Bump the python-dependencies group with 16 updates

[dependabot]

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

---

Updates the requirements on filelock, fonttools, huggingface-hub, matplotlib, opencv-python, pillow, platformdirs, regex, requests, torch, tqdm, transformers, urllib3, protobuf, pytest and uv-build to permit the latest version.
Updates filelock from 3.20.3 to 3.29.0

Release notes

Sourced from filelock's releases.

3.29.0

What's Changed

• 🐛 fix(async): use single-thread executor for lock consistency by @​gaborbernat in tox-dev/filelock#533
• ✨ feat(soft): enable stale lock detection on Windows by @​gaborbernat in tox-dev/filelock#534

Full Changelog: tox-dev/filelock@3.28.0...3.29.0

3.28.0

What's Changed

• 🐛 fix(ci): unbreak release workflow, publish to PyPI again by @​gaborbernat in tox-dev/filelock#529

Full Changelog: tox-dev/filelock@3.27.0...3.28.0

3.27.0

What's Changed

• ✨ feat(rw): add SoftReadWriteLock for NFS and HPC clusters by @​gaborbernat in tox-dev/filelock#528

Full Changelog: tox-dev/filelock@3.26.1...3.27.0

3.26.1

What's Changed

• 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handling by @​naarob in tox-dev/filelock#518

New Contributors

• @​naarob made their first contribution in tox-dev/filelock#518

Full Changelog: tox-dev/filelock@3.26.0...3.26.1

3.26.0

What's Changed

• 🔒 ci(workflows): add zizmor security auditing by @​gaborbernat in tox-dev/filelock#517
• 🔧 fix(ci): restore git credentials for release job by @​gaborbernat in tox-dev/filelock#520
• ✨ feat(soft): add PID inspection and lock breaking by @​gaborbernat in tox-dev/filelock#524

Full Changelog: tox-dev/filelock@3.25.2...3.26.0

... (truncated)

Changelog

Sourced from filelock's changelog.

########### Changelog ###########

---

3.29.0 (2026-04-19)

---

• ✨ feat(soft): enable stale lock detection on Windows :pr:534
• 🐛 fix(async): use single-thread executor for lock consistency :pr:533
• build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 :pr:530 - by :user:dependabot[bot]

---

3.28.0 (2026-04-14)

---

• 🐛 fix(ci): unbreak release workflow, publish to PyPI again :pr:529

---

3.26.1 (2026-04-09)

---

• 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handling :pr:518 - by :user:naarob
• build(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 :pr:525 - by :user:dependabot[bot]

---

3.26.0 (2026-04-06)

---

• ✨ feat(soft): add PID inspection and lock breaking :pr:524
• [pre-commit.ci] pre-commit autoupdate :pr:523 - by :user:pre-commit-ci[bot]
• build(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 :pr:522 - by :user:dependabot[bot]
• Remove persist-credentials: false from release job :pr:520
• [pre-commit.ci] pre-commit autoupdate :pr:519 - by :user:pre-commit-ci[bot]
• 🔒 ci(workflows): add zizmor security auditing :pr:517
• [pre-commit.ci] pre-commit autoupdate :pr:516 - by :user:pre-commit-ci[bot]
• [pre-commit.ci] pre-commit autoupdate :pr:514 - by :user:pre-commit-ci[bot]

---

3.25.2 (2026-03-11)

---

• 🐛 fix(unix): suppress EIO on close in Docker bind mounts :pr:513

---

3.25.1 (2026-03-09)

---

• [pre-commit.ci] pre-commit autoupdate :pr:510 - by :user:pre-commit-ci[bot]
• 🐛 fix(win): restore best-effort lock file cleanup on release :pr:511

... (truncated)

Commits

• 469b47f Release 3.29.0
• e85d072 ✨ feat(soft): enable stale lock detection on Windows (#534)
• f5ee171 🐛 fix(async): use single-thread executor for lock consistency (#533)
• 2a95458 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#530)
• 55de20c Release 3.28.0
• 476b0e4 🐛 fix(ci): unbreak release workflow, publish to PyPI again (#529)
• 824713e ✨ feat(rw): add SoftReadWriteLock for NFS and HPC clusters (#528)
• 9879de9 [pre-commit.ci] pre-commit autoupdate (#527)
• 4cfab49 Release 3.26.1
• 734c9f2 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handli...
• Additional commits viewable in compare view

Updates fonttools from 4.61.1 to 4.63.0

Release notes

Sourced from fonttools's releases.

4.63.0

• [ttLib] Add support for Apple Color Emoji bgcl table (#4065).
• [ttLib] Add support for IFT and IFTX tables (Incremental Font Transfer, PatchMapFormat2) (#4070, #4072).
• [otData] Introduce FieldSpec dataclass for OpenType table schema definitions, replacing raw tuples in otData.py (#4076).
• [Feat] Show name table strings as comments next to label IDs in TTX output, matching the convention used by fvar, STAT, trak (#4089).
• [cu2qu] Fix Cython complex-division rounding difference in split_cubic_into_three that could cause ±1 off-curve coordinate shifts (#3928, #4083).
• [designspaceLib] Fix map_backwardgooglefonts/ufo2ft#978#4085).
• [OS/2] Fix setUnicodeRanges to accept reserved bits 123-127, restoring round-trip with getUnicodeRanges and fixing recalcUnicodeRanges crash in the subsetter (#4087, #4088).
• [cython] Declare Cython extensions as free-threading compatible on Python 3.13+, so that importing them on free-threaded Python no longer re-enables the GIL (#4073, #4090).

4.62.1

• [feaLib] Extend contextual rule merging to all rule types: single subst, GSUB/GPOS named lookups, ignore rules, and chained alternate subst (#4061).

4.62.0

• [diff] Add new fonttools diff command for comparing font files, imported from the fdiff project and heavily reworked (#1190, #4007, #4009, #4011, #4013, #4019).
• [feaLib] Fix VariableScalar interpolation bug with non-linear avar mappings. Also decouple VariableScalar from compiled fonts, allowing it to work with designspace data before compilation (#3938, #4054).
• [feaLib] Fix VariableScalar axis ordering and iterative delta rounding to match fontc behavior (#4053).
• [feaLib] Merge chained multi subst rules with same context into a single subtable instead of emitting one subtable per glyph (#4016, #4058).
• [feaLib] Pass location to ConditionsetStatementfontra/fontra-glyphs#130#4057).
• [feaLib] Write 0xFFFF instead of 0 for missing nameIDs in cv feature params (#4010, #4012).
• [cmap] Fix CmapSubtable.__lt__() TypeError on Python 3 when subtables share the same encoding record, and add compile-time validation for unique encoding records (#4035, #4055).
• [svgLib] Skip non-element XML nodes (comments, processing instructions) when drawing SVG paths (#4042, #4043).
• [glifLib] Fix regression reading glyph outlines when glyphObject=None (#4030, #4031).
• [pointPen] Fix SegmentToPointPen edge case: only remove a duplicate final point on closePath() if it is an on-curve point (#4014, #4015).
• [cffLib] SECURITY Replace eval() with safeEval() in parseBlendList() to prevent arbitrary code execution from crafted TTX files (#4039, #4040).
• [ttLib] Remove defunct Adobe SING Glyphlet tables (META, SING, GMAP, GPKG) (#4044).
• [varLib.interpolatable] Various bugfixes: fix swapped nodeTypes assignment, duplicate kink-detector condition, typos, CFF2 vsindex parsing, glyph existence check, and plot helpers (#4046).
• [varLib.models] Fix getSubModel not forwarding extrapolate/axisRanges; check location uniqueness after stripping zeros (#4047).
• [varLib] Fix --variable-fonts filter in build_many; remove dead code and fix comments (#4048).
• [avar] Preserve existing name table in build; keep unbuild return types consistent; validate map CLI coordinates (#4051).
• [cu2qu/qu2cu] Add input validation: reject non-positive tolerances, validate curve inputs and list lengths (#4052).
• [colorLib] Raise a clear ColorLibError when base glyphs are missing from glyphMap, instead of a confusing KeyError (#4041).
• [glyf] Remove unnecessary fvar table dependency (#4017).
• [fvar/trak] Remove unnecessary name table dependency (#4018).
• [ufoLib] Relax guideline validation to follow the updated spec (#3537, #3553).
• [ttFont] Fix saveXML regression with empty table lists, clarify docstring (#4025, #4026, #4056).
• [setup.py] Link libm for Cython extensions using math functions (#4028, #4029).
• Add typing annotations for DSIG, DefaultTable, ttProgram (#4033).

Changelog

Sourced from fonttools's changelog.

4.63.0 (released 2026-05-14)

• [ttLib] Add support for Apple Color Emoji bgcl table (#4065).
• [ttLib] Add support for IFT and IFTX tables (Incremental Font Transfer, PatchMapFormat2) (#4070, #4072).
• [otData] Introduce FieldSpec dataclass for OpenType table schema definitions, replacing raw tuples in otData.py (#4076).
• [Feat] Show name table strings as comments next to label IDs in TTX output, matching the convention used by fvar, STAT, trak (#4089).
• [cu2qu] Fix Cython complex-division rounding difference in split_cubic_into_three that could cause ±1 off-curve coordinate shifts (#3928, #4083).
• [designspaceLib] Fix map_backward for many-to-one (flat-segment) axis maps that silently dropped entries via dict comprehension googlefonts/ufo2ft#978#4085).
• [OS/2] Fix setUnicodeRanges to accept reserved bits 123-127, restoring round-trip with getUnicodeRanges and fixing recalcUnicodeRanges crash in the subsetter (#4087, #4088).
• [cython] Declare Cython extensions as free-threading compatible on Python 3.13+, so that importing them on free-threaded Python no longer re-enables the GIL (#4073, #4090).

4.62.1 (released 2026-03-13)

• [feaLib] Extend contextual rule merging to all rule types: single subst, GSUB/GPOS named lookups, ignore rules, and chained alternate subst (#4061).

4.62.0 (released 2026-03-09)

• [diff] Add new fonttools diff command for comparing font files, imported from the fdiff project and heavily reworked (#1190, #4007, #4009, #4011, #4013, #4019).
• [feaLib] Fix VariableScalar interpolation bug with non-linear avar mappings. Also decouple VariableScalar from compiled fonts, allowing it to work with designspace data before compilation (#3938, #4054).
• [feaLib] Fix VariableScalar axis ordering and iterative delta rounding to match fontc behavior (#4053).
• [feaLib] Merge chained multi subst rules with same context into a single subtable instead of emitting one subtable per glyph (#4016, #4058).
• [feaLib] Pass location to ConditionsetStatement to fix glyphsLib round-tripping fontra/fontra-glyphs#130#4057).
• [feaLib] Write 0xFFFF instead of 0 for missing nameIDs in cv feature params (#4010, #4012).
• [cmap] Fix CmapSubtable.__lt__() TypeError on Python 3 when subtables share the same encoding record, and add compile-time validation for unique encoding records (#4035, #4055).
• [svgLib] Skip non-element XML nodes (comments, processing instructions) when drawing SVG paths (#4042, #4043).

... (truncated)

Commits

• 978d9ed Release 4.63.0
• 6b40ecb Add changelog entries for 4.63.0
• 382a35f Merge pull request #4090 from fonttools/fix-freethreading-compat
• 0e999b5 Declare Cython extensions as free-threading compatible
• 9e55ea5 Merge pull request #4089 from fonttools/graphite-feat-labels
• e84db3a Merge pull request #4088 from fonttools/fix-setUnicodeRanges-bits-123-127
• d6eabd1 Feat: show name table strings as comments next to label IDs in ttx
• 7d0902b OS/2: fix setUnicodeRanges round-trip for reserved bits 123-127
• 06e266c Merge pull request #4085 from fonttools/fix-map-backward-non-injective
• 6d64598 Add more tests for map_backward with many-to-one axis maps
• Additional commits viewable in compare view

Updates huggingface-hub from 1.3.2 to 1.16.1

Release notes

Sourced from huggingface-hub's releases.

[v1.16.1] [Hot-fix] [Inference] Remove Together ASR task to drop urllib3 dependency

• [Hot-fix] [Inference] Remove Together ASR task to drop urllib3 dependency by @​Wauplin in #4248

Full Changelog: huggingface/huggingface_hub@v1.16.0...v1.16.1

[v1.16.0] Together goes multimodal on Inference Providers, CLI improvements, and token security

⚡ Together goes multimodal on Inference Providers

Together now supports five additional task types beyond chat and text-to-image on Inference Providers:

• feature_extraction
• text_to_speech
• automatic_speech_recognition EDIT: hot-fix v1.16.1 removed this task (see huggingface/huggingface_hub#4248) to fix a dependency issue. We will add it back in a future release.
• image_to_image
• text_to_video

from huggingface_hub import InferenceClient
client = InferenceClient(provider="together")
Embeddings
embeddings = client.feature_extraction("Hello world", model="intfloat/multilingual-e5-large-instruct")
Text-to-speech
audio = client.text_to_speech("Hello world", model="hexgrad/Kokoro-82M", extra_body={'voice': 'af_heart'})
Text-to-video
video = client.text_to_video("A cat on the moon", model="Wan-AI/Wan2.2-T2V-A14B")

• [Inference] Add embeddings, TTS, ASR, image-to-image and video tasks for Together by @​nbroad1881 in #4164

📚 Documentation: Inference guide

🔗 Centralized hf:// URI parsing

All scattered ad-hoc hf:// URI parsers throughout the codebase have been consolidated onto the new parse_hf_uri/parse_hf_mount helpers. This brings consistent parsing behavior, a new is_hf_uri public helper for validating URIs, and proper handling of @ in filenames (now treated as literal). The CLI error handler now catches HfUriError and displays a clean message instead of a raw traceback.

🚨 Breaking Changes

This migration includes several breaking changes: BucketUrl.handle has been renamed to BucketUrl.uri (type changed from str to HfUri, use .to_uri() for the string form), Volume.to_hf_handle() has been renamed to Volume.to_uri(), single-segment repo IDs (e.g. gpt2) are no longer supported in HfFileSystem paths or CLI -v flags — you must use the namespace/name format instead.

• [Core] Migrate hf:// URI parsing to centralized parse_hf_uri by @​Wauplin in #4189

📚 Documentation: CLI guide | Buckets guide

🖥️ CLI

Global --no-truncate flag for CLI tables

... (truncated)

Commits

• ff0cc60 Release: v1.16.1
• a77e961 [Inference] Remove Together ASR task to drop urllib3 dependency (#4248)
• c68a383 Release: v1.16.0
• fa7fc45 Release: v1.16.0.rc0
• 06d6990 [Jobs] Add ephemeral_storage field to JobHardware (#4233)
• 2618a54 [CLI] Surface job runtime fields in ps + inspect (#4211)
• 356b712 [CI] make test_model_info_with_security for robust (#4246)
• 609e64a [CLI] Raise error when both --local-dir and --cache-dir are provided (#4245)
• b4fd28d [Download] Fix snapshot bar inflation on http_get retry (#4209)
• a117e68 [CLI] Expose linked repos in PaperInfo (#4240)
• Additional commits viewable in compare view

Updates matplotlib from 3.10.8 to 3.10.9

Release notes

Sourced from matplotlib's releases.

v3.10.9

This is a micro release of the v3.10.x series. Highlights of this release include:

• Various minor bug and doc fixes
• Security hardening validation of cyclers - Removing eval usage
• Security hardening in Latex and PS calls - Removing shell escapes

Commits

• dd8d78b REL: v3.10.9
• 2fb1891 REL: Release prep v3.10.9
• d0e923a Merge branch 'v3.10.8-doc' into v3.10.x
• 1637932 Merge pull request #31558 from meeseeksmachine/auto-backport-of-pr-31556-on-v...
• a83faac Backport PR #31556: FIX: Inverted PyErr_Occurred check in enum type caster (_...
• a4f57ab Merge pull request #31545 from ksunden/backport-of-pr-31282-on-v3.10.x
• 063288d Merge pull request #31544 from ksunden/backport-of-pr-31248-on-v3.10.x
• b2ed196 Backport PR #31248: SEC: Remove eval() from validate_cycler
• acc6024 Merge pull request #31282 from scottshambaugh/tex_no_shell
• e3fb541 Merge pull request #31078 from meeseeksmachine/auto-backport-of-pr-31075-on-v...
• Additional commits viewable in compare view

Updates opencv-python from 4.13.0.90 to 4.13.0.92

Release notes

Sourced from opencv-python's releases.

4.13.0.92

Follow up release for 4.13.0 with X server dependency fix. See #28438 for details.

Commits

• See full diff in compare view

Updates pillow from 12.1.1 to 12.2.0

Release notes

Sourced from pillow's releases.

12.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html

Documentation

• Update 12.2.0 release notes #9522 [@​hugovk]
• Add loader plugins: AMOS abk, Atari Degas, 40+ more obscure formats via Netpbm #9482 [@​bitplane]
• Update Python versions #9515 [@​radarhere]
• Jeffrey A. Clark -> Jeffrey 'Alex' Clark #9513 [@​aclark4life]
• Add release notes for #9394, #9419 and #9456 #9467 [@​radarhere]
• Add Amiga Workbench .info loader to 3rd party plugins list #9459 [@​bitplane]
• Merge PFM documentation into PPM #9434 [@​radarhere]
• Update macOS tested Pillow versions #9431 [@​radarhere]
• Fix CVE number #9430 [@​hugovk]

Dependencies

• Update xz to 5.8.3 #9523 [@​radarhere]
• Update libjpeg-turbo to 3.1.4.1 #9507 [@​radarhere]
• Update libpng to 1.6.56 #9499 [@​radarhere]
• Update freetype to 2.14.3 #9485 [@​radarhere]
• Updated libavif to 1.4.1 #9479 [@​radarhere]
• Updated harfbuzz to 13.2.1 #9461 [@​radarhere]
• Update Ghostscript to 10.7.0 #9469 [@​radarhere]
• Update harfbuzz to 13.0.1 #9453 [@​radarhere]
• Update libavif to 1.4.0 #9460 [@​radarhere]
• Update freetype to 2.14.2 #9449 [@​radarhere]
• Update actions/download-artifact action to v8 #9451 [@renovate[bot]]
• Updated libpng to 1.6.55 #9425 [@​radarhere]

Testing

• Cleanup .spider extension in the same test where it is added #9517 [@​radarhere]
• Run tests in parallel via tox for 3.5x speedup #9516 [@​hugovk]
• Enable colour in CI logs #9486 [@​hugovk]
• Update Ghostscript to 10.7.0 #9469 [@​radarhere]
• Simplify TGA test code #9477 [@​radarhere]
• Update tests to check for ValueError when encoding an empty image #9464 [@​radarhere]
• Upgrade CI from macos-15-intel to macos-26-intel #9454 [@​hugovk]
• Add check-case-conflict hook #9446 [@​radarhere]
• Specify platform when pulling docker image #9440 [@​radarhere]
• GHA: Cache libavif and webp builds for Ubuntu #9437 [@​hugovk]
• Update macOS tested Pillow versions #9431 [@​radarhere]

Other changes

• Check calloc return value #9527 [@​radarhere]
• Check all allocs in the Arrow tree #9488 [@​wiredfool]
• Reject non-numeric elements inside list coords #9526 [@​hugovk]
• Move variable declaration inside define #9525 [@​radarhere]

... (truncated)

Commits

• 3c41c09 12.2.0 version bump
• cdaa29e Check calloc return value (#9527)
• 585b2f5 Check calloc return value
• ecf011e Check all allocs in the Arrow tree (#9488)
• cf6de8c Reject non-numeric elements inside list coords (#9526)
• ffdcede Update 12.2.0 release notes (#9522)
• 7929d77 Added security release notes (#149)
• c4f7aa5 Added security release notes
• 22cdb5f Move variable declaration inside define (#9525)
• fc15b3b Resize tall images vertically first (#9524)
• Additional commits viewable in compare view

Updates platformdirs from 4.5.1 to 4.9.6

Release notes

Sourced from platformdirs's releases.

4.9.6

What's Changed

• 🐛 fix(release): use double quotes for tag variable expansion by @​gaborbernat in tox-dev/platformdirs#477

Full Changelog: tox-dev/platformdirs@4.9.5...4.9.6

4.9.4

What's Changed

• Add permissions to workflows by @​gaborbernat in tox-dev/platformdirs#455
• Move SECURITY.md to .github/SECURITY.md by @​gaborbernat in tox-dev/platformdirs#456
• Standardize .github files to .yaml suffix by @​gaborbernat in tox-dev/platformdirs#458
• 📝 docs: add project logo to documentation by @​gaborbernat in tox-dev/platformdirs#459

Full Changelog: tox-dev/platformdirs@4.9.3...4.9.4

4.9.3

What's Changed

• Fix test failures on BSD for runtime directory defaults by @​Fridayai700 in tox-dev/platformdirs#451
• Respect XDG_CONFIG_HOME in _get_user_dirs_folder by @​bysiber in tox-dev/platformdirs#453
• Add missing _optionally_create_directory in Android user_log_dir and user_runtime_dir by @​bysiber in tox-dev/platformdirs#452

New Contributors

• @​Fridayai700 made their first contribution in tox-dev/platformdirs#451
• @​bysiber made their first contribution in tox-dev/platformdirs#453

Full Changelog: tox-dev/platformdirs@4.9.2...4.9.3

4.9.2

What's Changed

• 📝 docs(platforms): fix RST formatting and TOC hierarchy by @​gaborbernat in tox-dev/platformdirs#447
• 📝 docs: restructure following Diataxis framework by @​gaborbernat in tox-dev/platformdirs#448

Full Changelog: tox-dev/platformdirs@4.9.1...4.9.2

4.9.1

What's Changed

• 📝 docs: enhance README, fix issues, and reorganize platforms.rst by @​gaborbernat in tox-dev/platformdirs#445

... (truncated)

Changelog

Sourced from platformdirs's changelog.

########### Changelog ###########

---

4.9.6 (2026-04-09)

---

• 🐛 fix(release): use double quotes for tag variable expansion :pr:477

---

4.9.5 (2026-04-06)

---

• 📝 docs(appauthor): clarify None vs False on Windows :pr:476
• Separates implementations of macOS dirs that share a default :pr:473 - by :user:Goddesen
• Remove persist-credentials: false from release job :pr:472
• fix: do not duplicate site dirs in Unix.iter_{config,site}_dirs() when use_site_for_root is active :pr:469 - by :user:viccie30
• 🔧 fix(type): resolve ty 0.0.25 type errors :pr:468
• 🔒 ci(workflows): add zizmor security auditing :pr:467
• 🐛 fix(release): generate docstrfmt-compatible changelog entries :pr:463

---

4.9.4 (2026-03-05)

---

• [pre-commit.ci] pre-commit autoupdate :pr:461 - by :user:pre-commit-ci[bot]
• Update README.md
• 📝 docs: add project logo to documentation :pr:459
• Standardize .github files to .yaml suffix
• build(deps): bump the all group with 2 updates :pr:457 - by :user:dependabot[bot]
• Move SECURITY.md to .github/SECURITY.md
• Add permissions to workflows :pr:455
• Add security policy
• [pre-commit.ci] pre-commit autoupdate :pr:454 - by :user:pre-commit-ci[bot]

---

4.9.2 (2026-02-16)

---

• 📝 docs: restructure following Diataxis framework :pr:448
• 📝 docs(platforms): fix RST formatting and TOC hierarchy :pr:447

---

4.9.1 (2026-02-14)

---

• 📝 docs: enhance README, fix issues, and reorganize platforms.rst :pr:445

... (truncated)

Commits

• 56efd77 Release 4.9.6
• d5d812a 🐛 fix(release): use double quotes for tag variable expansion (#477)
• c2b0cee build(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 in the al...
• 7688069 Release 4.9.5
• 104d28b 📝 docs(appauthor): clarify None vs False on Windows (#476)
• 0955048 [pre-commit.ci] pre-commit autoupdate (#475)
• bd3c766 build(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 in the all group (#474)
• 749ac3f Separates implementations of macOS dirs that share a default (#473)
• cb88156 Remove persist-credentials: false from release job (#472)
• a501eab [pre-commit.ci] pre-commit autoupdate (#470)
• Additional commits viewable in compare view

Updates regex from 2026.1.15 to 2026.5.9

Changelog

Sourced from regex's changelog.

Version: 2026.5.9

Reverse matching with full unicode casefolding could lead to out-of-range string indexes.

Version: 2026.4.4

A fix for older Python versions before free-threading was  supported.

Version: 2026.4.3

More fixes for free-threading.

Version: 2026.3.32

Fixed segfault.

Version: 2026.3.31

Fixed bug again.

Version: 2026.3.30

Fixed bug.

Version: 2026.3.28

Fixed version.

Version: 2026.3.27

Various fixes, including ones to improve free-threading support.

Version: 2026.2.28

Replaced atomic operations with mutex on pattern object for free-threaded Python.

Version: 2026.2.26

PR [#598](https://github.com/mrabarnett/mrab-regex/issues/598): Fix race condition in storage caching with atomic operations.
Replaced use of PyUnicode_GET_LENGTH with PyUnicode_GetLength.

Version: 2026.2.19

Added \z as alias of \Z, like in re module.
Added prefixmatch as alias of match, like in re module.

Version: 2026.1.15

... (truncated)

Commits

• e57d185 Reverse matching with full unicode casefolding lead to out-of-range string in...
• bc57b04 A fix for older Python versions before free-threading was supported.
• 773e213 More fixes for free-threading.
• 5d51c75 Fixed segfault.
• 2aff2db Fixed bug again.
• 16af8ae Fixed bug.
• 2356563 Fixed bug.
• f579e8f Fixed version.
• 55315a0 Fixed version.
• 923d78e Various fixes, including ones to improve free-threading support.
• Additional commits viewable in compare view

Updates requests from 2.32.5 to 2.34.2

Release notes

Sourced from requests's releases.

v2.34.2

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2342-2026-05-14

v2.34.1

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

New Contributors

• @​k223kim made their first contribution in psf/requests#7433

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2341-2026-05-13

v2.34.0

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The

... (truncated)

Changelog

Sourced from requests's changelog.

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementat...

  Description has been truncated

[dependabot]

Labels

The following labels could not be found: dependencies, python. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.