chore: bump the python-security group across 7 directories with 12 updates

[dependabot]

Bumps the python-security group with 9 updates in the /libs/extractor-api-lib directory:

Package	From	To
langsmith	0.6.4	0.8.5
langchain-core	1.2.7	1.3.3
langchain-text-splitters	1.1.0	1.1.2
lxml	5.4.0	6.1.0
nltk	3.9.2	3.9.4
pillow	12.1.1	12.2.0
python-dotenv	1.2.1	1.2.2
python-multipart	0.0.22	0.0.27
urllib3	2.6.3	2.7.0

Bumps the python-security group with 4 updates in the /services/rag-backend directory: langsmith, langchain-classic, python-dotenv and urllib3.
Bumps the python-security group with 5 updates in the /services/admin-backend directory:

Package	From	To
langsmith	0.3.45	0.8.5
langchain-classic	1.0.0	1.0.7
nltk	3.9.2	3.9.4
python-dotenv	1.1.1	1.2.2
urllib3	2.6.3	2.7.0

Bumps the python-security group with 5 updates in the /libs/rag-core-lib directory:

Package	From	To
langsmith	0.3.45	0.8.5
langchain-classic	1.0.0	1.0.1
langchain-core	1.2.13	1.3.3
python-dotenv	1.1.1	1.2.2
urllib3	2.6.3	2.7.0

Bumps the python-security group with 5 updates in the /libs/rag-core-api directory:

Package	From	To
langsmith	0.3.45	0.8.5
langchain-classic	1.0.0	1.0.2
langchain-text-splitters	1.1.0	1.1.2
python-dotenv	1.1.1	1.2.2
urllib3	2.6.3	2.7.0

Bumps the python-security group with 5 updates in the /libs/admin-api-lib directory:

Package	From	To
langsmith	0.3.45	0.8.5
langchain-classic	1.0.0	1.0.7
python-dotenv	1.1.1	1.2.2
python-multipart	0.0.22	0.0.27
urllib3	2.6.3	2.7.0

Bumps the python-security group with 5 updates in the /services/mcp-server directory:

Package	From	To
python-dotenv	1.2.1	1.2.2
python-multipart	0.0.22	0.0.27
urllib3	2.6.3	2.7.0
poetry	2.3.2	2.3.4
authlib	1.6.9	1.6.12

Updates langsmith from 0.6.4 to 0.8.5

Release notes

Sourced from langsmith's releases.

v0.8.5

What's Changed

• release(js): 0.7.0 by @​ramon-langchain in langchain-ai/langsmith-sdk#2890
• fix(js): add alias for experimental/sandbox to appease broad peer dep range within deepagents by @​dqbd in langchain-ai/langsmith-sdk#2893
• feat(js): allow disabling multipart streaming via env variable by @​dqbd in langchain-ai/langsmith-sdk#2900
• feat(python): add Client.close() to release session [closes LSDK-183] by @​open-swe[bot] in langchain-ai/langsmith-sdk#2866
• feat(sandbox): forward client default headers on exec WebSocket by @​open-swe[bot] in langchain-ai/langsmith-sdk#2899
• release(js): 0.7.1 by @​langchain-infra in langchain-ai/langsmith-sdk#2902
• release(py): 0.8.5 by @​langchain-infra in langchain-ai/langsmith-sdk#2903

Full Changelog: langchain-ai/langsmith-sdk@v0.8.4...v0.8.5

v0.8.4

What's Changed

• release(js): 0.6.3 by @​vishnu-ssuresh in langchain-ai/langsmith-sdk#2864
• chore(deps): bump python-multipart from 0.0.26 to 0.0.27 in /python by @​dependabot[bot] in langchain-ai/langsmith-sdk#2859
• chore(deps-dev): bump @​anthropic-ai/sdk from 0.91.1 to 0.92.0 in /js by @​dependabot[bot] in langchain-ai/langsmith-sdk#2858
• chore(deps): bump postcss from 8.5.8 to 8.5.14 in /js by @​dependabot[bot] in langchain-ai/langsmith-sdk#2857
• chore(deps): bump hono from 4.12.15 to 4.12.18 in /js by @​dependabot[bot] in langchain-ai/langsmith-sdk#2860
• chore(deps-dev): bump langchain-core from 1.3.2 to 1.3.3 in /python by @​dependabot[bot] in langchain-ai/langsmith-sdk#2867
• chore(deps-dev): bump @​anthropic-ai/sdk from 0.92.0 to 0.93.0 in /js by @​dependabot[bot] in langchain-ai/langsmith-sdk#2869
• chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in /python by @​dependabot[bot] in langchain-ai/langsmith-sdk#2873
• chore(deps): bump the py-minor-and-patch group across 1 directory with 12 updates by @​dependabot[bot] in langchain-ai/langsmith-sdk#2876
• chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 16 updates by @​dependabot[bot] in langchain-ai/langsmith-sdk#2877
• chore(deps): bump the py-minor-and-patch group across 1 directory with 11 updates by @​dependabot[bot] in langchain-ai/langsmith-sdk#2879
• chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates by @​dependabot[bot] in langchain-ai/langsmith-sdk#2868
• chore(deps-dev): bump @​anthropic-ai/sdk from 0.93.0 to 0.94.0 in /js by @​dependabot[bot] in langchain-ai/langsmith-sdk#2878
• sdk(js): rename experimental/sandbox -> sandbox (breaking) by @​DanielKneipp in langchain-ai/langsmith-sdk#2885
• sdk(py): drop sandbox alpha/experimental warnings by @​DanielKneipp in langchain-ai/langsmith-sdk#2884
• feat(sandbox): make snapshot optional and add TS options overload by @​ramon-langchain in langchain-ai/langsmith-sdk#2887
• release(py): 0.8.4 by @​ramon-langchain in langchain-ai/langsmith-sdk#2889

Full Changelog: langchain-ai/langsmith-sdk@v0.8.3...v0.8.4

v0.8.3

What's Changed

• fix(js): prevent sending [object Object] as span attribute when dealing with nested objects, send full langsmith.usage_metadata if present by @​dqbd in langchain-ai/langsmith-sdk#2845
• release(js): bump to 0.6.2 by @​dqbd in langchain-ai/langsmith-sdk#2856
• sdk(py): replace ttl_seconds with idle_ttl_seconds + delete_after_stop_seconds by @​DanielKneipp in langchain-ai/langsmith-sdk#2853
• sdk(js): replace ttlSeconds with idleTtlSeconds + deleteAfterStopSeconds by @​DanielKneipp in langchain-ai/langsmith-sdk#2854
• Fix push_agent URL owner for name-only identifiers by @​vishnu-ssuresh in langchain-ai/langsmith-sdk#2862
• docs(langsmith): clarify trust boundaries when working with hub by @​eyurtsev in langchain-ai/langsmith-sdk#2861
• release(py): 0.8.3 by @​vishnu-ssuresh in langchain-ai/langsmith-sdk#2863

Full Changelog: langchain-ai/langsmith-sdk@v0.8.2...v0.8.3

v0.8.2

... (truncated)

Commits

• ef9fcd5 release(py): 0.8.5 (#2903)
• 63b402e release(js): 0.7.1 (#2902)
• 602a27a feat(sandbox): forward client default headers on exec WebSocket (#2899)
• 126ef52 feat(python): add Client.close() to release session [closes LSDK-183] (#2866)
• fddf88d feat(js): allow disabling multipart streaming via env variable (#2900)
• 19bfc57 fix(js): add alias for experimental/sandbox to appease broad peer dep range...
• 6717def release(js): 0.7.0 (#2890)
• 273f8f9 release(py): 0.8.4 (#2889)
• afbf4fb feat(sandbox): make snapshot optional and add TS options overload (#2887)
• 54da541 sdk(py): drop sandbox alpha/experimental warnings (#2884)
• Additional commits viewable in compare view

Updates langchain-core from 1.2.7 to 1.3.3

Release notes

Sourced from langchain-core's releases.

langchain-core==1.3.3

Changes since langchain-core==1.3.2

release(core): 1.3.3 (#37198) fix(core): set deprecation since to 1.3.3 to match release (#37200) fix(core, langchain): harden load() against untrusted manifests (#37197) chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (#37109) chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (#37129) fix(core): preserve structured inputs on tool runs in tracers (#37108) release(perplexity): 1.2.0 (#37091) chore(docs): update x handle references (#37081) fix(core): make removal optional in warn_deprecated (#37056) fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (#36663) chore(core): mark stream_v2/astream_v2 as beta (#36992)

langchain-core==1.3.2

Changes since langchain-core==1.3.1

release(core): 1.3.2 (#36990) feat(core): add content-block-centric streaming (v2) (#36834)

langchain-core==1.3.1

Changes since langchain-core==1.3.0

release(core): 1.3.1 (#36972) feat(core): allow _format_output to pass through list of ToolOutputMixin instances (#36963) chore: bump nbconvert from 7.17.0 to 7.17.1 in /libs/core (#36923) feat(core): Update inheritance behavior for tracer metadata for special keys (#36900) chore: bump langsmith from 0.7.13 to 0.7.31 in /libs/core (#36813)

langchain-core==1.3.0

Changes since langchain-core==1.2.31

release(core): release 1.3.0 (#36851) release(core): 1.3.0a3 (#36829) chore(core): keep checkpoint_ns behavior in streaming metadata for backwards compat (#36828) feat(core): Add chat model and LLM invocation params to traceable metadata (#36771) fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#36816) chore(deps): bump pytest to 9.0.3 (#36801) chore(core): harden private SSRF utilities (#36768) fix(openai): handle content blocks without type key in responses api conversion (#36725) chore: bump pytest from 9.0.2 to 9.0.3 in /libs/core (#36719) release(core): 1.3.0.a2 (#36698) fix(core): Use reference counting for storing inherited run trees to support garbage collection (#36660) docs(core): nit (#36685) release(core): 1.3.0a1 (#36656) chore(core): reduce streaming metadata / perf (#36588)

langchain-core==1.3.0a3

Initial release

... (truncated)

Commits

• 5039dfe release(core): 1.3.3 (#37198)
• 55a7707 fix(core): set deprecation since to 1.3.3 to match release (#37200)
• c979c61 fix(core, langchain): harden load() against untrusted manifests (#37197)
• d703110 docs: update README.md (#37190)
• 4d50a2a ci(infra): run pre-release checks before TestPyPI publish (#37194)
• 9bd730e fix(fireworks): require api_key in FireworksEmbeddings (#37193)
• f475f41 release(mistralai): 1.1.4 (#37191)
• 7dbff48 fix(mistralai): strip non-wire keys from ToolMessage (#37188)
• 913816c release(fireworks): 1.3.1 (#37189)
• 4498d3d fix(fireworks): strip non-wire keys from ToolMessage text content blocks (#...
• Additional commits viewable in compare view

Updates langchain-text-splitters from 1.1.0 to 1.1.2

Release notes

Sourced from langchain-text-splitters's releases.

langchain-text-splitters==1.1.2

Changes since langchain-text-splitters==1.1.1

release(text-splitters): 1.1.2 (#36822) fix(text-splitters): deprecate and use SSRF-safe transport in split_text_from_url (#36821) chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/text-splitters (#36797) chore(deps): bump pytest to 9.0.3 (#36801) chore: bump pytest from 9.0.2 to 9.0.3 in /libs/text-splitters (#36714) chore: add comment explaining pygments>=2.20.0 (#36570) release(core): 1.2.26 (#36511) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385) fix(text-splitters): prevent silent data loss for empty dict values in RecursiveJsonSplitter (#35079) feat(text-splitters): support spacy tests with Python 3.14 (#36198) fix(infra): correct lint_diff relative paths in package makefiles (#36333) chore: bump requests from 2.32.5 to 2.33.0 in /libs/text-splitters (#36238) chore: bump nltk from 3.9.3 to 3.9.4 in /libs/text-splitters (#36237) chore(partners): bump langchain-core min to 1.2.21 (#36183) chore(text-splitters): bump nltk in lock file (#36112) ci: suppress pytest streaming output in CI (#36092) chore(text-splitters): speed up ci (#36050) ci: avoid unnecessary dep installs in lint targets (#36046) chore: bump orjson from 3.11.5 to 3.11.6 in /libs/text-splitters (#35856) chore: bump locks, lint (#35985) perf(.github): set a timeout on get min versions HTTP calls (#35851) chore: bump tornado from 6.5.2 to 6.5.5 in /libs/text-splitters (#35774) chore: bump the minor-and-patch group across 3 directories with 3 updates (#35589) chore: bump the other-deps group across 3 directories with 2 updates (#35512) chore: bump nltk from 3.9.2 to 3.9.3 in /libs/text-splitters (#35449) chore: bump the other-deps group across 3 directories with 2 updates (#35407)

langchain-text-splitters==1.1.1

Changes since langchain-text-splitters==1.1.0

release(text-splitters): 1.1.1 (#35318) fix(text-splitters): prevent JSFrameworkTextSplitter from mutating self._separators on each split_text() call (#35316) chore: bump transformers from 5.1.0 to 5.2.0 in /libs/text-splitters in the other-deps group across 1 directory (#35279) chore: bump the other-deps group across 3 directories with 2 updates (#35255) style: bump ruff version to 0.15 (#35042) fix: Server-Side Request Forgery (SSRF) in HTMLHeaderTextSplitter.split_text_from_url (#35196) feat(text-splitters): add model_kwargs to SentenceTransformersTokenTextSplitter (#35113) chore(deps): bump langsmith from 0.4.31 to 0.6.3 in /libs/text-splitters (#35162) chore(deps): bump the other-deps group across 3 directories with 12 updates (#35127) chore(deps): bump the other-deps group across 3 directories with 8 updates (#35120) chore: add make type target (#35015) revert: "chore: add typing target in Makefile" (#35013) chore: add typing target in Makefile (#35012) fix(text-splitters): reverse preserved elements iterator in HTMLSemanticPreservingSplitter (#34080) chore: enrich pyproject.toml files (#34980) chore(deps): bump the uv group across 20 directories with 3 updates (#34941) chore: upgrade urllib3 to 2.6.3 (#34940)

... (truncated)

Commits

• 58c4e5b release(text-splitters): 1.1.2 (#36822)
• c289bf1 fix(text-splitters): deprecate and use SSRF-safe transport in split_text_from...
• b7447c6 fix(infra): skip serdes tests in min-version release step (#36818)
• 41c0cc5 release(openai): 1.1.14 (#36820)
• 0516156 fix(openai): use SSRF-safe transport for image token counting (#36819)
• 338aa81 fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#3...
• 51e9548 chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/text-splitters (#36797)
• e85c418 chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/model-profiles (#36798)
• 789126e chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/standard-tests (#36799)
• 937b3eb chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/langchain_v1 (#36800)
• Additional commits viewable in compare view

Updates lxml from 5.4.0 to 6.1.0

Changelog

Sourced from lxml's changelog.

6.1.0 (2026-04-17)

This release fixes a possible external entity injection (XXE) vulnerability in iterparse() and the ETCompatXMLParser.

Features added

• GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes in lxml.html.defs. This allows lxml_html_clean to pass them through. Patch by oomsveta.

• The default chunk size for reading from file-likes in iterparse() is now configurable with a new chunk_size argument.

Bugs fixed

• LP#2146291: The resolve_entities option was still set to True for iterparse and ETCompatXMLParser, allowing for external entity injection (XXE) when using these parsers without setting this option explicitly. The default was now changed to 'internal' only (as for the normal XML and HTML parsers since lxml 5.0). Issue found by Sihao Qiu as CVE-2026-41066.

6.0.4 (2026-04-12)

Bugs fixed

• LP#2148019: Spurious MemoryError during namespace cleanup.

6.0.3 (2026-04-09)

Bugs fixed

• Several out of memory error cases now raise MemoryError that were not handled before.

• Slicing with large step values (outside of +/- sys.maxsize) could trigger undefined C behaviour.

• LP#2125399: Some failing tests were fixed or disabled in PyPy.

• LP#2138421: Memory leak in error cases when setting the public_id or system_url of a document.

... (truncated)

Commits

• 43722f4 Update changelog.
• 8747040 Name version of option change in docstring.
• 6c36e6c Fix pypistats URL in download statistics script.
• c7d76d6 Change security policy to point to Github security advisories.
• 378ccf8 Update project income report.
• 315270b Docs: Reduce TOC depth of package pages and move module contents first.
• 6dbba7f Docs: Show current year in copyright line.
• e4385bf Update project income report.
• 5bed1e1 Validate file hashes in release download script.
• c13ee10 Prepare release of 6.1.0.
• Additional commits viewable in compare view

Updates nltk from 3.9.2 to 3.9.4

Changelog

Sourced from nltk's changelog.

Version 3.9.4 2026-03-24

• Support Python 3.14
• Fix bug in Levenshtein distance when substitution_cost > 2
• Fix bug in Treebank detokeniser re quote ordering
• Fix bug in Jaro similarity for empty strings
• Several security enhancements
• Fix GHSA-rf74-v2fm-23pw: unbounded recursion in JSONTaggedDecoder
• Implement TextTiling vocabulary introduction method (Hearst 1997)
• Fix ALINE feature matrix errors and add comprehensive tests
• Support multiple VerbNet versions, fix longid/shortid regex for VerbNet ids
• Let downloader fallback to md5 when sha256 is unavailable
• Several other minor bugfixes and code cleanups

Thanks to the following contributors to 3.9.4: Min-Yen Kan, Eric Kafe, Emily Voss, bowiechen, Hrudhai01, jancallewaert, Mr-Neutr0n, pollak.peter89, ylwango613,

Version 3.9.3 2026-02-21

• Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
• Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
• Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
• Validate external StanfordSegmenter JARs using SHA256 (#3477)
• Add optional sandbox enforcement for filestring() (#3485)
• Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

• Update download checksums to use SHA256 in built index
• Fix percentage escape in new-style string formatting
• replace shortened URLs using goo.gl
• Make Wordnet interoperable with various taggers and tagged corpora
• Fix saving PerceptronTagger
• Document how to reproduce old Wordnet studies
• properly initialize Portuguese corpus reader
• support for mixed rules conversion into Chomsky Normal Form
• only import tkinter if a GUI is needed
• issue #2112 with Corenlp
• new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL
• Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

... (truncated)

Commits

• ad9c96b Update copyright year
• 7edcddf Updates for 3.9.4 release
• 67a2736 Merge pull request #3180 from yzhaoinuw/bug-on-edit_distance_align
• 2b17ac5 Fix edit_distance_align backtrace for high substitution costs
• 4b72976 Merge pull request #3018 from JuanIMartinezB/bug/shortid-longid
• 8a5619f Merge pull request #3222 from Syzygy2048/feature/texttiling-vocabulary-introd...
• c6574d7 Merge pull request #3289 from ihitamandal/codeflash/optimize-windowdiff-2024-...
• 98ff5d9 Merge pull request #3435 from Hrudhai01/fix-3260-detokenize-quotes
• aec4fce Merge pull request #3522 from ekaf/pathsec
• eec4ee3 Merge pull request #3526 from nltk/update-contributing
• Additional commits viewable in compare view

Updates pillow from 12.1.1 to 12.2.0

Release notes

Sourced from pillow's releases.

12.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html

Documentation

• Update 12.2.0 release notes #9522 [@​hugovk]
• Add loader plugins: AMOS abk, Atari Degas, 40+ more obscure formats via Netpbm #9482 [@​bitplane]
• Update Python versions #9515 [@​radarhere]
• Jeffrey A. Clark -> Jeffrey 'Alex' Clark #9513 [@​aclark4life]
• Add release notes for #9394, #9419 and #9456 #9467 [@​radarhere]
• Add Amiga Workbench .info loader to 3rd party plugins list #9459 [@​bitplane]
• Merge PFM documentation into PPM #9434 [@​radarhere]
• Update macOS tested Pillow versions #9431 [@​radarhere]
• Fix CVE number #9430 [@​hugovk]

Dependencies

• Update xz to 5.8.3 #9523 [@​radarhere]
• Update libjpeg-turbo to 3.1.4.1 #9507 [@​radarhere]
• Update libpng to 1.6.56 #9499 [@​radarhere]
• Update freetype to 2.14.3 #9485 [@​radarhere]
• Updated libavif to 1.4.1 #9479 [@​radarhere]
• Updated harfbuzz to 13.2.1 #9461 [@​radarhere]
• Update Ghostscript to 10.7.0 #9469 [@​radarhere]
• Update harfbuzz to 13.0.1 #9453 [@​radarhere]
• Update libavif to 1.4.0 #9460 [@​radarhere]
• Update freetype to 2.14.2 #9449 [@​radarhere]
• Update actions/download-artifact action to v8 #9451 [@renovate[bot]]
• Updated libpng to 1.6.55 #9425 [@​radarhere]

Testing

• Cleanup .spider extension in the same test where it is added #9517 [@​radarhere]
• Run tests in parallel via tox for 3.5x speedup #9516 [@​hugovk]
• Enable colour in CI logs #9486 [@​hugovk]
• Update Ghostscript to 10.7.0 #9469 [@​radarhere]
• Simplify TGA test code #9477 [@​radarhere]
• Update tests to check for ValueError when encoding an empty image #9464 [@​radarhere]
• Upgrade CI from macos-15-intel to macos-26-intel #9454 [@​hugovk]
• Add check-case-conflict hook #9446 [@​radarhere]
• Specify platform when pulling docker image #9440 [@​radarhere]
• GHA: Cache libavif and webp builds for Ubuntu #9437 [@​hugovk]
• Update macOS tested Pillow versions #9431 [@​radarhere]

Other changes

• Check calloc return value #9527 [@​radarhere]
• Check all allocs in the Arrow tree #9488 [@​wiredfool]
• Reject non-numeric elements inside list coords #9526 [@​hugovk]
• Move variable declaration inside define #9525 [@​radarhere]

... (truncated)

Commits

• 3c41c09 12.2.0 version bump
• cdaa29e Check calloc return value (#9527)
• 585b2f5 Check calloc return value
• ecf011e Check all allocs in the Arrow tree (#9488)
• cf6de8c Reject non-numeric elements inside list coords (#9526)
• ffdcede Update 12.2.0 release notes (#9522)
• 7929d77 Added security release notes (#149)
• c4f7aa5 Added security release notes
• 22cdb5f Move variable declaration inside define (#9525)
• fc15b3b Resize tall images vertically first (#9524)
• Additional commits viewable in compare view

Updates python-dotenv from 1.2.1 to 1.2.2

Release notes

Sourced from python-dotenv's releases.

v1.2.2

Added

• Support for Python 3.14, including the free-threaded (3.14t) build. (#)

Changed

• The dotenv run command now forwards flags directly to the specified command by @​bbc2 in theskumar/python-dotenv#607
• Improved documentation clarity regarding override behavior and the reference page.
• Updated PyPy support to version 3.11.
• Documentation for FIFO file support.
• Support for Python 3.9.

Fixed

• Improved set_key and unset_key behavior when interacting with symlinks by @​bbc2 in #790c5
• Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by @​JYOuyang in theskumar/python-dotenv#590

Breaking Changes

• dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

• In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

• dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

Misc

• skip 000 permission tests for root user by @​burnout-projects in theskumar/python-dotenv#561
• Bump actions/checkout from 5 to 6 in the github-actions group by @​dependabot[bot] in theskumar/python-dotenv#593
• Add Windows testing to CI by @​bbc2 in theskumar/python-dotenv#604
• Improve workflow efficiency with best practices by @​theskumar in theskumar/python-dotenv#609
• Remove the use of sh in tests by @​bbc2 in theskumar/python-dotenv#612

New Contributors

• @​JYOuyang made their first contribution in theskumar/python-dotenv#590
• @​burnout-projects made their first contribution in theskumar/python-dotenv#561
• @​cpackham-atlnz made their first contribution in theskumar/python-dotenv#597

Full Changelog: theskumar/python-dotenv@v1.2.1...v1.2.2

Changelog

Sourced from python-dotenv's changelog.

[1.2.2] - 2026-03-01

Added

• Support for Python 3.14, including the free-threaded (3.14t) build. (#588)

Changed

• The dotenv run command now forwards flags directly to the specified command by [@​bbc2] in #607
• Improved documentation clarity regarding override behavior and the reference page.
• Updated PyPy support to version 3.11.
• Documentation for FIFO file support.
• Dropped Support for Python 3.9.

Fixed

• Improved set_key and unset_key behavior when interacting with symlinks by [@​bbc2] in [790c5c0]
• Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by [@​JYOuyang] in #590

Breaking Changes

• dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

• In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

• dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

Commits

• 36004e0 Bump version: 1.2.1 → 1.2.2
• eb20252 docs: update changelog for v1.2.2
• 790c5c0 Merge commit from fork
• 43340da Remove the use of sh in tests (#612)
• 09d7cee docs: clarify override behavior and document FIFO support (#610)
• c8de288 ci: improve workflow efficiency with best practices (#609)
• 7bd9e3d Add Windows testing to CI (#604)
• 1baaf04 Drop Python 3.9 support and update to PyPy 3.11 (#608)
• 4a22cf8 ci: enable testing on Python 3.14t (free-threaded) (#588)
• e2e8e77 Fix license specifier (#597)
• Additional commits viewable in compare view

Updates python-multipart from 0.0.22 to 0.0.27

Release notes

Sourced from python-multipart's releases.

Version 0.0.27

What's Changed

• Pass parse offsets via constructors by @​Kludex in Kludex/python-multipart#268
• Add multipart header limits by @​Kludex in Kludex/python-multipart#267

Full Changelog: Kludex/python-multipart@0.0.26...0.0.27

Version 0.0.26

What's Changed

• Skip preamble before first multipart boundary by @​Kludex in Kludex/python-multipart#262
• Silently discard epilogue data after the closing boundary by @​Kludex in Kludex/python-multipart#259

Full Changelog: Kludex/python-multipart@0.0.25...0.0.26

Version 0.0.25

What's Changed

• Apply Apache-2.0 properly by @​Kludex in Kludex/python-multipart#247
• Handle multipart headers case-insensitively by @​Kludex in Kludex/python-multipart#252
• Emit field_end for trailing bare field names on finalize by @​bysiber in Kludex/python-multipart#230
• Add UPLOAD_DELETE_TMP to FormParser config by @​Kludex in Kludex/python-multipart#254
• Remove custom FormParser classes by @​Kludex in Kludex/python-multipart#257
• Handle CTE values case-insen...

  Description has been truncated

[dependabot]

Superseded by #387.