⬆ bump the uv group across 1 directory with 15 updates #42

Merged: xeondesk merged 2 commits into main from dependabot/uv/uv-3b97dd6f62 on Mar 26, 2026

@dependabot (bot) commented on behalf of github on Mar 26, 2026

Bumps the uv group with 15 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| mcp | 1.22.0 | 1.23.0 |
| fastmcp | 2.13.1 | 2.14.2 |
| pypdf | 6.0.0 | 6.9.2 |
| lxml-html-clean | 0.3.1 | 0.4.4 |
| simpleeval | 1.0.3 | 1.0.5 |
| authlib | 1.6.6 | 1.6.9 |
| flask | 3.0.3 | 3.1.3 |
| langchain-text-splitters | 0.3.7 | 0.3.9 |
| nltk | 3.9.3 | 3.9.4 |
| onnx | 1.19.0 | 1.21.0rc1 |
| pillow | 12.1.0 | 12.1.1 |
| pyasn1 | 0.6.2 | 0.6.3 |
| requests | 2.32.5 | 2.33.0 |
| torch | 2.2.2 | 2.8.0 |
| unstructured | 0.16.23 | 0.18.18 |

Updates mcp from 1.22.0 to 1.23.0

Release notes

Sourced from mcp's releases.

v1.23.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/python-sdk@v1.22.0...v1.23.0

Commits
  • d3a1841 Merge commit from fork
  • fa851d9 feat: backwards-compatible create_message overloads for SEP-1577 (#1713)
  • f82b0c9 Support client_credentials flow with JWT and Basic auth (#1663)
  • 281fd47 Add SSE polling support (SEP-1699) (#1654)
  • 2cd178a Add on_session_created callback option (#1710)
  • c92bb2f SEP-1686: Tasks (#1645)
  • 5983a65 Skip empty SSE data to avoid parsing errors (#1670)
  • 02b7889 Implement SEP-1036: URL mode elicitation for secure out-of-band interactions ...
  • 27279bc Update doc string on custom_route (#1660)
  • f225013 feat: implement SEP-991 URL-based client ID (CIMD) support (#1652)
  • Additional commits viewable in compare view

Updates fastmcp from 2.13.1 to 2.14.2

Release notes

Sourced from fastmcp's releases.

v2.14.2: Port Authority

FastMCP 2.14.2 brings a wave of community contributions safely into the 2.x line. A variety of important fixes backported from 3.0 work improve OpenAPI 3.1 compatibility, MCP spec compliance for output schemas and elicitation, and correct a subtle base_url fallback issue. The CLI now gently reminds you that FastMCP 3.0 is on the horizon.

What's Changed

Enhancements 🔧

Fixes 🐞

Docs 📚

Full Changelog: PrefectHQ/fastmcp@v2.14.1...v2.14.2

v2.14.1: 'Tis a Gift to Be Sample

FastMCP 2.14.1 adds support for sampling with tools (SEP-1577). This exciting new feature lets servers pass tools to ctx.sample(), enabling agentic workflows where the server borrows the client's LLM and controls tool execution automatically. Pass any callable as a tool and FastMCP handles the loop: calling the LLM, executing tools, and feeding results back until a final response is produced. For fine-grained control, ctx.sample_step() makes a single LLM call and returns a SampleStep, letting you inspect tool calls, add custom logic, or build your own execution loop. Structured output via result_type returns validated Pydantic models instead of raw text. This release also adds AnthropicSamplingHandler alongside the existing OpenAI handler (newly promoted out of the experimental module), so clients and servers can provide sampling capability across major providers with ease.

What's Changed

New Features 🎉

Enhancements 🔧

Fixes 🐞

... (truncated)

Changelog

Sourced from fastmcp's changelog.



v3.0.2: Threecovery Mode II

Two community-contributed fixes: auth headers from MCP transport no longer leak through to downstream OpenAPI APIs, and background task workers now correctly receive the originating request ID. Plus a new docs example for context-aware tool factories.

Fixes 🐞

  • fix: prevent MCP transport auth header from leaking to downstream OpenAPI APIs by @​stakeswky in #3262
  • fix: propagate origin_request_id to background task workers by @​gfortaine in #3175

Docs 📚

Full Changelog: v3.0.1...v3.0.2

v3.0.1: Three-covery Mode

First patch after 3.0 — mostly smoothing out rough edges discovered in the wild. The big ones: middleware state that wasn't surviving the trip to tool handlers now does, Tool.from_tool() accepts callables again, OpenAPI schemas with circular references no longer crash discovery, and decorator overloads now return the correct types in function mode. Also adds verify_id_token to OIDCProxy for providers (like some Azure AD configs) that issue opaque access tokens but standard JWT id_tokens.

Enhancements 🔧

Fixes 🐞

Docs 📚

  • Sync README with welcome.mdx, fix install count by @​jlowin in #3224
  • Document dict-to-Message prompt migration in upgrade guides by @​jlowin in #3225
  • Fix v2 upgrade guide: remove incorrect v1 import advice by @​jlowin in #3226

... (truncated)

Commits
  • 99832a9 Merge pull request #2787 from jlowin/confernece-to-2.x-branch
  • 7fd365c Update docs.json
  • 9cf9aa9 Lazy import DiskStore to avoid sqlite3 dependency on import (#2785)
  • 1b63752 Fix base_url fallback when url is not set (#2776) (#2782)
  • 33ff356 Fix titled enum elicitation schema to comply with MCP spec (#2774)
  • 820f74e [BugFix] Fix openapi_version Check So 3.1 Is Included (#2768) (#2769)
  • bbf6c20 Update CLI banner with FastMCP 3.0 notice (#2765)
  • 9732789 Fix OAuth Proxy resource parameter validation (#2763)
  • 6bade1c Add auth_route parameter to SupabaseProvider (#2760)
  • 4963b51 Fix: resolve root-level $ref in outputSchema for MCP spec compliance (#2720) ...
  • Additional commits viewable in compare view

Updates pypdf from 6.0.0 to 6.9.2

Release notes

Sourced from pypdf's releases.

Version 6.9.2, 2026-03-23

What's new

Security (SEC)

Robustness (ROB)

Full Changelog

Version 6.9.1, 2026-03-17

What's new

Security (SEC)

Full Changelog

Version 6.9.0, 2026-03-15

What's new

New Features (ENH)

Performance Improvements (PI)

Bug Fixes (BUG)

  • Avoid sharing array-based content streams between pages (#3681) by @​stefan6419846
  • Avoid accessing invalid page when inserting blank page under some conditions (#3529) by @​j-t-1

Full Changelog

Version 6.8.0, 2026-03-09

What's new

Security (SEC)

New Features (ENH)

Documentation (DOC)

Full Changelog

... (truncated)

Changelog

Sourced from pypdf's changelog.

Version 6.9.2, 2026-03-23

Security (SEC)

  • Avoid infinite loop in read_from_stream for broken files (#3693)

Robustness (ROB)

  • Resolve UnboundLocalError for xobjs in _get_image (#3684)

Full Changelog

Version 6.9.1, 2026-03-17

Security (SEC)

  • Improve performance and limit length of array-based content streams (#3686)

Full Changelog

Version 6.9.0, 2026-03-15

New Features (ENH)

  • Expose /Perms verification result on Encryption object (#3672)

Performance Improvements (PI)

  • Fix O(n²) performance in NameObject read/write (#3679)
  • Batch-parse all objects in ObjStm on first access (#3677)

Bug Fixes (BUG)

  • Avoid sharing array-based content streams between pages (#3681)
  • Avoid accessing invalid page when inserting blank page under some conditions (#3529)

Full Changelog

Version 6.8.0, 2026-03-09

Security (SEC)

  • Limit allowed /Length value of stream (#3675)

New Features (ENH)

  • Add /IRT (in-reply-to) support for markup annotations (#3631)

Documentation (DOC)

  • Avoid using PageObject.replace_contents on PdfReader (#3669)
  • Document how to disable jbig2dec calls

Full Changelog

Version 6.7.5, 2026-03-02

Security (SEC)

  • Improve the performance of the ASCIIHexDecode filter (#3666)

... (truncated)

Commits
  • da867f4 REL: 6.9.2
  • 02b1345 SEC: Avoid infinite loop in read_from_stream for broken files (#3693)
  • 3bef339 MAINT: Prefer bytearray over bytes in image_inline (#3692)
  • 04b0a38 ROB: Resolve UnboundLocalError for xobjs in _get_image (#3684)
  • 0e5157c REL: 6.9.1
  • 0b5d05d SEC: Improve performance and limit length of array-based content streams (#3686)
  • 87aa1d4 DEV: Remove unused reverse encoding dicts (#3685)
  • 84f5266 MAINT: Use placeholder-based approach for logger_error (#3673)
  • 8f1f4aa REL: 6.9.0
  • 5a9a0da BUG: Avoid sharing array-based content streams between pages (#3681)
  • Additional commits viewable in compare view

Updates lxml-html-clean from 0.3.1 to 0.4.4

Changelog

Sourced from lxml-html-clean's changelog.

0.4.4 (2026-02-26)

Bugs fixed

  • Fixed a bug where Unicode escapes in CSS were not properly decoded before security checks. This prevents attackers from bypassing filters using escape sequences. (CVE-2026-28348)
  • Fixed a security issue where <base> tags could be used for URL hijacking attacks. The <base> tag is now automatically removed whenever the <head> tag is removed (via page_structure=True or manual configuration), as <base> must be inside <head> according to HTML specifications. (CVE-2026-28350)

0.4.3 (2025-10-02)

Maintenance

  • Tests updated to work correctly with new lxml and libxml2 releases.
  • Python 3.6 and 3.7 are no longer tested.
  • Improved documentation about CSS removal behavior.

0.4.2 (2025-04-09)

Bugs fixed

  • lxml_html_clean now correctly handles HTML input as bytes as it did before the 0.2.0 release.

0.4.1 (2024-11-15)

Bugs fixed

  • Removed superfluous debug prints.

0.4.0 (2024-11-12)

Bugs fixed

  • The Cleaner() now scans for hidden JavaScript code embedded within CSS comments. In certain contexts, such as within <svg> or <math> tags,

... (truncated)

Commits
  • fd10d79 Add more tests for different combinations of backslashes and unicode
  • 5b7e228 Restore the removal of all backslashes from styles after decoding of unicode ...
  • 88da8f9 Prepare release 0.4.4
  • 9c5612c Remove <base> tags to prevent URL hijacking attacks
  • 2ef7326 Implement unicode escape decoding
  • 7c854af Add missing Python 3.14 to classifiers
  • 80cebf7 Continue using the package link
  • 1cef82e Update safe sanitizer recommendation
  • 79f35f4 CI: Drop Python 3.8, add 3.14
  • fab1dd4 Release 0.4.3
  • Additional commits viewable in compare view

Updates simpleeval from 1.0.3 to 1.0.5

Release notes

Sourced from simpleeval's releases.

1.0.5

Fixes Security issues with "dangerous" modules & functions leaking through as attributes of other names, see:

Fixes CVE-2026-32640

GHSA-44vg-5wv2-h2hg

Breaking Change:

  • Modules & Submodules now are not directly usable as names or as attributes of other items, if you still need this functionality, then use the new ModuleWrapper, or subclass SimpleEval to bypass it.

Commits
  • a4659fa Merge pull request #171 from danthedeckie/remove-module-access
  • 7c9180c version number bump
  • cffa9f6 Much stricter lockdown via _check_disallowed_items plus adding ModuleWrapper
  • 4e7f4b8 Add ByamB4 to contributors list
  • 1654cbf Disallow module access & disallowed function access via attributes.
  • 9cb4a7b Add a few additional DISALLOW_FUNCTIONS
  • 0425898 Merge pull request #169 from danthedeckie/update-readme
  • 618bcf4 update build tools / config
  • 8828943 bump version, and update copyright year
  • 97570fe lint string joining fixes
  • Additional commits viewable in compare view

Updates authlib from 1.6.6 to 1.6.9

Release notes

Sourced from authlib's releases.

v1.6.9

Full Changelog: authlib/authlib@v1.6.8...v1.6.9

Changes in jose module

  • Not using header's jwk automatically
  • Add ES256K into default jwt algorithms
  • Remove deprecated algorithm from default registry
  • Generate random cek when cek length doesn't match

v1.6.8

Full Changelog: authlib/authlib@v1.6.7...v1.6.8

  • Add EdDSA to default jwt instance.

v1.6.7

Full Changelog: authlib/authlib@v1.6.6...v1.6.7

Set supported algorithms for the default jwt instance.

Changelog

Sourced from authlib's changelog.

Version 1.6.9

Released on Mar 2, 2026

  • Not using header's jwk automatically.
  • Add ES256K into default jwt algorithms.
  • Remove deprecated algorithm from default registry.
  • Generate random cek when cek length doesn't match.

Version 1.6.8

Released on Feb 17, 2026

  • Add EdDSA to default jwt instance.

Version 1.6.7

Released on Feb 6, 2026

  • Set supported algorithms for the default jwt instance.

Commits
  • 9266eaa chore: release 1.6.9
  • b9bb2b2 fix(oidc): fail close at validating c_hash and at_hash
  • 1b0a1d9 fix(jose): generate random cek when cek length doesn't match
  • 5be3c51 fix(jose): add ES256K into default jwt algorithms
  • 48b345f fix(jose): remove deprecated algorithm from default registry
  • a5d4b2d fix(jose): do not use header's jwk automatically
  • a769f34 chore: release 1.6.8
  • 84f3fa2 fix: add EdDSA to default jwt algorithms
  • 38e872a chore: release 1.6.7
  • b87c32e fix: remove "none" algorithm from default jwt instance
  • See full diff in compare view

Updates flask from 3.0.3 to 3.1.3

Release notes

Sourced from flask's releases.

3.1.3

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

  • The session is marked as accessed for operations that only access the keys but not the values, such as `in` and `len`. GHSA-68rp-wp8r-4726

3.1.2

This is the Flask 3.1.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.2/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-2 Milestone: https://github.com/pallets/flask/milestone/38?closed=1

  • stream_with_context does not fail inside async views. #5774
  • When using follow_redirects in the test client, the final state of session is correct. #5786
  • Relax type hint for passing bytes IO to send_file. #5776

3.1.1

This is the Flask 3.1.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.1/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-1 Milestone https://github.com/pallets/flask/milestone/36?closed=1

  • Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. GHSA-4grg-w6v8-c28g
  • Fix type hint for cli_runner.invoke. #5645
  • flask --help loads the app and plugins first to make sure all commands are shown. #5673
  • Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. #5659

3.1.0

This is the Flask 3.1.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI: https://pypi.org/project/Flask/3.1.0/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-0 Milestone: https://github.com/pallets/flask/milestone/33?closed=1

  • Drop support for Python 3.8. #5623
  • Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. #5624, #5633
  • Provide a configuration option to control automatic option responses. #5496
  • Flask.open_resource/open_instance_resource and Blueprint.open_resource take an encoding parameter to use when opening in text mode. It defaults to utf-8. #5504
  • Request.max_content_length can be customized per-request instead of only through the MAX_CONTENT_LENGTH config. Added MAX_FORM_MEMORY_SIZE and MAX_FORM_PARTS config. Added documentation about resource limits to the security page. #5625
  • Add support for the Partitioned cookie attribute (CHIPS), with the SESSION_COOKIE_PARTITIONED config. #5472
  • -e path takes precedence over default .env and .flaskenv files. load_dotenv loads default files in addition to a path unless load_defaults=False is passed. #5628
  • Support key rotation with the SECRET_KEY_FALLBACKS config, a list of old secret keys that can still be used for unsigning. Extensions will need to add support. #5621
  • Fix how setting host_matching=True or subdomain_matching=False interacts with SERVER_NAME. Setting SERVER_NAME no longer restricts requests to only that domain. #5553
  • Request.trusted_hosts is checked during routing, and can be set through the TRUSTED_HOSTS config. #5636

Changelog

Sourced from flask's changelog.

Version 3.1.3

Released 2026-02-18

  • The session is marked as accessed for operations that only access the keys but not the values, such as `in` and `len`. :ghsa:68rp-wp8r-4726

Version 3.1.2

Released 2025-08-19

  • stream_with_context does not fail inside async views. :issue:5774
  • When using follow_redirects in the test client, the final state of session is correct. :issue:5786
  • Relax type hint for passing bytes IO to send_file. :issue:5776

Version 3.1.1

Released 2025-05-13

  • Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28g
  • Fix type hint for cli_runner.invoke. :issue:5645
  • flask --help loads the app and plugins first to make sure all commands are shown. :issue:5673
  • Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. :pr:5659

Version 3.1.0

Released 2024-11-13

  • Drop support for Python 3.8. :pr:5623
  • Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. :pr:5624,5633
  • Provide a configuration option to control automatic option responses. :pr:5496
  • Flask.open_resource/open_instance_resource and Blueprint.open_resource take an encoding parameter to use when opening in text mode. It defaults to utf-8. :issue:5504
  • Request.max_content_length can be customized per-request instead of only through the MAX_CONTENT_LENGTH config. Added

... (truncated)

Commits
  • 22d9247 release version 3.1.3
  • 089cb86 Merge commit from fork
  • c17f379 request context tracks session access
  • 27be933 start version 3.1.3
  • 4e652d3 Abort if the instance folder cannot be created (#5903)
  • 3d03098 Abort if the instance folder cannot be created
  • 407eb76 document using gevent for async (#5900)
  • ac5664d document using gevent for async
  • 4f79d5b Increase required flit_core version to 3.11 (#5865)
  • fe3b215 Increase required flit_core version to 3.11
  • Additional commits viewable in compare view

Updates langchain-text-splitters from 0.3.7 to 0.3.9

Commits
  • 77c9819 fix(text-splitters): update langchain-core version to 0.3.72
  • 7f015b6 fix(text-splitters): update lock for release
  • 71ad451 Merge branch 'master' of github.com:langchain-ai/langchain
  • 2c42893 fix(langchain): update langchain-core version to 0.3.72
  • 0e139fb release(langchain): 0.3.27 (#32227)
  • 622bb05 fix(langchain): class HTMLSemanticPreservingSplitter ignores the text inside ...
  • 56dde3a feat(langchain): v1 scaffolding (#32166)
  • bd3d649 release(core): 0.3.72 (#32214)
  • fb5da83 fix(core): Dereference Refs for pydantic schema fails in tool schema generati...
  • a7d0e42 docs: fix typos in documentation (#32201)
  • Additional commits viewable in compare view

Updates nltk from 3.9.3 to 3.9.4

Changelog

Sourced from nltk's changelog.

Version 3.9.4 2026-03-24

  • Support Python 3.14
  • Fix bug in Levenshtein distance when substitution_cost > 2
  • Fix bug in Treebank detokeniser re quote ordering
  • Fix bug in Jaro similarity for empty strings
  • Several security enhancements
  • Fix GHSA-rf74-v2fm-23pw: unbounded recursion in JSONTaggedDecoder
  • Implement TextTiling vocabulary introduction method (Hearst 1997)
  • Fix ALINE feature matrix errors and add comprehensive tests
  • Support multiple VerbNet versions, fix longid/shortid regex for VerbNet ids
  • Let downloader fallback to md5 when sha256 is unavailable
  • Several other minor bugfixes and code cleanups

Thanks to the following contributors to 3.9.4: Min-Yen Kan, Eric Kafe, Emily Voss, bowiechen, Hrudhai01, jancallewaert, Mr-Neutr0n, pollak.peter89, ylwango613,

Version 3.9.3 2026-02-21

  • Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
  • Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
  • Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
  • Validate external StanfordSegmenter JARs using SHA256 (#3477)
  • Add optional sandbox enforcement for filestring() (#3485)
  • Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

  • Update download checksums to use SHA256 in built index
  • Fix percentage escape in new-style string formatting
  • replace shortened URLs using goo.gl
  • Make Wordnet interoperable with various taggers and tagged corpora
  • Fix saving PerceptronTagger
  • Document how to reproduce old Wordnet studies
  • properly initialize Portuguese corpus reader
  • support for mixed rules conversion into Chomsky Normal Form
  • only import tkinter if a GUI is needed
  • issue #2112 with Corenlp
  • new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL
  • Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

... (truncated)

Commits
  • ad9c96b Update copyright year
  • 7edcddf Updates for 3.9.4 release
  • 67a2736 Merge pull request #3180 from yzhaoinuw/bug-on-edit_distance_align
  • 2b17ac5 Fix edit_distance_align backtrace for high substitution costs
  • 4b72976 Merge pull request #3018 from JuanIMartinezB/bug/shortid-longid
  • 8a5619f Merge pull request #3222 from Syzygy2048/feature/texttiling-vocabulary-introd...
  • c6574d7 Merge pull request #3289 from ihitamandal/codeflash/optimize-windowdiff-2024-...
  • 98ff5d9 Merge pull request #3435 from Hrudhai01/fix-3260-detokenize-quotes
  • aec4fce Merge pull request #3522 from ekaf/pathsec
  • eec4ee3 Merge pull request #3526 from nltk/update-contributing
  • Additional commits viewable in compare view

Updates onnx from 1.19.0 to 1.21.0rc1

Release notes

Sourced from onnx's releases.

v1.20.1

Note: This patch release includes important bug fixes to ONNX build.

What's Changed

  • Export functions (

Bumps the uv group with 15 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [mcp](https://github.com/modelcontextprotocol/python-sdk) | `1.22.0` | `1.23.0` |
| [fastmcp](https://github.com/PrefectHQ/fastmcp) | `2.13.1` | `2.14.2` |
| [pypdf](https://github.com/py-pdf/pypdf) | `6.0.0` | `6.9.2` |
| [lxml-html-clean](https://github.com/fedora-python/lxml_html_clean) | `0.3.1` | `0.4.4` |
| [simpleeval](https://github.com/danthedeckie/simpleeval) | `1.0.3` | `1.0.5` |
| [authlib](https://github.com/authlib/authlib) | `1.6.6` | `1.6.9` |
| [flask](https://github.com/pallets/flask) | `3.0.3` | `3.1.3` |
| [langchain-text-splitters](https://github.com/langchain-ai/langchain) | `0.3.7` | `0.3.9` |
| [nltk](https://github.com/nltk/nltk) | `3.9.3` | `3.9.4` |
| [onnx](https://github.com/onnx/onnx) | `1.19.0` | `1.21.0rc1` |
| [pillow](https://github.com/python-pillow/Pillow) | `12.1.0` | `12.1.1` |
| [pyasn1](https://github.com/pyasn1/pyasn1) | `0.6.2` | `0.6.3` |
| [requests](https://github.com/psf/requests) | `2.32.5` | `2.33.0` |
| [torch](https://github.com/pytorch/pytorch) | `2.2.2` | `2.8.0` |
| [unstructured](https://github.com/Unstructured-IO/unstructured) | `0.16.23` | `0.18.18` |



Updates `mcp` from 1.22.0 to 1.23.0
- [Release notes](https://github.com/modelcontextprotocol/python-sdk/releases)
- [Changelog](https://github.com/modelcontextprotocol/python-sdk/blob/main/RELEASE.md)
- [Commits](modelcontextprotocol/python-sdk@v1.22.0...v1.23.0)

Updates `fastmcp` from 2.13.1 to 2.14.2
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v2.13.1...v2.14.2)

Updates `pypdf` from 6.0.0 to 6.9.2
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](py-pdf/pypdf@6.0.0...6.9.2)

Updates `lxml-html-clean` from 0.3.1 to 0.4.4
- [Changelog](https://github.com/fedora-python/lxml_html_clean/blob/main/CHANGES.rst)
- [Commits](fedora-python/lxml_html_clean@0.3.1...0.4.4)

Updates `simpleeval` from 1.0.3 to 1.0.5
- [Release notes](https://github.com/danthedeckie/simpleeval/releases)
- [Commits](danthedeckie/simpleeval@1.0.3...1.0.5)

Updates `authlib` from 1.6.6 to 1.6.9
- [Release notes](https://github.com/authlib/authlib/releases)
- [Changelog](https://github.com/authlib/authlib/blob/main/docs/changelog.rst)
- [Commits](authlib/authlib@v1.6.6...v1.6.9)

Updates `flask` from 3.0.3 to 3.1.3
- [Release notes](https://github.com/pallets/flask/releases)
- [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst)
- [Commits](pallets/flask@3.0.3...3.1.3)

Updates `langchain-text-splitters` from 0.3.7 to 0.3.9
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-text-splitters==0.3.7...langchain-text-splitters==0.3.9)

Updates `nltk` from 3.9.3 to 3.9.4
- [Changelog](https://github.com/nltk/nltk/blob/develop/ChangeLog)
- [Commits](nltk/nltk@3.9.3...3.9.4)

Updates `onnx` from 1.19.0 to 1.21.0rc1
- [Release notes](https://github.com/onnx/onnx/releases)
- [Changelog](https://github.com/onnx/onnx/blob/main/docs/Changelog-ml.md)
- [Commits](https://github.com/onnx/onnx/commits)

Updates `pillow` from 12.1.0 to 12.1.1
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@12.1.0...12.1.1)

Updates `pyasn1` from 0.6.2 to 0.6.3
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](pyasn1/pyasn1@v0.6.2...v0.6.3)

Updates `requests` from 2.32.5 to 2.33.0
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.5...v2.33.0)

Updates `torch` from 2.2.2 to 2.8.0
- [Release notes](https://github.com/pytorch/pytorch/releases)
- [Changelog](https://github.com/pytorch/pytorch/blob/main/RELEASE.md)
- [Commits](pytorch/pytorch@v2.2.2...v2.8.0)

Updates `unstructured` from 0.16.23 to 0.18.18
- [Release notes](https://github.com/Unstructured-IO/unstructured/releases)
- [Changelog](https://github.com/Unstructured-IO/unstructured/blob/main/CHANGELOG.md)
- [Commits](Unstructured-IO/unstructured@0.16.23...0.18.18)

---
updated-dependencies:
- dependency-name: mcp
  dependency-version: 1.23.0
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: fastmcp
  dependency-version: 2.14.2
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: pypdf
  dependency-version: 6.9.2
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: lxml-html-clean
  dependency-version: 0.4.4
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: simpleeval
  dependency-version: 1.0.5
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: authlib
  dependency-version: 1.6.9
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: flask
  dependency-version: 3.1.3
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: langchain-text-splitters
  dependency-version: 0.3.9
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: nltk
  dependency-version: 3.9.4
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: onnx
  dependency-version: 1.21.0rc1
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: pillow
  dependency-version: 12.1.1
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: pyasn1
  dependency-version: 0.6.3
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: torch
  dependency-version: 2.8.0
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: unstructured
  dependency-version: 0.18.18
  dependency-type: direct:production
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot (bot) added the dependencies and python:uv labels Mar 26, 2026
@xeondesk xeondesk merged commit e5cec96 into main Mar 26, 2026
8 of 11 checks passed
@dependabot dependabot Bot deleted the dependabot/uv/uv-3b97dd6f62 branch March 26, 2026 12:50
Labels: area:dependencies, dependencies (Pull requests that update a dependency file), python:uv (Pull requests that update python:uv code)
