chore(deps): update all non-major documentation dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
certifi	==2025.10.5 → ==2025.11.12
docutils (changelog)	==0.21.2 → ==0.22.4
sphinx-rtd-theme	==3.0.2 → ==3.1.0
starlette (changelog)	==0.50.0 → ==0.52.1
urllib3 (changelog)	==2.5.0 → ==2.6.3
uvicorn (changelog)	==0.38.0 → ==0.42.0

---

Release Notes

certifi/python-certifi (certifi)

v2025.11.12

Compare Source

readthedocs/sphinx_rtd_theme (sphinx-rtd-theme)

v3.1.0

Compare Source

Kludex/starlette (starlette)

v0.52.1: Version 0.52.1

Compare Source

What's Changed

• Only use typing_extensions in older Python versions by @​Kludex in #​3109

---

Full Changelog: Kludex/starlette@0.52.0...0.52.1

v0.52.0: Version 0.52.0

Compare Source

In this release, State can be accessed using dictionary-style syntax for improved type safety (#​3036).

from collections.abc import AsyncIterator
from contextlib import asynccontextmanager
from typing import TypedDict

import httpx

from starlette.applications import Starlette
from starlette.requests import Request

class State(TypedDict):
    http_client: httpx.AsyncClient

@​asynccontextmanager
async def lifespan(app: Starlette) -> AsyncIterator[State]:
    async with httpx.AsyncClient() as client:
        yield {"http_client": client}

async def homepage(request: Request[State]):
    client = request.state["http_client"]
    # If you run the below line with mypy or pyright, it will reveal the correct type.
    reveal_type(client)  # Revealed type is 'httpx.AsyncClient'

See Accessing State for more details.

---

Full Changelog: Kludex/starlette@0.51.0...0.52.0

v0.51.0: Version 0.51.0

Compare Source

Added

• Add allow_private_network in CORSMiddleware #​3065.

Changed

• Increase warning stacklevel on DeprecationWarning for wsgi module #​3082.

---

New Contributors

• @​santibreo made their first contribution in #​3082
• @​iddqd888 made their first contribution in #​3083

Full Changelog: Kludex/starlette@0.50.0...0.51.0

urllib3/urllib3 (urllib3)

v2.6.3

Compare Source

==================

• Fixed a high-severity security issue where decompression-bomb safeguards of
  the streaming API were bypassed when HTTP redirects were followed.
  (GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
• Started treating Retry-After times greater than 6 hours as 6 hours by
  default. (#&#8203;3743 <https://github.com/urllib3/urllib3/issues/3743>__)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten.
  (#&#8203;3752 <https://github.com/urllib3/urllib3/issues/3752>__)

v2.6.2

Compare Source

==================

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in
  the decoder's buffer when reading compressed chunked responses.
  (#&#8203;3734 <https://github.com/urllib3/urllib3/issues/3734>__)

v2.6.1

Compare Source

==================

• Restore previously removed HTTPResponse.getheaders() and
  HTTPResponse.getheader() methods.
  (#&#8203;3731 <https://github.com/urllib3/urllib3/issues/3731>__)

v2.6.0

Compare Source

==================

Security

• Fixed a security issue where streaming API could improperly handle highly
  compressed HTTP content ("decompression bombs") leading to excessive resource
  consumption even when a small amount of data was requested. Reading small
  chunks of compressed data is safer and much more efficient now.
  (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
• Fixed a security issue where an attacker could compose an HTTP response with
  virtually unlimited links in the Content-Encoding header, potentially
  leading to a denial of service (DoS) attack by exhausting system resources
  during decoding. The number of allowed chained encodings is now limited to 5.
  (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

• If urllib3 is not installed with the optional urllib3[brotli] extra, but
  your environment contains a Brotli/brotlicffi/brotlipy package anyway, make
  sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to
  benefit from the security fixes and avoid warnings. Prefer using
  urllib3[brotli] to install a compatible Brotli package automatically.

• If you use custom decompressors, please make sure to update them to
  respect the changed API of urllib3.response.ContentDecoder.

Features

• Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. (#&#8203;3653 <https://github.com/urllib3/urllib3/issues/3653>__)
• Added host and port information to string representations of HTTPConnection. (#&#8203;3666 <https://github.com/urllib3/urllib3/issues/3666>__)
• Added support for Python 3.14 free-threading builds explicitly. (#&#8203;3696 <https://github.com/urllib3/urllib3/issues/3696>__)

Removals

• Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers.
  Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). (#&#8203;3622 <https://github.com/urllib3/urllib3/issues/3622>__)

Bugfixes

• Fixed redirect handling in urllib3.PoolManager when an integer is passed
  for the retries parameter. (#&#8203;3649 <https://github.com/urllib3/urllib3/issues/3649>__)
• Fixed HTTPConnectionPool when used in Emscripten with no explicit port. (#&#8203;3664 <https://github.com/urllib3/urllib3/issues/3664>__)
• Fixed handling of SSLKEYLOGFILE with expandable variables. (#&#8203;3700 <https://github.com/urllib3/urllib3/issues/3700>__)

Misc

• Changed the zstd extra to install backports.zstd instead of zstandard on Python 3.13 and before. (#&#8203;3693 <https://github.com/urllib3/urllib3/issues/3693>__)
• Improved the performance of content decoding by optimizing BytesQueueBuffer class. (#&#8203;3710 <https://github.com/urllib3/urllib3/issues/3710>__)
• Allowed building the urllib3 package with newer setuptools-scm v9.x. (#&#8203;3652 <https://github.com/urllib3/urllib3/issues/3652>__)
• Ensured successful urllib3 builds by setting Hatchling requirement to >= 1.27.0. (#&#8203;3638 <https://github.com/urllib3/urllib3/issues/3638>__)

Kludex/uvicorn (uvicorn)

v0.42.0: Version 0.42.0

Compare Source

Changed

• Use bytearray for request body accumulation to avoid O(n^2) allocation on fragmented bodies (#​2845)

Fixed

• Escape brackets and backslash in httptools HEADER_RE regex (#​2824)
• Fix multiple issues in websockets sans-io implementation (#​2825)

---

New Contributors

• @​bysiber made their first contribution in #​2825

---

Full Changelog: Kludex/uvicorn@0.41.0...0.42.0

v0.41.0: Version 0.41.0

Compare Source

Added

• Add --limit-max-requests-jitter to stagger worker restarts (#​2707)
• Add socket path to scope["server"] (#​2561)

Changed

• Rename LifespanOn.error_occured to error_occurred (#​2776)

Fixed

• Ignore permission denied errors in watchfiles reloader (#​2817)
• Ensure lifespan shutdown runs when should_exit is set during startup (#​2812)
• Reduce the log level of 'request limit exceeded' messages (#​2788)

---

New Contributors

• @​t-kawasumi made their first contribution in #​2776
• @​fardyn made their first contribution in #​2800
• @​ewie made their first contribution in #​2807
• @​shevron made their first contribution in #​2788
• @​jonashaag made their first contribution in #​2707

---

Full Changelog: Kludex/uvicorn@0.40.0...0.41.0

v0.40.0: Version 0.40.0

Compare Source

What's Changed

• Drop Python 3.9 by @​Kludex in #​2772

Full Changelog: Kludex/uvicorn@0.39.0...0.40.0

v0.39.0: Version 0.39.0

Compare Source

What's Changed

• explicitly start ASGI run with empty context by @​pmeier in #​2742
• fix(websockets): Send close frame on ASGI return by @​Kludex in #​2769

New Contributors

• @​pmeier made their first contribution in #​2742

Full Changelog: Kludex/uvicorn@0.38.0...0.39.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ +0.00% (target: -1.00%)	✅ ∅

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (d8b47d4)	8700	2971	34.15%
Head commit (318343e)	8700 (+0)	2971 (+0)	34.15% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#893)	0	0	∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

[github-actions]

There hasn't been any activity on this pull request recently. Therefore, this pull request has been automatically marked as stale and will be closed if no further activity occurs within seven days. Thank you for your contributions.