Bump the pip group across 9 directories with 16 updates

[dependabot]

Bumps the pip group with 11 updates in the / directory:

Package	From	To
scikit-learn	1.0.1	1.5.0
nltk	3.6.7	3.9.4
requests	2.32.0	2.33.0
litestar	2.8.3	2.18.0
dynaconf	3.2.4	3.2.13
urllib3	1.26.19	2.6.3
ujson	5.4.0	5.12.0
cryptography	43.0.1	46.0.5
transformers	4.39.3	4.53.0
setuptools	68.2.2	78.1.1
pillow	10.3.0	12.1.1

Bumps the pip group with 3 updates in the /examples/integrations/airflow_batch_monitoring directory: scikit-learn, requests and black.
Bumps the pip group with 1 update in the /examples/integrations/airflow_batch_monitoring/docker/airflow_base directory: apache-airflow.
Bumps the pip group with 5 updates in the /examples/integrations/fastapi_monitoring directory:

Package	From	To
scikit-learn	1.2.2	1.5.0
requests	2.30.0	2.33.0
setuptools	50.3.2	78.1.1
black	22.8.0	26.3.1
streamlit	1.22.0	1.54.0

Bumps the pip group with 2 updates in the /examples/integrations/fastapi_monitoring/streamlit_app directory: requests and streamlit.
Bumps the pip group with 4 updates in the /examples/integrations/mlflow_monitoring directory: scikit-learn, setuptools, black and mlflow.
Bumps the pip group with 2 updates in the /examples/integrations/postgres_grafana_batch_monitoring directory: scikit-learn and prefect.
Bumps the pip group with 2 updates in the /examples/integrations/prefect_evidently_ui directory: scikit-learn and prefect.
Bumps the pip group with 3 updates in the /examples/integrations/streamlit_dashboard directory: scikit-learn, requests and streamlit.

Updates scikit-learn from 1.0.1 to 1.5.0

Release notes

Sourced from scikit-learn's releases.

Scikit-learn 1.5.0

We're happy to announce the 1.5.0 release.

You can read the release highlights under https://scikit-learn.org/stable/auto_examples/release_highlights/plot_release_highlights_1_5_0.html and the long version of the change log under https://scikit-learn.org/stable/whats_new/v1.5.html

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

The conda-forge builds can be installed using:

conda install -c conda-forge scikit-learn

Scikit-learn 1.4.2

We're happy to announce the 1.4.2 release.

This release only includes support for numpy 2.

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

Scikit-learn 1.4.1.post1

We're happy to announce the 1.4.1.post1 release.

You can see the changelog here: https://scikit-learn.org/stable/whats_new/v1.4.html#version-1-4-1-post1

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

The conda-forge builds can be installed using:

conda install -c conda-forge scikit-learn

... (truncated)

Commits

• b51d0c9 trigger whell builder [cd build]
• 919ae9b MAINT Reoder what's new for 1.5 (#29039)
• 0ac28ad DOC Release highlights 1.5 (#29007)
• 729b54d test py3.12 against numpy 2 [cd build]
• 1e50434 set version
• ffbe4ab DOC remove obsolete SVM example (#27108)
• 4647729 DOC Fix time complexity of MLP (#28592)
• 9bd7047 FIX convergence criterion of MeanShift (#28951)
• b79420f FIX add long long for int32/int64 windows compat in NumPy 2.0 (#29029)
• 37f544d DOC replace pandas with Polars in examples/gaussian_process/plot_gpr_co2.py (...
• Additional commits viewable in compare view

Updates nltk from 3.6.7 to 3.9.4

Changelog

Sourced from nltk's changelog.

Version 3.9.4 2026-03-24

• Support Python 3.14
• Fix bug in Levenshtein distance when substitution_cost > 2
• Fix bug in Treebank detokeniser re quote ordering
• Fix bug in Jaro similarity for empty strings
• Several security enhancements
• Fix GHSA-rf74-v2fm-23pw: unbounded recursion in JSONTaggedDecoder
• Implement TextTiling vocabulary introduction method (Hearst 1997)
• Fix ALINE feature matrix errors and add comprehensive tests
• Support multiple VerbNet versions, fix longid/shortid regex for VerbNet ids
• Let downloader fallback to md5 when sha256 is unavailable
• Several other minor bugfixes and code cleanups

Thanks to the following contributors to 3.9.4: Min-Yen Kan, Eric Kafe, Emily Voss, bowiechen, Hrudhai01, jancallewaert, Mr-Neutr0n, pollak.peter89, ylwango613,

Version 3.9.3 2026-02-21

• Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
• Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
• Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
• Validate external StanfordSegmenter JARs using SHA256 (#3477)
• Add optional sandbox enforcement for filestring() (#3485)
• Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

• Update download checksums to use SHA256 in built index
• Fix percentage escape in new-style string formatting
• replace shortened URLs using goo.gl
• Make Wordnet interoperable with various taggers and tagged corpora
• Fix saving PerceptronTagger
• Document how to reproduce old Wordnet studies
• properly initialize Portuguese corpus reader
• support for mixed rules conversion into Chomsky Normal Form
• only import tkinter if a GUI is needed
• issue #2112 with Corenlp
• new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL
• Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

... (truncated)

Commits

• ad9c96b Update copyright year
• 7edcddf Updates for 3.9.4 release
• 67a2736 Merge pull request #3180 from yzhaoinuw/bug-on-edit_distance_align
• 2b17ac5 Fix edit_distance_align backtrace for high substitution costs
• 4b72976 Merge pull request #3018 from JuanIMartinezB/bug/shortid-longid
• 8a5619f Merge pull request #3222 from Syzygy2048/feature/texttiling-vocabulary-introd...
• c6574d7 Merge pull request #3289 from ihitamandal/codeflash/optimize-windowdiff-2024-...
• 98ff5d9 Merge pull request #3435 from Hrudhai01/fix-3260-detokenize-quotes
• aec4fce Merge pull request #3522 from ekaf/pathsec
• eec4ee3 Merge pull request #3526 from nltk/update-contributing
• Additional commits viewable in compare view

Updates requests from 2.32.0 to 2.33.0

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

New Contributors

• @​M0d3v1 made their first contribution in psf/requests#6865
• @​aminvakil made their first contribution in psf/requests#7220
• @​E8Price made their first contribution in psf/requests#6960
• @​mitre88 made their first contribution in psf/requests#7244
• @​magsen made their first contribution in psf/requests#6553
• @​Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

v2.32.5

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

v2.32.4

2.32.4 (2025-06-10)

... (truncated)

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

... (truncated)

Commits

• bc04dfd v2.33.0
• 66d21cb Merge commit from fork
• 8b9bc8f Move badges to top of README (#7293)
• e331a28 Remove unused extraction call (#7292)
• 753fd08 docs: fix FAQ grammar in httplib2 example
• 774a0b8 docs(socks): same block as other sections
• 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
• ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
• 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
• d568f47 docs: clarify Quickstart POST example (#6960)
• Additional commits viewable in compare view

Updates litestar from 2.8.3 to 2.18.0

Release notes

Sourced from litestar's releases.

v2.18.0

Sponsors 🌟

Thanks to these incredible business sponsors:

• Scalar (@​scalar), Telemetry Sports (via @​chris-telemetry)

Thanks to these incredible personal sponsors:

• Polar.sh: @​Nozavi, @​cemrehancavdar, @​thomastu
• GitHub Sponsors: @​roboflow, @​benjamin-kirkbride, @​ddahan, @​cbscsm
• OpenCollective: Christian Y, Shaun Wah, Jordan Russel

What's changed

Bugfixes 🐛

• fix: CLI - Fix command registration by @​cofin in litestar-org/litestar#4298
• fix: remove deprecation warning from polyfactory by @​adhtruong in litestar-org/litestar#4292
• fix(routing): Ensure a MethodNotAllowedException exception during routing properly sets Allow header by @​provinzkraut in litestar-org/litestar#4289
• fix: Preserve empty strings in multipart/form-data requests (#4204) by @​doubledare704 in litestar-org/litestar#4271
• fix(OpenAPI): constraint check logic by @​floxay in litestar-org/litestar#4282
• fix: KeyError when using 'data' kwarg in dependency functions by @​doubledare704 in litestar-org/litestar#4270
• fix(OpenAPI): reenable using Parameter() to set an Enum's schema fields by @​250MHz in litestar-org/litestar#4251
• fix(cli): set --app and --app-dir as eager parameters by @​IDrokin117 in litestar-org/litestar#4341
• fix(channels/plugin): fix typo with pub_task cancelling in _on_shutdown method ChannelsPlugin by @​Peopl3s in litestar-org/litestar#4374
• fix(channels/backend/memory): add KeyError-safe delete channel from history by @​Peopl3s in litestar-org/litestar#4389
• fix(cli): pass the --app-dir option to the uvicorn subprocess when the reload option is enabled. by @​IDrokin117 in litestar-org/litestar#4352
• fix: change Optional to NotRequired in OpenAPI pydantic plugin by @​raidzin in litestar-org/litestar#4347
• fix(OpenAPI): Fix Stream response being treated as File response in OpenAPI schema by @​provinzkraut in litestar-org/litestar#4371

New features 🚀

• feat: deprecate litestar.plugins.sqlalchemy module for v3 removal by @​cofin in litestar-org/litestar#4343
• feat(pydantic): add round_trip parameter to PydanticPlugin by @​sobolevn in litestar-org/litestar#4350

Other changes

• docs: add reference for advanced alchemy sessions by @​Harshal6927 in litestar-org/litestar#4275
• docs: Fix Provide import in FastAPI migration guide by @​edgarrmondragon in litestar-org/litestar#4281
• docs: fix literal include lines in 03-repository-controller by @​HairlessVillager in litestar-org/litestar#4269
• docs: fix lifespan migration from fastapi by @​cclinet in litestar-org/litestar#4268
• docs: Fix incorrect link to sponsors on README.md by @​snqb in litestar-org/litestar#4325
• docs: fix(README/PYPI_README): remove duplicate of mgspec and attrs link by @​Peopl3s in litestar-org/litestar#4380
• docs: fix(getting-started): replace structlog to polyfactory for Polyfactory section by @​Peopl3s in litestar-org/litestar#4385
• docs: fix(docs/realse-notes): fix broken links to realse notes by @​Peopl3s in litestar-org/litestar#4368

New contributors 🎉

• @​Shekhrozx made their first contribution in litestar-org/litestar#4290
• @​raidzin made their first contribution in litestar-org/litestar#4347
• @​doubledare704 made their first contribution in litestar-org/litestar#4270
• @​snqb made their first contribution in litestar-org/litestar#4325
• @​cclinet made their first contribution in litestar-org/litestar#4268
• @​HairlessVillager made their first contribution in litestar-org/litestar#4269

... (truncated)

Commits

• c7b9b1c chore: Prepare release 2.18.0 (#4403)
• 784169c fix: typescript export not handling NotRequired and regression with handling ...
• 42a89e0 Merge commit from fork
• 7e5d67c chore: v2 - linting fixes (#4402)
• 9da91e1 chore: Delete extraneous file
• 505368b feat(pydantic): add round_trip parameter to PydanticPlugin (#4350)
• d7ca4bd docs: fix(docs/realse-notes): fix broken links to realse notes (#4368)
• 03cf622 fix(OpenAPI): Fix Stream response being treated as File response in OpenA...
• 2e75d10 docs: fix(getting-started): replace structlog to polyfactory for Polyfactory ...
• d41aff6 fix: change Optional to NotRequired in OpenAPI pydantic plugin (#4347)
• Additional commits viewable in compare view

Updates dynaconf from 3.2.4 to 3.2.13

Release notes

Sourced from dynaconf's releases.

3.2.13

What's Changed

Bug Fixes

• Fix @jinja and @format templating vulnerabilities. *By @​pedro-psb *.
• Fix failing @get converter. *By @​rochacbruno *

Full Changelog: dynaconf/dynaconf@3.2.12...3.2.13

3.2.12

What's Changed

• Incremental improvment to access performance by @​pedro-psb in dynaconf/dynaconf#1304
• fix: get method to return Any type. by @​rochacbruno in dynaconf/dynaconf#1314
• perf: add lru caching to find_the_correct_casing function by @​pedro-psb in dynaconf/dynaconf#1326

Full Changelog: dynaconf/dynaconf@3.2.11...3.2.12

3.2.11

What's Changed

Release version 3.2.11

Shortlog of commits since last release:

• Bruno Rocha (9): @​rochacbruno

  • fix(cli): handle empty hooks and boolean environments.
  • fix: Better way for CLI to find the Django Settings
  • fix: windows CI
  • feat: Run CLI as module with python -m dynaconf (#1290)
  • fix: use sys.argv instead of click.get_os_args (#1292)
  • fix: -k must exit code 1 when key do not exist (#1293)
  • feat: envless load file (#1295)
  • fix: add correct supported python version to 3.2.x

• Fabricio Aguiar (1): @​fao89

  • fix: make raw variables private (#1287)

• Pedro Brochado (1): @​pedro-psb

  • docs: clarification on redis hash title when using custom envvar prefixes (#1273)

Milestone https://github.com/dynaconf/dynaconf/milestone/31?closed=1

Full Changelog: dynaconf/dynaconf@3.2.10...3.2.11

3.2.10

Hot Fixes

• Hotfix hook collector to avoid eager evaluation. (#1255). By Bruno Rocha.

... (truncated)

Changelog

Sourced from dynaconf's changelog.

3.2.13 - 2026-03-17

Chore

• fix linting errors and pre-commit config. By Pedro Brochado.

3.2.12 - 2025-10-10

Bug Fixes

• get method to return Any type.. By Bruno Rocha.
• remove unnecessary recursive evaluation call on Settings.get. By Pedro Brochado.
• improve performance of settings access in a loop (part 1). By Pedro Brochado.

3.2.11 - 2025-05-06

Bug Fixes

• add correct supported python version to 3.2.x. By Bruno Rocha.
• -k must exit code 1 when key do not exist (#1293). By Bruno Rocha.
• use sys.argv instead of click.get_os_args (#1292). By Bruno Rocha.
• windows CI. By Bruno Rocha.
• make raw variables private (#1287). By Fabricio Aguiar.
• Better way for CLI to find the Django Settings. By Bruno Rocha.
• handle empty hooks and boolean environments.. By Bruno Rocha.

Features

• envless load file (#1295). By Bruno Rocha.
• Run CLI as module with python -m dynaconf (#1290). By Bruno Rocha.

Docs

• clarification on redis hash title when using custom envvar prefixes (#1273). By Pedro Brochado.

3.2.10 - 2025-02-17

Bug Fixes

• Hotfix hook collector to avoid eager evaluation. (#1255). By Bruno Rocha.

3.2.9 - 2025-02-16

3.2.8 - 2025-02-16

Bug Fixes

• Parse data type on merge with comma separated value. By Bruno Rocha.

Features

... (truncated)

Commits

• 3c39a2c Release version 3.2.13
• 379fc67 chore: fix linting errors and pre-commit config
• 2fbb45e Fix @​jinja and @​format templating vulnerabilities
• 8547454 backport #1347 fix failing get converter
• 83c1690 Bump to version 3.2.13-dev0
• 7606f35 Release version 3.2.12
• da44e51 perf: add lru caching to find_the_correct_casing function (#1326)
• b75eda0 fix: get method to return Any type.
• 4f3df1a misc: add some profile/perf scripts
• 420aceb refactor: merge safe{get,copy} into .get and .copy
• Additional commits viewable in compare view

Updates urllib3 from 1.26.19 to 2.6.3

Release notes

Sourced from urllib3's releases.

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by @​D47A, 8.9 High, GHSA-38jv-5279-wg99)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. (urllib3/urllib3#3743)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. (urllib3/urllib3#3752)

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)

2.6.1

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. (#3731)

2.6.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @​Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @​illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)

[!IMPORTANT]

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.

... (truncated)

Changelog

Sourced from urllib3's changelog.

2.6.3 (2026-01-07)

• Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. ([#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743>__)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. ([#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752>__)

2.6.2 (2025-12-11)

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. ([#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734>__)

2.6.1 (2025-12-08)

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. ([#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731>__)

2.6.0 (2025-12-05)

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using

... (truncated)

Commits

• 0248277 Release 2.6.3
• 8864ac4 Merge commit from fork
• 70cecb2 Fix Scorecard issues related to vulnerable dev dependencies (#3755)
• 41f249a Move "v2.0 Migration Guide" to the end of the table of contents (#3747)
• fd4dffd Patch VerifiedHTTPSConnection for Emscripten (#3752)
• 13f0bfd Handle massive values in Retry-After when calculating time to sleep for (#3743)
• 8c480bf Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#3748)
• 4b40616 Bump actions/cache from 4.3.0 to 5.0.1 (#3750)
• 82b8479 Bump actions/download-artifact from 6.0.0 to 7.0.0 (#3749)
• 34284cb Mention experimental features in the security policy (#3746)
• Additional commits viewable in compare view

Updates ujson from 5.4.0 to 5.12.0

Release notes

Sourced from ujson's releases.

5.12.0

Added

• Update license field (#693) @​wagenrace
• Build wheels for GraalPy (#685) @​timfel

Changed

• Drop support for Python 3.9 (#686) @​hugovk

Fixed

• Fix memory leak parsing large integers (ultrajson/ultrajson@4baeb95) @​bwoodsend
• Fix buffer overflow/infinite loop from indent handling (#709) @​bwoodsend
• Remove upper bound of setuptools for PyPy (#704) @​hugovk

5.11.0

Added

• Inline type stubs (#674) @​MarcoGorelli
• Add support for Python 3.14 (#680) @​hugovk
• Add support for PyPy3.11 (#658) @​hugovk
• Add Windows ARM64 wheels (#663) @​tonybaloney

Changed

• Migrate to src/ layout (#664) @​hugovk
• Build aarch64 wheels using native runners (#652) @​hugovk
• Drop support for EOL Python 3.8 (#645) @​hugovk
• Drop support for EOL PyPy3.8-PyPy3.10 (#639, #682) @​hugovk

Fixed

• fix(ujson.loads): raises a JSONDecodeError instead of SystemError when parsing a nested json string (#667) @​grandnew
• Pin setuptools < 72.2 to fix build on PyPy (#638) @​hugovk
• Update README.md example to match actual output (#654) @​AvdN

5.10.0

Added

• Add support for Python 3.13 (#628) @​hugovk

5.9.0

Breaking

• Raise TypeError if toDict() returns a non-dict instead of silently converting it to null (#615) @​eltoder
• Use lowercase strings for bool dict keys (#614) @​eltoder

Added

... (truncated)

Commits

• 4baeb95 Fix memory leak parsing large integers
• 486bd45 Fix buffer overflow/infinite loop from indent handling
• a465ed7 Add leak detection to tests
• 32ebf66 Remove upper bound of setuptools for PyPy (#704)
• 6bf41bd Remove upper bound of setuptools for PyPy
• 4a4fd73 chore(deps): update github-actions
• d708b05 Add security policy (#699)
• 3d66f4d Add security policy
• 8f23cce [pre-commit.ci] pre-commit autoupdate (#698)
• 2696fc3 [pre-commit.ci] pre-commit autoupdate
• Additional commits viewable in compare view

Updates cryptography from 43.0.1 to 46.0.5

Changelog

Sourced from cryptography's changelog.

46.0.5 - 2026-02-10

* An attacker could create a malicious public key that reveals portions of your
  private key when using certain uncommon elliptic curves (binary curves).
  This version now includes additional security checks to prevent this attack.
  This issue only affects binary elliptic curves, which are rarely used in
  real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
  Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
  **CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
  removed in the next release.
.. v46-0-4:
46.0.4 - 2026-01-27

• Dropped support for win_arm64 wheels_.
• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

.. _v46-0-3:

46.0.3 - 2025-10-15

* Fixed compilation when using LibreSSL 4.2.0.
.. _v46-0-2:
46.0.2 - 2025-09-30

• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.4.

.. _v46-0-1:

46.0.1 - 2025-09-16

* Fixed an issue where users installing via ``pip`` on Python 3.14 development
  versions would not properly install a dependency.
* Fixed an issue building the free-threaded macOS 3.14 wheels.
.. _v46-0-0:
46.0.0 - 2025-09-16

• BACKWARDS INCOMPATIBLE: Support for Python 3.7 has been removed.

... (truncated)

Commits

• 06e120e bump version for 46.0.5 release (#14289)
• 0eebb9d EC check key on cofactor > 1 (#14287)
• bedf6e1 fix openssl version on 46 branch (#14220)
• e6f44fc bump for 46.0.4 and drop win arm64 due to CI issues (#14217)
• c0af4dd release 46.0.3 (#13681)
• 99efe5a bump version for 46.0.2 (#13531)
• e735cfc release 46.0.1 (#13450)
• 4e457ff Explicitly specify python in mac uv build invocation (#13447)
• 2726efd Depend on CFFI 2.0.0 or newer on Python > 3.8 (#13448)
• 6223062 release 46.0.0 (#13446)
• Additional commits viewable in compare view

Updates transformers from 4.39.3 to 4.53.0

Release notes

Sourced from transformers's releases.

Release v4.53.0

Gemma3n

Gemma 3n models are designed for efficient execution on low-resource devices. They are capable of multimodal input, handling text, image, video, and audio input, and generating text outputs, with open weights for pre-trained and instruction-tuned variants. These models were trained with data in over 140 spoken languages.

Gemma 3n models use selective parameter activation technology to reduce resource requirements. This technique allows the models to operate at an effective size of 2B and 4B parameters, which is lower than the total number of parameters they contain. For more information on Gemma 3n's efficient parameter management technology, see the Gemma 3n page.

from transformers import pipeline
import torch
pipe = pipeline(
"image-text-to-text",
torch_dtype=torch.bfloat16,
model="google/gemma-3n-e4b",
device="cuda",
)
output = pipe(
"https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/bee.jpg",
text="<image_soft_token> in this image, there is"
)
print(output)

Dia