Dependency updates

[nfelt14]

This PR contains the following updates:

Package	Change	Age	Confidence
pygments (changelog)	==2.19.2 → ==2.20.0
cryptography (changelog)	==46.0.5 → ==46.0.6
requests (changelog)	==2.32.5 → ==2.33.0

GitHub Vulnerability Alerts

CVE-2026-4539

A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

---

Release Notes

pygments/pygments (pygments)

v2.20.0

Compare Source

(released March 29th, 2026)

• New lexers:

  • Rell (#​2914)

• Updated lexers:

  • archetype: Fix catastrophic backtracking in GUID and ID patterns (#​3064)
  • ASN.1: Recognize minus sign and fix range operator (#​3014, #​3060)
  • C++: Add C++26 keywords (#​2955), add integer literal suffixes (#​2966)
  • ComponentPascal: Fix analyse_text (#​3028, #​3032)
  • Coq renamed to Rocq (#​2883, #​2908)
  • Cython: Various improvements (#​2932, #​2933)
  • Debian control: Improve architecture parsing (#​3052)
  • Devicetree: Add support for overlay/fragments (#​3021), add bytestring support (#​3022), fix catastrophic backtracking (#​3057)
  • Fennel: Various improvements (#​2911)
  • Haskell: Handle escape sequences in character literals (#​3069, #​1795)
  • Java: Add module keywords (#​2955)
  • Lean4: Add operators ]', ]?, ]! (#​2946)
  • LESS: Support single-line comments (#​3005)
  • LilyPond: Update to 2.25.29 (#​2974)
  • LLVM: Support C-style comments (#​3023, #​2978)
  • Lua(u): Fix catastrophic backtracking (#​3047)
  • Macaulay2: Update to 1.25.05 (#​2893), 1.25.11 (#​2988)
  • Mathematica: Various improvements (#​2957)
  • meson: Add additional operators (#​2919)
  • MySQL: Update keywords (#​2970)
  • org-Mode: Support both schedule and deadline (#​2899)
  • PHP: Add __PROPERTY__ magic constant (#​2924), add reserved keywords (#​3002)
  • PostgreSQL: Add more keywords (#​2985)
  • protobuf: Fix namespace tokenization (#​2929)
  • Python: Add t-string support (#​2973, #​3009, #​3010)
  • Tablegen: Fix infinite loop (#​2972, #​2940)
  • Tera Term macro: Add commands introduced in v5.3 through v5.6 (#​2951)
  • TOML: Support TOML 1.1.0 (#​3026, #​3027)
  • Turtle: Allow empty comment lines (#​2980)
  • XML: Added .xbrl as file ending (#​2890, #​2891)

• Drop Python 3.8, and add Python 3.14 as a supported version (#​2987, #​3012)

• Various improvements to autopygmentize (#​2894)

• Update onedark style to support more token types (#​2977)

• Update rtt style to support more token types (#​2895)

• Cache entry points to improve performance (#​2979)

• Fix xterm-256 color table (#​3043)

• Fix kwargs dictionary getting mutated on each call (#​3044)

---

GitHub Vulnerability Alerts

CVE-2026-34073

Summary

In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com.

This behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.

In practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity.

See CVE-2025-61727 for a similar bypass in Go's crypto/x509.

Remediation

Users should upgrade to 46.0.6 or newer.

Attribution

Reporter: @​1seal

---

Release Notes

pyca/cryptography (cryptography)

v46.0.6

Compare Source

---

GitHub Vulnerability Alerts

CVE-2026-25645

Impact

The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

Affected usages

Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.

Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.

If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

---

Release Notes

psf/requests (requests)

v2.33.0

Compare Source

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that
  uses Requests, please take a look at #​7271. Give it a try, and report
  any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts
  contents to a non-deterministic location to prevent malicious file
  replacement. This does not affect default usage of Requests, only
  applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#​7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause
  malformed authentication to be applied to Requests on
  Python 3.11+. (#​7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#​7196)

Documentation

• Various typo fixes and doc improvements.

---

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (bf0839c) to head (2ebcc48).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##              main      #914   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            4         4           
  Lines          233       233           
  Branches        32        32           
=========================================
  Hits           233       233           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Test Results (windows)

path	passed	subtotal
tests\test_bump_version_in_files.py	5	5
tests\test_create_unique_testpypi_version.py	7	7
tests\test_find_unreleased_changelog_items.py	6	6
tests\test_update_development_dependencies.py	13	13
TOTAL	31	31

Link to workflow run

[github-actions]

Test Results (ubuntu)

path	passed	subtotal
tests/test_bump_version_in_files.py	5	5
tests/test_create_unique_testpypi_version.py	7	7
tests/test_find_unreleased_changelog_items.py	6	6
tests/test_update_development_dependencies.py	13	13
TOTAL	31	31

Link to workflow run

[github-actions]

Test Results (macos)

path	passed	subtotal
tests/test_bump_version_in_files.py	5	5
tests/test_create_unique_testpypi_version.py	7	7
tests/test_find_unreleased_changelog_items.py	6	6
tests/test_update_development_dependencies.py	13	13
TOTAL	31	31

Link to workflow run