolManager level via the retries parameter did not work.
• Made the Node.js runtime respect redirect parameters such as retries and redirects.
• Raised exception for HTTPResponse.shutdown on a connection already released to the pool. ([#3581](https://github.com/urllib3/urllib3/issues/3581) <https://github.com/urllib3/urllib3/issues/3581>__)
• Fixed incorrect CONNECT statement when using an IPv6 proxy with connection_from_host. Previously would not be wrapped in []. ([#3615](https://github.com/urllib3/urllib3/issues/3615) <https://github.com/urllib3/urllib3/issues/3615>__)

2.4.0 (2025-04-10)

Features

• Applied PEP 639 by specifying the license fields in pyproject.toml. ([#3522](https://github.com/urllib3/urllib3/issues/3522) <https://github.com/urllib3/urllib3/issues/3522>__)
• Updated exceptions to save and restore more properties during the pickle/serialization process. ([#3567](https://github.com/urllib3/urllib3/issues/3567) <https://github.com/urllib3/urllib3/issues/3567>__)
• Added verify_flags option to create_urllib3_context with a default of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python 3.13+. ([#3571](https://github.com/urllib3/urllib3/issues/3571) <https://github.com/urllib3/urllib3/issues/3571>__)

Bugfixes

• Fixed a bug with partial reads of streaming data in Emscripten. ([#3555](https://github.com/urllib3/urllib3/issues/3555) <https://github.com/urllib3/urllib3/issues/3555>__)

Misc

• Switched to uv for installing development dependecies. ([#3550](https://github.com/urllib3/urllib3/issues/3550) <https://github.com/urllib3/urllib3/issues/3550>__)
• Removed the multiple.intoto.jsonl asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. ([#3566](https://github.com/urllib3/urllib3/issues/3566) <https://github.com/urllib3/urllib3/issues/3566>__)

Commits

• aaab4ec Release 2.5.0
• 7eb4a2a Merge commit from fork
• f05b132 Merge commit from fork
• d03fe32 Fix HTTP tunneling with IPv6 in older Python versions
• 11661e9 Bump github/codeql-action from 3.28.0 to 3.29.0 (#3624)
• 6a0ecc6 Update v2 migration guide to 2.4.0 (#3621)
• 8e32e60 Raise exception for shutdown on a connection already released to the pool (#3...
• 9996e0f Fix emscripten CI for Chrome 137+ (#3599)
• 4fd1a99 Bump RECENT_DATE (#3617)
• c4b5917 Add support for the new compression.zstd module in Python 3.14 (#3611)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[codspeed-hq]

CodSpeed Performance Report

Merging #67 will not alter performance

_{Comparing dependabot/uv/dependencies-61ec217ff0 (474ddbd) with main (0f60f4f)}

Summary

✅ 10 untouched

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.