Skip to content

Bump the pip group across 2 directories with 15 updates#22

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/pip/pip-135ff923fc
Open

Bump the pip group across 2 directories with 15 updates#22
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/pip/pip-135ff923fc

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Feb 20, 2026

Bumps the pip group with 13 updates in the / directory:

Package From To
black 21.12b0 24.3.0
certifi 2021.10.8 2024.7.4
gitpython 3.1.24 3.1.41
grpcio 1.43.0 1.53.2
h11 0.12.0 0.16.0
idna 3.3 3.7
jinja2 3.0.3 3.1.6
protobuf 3.19.1 5.29.6
pydantic 1.9.0 1.10.13
requests 2.27.0 2.32.4
tqdm 4.62.3 4.66.3
virtualenv 20.13.0 20.36.1
zipp 3.7.0 3.19.1

Bumps the pip group with 2 updates in the /docs directory: scikit-learn and pip.

Updates black from 21.12b0 to 24.3.0

Release notes

Sourced from black's releases.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

  • Don't move comments along with delimiters, which could cause crashes (#4248)
  • Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
  • Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

  • Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

  • Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

  • Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

  • Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
  • Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
  • Checking for newline before adding one on docstring that is almost at the line limit (#4185)
  • Remove redundant parentheses in case statement if guards (#4214).

Configuration

... (truncated)

Changelog

Sourced from black's changelog.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

  • Don't move comments along with delimiters, which could cause crashes (#4248)
  • Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
  • Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

  • Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

  • Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

  • Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

  • Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
  • Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
  • Checking for newline before adding one on docstring that is almost at the line limit (#4185)
  • Remove redundant parentheses in case statement if guards (#4214).

... (truncated)

Commits

Updates certifi from 2021.10.8 to 2024.7.4

Commits

Updates gitpython from 3.1.24 to 3.1.41

Release notes

Sourced from gitpython's releases.

3.1.41 - fix Windows security issue

The details about the Windows security issue can be found in this advisory.

Special thanks go to @​EliahKagan who reported the issue and fixed it in a single stroke, while being responsible for an incredible amount of improvements that he contributed over the last couple of months ❤️.

What's Changed

... (truncated)

Commits
  • f288738 bump patch level
  • ef3192c Merge pull request #1792 from EliahKagan/popen
  • 1f3caa3 Further clarify comment in test_hook_uses_shell_not_from_cwd
  • 3eb7c2a Move safer_popen from git.util to git.cmd
  • c551e91 Extract shared logic for using Popen safely on Windows
  • 15ebb25 Clarify comment in test_hook_uses_shell_not_from_cwd
  • f44524a Avoid spurious "location may have moved" on Windows
  • a42ea0a Cover absent/no-distro bash.exe in hooks "not from cwd" test
  • 7751436 Extract venv management from test_installation
  • 66ff4c1 Omit CWD in search for bash.exe to run hooks on Windows
  • Additional commits viewable in compare view

Updates grpcio from 1.43.0 to 1.53.2

Release notes

Sourced from grpcio's releases.

Release v1.49.4

This is release gRPC Core 1.49.4 (gamma).

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes.

  • [Core] Add set min/max TLS version APIs to TLS credentials APIs. (#34861)
Commits
  • afb307f [v1.53.x][Interop] Backport Python image update (#33864)
  • 7a9373b [Backport] [dependency] Restrict cython to less than 3.X (#33770)
  • fdb64a6 [v1.53][Build] Update Phusion baseimage (#33767) (#33836)
  • cdf4186 [PSM Interop] Legacy tests: fix xDS test client build (v1.53.x backport) (#33...
  • ce5b93a [PSM Interop] Legacy test builds always pull the driver from master (v1.53.x ...
  • b24b6ea [release] Bump release version to 1.53.2 (#33709)
  • 1e86ca5 [backport][iomgr][EventEngine] Improve server handling of file descriptor exh...
  • aff3066 [PSM interop] Don't fail url_map target if sub-target already failed (v1.53.x...
  • 539d75c [PSM interop] Don't fail target if sub-target already failed (#33222) (v1.53....
  • 3e79c88 [Release] Bump version to 1.53.1 (on v1.53.x branch) (#33047)
  • Additional commits viewable in compare view

Updates h11 from 0.12.0 to 0.16.0

Commits

Updates idna from 3.3 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

  • Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

  • Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

3.6 (2023-11-25) ++++++++++++++++

  • Fix regression to include tests in source distribution.

3.5 (2023-11-24) ++++++++++++++++

  • Update to Unicode 15.1.0
  • String codec name is now "idna2008" as overriding the system codec "idna" was not working.
  • Fix typing error for codec encoding
  • "setup.cfg" has been added for this release due to some downstream lack of adherence to PEP 517. Should be removed in a future release so please prepare accordingly.
  • Removed reliance on a symlink for the "idna-data" tool to comport with PEP 517 and the Python Packaging User Guide for sdist archives.
  • Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions to this release.

3.4 (2022-09-14) ++++++++++++++++

  • Update to Unicode 15.0.0
  • Migrate to pyproject.toml for build information (PEP 621)
  • Correct another instance where generic exception was raised instead of IDNAError for malformed input
  • Source distribution uses zeroized file ownership for improved reproducibility

Thanks to Seth Michael Larson for contributions to this release.

Commits
  • 1d365e1 Release v3.7
  • c1b3154 Merge pull request #172 from kjd/optimize-contextj
  • 0394ec7 Merge branch 'master' into optimize-contextj
  • cd58a23 Merge pull request #152 from elliotwutingfeng/dev
  • 5beb28b More efficient resolution of joiner contexts
  • 1b12148 Update ossf/scorecard-action to v2.3.1
  • d516b87 Update Github actions/checkout to v4
  • c095c75 Merge branch 'master' into dev
  • 60a0a4c Fix typo in GitHub Actions workflow key
  • 5918a0e Merge branch 'master' into dev
  • Additional commits viewable in compare view

Updates jinja2 from 3.0.3 to 3.1.6

Release notes

Sourced from jinja2's releases.

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/ Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

  • The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7

3.1.5

This is the Jinja 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.5/ Changes: https://jinja.palletsprojects.com/changes/#version-3-1-5 Milestone: https://github.com/pallets/jinja/milestone/16?closed=1

  • The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. GHSA-q2x7-8rv6-6q7h
  • Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. #1792, GHSA-gmj6-6f8f-6699
  • Sandbox does not allow clear and pop on known mutable sequence types. #2032
  • Calling sync render for an async template uses asyncio.run. #1952
  • Avoid unclosed auto_aiter warnings. #1960
  • Return an aclose-able AsyncGenerator from Template.generate_async. #1960
  • Avoid leaving root_render_func() unclosed in Template.generate_async. #1960
  • Avoid leaving async generators unclosed in blocks, includes and extends. #1960
  • The runtime uses the correct concat function for the current environment when calling block references. #1701
  • Make |unique async-aware, allowing it to be used after another async-aware filter. #1781
  • |int filter handles OverflowError from scientific notation. #1921
  • Make compiling deterministic for tuple unpacking in a {% set ... %} call. #2021
  • Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. #2025
  • Fix copy/pickle support for the internal missing object. #2027
  • Environment.overlay(enable_async) is applied correctly. #2061
  • The error message from FileSystemLoader includes the paths that were searched. #1661
  • PackageLoader shows a clearer error message when the package does not contain the templates directory. #1705
  • Improve annotations for methods returning copies. #1880
  • urlize does not add mailto: to values like @a@b. #1870
  • Tests decorated with @pass_context can be used with the |select filter. #1624
  • Using set for multiple assignment (a, b = 1, 2) does not fail when the target is a namespace attribute. #1413
  • Using set in all branches of {% if %}{% elif %}{% else %} blocks does not cause the variable to be considered initially undefined. #1253

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

  • The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

3.1.3

This is a fix release for the 3.1.x feature branch.

  • Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.

... (truncated)

Changelog

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

  • The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Version 3.1.5

Released 2024-12-21

  • The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. :ghsa:q2x7-8rv6-6q7h
  • Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. :issue:1792, :ghsa:gmj6-6f8f-6699
  • Sandbox does not allow clear and pop on known mutable sequence types. :issue:2032
  • Calling sync render for an async template uses asyncio.run. :pr:1952
  • Avoid unclosed auto_aiter warnings. :pr:1960
  • Return an aclose-able AsyncGenerator from Template.generate_async. :pr:1960
  • Avoid leaving root_render_func() unclosed in Template.generate_async. :pr:1960
  • Avoid leaving async generators unclosed in blocks, includes and extends. :pr:1960
  • The runtime uses the correct concat function for the current environment when calling block references. :issue:1701
  • Make |unique async-aware, allowing it to be used after another async-aware filter. :issue:1781
  • |int filter handles OverflowError from scientific notation. :issue:1921
  • Make compiling deterministic for tuple unpacking in a {% set ... %} call. :issue:2021
  • Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. :issue:2025
  • Fix copy/pickle support for the internal missing object. :issue:2027
  • Environment.overlay(enable_async) is applied correctly. :pr:2061
  • The error message from FileSystemLoader includes the paths that were searched. :issue:1661
  • PackageLoader shows a clearer error message when the package does not contain the templates directory. :issue:1705
  • Improve annotations for methods returning copies. :pr:1880
  • urlize does not add mailto: to values like @a@b. :pr:1870

... (truncated)

Commits

Updates protobuf from 3.19.1 to 5.29.6

Release notes

Sourced from protobuf's releases.

Protocol Buffers v34.0-rc1

Announcements

Bazel

Compiler

C++

... (truncated)

Commits

Updates pydantic from 1.9.0 to 1.10.13

Release notes

Sourced from pydantic's releases.

V1.10.13 2023-09-27

What's Changed

Full Changelog: pydantic/pydantic@v1.10.12...v1.10.13

V1.10.12

What's Changed

New Contributors

Full Changelog: pydantic/pydantic@v1.10.11...v1.10.12

V1.10.11

What's Changed

New Contributors

Full Changelog: pydantic/pydantic@v1.10.10...v1.10.11

V1.10.10

What's Changed

New Contributors

Full Changelog: pydantic/pydantic@v1.10.9...v1.10.10

V1.10.9

What's Changed

... (truncated)

Changelog

Sourced from pydantic's changelog.

v1.10.13 (2023-09-27)

v1.10.12 (2023-07-24)

  • Fixes the maxlen property being dropped on deque validation. Happened only if the deque item has been typed. Changes the _validate_sequence_like func, #6581 by @​maciekglowka

v1.10.11 (2023-07-04)

  • Importing create_m...

    Description has been truncated

@dependabot
Bump the pip group across 2 directories with 15 updates
c596908 
Bumps the pip group with 13 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [black](https://github.com/psf/black) | `21.12b0` | `24.3.0` |
| [certifi](https://github.com/certifi/python-certifi) | `2021.10.8` | `2024.7.4` |
| [gitpython](https://github.com/gitpython-developers/GitPython) | `3.1.24` | `3.1.41` |
| [grpcio](https://github.com/grpc/grpc) | `1.43.0` | `1.53.2` |
| [h11](https://github.com/python-hyper/h11) | `0.12.0` | `0.16.0` |
| [idna](https://github.com/kjd/idna) | `3.3` | `3.7` |
| [jinja2](https://github.com/pallets/jinja) | `3.0.3` | `3.1.6` |
| [protobuf](https://github.com/protocolbuffers/protobuf) | `3.19.1` | `5.29.6` |
| [pydantic](https://github.com/pydantic/pydantic) | `1.9.0` | `1.10.13` |
| [requests](https://github.com/psf/requests) | `2.27.0` | `2.32.4` |
| [tqdm](https://github.com/tqdm/tqdm) | `4.62.3` | `4.66.3` |
| [virtualenv](https://github.com/pypa/virtualenv) | `20.13.0` | `20.36.1` |
| [zipp](https://github.com/jaraco/zipp) | `3.7.0` | `3.19.1` |

Bumps the pip group with 2 updates in the /docs directory: [scikit-learn](https://github.com/scikit-learn/scikit-learn) and [pip](https://github.com/pypa/pip).


Updates `black` from 21.12b0 to 24.3.0
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](https://github.com/psf/black/commits/24.3.0)

Updates `certifi` from 2021.10.8 to 2024.7.4
- [Commits](certifi/python-certifi@2021.10.08...2024.07.04)

Updates `gitpython` from 3.1.24 to 3.1.41
- [Release notes](https://github.com/gitpython-developers/GitPython/releases)
- [Changelog](https://github.com/gitpython-developers/GitPython/blob/main/CHANGES)
- [Commits](gitpython-developers/GitPython@3.1.24...3.1.41)

Updates `grpcio` from 1.43.0 to 1.53.2
- [Release notes](https://github.com/grpc/grpc/releases)
- [Commits](grpc/grpc@v1.43.0...v1.53.2)

Updates `h11` from 0.12.0 to 0.16.0
- [Commits](python-hyper/h11@v0.12.0...v0.16.0)

Updates `idna` from 3.3 to 3.7
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst)
- [Commits](kjd/idna@v3.3...v3.7)

Updates `jinja2` from 3.0.3 to 3.1.6
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](pallets/jinja@3.0.3...3.1.6)

Updates `protobuf` from 3.19.1 to 5.29.6
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)

Updates `pydantic` from 1.9.0 to 1.10.13
- [Release notes](https://github.com/pydantic/pydantic/releases)
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md)
- [Commits](pydantic/pydantic@v1.9.0...v1.10.13)

Updates `requests` from 2.27.0 to 2.32.4
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.27.0...v2.32.4)

Updates `tqdm` from 4.62.3 to 4.66.3
- [Release notes](https://github.com/tqdm/tqdm/releases)
- [Commits](tqdm/tqdm@v4.62.3...v4.66.3)

Updates `virtualenv` from 20.13.0 to 20.36.1
- [Release notes](https://github.com/pypa/virtualenv/releases)
- [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst)
- [Commits](pypa/virtualenv@20.13.0...20.36.1)

Updates `zipp` from 3.7.0 to 3.19.1
- [Release notes](https://github.com/jaraco/zipp/releases)
- [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst)
- [Commits](jaraco/zipp@v3.7.0...v3.19.1)

Updates `scikit-learn` from 0.23.2 to 1.5.0
- [Release notes](https://github.com/scikit-learn/scikit-learn/releases)
- [Commits](scikit-learn/scikit-learn@0.23.2...1.5.0)

Updates `pip` from 20.2.2 to 26.0
- [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
- [Commits](pypa/pip@20.2.2...26.0)

---
updated-dependencies:
- dependency-name: black
  dependency-version: 24.3.0
  dependency-type: direct:development
  dependency-group: pip
- dependency-name: certifi
  dependency-version: 2024.7.4
  dependency-type: indirect
  dependency-group: pip
- dependency-name: gitpython
  dependency-version: 3.1.41
  dependency-type: indirect
  dependency-group: pip
- dependency-name: grpcio
  dependency-version: 1.53.2
  dependency-type: indirect
  dependency-group: pip
- dependency-name: h11
  dependency-version: 0.16.0
  dependency-type: indirect
  dependency-group: pip
- dependency-name: idna
  dependency-version: '3.7'
  dependency-type: indirect
  dependency-group: pip
- dependency-name: jinja2
  dependency-version: 3.1.6
  dependency-type: indirect
  dependency-group: pip
- dependency-name: protobuf
  dependency-version: 5.29.6
  dependency-type: indirect
  dependency-group: pip
- dependency-name: pydantic
  dependency-version: 1.10.13
  dependency-type: indirect
  dependency-group: pip
- dependency-name: requests
  dependency-version: 2.32.4
  dependency-type: indirect
  dependency-group: pip
- dependency-name: tqdm
  dependency-version: 4.66.3
  dependency-type: indirect
  dependency-group: pip
- dependency-name: virtualenv
  dependency-version: 20.36.1
  dependency-type: indirect
  dependency-group: pip
- dependency-name: zipp
  dependency-version: 3.19.1
  dependency-type: indirect
  dependency-group: pip
- dependency-name: scikit-learn
  dependency-version: 1.5.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pip
  dependency-version: '26.0'
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Feb 20, 2026
@semanticdiff-com
Copy link
Copy Markdown

semanticdiff-com Bot commented Feb 20, 2026

Review changes with  SemanticDiff

@snyk-io
Copy link
Copy Markdown

snyk-io Bot commented Feb 20, 2026

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
🔚 Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants