build(deps): bump the pip group across 1 directory with 10 updates #1

dependabot · 2026-01-08T05:27:30Z

Bumps the pip group with 10 updates in the / directory:

Package	From	To
mlflow	`2.20.3`	`3.5.0rc0`
setuptools	`75.8.2`	`78.1.1`
filelock	`3.18.0`	`3.20.1`
flask	`3.1.0`	`3.1.1`
fonttools	`4.56.0`	`4.60.2`
protobuf	`5.29.3`	`5.29.5`
requests	`2.32.3`	`2.32.4`
tornado	`6.4.2`	`6.5`
urllib3	`2.3.0`	`2.6.3`
werkzeug	`3.1.3`	`3.1.4`

Updates mlflow from 2.20.3 to 3.5.0rc0

Release notes

Sourced from mlflow's releases.

v3.5.0rc0

MLflow 3.5.0rc0 includes several major features and improvements

Major new features:

🤖 Tracing support for Claude Code SDK: MLflow now provides a tracing integration for both the Claude Code CLI and SDK! Configure the autologging integration to track your prompts, Claude's responses, tool calls, and more. Check out this doc page to get started. (#18022, @smoorjani)

✨ Improved UI homepage: The MLflow UI's homepage has been updated to help you get started with more of our latest features. This page will be updated regularly moving forward, allowing you to get more in-product guidance. (#18098, @B-Step62)

🗂️ Evaluation datasets UI integration: In MLflow 3.4.0, we released backend support for creating evaluation datasets for GenAI applications. In this release, we've added a new tab to the MLflow Experiment UI, allowing you to create, manage, and export traces to your datasets without having to write a line of code. (#18110, @daniellok-db)

🧮 GEPA support for prompt optimization: MLflow's prompt optimization feature now supports the GEPA algorithm, allowing you to achieve higher performing prompts with less rollouts. For instructions on how to get started with prompt optimization, visit this doc page! (#18031, @TomeHirata)

🔐 Security middleware layer for tracking server: MLflow now ships with a security middleware layer by default, allowing you to protect against DNS rebinding, CORS attacks, and more. Read the documentation here to learn how to configure these options. (#17910, @BenWilson2)

Stay tuned for the full release, which will be packed with more features and bugfixes.

To try out this release candidate, please run:

pip install mlflow==3.5.0rc0

v3.4.0

MLflow 3.4.0rc0 includes several major features and improvements

Major New Features

📊 OpenTelemetry Metrics Export: MLflow now exports span-level statistics as OpenTelemetry metrics, providing enhanced observability and monitoring capabilities for traced applications. (#17325, @dbczumar)

🤖 MCP Server Integration: Introducing the Model Context Protocol (MCP) server for MLflow, enabling AI assistants and LLMs to interact with MLflow programmatically. (#17122, @harupy)

🧑‍⚖️ Custom Judges API: New make_judge API enables creation of custom evaluation judges for assessing LLM outputs with domain-specific criteria. (#17647, @BenWilson2, @dbczumar, @alkispoly-db, @smoorjani)

📈 Correlations Backend: Implemented backend infrastructure for storing and computing correlations between experiment metrics using NPMI (Normalized Pointwise Mutual Information). (#17309, #17368, @BenWilson2)

🗂️ Evaluation Datasets: MLflow now supports storing and versioning evaluation datasets directly within experiments for reproducible model assessment. (#17447, @BenWilson2)

🔗 Databricks Backend for MLflow Server: MLflow server can now use Databricks as a backend, enabling seamless integration with Databricks workspaces. (#17411, @nsthorat)

🤖 Claude Autologging: Automatic tracing support for Claude AI interactions, capturing conversations and model responses. (#17305, @smoorjani)

🌊 Strands Agent Tracing: Added comprehensive tracing support for Strands agents, including automatic instrumentation for agent workflows and interactions. (#17151, @joelrobin18)

🧪 Experiment Types in UI: MLflow now introduces experiment types, helping reduce clutter between classic ML/DL and GenAI features. MLflow auto-detects the type, but you can easily adjust it via a selector next to the experiment name. (#17605, @daniellok-db)

Features:

[Evaluation] Add ability to pass tags via dataframe in mlflow.genai.evaluate (#17549, @smoorjani)

[Evaluation] Add custom judge model support for Safety and RetrievalRelevance builtin scorers (#17526, @dbrx-euirim)

[Tracing] Add AI commands as MCP prompts for LLM interaction (#17608, @nsthorat)

[Tracing] Add MLFLOW_ENABLE_OTLP_EXPORTER environment variable (#17505, @dbczumar)

[Tracing] Support OTel and MLflow dual export (#17187, @dbczumar)

[Tracing] Make set_destination use ContextVar for thread safety (#17219, @B-Step62)

[CLI] Add MLflow commands CLI for exposing prompt commands to LLMs (#17530, @nsthorat)

[CLI] Add 'mlflow runs link-traces' command (#17444, @nsthorat)

[CLI] Add 'mlflow runs create' command for programmatic run creation (#17417, @nsthorat)

[CLI] Add MLflow traces CLI command with comprehensive search and management capabilities (#17302, @nsthorat)

[CLI] Add --env-file flag to all MLflow CLI commands (#17509, @nsthorat)

[Tracking] Backend for storing scorers in MLflow experiments (#17090, @WeichenXu123)

[Model Registry] Allow cross-workspace copying of model versions between WMR and UC (#17458, @arpitjasa-db)

[Models] Add automatic Git-based model versioning for GenAI applications (#17076, @harupy)

[Models] Improve WheeledModel._download_wheels safety (#17004, @serena-ruan)

[Projects] Support resume run for Optuna hyperparameter optimization (#17191, @lu-wang-dl)

... (truncated)

Changelog

Sourced from mlflow's changelog.

3.5.0rc0 (2025-10-08)

MLflow 3.5.0rc0 includes several major features and improvements

Major new features:

🤖 Tracing support for Claude Code SDK: MLflow now provides a tracing integration for both the Claude Code CLI and SDK! Configure the autologging integration to track your prompts, Claude's responses, tool calls, and more. Check out this doc page to get started. (#18022, @smoorjani)

✨ Improved UI homepage: The MLflow UI's homepage has been updated to help you get started with more of our latest features. This page will be updated regularly moving forward, allowing you to get more in-product guidance.

🗂️ Evaluation datasets UI integration: In MLflow 3.4.0, we released backend support for creating evaluation datasets for GenAI applications. In this release, we've added a new tab to the MLflow Experiment UI, allowing you to create, manage, and export traces to your datasets without having to write a line of code.

🧮 GEPA support for prompt optimization: MLflow's prompt optimization feature now supports the GEPA algorithm, allowing you to achieve higher performing prompts with less rollouts. For instructions on how to get started with prompt optimization, visit this doc page!

🔐 Security middleware layer for tracking server: MLflow now ships with a security middleware layer by default, allowing you to protect against DNS rebinding, CORS attacks, and more. Read the documentation here to learn how to configure these options.

Stay tuned for the full release, which will be packed with more features and bugfixes.

To try out this release candidate, please run:

pip install mlflow==3.5.0rc0

3.4.0rc0 (2025-09-11)

MLflow 3.4.0rc0 includes several major features and improvements

Major New Features

📊 OpenTelemetry Metrics Export: MLflow now exports span-level statistics as OpenTelemetry metrics, providing enhanced observability and monitoring capabilities for traced applications. (#17325, @dbczumar)

🤖 MCP Server Integration: Introducing the Model Context Protocol (MCP) server for MLflow, enabling AI assistants and LLMs to interact with MLflow programmatically. (#17122, @harupy)

🧑‍⚖️ Custom Judges API: New make_judge API enables creation of custom evaluation judges for assessing LLM outputs with domain-specific criteria. (#17647, @BenWilson2, @dbczumar, @alkispoly-db, @smoorjani)

📈 Correlations Backend: Implemented backend infrastructure for storing and computing correlations between experiment metrics using NPMI (Normalized Pointwise Mutual Information). (#17309, #17368, @BenWilson2)

🗂️ Evaluation Datasets: MLflow now supports storing and versioning evaluation datasets directly within experiments for reproducible model assessment. (#17447, @BenWilson2)

🔗 Databricks Backend for MLflow Server: MLflow server can now use Databricks as a backend, enabling seamless integration with Databricks workspaces. (#17411, @nsthorat)

🤖 Claude Autologging: Automatic tracing support for Claude AI interactions, capturing conversations and model responses. (#17305, @smoorjani)

🌊 Strands Agent Tracing: Added comprehensive tracing support for Strands agents, including automatic instrumentation for agent workflows and interactions. (#17151, @joelrobin18)

🧪 Experiment Types in UI: MLflow now introduces experiment types, helping reduce clutter between classic ML/DL and GenAI features. MLflow auto-detects the type, but you can easily adjust it via a selector next to the experiment name. (#17605, @daniellok-db)

Features:

[Evaluation] Add ability to pass tags via dataframe in mlflow.genai.evaluate (#17549, @smoorjani)

[Evaluation] Add custom judge model support for Safety and RetrievalRelevance builtin scorers (#17526, @dbrx-euirim)

[Tracing] Add AI commands as MCP prompts for LLM interaction (#17608, @nsthorat)

[Tracing] Add MLFLOW_ENABLE_OTLP_EXPORTER environment variable (#17505, @dbczumar)

[Tracing] Support OTel and MLflow dual export (#17187, @dbczumar)

[Tracing] Make set_destination use ContextVar for thread safety (#17219, @B-Step62)

[CLI] Add MLflow commands CLI for exposing prompt commands to LLMs (#17530, @nsthorat)

[CLI] Add 'mlflow runs link-traces' command (#17444, @nsthorat)

[CLI] Add 'mlflow runs create' command for programmatic run creation (#17417, @nsthorat)

[CLI] Add MLflow traces CLI command with comprehensive search and management capabilities (#17302, @nsthorat)

[CLI] Add --env-file flag to all MLflow CLI commands (#17509, @nsthorat)

[Tracking] Backend for storing scorers in MLflow experiments (#17090, @WeichenXu123)

[Model Registry] Allow cross-workspace copying of model versions between WMR and UC (#17458, @arpitjasa-db)

[Models] Add automatic Git-based model versioning for GenAI applications (#17076, @harupy)

... (truncated)

Commits

19c618c Run python3 dev/update_mlflow_versions.py pre-release ... (#18181)
13115e4 Support GEPA in mlflow.genai.optimize_prompt (#18031)
fa83107 Run python3 dev/update_ml_package_versions.py (#18177)
16fc22f Add uv lock call after pyproject.toml generation in DEV branch (#18180)
be2125a Run python3 dev/update_requirements.py && python3 bin/... (#18176)
2fd3145 Dump sql_warehouse_id into trace UI mimebundle (#18165)
5cb6a95 Replace Docker with uv in tests/test_import.py for faster test execution (#18...
eaadd39 Add support for trace inputs to built-in scorers (#17943)
30f2f55 Add B012 (jump-statement-in-finally) rule to ruff configuration (#18170)
97ac7e1 Increase MAX_DOCSTRING_LENGTH_RATIO to 1.25 and remove redundant test docstri...
Additional commits viewable in compare view

Updates setuptools from 75.8.2 to 78.1.1

Changelog

Sourced from setuptools's changelog.

v78.1.1

Bugfixes

More fully sanitized the filename in PackageIndex._download. (#4946)

v78.1.0

Features

Restore access to _get_vc_env with a warning. (#4874)

v78.0.2

Bugfixes

Postponed removals of deprecated dash-separated and uppercase fields in setup.cfg. All packages with deprecated configurations are advised to move before 2026. (#4911)

v78.0.1

Misc

#4909

v78.0.0

Bugfixes

Reverted distutils changes that broke the monkey patching of command classes. (#4902)

Deprecations and Removals

Setuptools no longer accepts options containing uppercase or dash characters in setup.cfg.

... (truncated)

Commits

8e4868a Bump version: 78.1.0 → 78.1.1
100e9a6 Merge pull request #4951
8faf1d7 Add news fragment.
2ca4a9f Rely on re.sub to perform the decision in one expression.
e409e80 Extract _sanitize method for sanitizing the filename.
250a6d1 Add a check to ensure the name resolves relative to the tmpdir.
d8390fe Extract _resolve_download_filename with test.
4e1e893 Merge https://github.com/jaraco/skeleton
3a3144f Fix typo: pyproject.license -> project.license (#4931)
d751068 Fix typo: pyproject.license -> project.license
Additional commits viewable in compare view

Updates filelock from 3.18.0 to 3.20.1

Release notes

Sourced from filelock's releases.

3.20.1

What's Changed

CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation by @gaborbernat in tox-dev/filelock#461

Full Changelog: tox-dev/filelock@3.20.0...3.20.1

3.20.0

What's Changed

Add tox.toml to sdist by @mtelka in tox-dev/filelock#436

Update docs with example by @znichollscr in tox-dev/filelock#438

Add 3.14 support and drop 3.9 by @gaborbernat in tox-dev/filelock#448

New Contributors

@mtelka made their first contribution in tox-dev/filelock#436

@znichollscr made their first contribution in tox-dev/filelock#438

Full Changelog: tox-dev/filelock@3.19.1...3.20.0

3.19.1

What's Changed

add 3.14t (free threading) to matrix by @paultiq in tox-dev/filelock#433

Increase test coverage by @paultiq in tox-dev/filelock#434

New Contributors

@paultiq made their first contribution in tox-dev/filelock#433

Full Changelog: tox-dev/filelock@3.19.0...3.19.1

3.19.0

What's Changed

Add support for 3.14 by @gaborbernat in tox-dev/filelock#432

Full Changelog: tox-dev/filelock@3.18.0...3.19.0

Commits

377f622 [pre-commit.ci] pre-commit autoupdate (#460)
4724d7f Fix TOCTOU symlink vulnerability in lock file creation (#461)
cb69414 Bump actions/upload-artifact from 5 to 6 (#459)
0769294 Bump actions/download-artifact from 6 to 7 (#458)
414193a [pre-commit.ci] pre-commit autoupdate (#457)
1456797 [pre-commit.ci] pre-commit autoupdate (#456)
8d6bf90 Bump actions/checkout from 5 to 6 (#455)
f7edeeb [pre-commit.ci] pre-commit autoupdate (#454)
fb09235 [pre-commit.ci] pre-commit autoupdate (#453)
f5825d8 [pre-commit.ci] pre-commit autoupdate (#452)
Additional commits viewable in compare view

Updates flask from 3.1.0 to 3.1.1

Release notes

Sourced from flask's releases.

3.1.1

This is the Flask 3.1.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.1/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-1 Milestone https://github.com/pallets/flask/milestone/36?closed=1

Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. GHSA-4grg-w6v8-c28g

Fix type hint for cli_runner.invoke. #5645

flask --help loads the app and plugins first to make sure all commands are shown. #5673

Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. #5659

Changelog

Sourced from flask's changelog.

Version 3.1.1

Released 2025-05-13

Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28g

Fix type hint for cli_runner.invoke. :issue:5645

flask --help loads the app and plugins first to make sure all commands are shown. :issue:5673

Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. :pr:5659

Commits

7fff56f release version 3.1.1
73d6504 Merge commit from fork
cbb6c36 update docs about fallback order
fb54159 secret key rotation: fix key list ordering
941efd4 use uv (#5727)
0109e49 use uv
e785166 Async Iterable Response (#5659)
410e5ab Accept AsyncIterable for responses
bfffe87 add ghsa links
73ce26c remove tests about deprecated pkgutil.get_loader (#5702)
Additional commits viewable in compare view

Updates fonttools from 4.56.0 to 4.60.2

Release notes

Sourced from fonttools's releases.

4.60.2

Backport release Same as 4.61.0 but without "Drop support for EOL Python 3.9" change to allow downstream projects still on Python 3.9 to avail of the security fix for CVE-2025-66034 (#3994, #3999).

4.60.1

[ufoLib] Reverted accidental method name change in UFOReader.getKerningGroupConversionRenameMaps that broke compatibility with downstream projects like defcon (#3948, #3947, robotools/defcon#478).

[ufoLib] Added test coverage for getKerningGroupConversionRenameMaps method (#3950).

[subset] Don't try to subset BASE table; pass it through by default instead (#3949).

[subset] Remove empty BaseRecord entries in MarkBasePos lookups (#3897, #3892).

[subset] Add pruning for MarkLigPos and MarkMarkPos lookups (#3946).

[subset] Remove duplicate features when subsetting (#3945).

[Docs] Added documentation for the visitor module (#3944).

4.60.0

[pointPen] Allow reverseFlipped parameter of DecomposingPointPen to take a ReverseFlipped enum value to control whether/how to reverse contour direction of flipped components, in addition to the existing True/False. This allows to set ReverseFlipped.ON_CURVE_FIRST to ensure that the decomposed outline starts with an on-curve point before being reversed, for better consistency with other segment-oriented contour transformations. The change is backward compatible, and the default behavior hasn't changed (#3934).

[filterPen] Added ContourFilterPointPen, base pen for buffered contour operations, and OnCurveStartPointPen filter to ensure contours start with an on-curve point (#3934).

[cu2qu] Fixed difference in cython vs pure-python complex division by real number (#3930).

[varLib.avar] Refactored and added some new sub-modules and scripts (#3926).

varLib.avar.build module to build avar (and a missing fvar) binaries into a possibly empty TTFont,

varLib.avar.unbuild module to print a .designspace snippet that would generate the same avar binary,

varLib.avar.map module to take TTFont and do the mapping, in user/normalized space,

varLib.avar.plan module moved from varLib.avarPlanner.

The bare fonttools varLib.avar script is deprecated, in favour of fonttools varLib.avar.build (or unbuild).

[interpolatable] Clarify linear_sum_assignment backend options and minimal dependency usage (#3927).

[post] Speed up build_psNameMapping (#3923).

[ufoLib] Added typing annotations to fontTools.ufoLib (#3875).

4.59.2

[varLib] Clear USE_MY_METRICS component flags when inconsistent across masters (#3912).

[varLib.instancer] Avoid negative advance width/height values when instatiating HVAR/VVAR, (unlikely in well-behaved fonts) (#3918).

[subset] Fix shaping behaviour when pruning empty mark sets (#3915, harfbuzz/harfbuzz#5499).

[cu2qu] Fixed dot() product of perpendicular vectors not always returning exactly 0.0 in all Python implementations (#3911)

[varLib.instancer] Implemented fully-instantiating avar2 fonts (#3909).

[feaLib] Allow float values in VariableScalar's axis locations (#3906, #3907).

[cu2qu] Handle special case in calc_intersect for degenerate cubic curves where 3 to 4 control points are equal (#3904).

4.59.1

[featureVars] Update OS/2.usMaxContext if possible after addFeatureVariationsRaw (#3894).

[vhmtx] raise TTLibError('not enough data...') when hmtx/vmtx are truncated (#3843, #3901).

[feaLib] Combine duplicate features that have the same set of lookups regardless of the order in which those lookups are added to the feature (#3895).

[varLib] Deprecate varLib.mutator in favor of varLib.instancer. The latter provides equivalent full (static font) instancing in addition to partial VF instancing.
CLI users should replace fonttools varLib.mutator with fonttools varLib.instancer. API users should migrate to fontTools.varLib.instancer.instantiateVariableFont (#2680).

4.59.0

Removed hard-dependency on pyfilesystem2 (fs package) from fonttools[ufo] extra. This is replaced by the fontTools.misc.filesystem package, a stdlib-only, drop-in replacement for the subset of the pyfilesystem2's API used by fontTools.ufoLib. The latter should continue to work with the upstream fs (we even test with/without). However, clients who wish to continue using fs can do so by depending on it directly instead of via the fonttools[ufo] extra (#3885, #3620).

[xmlWriter] Replace illegal XML characters (e.g. control or non-characters) with "?" when dumping to ttx (#3868, #71).

[varLib.hvar] Fixed vertical metrics fields copy/pasta error (#3884).

Micro optimizations in ttLib and sstruct modules (#3878, #3879).

[unicodedata] Add Garay script to RTL_SCRIPTS (#3882).

... (truncated)

Changelog

Sourced from fonttools's changelog.

4.60.2 (released 2025-12-09)

Backport release Same as 4.61.0 but without "Drop support for EOL Python 3.9" change to allow downstream projects still on Python 3.9 to avail of the security fix for CVE-2025-66034 (#3994, #3999).

4.61.0 (released 2025-11-28)

[varLib.main]: SECURITY Only use basename(vf.filename) to prevent path traversal attacks when running fonttools varLib command, or code which invokes fonttools.varLib.main(). Fixes CVE-2025-66034, see: GHSA-768j-98cg-p3fv.

[feaLib] Sort BaseLangSysRecords by tag (#3986).

Drop support for EOL Python 3.9 (#3982).

[instancer] Support --remove-overlaps for fonts with CFF2 table (#3975).

[CFF2ToCFF] Add --remove-overlaps option (#3976).

[feaLib] Raise an error for rsub with NULL target (#3979).

[bezierTools] Fix logic bug in curveCurveIntersections (#3963).

[feaLib] Error when condition sets have the same name (#3958).

[cu2qu.ufo] skip processing empty glyphs to support sparse kerning masters (#3956).

[unicodedata] Update to Unicode 17. Require unicodedata2 >= 17.0.0 when installed with 'unicode' extra.

4.60.1 (released 2025-09-29)

[ufoLib] Reverted accidental method name change in UFOReader.getKerningGroupConversionRenameMaps that broke compatibility with downstream projects like defcon (#3948, #3947, robotools/defcon#478).

[ufoLib] Added test coverage for getKerningGroupConversionRenameMaps method (#3950).

[subset] Don't try to subset BASE table; pass it through by default instead (#3949).

[subset] Remove empty BaseRecord entries in MarkBasePos lookups (#3897, #3892).

[subset] Add pruning for MarkLigPos and MarkMarkPos lookups (#3946).

[subset] Remove duplicate features when subsetting (#3945).

[Docs] Added documentation for the visitor module (#3944).

4.60.0 (released 2025-09-17)

[pointPen] Allow reverseFlipped parameter of DecomposingPointPen to take a ReverseFlipped enum value to control whether/how to reverse contour direction of flipped components, in addition to the existing True/False. This allows to set ReverseFlipped.ON_CURVE_FIRST to ensure that the decomposed outline starts with an on-curve point before being reversed, for better consistency with other segment-oriented contour transformations. The change is backward compatible, and the default behavior hasn't changed (#3934).

[filterPen] Added ContourFilterPointPen, base pen for buffered contour operations, and OnCurveStartPointPen filter to ensure contours start with an on-curve point (#3934).

[cu2qu] Fixed difference in cython vs pure-python complex division by real number (#3930).

[varLib.avar] Refactored and added some new sub-modules and scripts (#3926).

varLib.avar.build module to build avar (and a missing fvar) binaries into a possibly empty TTFont,

varLib.avar.unbuild module to print a .designspace snippet that would generate the same avar binary,

... (truncated)

Commits

78ba5e8 Release 4.60.2
c3f9979 macos-13 runner is no more, use macos-15-intel
8016403 Revert "Merge pull request #3982 from fonttools/drop-py39"
e691e3b Release 4.61.0
c2d540f Update NEWS.rst
3859753 Update NEWS.rst
26eb070 black
5ff73af Merge commit from fork
a696d5b varLib: only use the basename(vf.filename)
b00bc45 varLib_test: test path traversal in variable-font filename
Additional commits viewable in compare view

Updates protobuf from 5.29.3 to 5.29.5

Commits

f5de0a0 Updating version.json and repo version numbers to: 29.5
8563766 Merge pull request #21858 from shaod2/py-cp-29
05ba1a8 Add recursion depth limits to pure python
1ef3f01 Internal pure python fixes
69cca9b Remove fast-path check for non-clang compilers in MessageCreator. (#21612)
21fdb7a fix: contains check segfaults on empty map (#20446) (#20904)
03c50e3 Re-enable aarch64 tests. (#20853)
128f0aa Add volatile to featuresResolved (#20767)
bdd49bb Merge pull request #20755 from protocolbuffers/29.x-202503192110
c659468 Updating version.json and repo version numbers to: 29.5-dev
Additional commits viewable in compare view

Updates requests from 2.32.3 to 2.32.4

Release notes

Sourced from requests's releases.

v2.32.4

2.32.4 (2025-06-10)

Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS. (#6926)

Dropped support for pypy 3.9 following its end of support. (#6926)

Changelog

Sourced from requests's changelog.

2.32.4 (2025-06-10)

Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS.

Dropped support for pypy 3.9 following its end of support.

Commits

021dc72 Polish up release tooling for last manual release
821770e Bump version and add release notes for v2.32.4
59f8aa2 Add netrc file search information to authentication documentation (#6876)
5b4b64c Add more tests to prevent regression of CVE 2024 47081
7bc4587 Add new test to check netrc auth leak (#6962)
96ba401 Only use hostname to do netrc lookup instead of netloc
7341690 Merge pull request #6951 from tswast/patch-1
6716d7c remove links
a7e1c74 Update docs/conf.py
c799b81 docs: fix dead links to kenreitz.org
Additional commits viewable in compare view

Updates tornado from 6.4.2 to 6.5

Changelog

Sourced from tornado's changelog.

Release notes

.. toctree:: :maxdepth: 2

releases/v6.5.3 releases/v6.5.2 releases/v6.5.1 releases/v6.5.0 releases/v6.4.2 releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1 releases/v3.2.0 releases/v3.1.1 releases/v3.1.0 releases/v3.0.2

... (truncated)

Commits

ab5f354 Merge pull request #3498 from bdarnell/final-6.5
3623024 Final release notes for 6.5.0
b39b892 Merge pull request #3497 from bdarnell/multipart-log-spam
cc61050 httputil: Raise errors instead of logging in multipart/form-data parsing
ae4a4e4 asyncio: Preserve contextvars across SelectorThread on Windows (#3479)
197ff13 Merge pull request #3496 from bdarnell/undeprecate-set-event-loop
c3d906c requirements: Upgrade tox to 4.26.0
a838977 testing: Remove deprecation warning filter for set_event_loop
d8e0d36 build: Fix free-threaded build, mark speedups module as no-GIL
bfe7489 Merge pull request #3492 from bdarnell/relnotes-6.5
Additional commits viewable in compare view

Updates urllib3 from 2.3.0 to 2.6.3

Release notes

Sourced from urllib3's releases.

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by @D47A, 8.9 High, GHSA-38jv-5279-wg99)

Started treating Retry-After times greater than 6 hours as 6 hours by default. (urllib3/urllib3#3743)

Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. (urllib3/urllib3#3752)

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)

2.6.1

🚀 urllib3 is fundra...
Description has been truncated

Bumps the pip group with 10 updates in the / directory: | Package | From | To | | --- | --- | --- | | [mlflow](https://github.com/mlflow/mlflow) | `2.20.3` | `3.5.0rc0` | | [setuptools](https://github.com/pypa/setuptools) | `75.8.2` | `78.1.1` | | [filelock](https://github.com/tox-dev/py-filelock) | `3.18.0` | `3.20.1` | | [flask](https://github.com/pallets/flask) | `3.1.0` | `3.1.1` | | [fonttools](https://github.com/fonttools/fonttools) | `4.56.0` | `4.60.2` | | [protobuf](https://github.com/protocolbuffers/protobuf) | `5.29.3` | `5.29.5` | | [requests](https://github.com/psf/requests) | `2.32.3` | `2.32.4` | | [tornado](https://github.com/tornadoweb/tornado) | `6.4.2` | `6.5` | | [urllib3](https://github.com/urllib3/urllib3) | `2.3.0` | `2.6.3` | | [werkzeug](https://github.com/pallets/werkzeug) | `3.1.3` | `3.1.4` | Updates `mlflow` from 2.20.3 to 3.5.0rc0 - [Release notes](https://github.com/mlflow/mlflow/releases) - [Changelog](https://github.com/mlflow/mlflow/blob/master/CHANGELOG.md) - [Commits](mlflow/mlflow@v2.20.3...v3.5.0rc0) Updates `setuptools` from 75.8.2 to 78.1.1 - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](pypa/setuptools@v75.8.2...v78.1.1) Updates `filelock` from 3.18.0 to 3.20.1 - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](tox-dev/filelock@3.18.0...3.20.1) Updates `flask` from 3.1.0 to 3.1.1 - [Release notes](https://github.com/pallets/flask/releases) - [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst) - [Commits](pallets/flask@3.1.0...3.1.1) Updates `fonttools` from 4.56.0 to 4.60.2 - [Release notes](https://github.com/fonttools/fonttools/releases) - [Changelog](https://github.com/fonttools/fonttools/blob/main/NEWS.rst) - [Commits](fonttools/fonttools@4.56.0...4.60.2) Updates `protobuf` from 5.29.3 to 5.29.5 - [Release notes](https://github.com/protocolbuffers/protobuf/releases) - [Commits](protocolbuffers/protobuf@v5.29.3...v5.29.5) Updates `requests` from 2.32.3 to 2.32.4 - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.32.3...v2.32.4) Updates `tornado` from 6.4.2 to 6.5 - [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst) - [Commits](tornadoweb/tornado@v6.4.2...v6.5.0) Updates `urllib3` from 2.3.0 to 2.6.3 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.3.0...2.6.3) Updates `werkzeug` from 3.1.3 to 3.1.4 - [Release notes](https://github.com/pallets/werkzeug/releases) - [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst) - [Commits](pallets/werkzeug@3.1.3...3.1.4) --- updated-dependencies: - dependency-name: mlflow dependency-version: 3.5.0rc0 dependency-type: direct:production dependency-group: pip - dependency-name: setuptools dependency-version: 78.1.1 dependency-type: direct:production dependency-group: pip - dependency-name: filelock dependency-version: 3.20.1 dependency-type: direct:production dependency-group: pip - dependency-name: flask dependency-version: 3.1.1 dependency-type: direct:production dependency-group: pip - dependency-name: fonttools dependency-version: 4.60.2 dependency-type: direct:production dependency-group: pip - dependency-name: protobuf dependency-version: 5.29.5 dependency-type: direct:production dependency-group: pip - dependency-name: requests dependency-version: 2.32.4 dependency-type: direct:production dependency-group: pip - dependency-name: tornado dependency-version: '6.5' dependency-type: direct:production dependency-group: pip - dependency-name: urllib3 dependency-version: 2.6.3 dependency-type: direct:production dependency-group: pip - dependency-name: werkzeug dependency-version: 3.1.4 dependency-type: direct:production dependency-group: pip ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jan 8, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the pip group across 1 directory with 10 updates #1

build(deps): bump the pip group across 1 directory with 10 updates #1

Uh oh!

dependabot bot commented on behalf of github Jan 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

build(deps): bump the pip group across 1 directory with 10 updates #1

Are you sure you want to change the base?

build(deps): bump the pip group across 1 directory with 10 updates #1

Uh oh!

Conversation

dependabot bot commented on behalf of github Jan 8, 2026

v3.5.0rc0

v3.4.0

Major New Features

3.5.0rc0 (2025-10-08)

3.4.0rc0 (2025-09-11)

Major New Features

v78.1.1

Bugfixes

v78.1.0

Features

v78.0.2

Bugfixes

v78.0.1

Misc

v78.0.0

Bugfixes

Deprecations and Removals

3.20.1

What's Changed

3.20.0

What's Changed

New Contributors

3.19.1

What's Changed

New Contributors

3.19.0

What's Changed

3.1.1

Version 3.1.1

4.60.2

4.60.1

4.60.0

4.59.2

4.59.1

4.59.0

4.60.2 (released 2025-12-09)

4.61.0 (released 2025-11-28)

4.60.1 (released 2025-09-29)

4.60.0 (released 2025-09-17)

v2.32.4

2.32.4 (2025-06-10)

2.32.4 (2025-06-10)

Release notes

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

Changes

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

Changes

2.6.1

🚀 urllib3 is fundra... Description has been truncated

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

🚀 urllib3 is fundra...
Description has been truncated