chore(deps): bump the dependencies group across 3 directories with 39 updates

[dependabot]

Bumps the dependencies group with 1 update in the /contrib/dev_reqs directory: requests.
Bumps the dependencies group with 2 updates in the /docs directory: mkdocs-git-revision-date-localized-plugin and mkdocs-include-markdown-plugin.
Bumps the dependencies group with 37 updates in the /src/backend directory:

Package	From	To
gunicorn	25.3.0	26.0.0
requests	2.33.1	2.34.2
bleach	4.1.0	6.3.0
blessed	1.38.0	1.39.0
boto3	1.42.96	1.43.8
botocore	1.42.96	1.43.8
cryptography	47.0.0	48.0.0
dulwich	1.2.0	1.2.1
fonttools	4.62.1	4.63.0
googleapis-common-protos	1.74.0	1.75.0
icalendar	7.0.3	7.1.0
importlib-metadata	8.7.1	9.0.0
nh3	0.3.4	0.3.5
opentelemetry-exporter-otlp-proto-common	1.40.0	1.41.1
opentelemetry-exporter-otlp-proto-grpc	1.40.0	1.41.1
opentelemetry-exporter-otlp-proto-http	1.40.0	1.41.1
opentelemetry-instrumentation	0.61b0	0.62b1
opentelemetry-instrumentation-dbapi	0.61b0	0.62b1
opentelemetry-proto	1.40.0	1.41.1
opentelemetry-semantic-conventions	0.61b0	0.62b1
opentelemetry-util-http	0.61b0	0.62b1
paramiko	4.0.0	5.0.0
protobuf	6.33.6	7.34.1
pypdf	6.10.2	6.11.0
s3transfer	0.16.1	0.17.0
sentry-sdk	2.58.0	2.60.0
wcwidth	0.6.0	0.7.0
wrapt	1.17.3	2.1.2
coverage	7.13.5	7.14.0
django-stubs	6.0.3	6.0.4
django-stubs-ext	6.0.3	6.0.4
markdown-it-py	4.0.0	4.2.0
pip	26.1	26.1.1
prek	0.3.13	0.4.0
pytest-codspeed	4.4.0	5.0.2
types-psycopg2	2.9.21.20260422	2.9.21.20260509
types-pyyaml	6.0.12.20260408	6.0.12.20260510

Updates requests from 2.33.1 to 2.34.2

Release notes

Sourced from requests's releases.

v2.34.2

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2342-2026-05-14

v2.34.1

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

New Contributors

• @​k223kim made their first contribution in psf/requests#7433

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2341-2026-05-13

v2.34.0

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The

... (truncated)

Changelog

Sourced from requests's changelog.

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The proxy_bypass implementation has been updated with CPython's fix from bpo-39057. (#7427)
• Requests no longer incorrectly strips duplicate leading slashes in URI paths. This should address user issues with specific presigned URLs. Note the full fix requires urllib3 2.7.0+. (#7315)

Commits

• 6e83187 v2.34.2
• 84d10f0 Move Request.headers back to Mapping (#7441)
• b7b549b v2.34.1
• e511bc7 Fix mutability issues with headers input types (#7431)
• 5691f59 Update JsonType containers to read-based collections (#7436)
• 2144213 Constrain Response.reason to str (#7437)
• 6404f34 Fix prepare_body stream detection for __getattr__-based file wrappers (#7...
• 0b401c7 v2.34.0
• 86b378d Align Session.get parameters with requests.get (#7429)
• a4f9a59 Port bpo-39057 to Requests (#7427)
• Additional commits viewable in compare view

Updates mkdocs-git-revision-date-localized-plugin from 1.5.1 to 1.5.2

Release notes

Sourced from mkdocs-git-revision-date-localized-plugin's releases.

v1.5.2

What's Changed

Bug fixes

• Guard against page is None in mkdocs theme override Jinja2 templates by @​Copilot in timvink/mkdocs-git-revision-date-localized-plugin#202

Dependency updates (security)

• Bump requests from 2.32.5 to 2.33.0 by @​dependabot in timvink/mkdocs-git-revision-date-localized-plugin#203
• Bump pytest from 8.4.2 to 9.0.3 by @​dependabot in timvink/mkdocs-git-revision-date-localized-plugin#204
• Bump gitpython from 3.1.45 to 3.1.50 by @​dependabot in timvink/mkdocs-git-revision-date-localized-plugin#205, timvink/mkdocs-git-revision-date-localized-plugin#207, timvink/mkdocs-git-revision-date-localized-plugin#208
• Bump pygments from 2.19.2 to 2.20.0 by @​dependabot in timvink/mkdocs-git-revision-date-localized-plugin#206
• Bump urllib3 from 2.6.3 to 2.7.0 by @​dependabot in timvink/mkdocs-git-revision-date-localized-plugin#209

Full Changelog: timvink/mkdocs-git-revision-date-localized-plugin@v1.5.1...v1.5.2

Commits

• 2afa3d2 Bump version to 1.5.2
• 66e9b7e Document release process in CONTRIBUTING.md
• 2fb5070 Merge pull request #209 from timvink/dependabot/uv/urllib3-2.7.0
• d0bacc8 Bump urllib3 from 2.6.3 to 2.7.0
• ee28ad9 Merge pull request #208 from timvink/dependabot/uv/gitpython-3.1.50
• befbdab Bump gitpython from 3.1.49 to 3.1.50
• 5c654ac Merge pull request #206 from timvink/dependabot/uv/pygments-2.20.0
• 095abdd Merge pull request #207 from timvink/dependabot/uv/gitpython-3.1.49
• 27bab6c Bump gitpython from 3.1.47 to 3.1.49
• 301037e Bump pygments from 2.19.2 to 2.20.0
• Additional commits viewable in compare view

Updates mkdocs-include-markdown-plugin from 7.2.2 to 7.3.0

Release notes

Sourced from mkdocs-include-markdown-plugin's releases.

v7.3.0

New features

• Add new setting include_from_url

Commits

• 0604be2 Add new setting include_from_url(#299)
• f0809f9 Document order setting (#298)
• See full diff in compare view

Updates gunicorn from 25.3.0 to 26.0.0

Release notes

Sourced from gunicorn's releases.

26.0.0

Breaking Changes

• Eventlet worker removed: The eventlet worker class has been dropped. Migrate to gevent, gthread, or tornado.

New Features

• ASGI Framework Compatibility Suite: New end-to-end compatibility test harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep. Current grid passes 438/444 tests (98%).
• ASGI Test Suite Expansion: 134 additional ASGI unit tests covering protocol semantics, lifespan, websockets, and chunked framing.

Security

• HTTP/1.1 Request-Target Validation (RFC 9112 sections 3.2.3, 3.2.4):
  • Reject authority-form request-target outside CONNECT
  • Reject asterisk-form request-target outside OPTIONS
  • Reject relative-reference request-targets
• Header Field Hardening (RFC 9110):
  • Reject control characters in header field-value (section 5.5)
  • Reject forbidden trailer field-names (section 6.5.1)
  • Reject Content-Length list form (RFC 9112 section 6.3)
• Request Smuggling Hardening:
  • Tighten keepalive gate and scope finish_body byte cap
  • Keep _body_receiver alive across the keepalive smuggling gate so pipelined requests cannot re-enter a closed body
  • Address parser/protocol findings from a six-point WSGI/ASGI audit
• PROXY Protocol (ASGI): Enforce proxy_allow_ips and tighten v1/v2 parsing in the ASGI callback parser.
• Connection Draining: Drain the connection on close per RFC 9112 section 9.6 to prevent reset-on-close truncation.

Bug Fixes

• Body Framing on HEAD/204/304:
  • Keep Content-Length on HEAD and 304 responses (#3621)
  • Drop body framing on HEAD/204/304 even when the framework set it
  • Warn once when an ASGI app emits a body for a no-body response
• HTTP/2 ASGI:
  • Fix _handle_stream_ended to set _body_complete in the async HTTP/2 handler so request bodies finalize correctly on stream end
  • Add InvalidChunkExtension mapping and fast-parser support in ASGI tests (#3565)
• HTTP/1.1 100-Continue: Stop adding Transfer-Encoding: chunked to 100-Continue interim responses.
• WebSocket Close Handshake (RFC 6455):
  • Comply with the close handshake state machine
  • Close the transport after the close handshake completes
  • Fix binary send when the text key is None
• Early Hints: Validate headers in the early_hints callback to match process_headers; pass only the header name to InvalidHeader (#3588).
• ASGI Framework Fixes:
  • Fix ASGI disconnect handling for Django-style apps
  • Fix Litestar request handling (use raw ASGI receive for body/headers)
  • Fix Litestar HTTP endpoints for compatibility tests
  • Fix Quart headers endpoint to normalize keys to lowercase
  • Fix Quart WebSocket close test app (missing accept())
  • Fix duplicate Transfer-Encoding header for BlackSheep streaming

... (truncated)

Commits

• 5d819cf release: 26.0.0
• b45c70d Merge pull request #3611 from zc-mattcen/docs-typo
• 99c8d48 Merge pull request #3623 from benoitc/chore/drop-eventlet-add-h2-uvloop-test-...
• 5a655af Merge pull request #3622 from benoitc/test/docker-port-and-ipv4-fixes
• 201df19 chore: remove eventlet worker; add h2 and uvloop to test deps
• f4ac8e1 test: pass action name to dirty client and stabilize after TTOU spam
• 54d38af test: unblock docker fixtures on macOS hosts
• 68843c8 Merge pull request #3621 from benoitc/fix/asgi-preserve-content-length-on-hea...
• 31f2618 Merge pull request #3620 from benoitc/fix/asgi-proxy-protocol-trust-and-parsing
• 41ec752 fix: keep Content-Length on HEAD and 304 responses
• Additional commits viewable in compare view

Updates requests from 2.33.1 to 2.34.2

Release notes

Sourced from requests's releases.

v2.34.2

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2342-2026-05-14

v2.34.1

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

New Contributors

• @​k223kim made their first contribution in psf/requests#7433

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2341-2026-05-13

v2.34.0

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The

... (truncated)

Changelog

Sourced from requests's changelog.

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The proxy_bypass implementation has been updated with CPython's fix from bpo-39057. (#7427)
• Requests no longer incorrectly strips duplicate leading slashes in URI paths. This should address user issues with specific presigned URLs. Note the full fix requires urllib3 2.7.0+. (#7315)

Commits

• 6e83187 v2.34.2
• 84d10f0 Move Request.headers back to Mapping (#7441)
• b7b549b v2.34.1
• e511bc7 Fix mutability issues with headers input types (#7431)
• 5691f59 Update JsonType containers to read-based collections (#7436)
• 2144213 Constrain Response.reason to str (#7437)
• 6404f34 Fix prepare_body stream detection for __getattr__-based file wrappers (#7...
• 0b401c7 v2.34.0
• 86b378d Align Session.get parameters with requests.get (#7429)
• a4f9a59 Port bpo-39057 to Requests (#7427)
• Additional commits viewable in compare view

Updates bleach from 4.1.0 to 6.3.0

Changelog

Sourced from bleach's changelog.

Version 6.3.0 (October 27th, 2025)

Backwards incompatible changes

• Dropped support for Python 3.9. (#756)

Security fixes

None

Bug fixes

• Add support for Python 3.14. (#758)
• Fix wbr handling. (#488)

Version 6.2.0 (October 29th, 2024)

Backwards incompatible changes

• Dropped support for Python 3.8. (#737)

Security fixes

None

Bug fixes

• Add support for Python 3.13. (#736)
• Remove six depdenncy. (#618)
• Update known-good versions for tinycss2. (#732)
• Fix additional < followed by characters and EOF issues. (#728)

Version 6.1.0 (October 6th, 2023)

Backwards incompatible changes

• Dropped support for Python 3.7. (#709)

Security fixes

None

Bug fixes

• Add support for Python 3.12. (#710)

... (truncated)

Commits

• 5546d5d chore: prep for 6.3.0 release
• 88df3ff chore: fix readthedocs
• d8b2fb4 fix: fix wbr handling (#488)
• 55e48ce chore: add support for Python 3.14 (#758)
• a4d6cdd chore: drop support for Python 3.9 (#756)
• 172d92f Bump actions/setup-python from 5.6.0 to 6.0.0
• df88612 Bump actions/checkout from 4.2.2 to 5.0.0
• cbcf6b1 Bump actions/cache from 4.2.3 to 4.3.0
• d9aa7ef Switch from dependabot reviewers to CODEOWNERS
• 06f0f76 Update setuptools, wheel, and twine for devs
• Additional commits viewable in compare view

Updates blessed from 1.38.0 to 1.39.0

Release notes

Sourced from blessed's releases.

1.17.9: Initial support for Python 3.10

• bugfix: Now imports on 3.10+

1.15.0: Disable various integration tests, support python 3.7

No release notes provided.

1.14.0: bugfix term.wrap for text containing newlines

• bugfix: term.wrap misbehaved for text containing newlines, #74

1.13.0: new Terminal.split_seqs() function, speed enhancement

• enhancement: method Terminal.split_seqs introduced, and 4x cost reduction in related sequence-aware functions, #29.
• deprecated: function blessed.sequences.measure_length superseded by blessed.sequences.iter_parse if necessary.
• deprecated: warnings about "binary-packed capabilities" are no longer emitted on strange terminal types, making best effort.

1.12.0: add Terminal.get_location() method

• enhancement: method Terminal.get_locationreturns the(row, col)`` position of the cursor at the time of call for attached terminal.
• enhancement: a keyboard now detected as stdin when stream is sys.stderr.

Changelog

Sourced from blessed's changelog.

.. py:currentmodule:: blessed.terminal

Version History

1.42

• bugfix: regression in :meth:~.Terminal.cbreak and :meth:~.Terminal.raw were not thread-safe broken in versions 1.40 and 1.41, remove signal ignore of SIGTTOU :ghissue:380.

1.41

• bugfix: :meth:~.Terminal.get_location broken in 1.40, returned a generator instead of a tuple. :ghissue:378.

1.40

• improved: jinxed_ is now required on all platforms, providing a curses-free and singleton-free <https://jinxed.readthedocs.io/en/stable/capabilities.html#singleton-free>_ implementation of the subset of curses_ used by blessed. The jinxed_ 1.5.0 release provides a terminal capability database <https://jinxed.readthedocs.io/en/stable/capabilities.html#database> of 45 terminals and their common aliases.

• improved: Class initialization of :class:~.Terminal() now uses XTGETTCAP_ to determine preferred terminal name TN, 24-bit color support RGB, number of colors Co, italic, and blink capabilities.

  This improves detection of Terminal kind and number_of_colors over protocols like serial that cannot forward any environment variables or ssh that do not forward COLORTERM.

• introduced: A :exc:UserWarning is emitted when :meth:~.Terminal.__getattr__ resolves an unknown terminal capability name, helping developers catch typos like term.bld (missing bold). The warning can be suppressed by setting the environment variable BLESSED_NOWARN_UNKNOWN_CAPS.

• bugfix: Fixed internal typo susimpleript to the correct terminfo name ssubm for the enter_susimpleript_mode capability. This was previously masked by curses_ returning an empty string for unknown capabilities.

1.39

• introduced: :meth:~.Terminal.progress_bar for OSC 9;4 sequence <https://ghostty.org/docs/vt/osc/conemu#change-progress-state-(osc-94)>_.
• introduced: :meth:~.Terminal.text_sized -- wrap text in Kitty text sizing protocol (OSC 66) escape sequences, with graceful fallback to plain text when the terminal does not support the protocol.
• introduced: :class:~.Keystroke of name CPR_RESPONSE for asynchronous capture of Cursor Position Report responses via :meth:~.Terminal.inkey. New argument capture_cpr=True resolves the legacy F3 key ambiguity and matches against CPR_RESPONSE. New properties :attr:~.Keystroke.cpr_yx and :attr:~.Keystroke.cpr_xy return the decoded cursor coordinates. :ghpull:369.
• improved: :meth:~.Terminal.inkey raises :exc:EOFError when keyboard fd is at EOF, rather than returning an empty :class:~.Keystroke. :ghpull:371.
• improved: :meth:~.Terminal.ljust, :meth:~.Terminal.rjust, and :meth:~.Terminal.center now measure text containing hyperlinks, Kitty text sizing protocol sequences, and overtyping (backspace/cursor-left with painter's algorithm), introduced by wcwidth_ 0.7.0.

... (truncated)

Commits

• See full diff in compare view

Updates boto3 from 1.42.96 to 1.43.8

Commits

• 7a82579 Merge branch 'release-1.43.8'
• 06a1d63 Bumping version to 1.43.8
• 2b6e7bd Add changelog entries from botocore
• e6aee5d Merge branch 'release-1.43.7'
• 05566d2 Merge branch 'release-1.43.7' into develop
• 37e8136 Bumping version to 1.43.7
• 4418d43 Add changelog entries from botocore
• 5e2df61 Bump urllib3 from 2.6.3 to 2.7.0 (#4787)
• 81a86c9 Add CI for 3.14t (#4786)
• f2ccf9f Merge branch 'release-1.43.6'
• Additional commits viewable in compare view

Updates botocore from 1.42.96 to 1.43.8

Commits

• bd1fb23 Merge branch 'release-1.43.8'
• d15b124 Bumping version to 1.43.8
• b9f0f7f Update endpoints model
• ec174c1 Update to latest models
• 74501ce Merge branch 'release-1.43.7'
• d6831a5 Merge branch 'release-1.43.7' into develop
• 0e63dbe Bumping version to 1.43.7
• 840e09f Update endpoints model
• 8228777 Update to latest models
• b63fa4b Bump urllib3 from 2.6.3 to 2.7.0 (#3702)
• Additional commits viewable in compare view

Updates cryptography from 47.0.0 to 48.0.0

Changelog

Sourced from cryptography's changelog.

48.0.0 - 2026-05-04

* **BACKWARDS INCOMPATIBLE:** Support for Python 3.8 has been removed.
  ``cryptography`` now requires Python 3.9 or later.
* **BACKWARDS INCOMPATIBLE:** Loading an X.509 CRL whose inner
  ``TBSCertList.signature`` algorithm does not match the outer
  ``signatureAlgorithm`` now raises ``ValueError``. Previously, such CRLs
  were parsed successfully and only rejected during signature validation.
* Added support for :doc:`/hazmat/primitives/asymmetric/mlkem` and
  :doc:`/hazmat/primitives/asymmetric/mldsa` when using OpenSSL 3.5.0 or
  later, in addition to the existing AWS-LC and BoringSSL support. This means
  post-quantum algorithms are now available to users of our wheels.

Note: Going forward, we do not guarantee that all functionality

in cryptography will be available when building against

OpenSSL. See :doc:/statements/state-of-openssl for more information.

.. _v47-0-0:

Commits

• 8e03e30 bump for 48.0.0 release (#14796)
• 295e0d2 Add AGENTS.md with CLAUDE.md symlink (#14794)
• 104a2de Bump BoringSSL, OpenSSL, AWS-LC in CI (#14793)
• 67ec1e5 call check_length early on AesSiv::encrypt (#14792)
• b2da57a changelog for mldsa/mlkem for openssl (#14791)
• 3cf44ad ML-KEM OpenSSL support (#14781)
• 2e31639 ML-DSA OpenSSL support (#14773)
• 5affe5a fix rust nightly clippy (#14790)
• 2e73ca4 bump rust-openssl dep and update EcPoint::mul_generator to mul_generator2 (#1...
• 82ebd3b Bump BoringSSL, OpenSSL, AWS-LC in CI (#14785)
• Additional commits viewable in compare view

Updates dulwich from 1.2.0 to 1.2.1

Release notes

Sourced from dulwich's releases.

dulwich-1.2.1

Changes since 1.2.0

• Derive the LFS endpoint as the remote's on-disk LFS store (<remote>/.git/lfs for worktrees, <remote>/lfs for bare repos) when remote.origin.url points at a local filesystem path or file:// URL, matching git-lfs behaviour. Previously the built-in smudge filter constructed an HTTP-style <remote>.git/info/lfs path that did not exist on disk, leaving LFS-tracked files as pointers when cloning from a local repo.

• Deduplicate objects when writing a multi-pack-index. Objects present in multiple packs (e.g. after git gc creates a cruft pack) would otherwise produce an OIDL chunk with repeated SHAs, causing git multi-pack-index verify to fail with "oid lookup out of order". (#2152)

• Extend ignorecase and precomposeunicode support to index lookups. (#1807)

Changelog

Sourced from dulwich's changelog.

1.2.1 2026-04-29

• Recover from concurrent pack removals (e.g. a racing git repack or git gc --auto) instead of raising spurious KeyError / FileNotFoundError. Pack.index and Pack.data now translate FileNotFoundError during lazy load into PackFileDisappeared, and PackBasedObjectStore evicts the stale pack and rescans the pack directory before retrying — equivalent to git's reprepare_packed_git(). (Jelmer Vernooij, #2159)

• Derive the LFS endpoint as the remote's on-disk LFS store (<remote>/.git/lfs for worktrees, <remote>/lfs for bare repos) when remote.origin.url points at a local filesystem path or file:// URL, matching git-lfs behaviour. Previously the built-in smudge filter constructed an HTTP-style <remote>.git/info/lfs path that did not exist on disk, leaving LFS-tracked files as pointers when cloning from a local repo. (Jelmer Vernooij)

• Deduplicate objects when writing a multi-pack-index. Objects present in multiple packs (e.g. after git gc creates a cruft pack) would otherwise produce an OIDL chunk with repeated SHAs, causing git multi-pack-index verify to fail with "oid lookup out of order". (Jelmer Vernooij, #2152)

• Extend ignorecase and precomposeunicode support to index lookups. (Jelmer Vernooij, #1807)

Commits

• 57806b8 Release 1.2.1
• a127d33 Honor GIT_PROTOCOL env var when picking default protocol version (#1862) (#2149)
• 6c1697a lfs: derive correct file:// LFS endpoint from local remote URL (#2161)
• 6685fde lfs: use pathlib.Path.as_uri() for portable file:// URLs
• 0d0b9f8 Migrate from testrepository to inquest (#2160)
• a0dac57 Migrate from testrepository to inquest
• cd6ebd9 lfs: derive correct file:// LFS endpoint from local remote URL
• bfaf192 Disable background processes to prevent issues with races (#2158)
• 06d7afd Move GIT_SSH/GIT_SSH_COMMAND env lookup from client.py to cli.py (#2156)
• e60e0c1 Disable background processes to prevent issues with races
• Additional commits viewable in compare view

Updates fonttools from 4.62.1 to 4.63.0

Release notes

Sourced from fonttools's releases.

4.63.0

• [ttLib] Add support for Apple Color Emoji bgcl table (#4065).
• [ttLib] Add support for IFT and IFTX tables (Incremental Font Transfer, PatchMapFormat2) (#4070, #4072).
• [otData] Introduce FieldSpec dataclass for OpenType table schema definitions, replacing raw tuples in otData.py (#4076).
• [Feat] Show name table strings as comments next to label IDs in TTX output, matching the convention used by fvar, STAT, trak (#4089).
• [cu2qu] Fix Cython complex-division rounding difference in split_cubic_into_three that could cause ±1 off-curve coordinate shifts (#3928, #4083).
• [designspaceLib] Fix map_backwardgooglefonts/ufo2ft#978#4085).
• [OS/2] Fix setUnicodeRanges to accept reserved bits 123-127, restoring round-trip with getUnicodeRanges and fixing recalcUnicodeRanges crash in the subsetter (#4087, #4088).
• [cython] Declare Cython extensions as free-threading compatible on Python 3.13+, so that importing them on free-threaded Python no longer re-enables the GIL (#4073, #4090).

Changelog

Sourced from fonttools's changelog.

4.63.0 (released 2026-05-14)

• [ttLib] Add support for Apple Color Emoji bgcl table (#4065).
• [ttLib] Add support for IFT and IFTX tables (Incremental Font Transfer, PatchMapFormat2) (#4070, #4072).
• [otData] Introduce FieldSpec dataclass for OpenType table schema definitions, replacing raw tuples in otData.py (#4076).
• [Feat] Show name table strings as comments next to label IDs in TTX output, matching the convention used by fvar, STAT, trak (#4089).
• [cu2qu] Fix Cython complex-division rounding difference in split_cubic_into_three that could cause ±1 off-curve coordinate shifts (#3928, #4083).
• [designspaceLib] Fix map_backward for many-to-one (flat-segment) axis maps that silently dropped entries via dict comprehension googlefonts/ufo2ft#978#4085).
• [OS/2] Fix setUnicodeRanges to accept reserved bits 123-127, restoring round-trip with getUnicodeRanges and fixing recalcUnicodeRanges crash in the subsetter (#4087, #4088).
• [cython] Declare Cython extensions as free-threading compatible on Python 3.13+, so that importing them on free-threaded Python no longer re-enables the GIL (#4073, #4090).

Commits

• 978d9ed Release 4.63.0
• 6b40ecb Add changelog entries for 4.63.0
• 382a35f Merge pull request

[netlify]

✅ Deploy Preview for inventree-web-pui-preview canceled.

Name	Link
🔨 Latest commit	53e823c
🔍 Latest deploy log	https://app.netlify.com/projects/inventree-web-pui-preview/deploys/6a10b414d8388600082b9d06