Bump the pip group across 1 directory with 10 updates

[dependabot]

Bumps the pip group with 10 updates in the / directory:

Package	From	To
babel	2.5.3	2.9.1
certifi	2018.1.18	2024.7.4
idna	2.6	3.7
jinja2	2.10	3.1.6
requests	2.18.4	2.33.0
tornado	4.5.3	6.5.5
urllib3	1.22	2.6.3
tqdm	4.19.6	4.66.3
pip	9.0.1	26.0
wheel	0.30.0	0.38.1

Updates babel from 2.5.3 to 2.9.1

Release notes

Sourced from babel's releases.

Version 2.9.1

Bugfixes

• The internal locale-data loading functions now validate the name of the locale file to be loaded and only allow files within Babel's data directory. Thank you to Chris Lyne of Tenable, Inc. for discovering the issue!

Version 2.9.0

Upcoming version support changes

• This version, Babel 2.9, is the last version of Babel to support Python 2.7, Python 3.4, and Python 3.5.

Improvements

• CLDR: Use CLDR 37 – Aarni Koskela (#734)
• Dates: Handle ZoneInfo objects in get_timezone_location, get_timezone_name - Alessio Bogon (#741)
• Numbers: Add group_separator feature in number formatting - Abdullah Javed Nesar (#726)

Bugfixes

• Dates: Correct default Format().timedelta format to 'long' to mute deprecation warnings – Aarni Koskela
• Import: Simplify iteration code in "import_cldr.py" – Felix Schwarz
• Import: Stop using deprecated ElementTree methods "getchildren()" and "getiterator()" – Felix Schwarz
• Messages: Fix unicode printing error on Python 2 without TTY. – Niklas Hambüchen
• Messages: Introduce invariant that _invalid_pofile() takes unicode line. – Niklas Hambüchen
• Tests: fix tests when using Python 3.9 – Felix Schwarz
• Tests: Remove deprecated 'sudo: false' from Travis configuration – Jon Dufresne
• Tests: Support Py.test 6.x – Aarni Koskela
• Utilities: LazyProxy: Handle AttributeError in specified func – Nikiforov Konstantin (#724)
• Utilities: Replace usage of parser.suite with ast.parse – Miro Hrončok

Documentation

• Update parse_number comments – Brad Martin (#708)
• Add iter to Catalog documentation – @​CyanNani123

Version 2.8.1

This patch version only differs from 2.8.0 in that it backports in #752.

Version 2.8.0

Improvements

• CLDR: Upgrade to CLDR 36.0 - Aarni Koskela (#679)
• Messages: Don't even open files with the "ignore" extraction method - @​sebleblanc (#678)

Bugfixes

• Numbers: Fix formatting very small decimals when quantization is disabled - Lev Lybin, @​miluChen (#662)
• Messages: Attempt to sort all messages – Mario Frasca (#651, #606)

Docs

... (truncated)

Changelog

Sourced from babel's changelog.

Version 2.9.1

Bugfixes

* The internal locale-data loading functions now validate the name of the locale file to be loaded and only
  allow files within Babel's data directory.  Thank you to Chris Lyne of Tenable, Inc. for discovering the issue!
Version 2.9.0
Upcoming version support changes

• This version, Babel 2.9, is the last version of Babel to support Python 2.7, Python 3.4, and Python 3.5.

Improvements

* CLDR: Use CLDR 37 – Aarni Koskela (:gh:`734`)
* Dates: Handle ZoneInfo objects in get_timezone_location, get_timezone_name - Alessio Bogon (:gh:`741`)
* Numbers: Add group_separator feature in number formatting - Abdullah Javed Nesar (:gh:`726`)
Bugfixes

* Dates: Correct default Format().timedelta format to 'long' to mute deprecation warnings – Aarni Koskela
* Import: Simplify iteration code in "import_cldr.py" – Felix Schwarz
* Import: Stop using deprecated ElementTree methods "getchildren()" and "getiterator()" – Felix Schwarz
* Messages: Fix unicode printing error on Python 2 without TTY. – Niklas Hambüchen
* Messages: Introduce invariant that _invalid_pofile() takes unicode line. – Niklas Hambüchen
* Tests: fix tests when using Python 3.9 – Felix Schwarz
* Tests: Remove deprecated 'sudo: false' from Travis configuration – Jon Dufresne
* Tests: Support Py.test 6.x – Aarni Koskela
* Utilities: LazyProxy: Handle AttributeError in specified func – Nikiforov Konstantin (:gh:`724`)
* Utilities: Replace usage of parser.suite with ast.parse – Miro Hrončok
Documentation

</code></pre>

<ul>

<li>Update parse_number comments – Brad Martin (:gh:<code>708</code>)</li>

<li>Add <strong>iter</strong> to Catalog documentation – <a href="https://github.com/CyanNani123&quot;&gt;&lt;code&gt;@​CyanNani123&lt;/code&gt;&lt;/a&gt;&lt;/li>

</ul>

<h2>Version 2.8.1</h2>

<p>This is solely a patch release to make running tests on Py.test 6+ possible.</p>

<p>Bugfixes</p>

<!-- raw HTML omitted -->

</blockquote>

<p>... (truncated)</p>

</details>

<details>

<summary>Commits</summary>
<ul>

<li><a href="https://github.com/python-babel/babel/commit/a99fa2474c808b51ebdabea18db871e389751559&quot;&gt;&lt;code&gt;a99fa24&lt;/code&gt;&lt;/a> Use 2.9.0's setup.py for 2.9.1</li>

<li><a href="https://github.com/python-babel/babel/commit/60b33e083801109277cb068105251e76d0b7c14e&quot;&gt;&lt;code&gt;60b33e0&lt;/code&gt;&lt;/a> Become 2.9.1</li>

<li><a href="https://github.com/python-babel/babel/commit/412015ef642bfcc0d8ba8f4d05cdbb6aac98d9b3&quot;&gt;&lt;code&gt;412015e&lt;/code&gt;&lt;/a> Merge pull request <a href="https://redirect.github.com/python-babel/babel/issues/782&quot;&gt;#782&lt;/a> from python-babel/locale-basename</li>

<li><a href="https://github.com/python-babel/babel/commit/5caf717ceca4bd235552362b4fbff88983c75d8c&quot;&gt;&lt;code&gt;5caf717&lt;/code&gt;&lt;/a> Disallow special filenames on Windows</li>

<li><a href="https://github.com/python-babel/babel/commit/3a700b5b8b53606fd98ef8294a56f9510f7290f8&quot;&gt;&lt;code&gt;3a700b5&lt;/code&gt;&lt;/a> Run locale identifiers through <code>os.path.basename()</code></li>

<li><a href="https://github.com/python-babel/babel/commit/5afe2b2f11dcdd6090c00231d342c2e9cd1bdaab&quot;&gt;&lt;code&gt;5afe2b2&lt;/code&gt;&lt;/a> Merge pull request <a href="https://redirect.github.com/python-babel/babel/issues/754&quot;&gt;#754&lt;/a> from python-babel/github-ci</li>

<li><a href="https://github.com/python-babel/babel/commit/58de8342f865df88697a4a166191e880e3c84d82&quot;&gt;&lt;code&gt;58de834&lt;/code&gt;&lt;/a> Replace Travis + Appveyor with GitHub Actions (WIP)</li>

<li><a href="https://github.com/python-babel/babel/commit/d1bbc08e845d03d8e1f0dfa0e04983d755f39cb5&quot;&gt;&lt;code&gt;d1bbc08&lt;/code&gt;&lt;/a> import_cldr: use logging; add -q option</li>

<li><a href="https://github.com/python-babel/babel/commit/156b7fb9f377ccf58c71cf01dc69fb10c7b69314&quot;&gt;&lt;code&gt;156b7fb&lt;/code&gt;&lt;/a> Quiesce CLDR download progress bar if requested (or not a TTY)</li>

<li><a href="https://github.com/python-babel/babel/commit/613dc1700f91c3d40b081948c0dd6023d8ece057&quot;&gt;&lt;code&gt;613dc17&lt;/code&gt;&lt;/a> Make the import warnings about unsupported number systems less verbose</li>

<li>Additional commits viewable in <a href="https://github.com/python-babel/babel/compare/v2.5.3...v2.9.1&quot;&gt;compare view</a></li>

</ul>

</details>
<br />

Updates certifi from 2018.1.18 to 2024.7.4

Commits

bd81538 2024.07.04 (#295)
06a2cbf Bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (#294)
13bba02 Bump actions/checkout from 4.1.6 to 4.1.7 (#293)
e8abcd0 Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 (#292)
124f4ad 2024.06.02 (#291)
c2196ce --- (#290)
fefdeec Bump actions/checkout from 4.1.4 to 4.1.5 (#289)
3c5fb15 Bump actions/download-artifact from 4.1.6 to 4.1.7 (#286)
4a9569a Bump actions/checkout from 4.1.2 to 4.1.4 (#287)
1fc8086 Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (#288)
Additional commits viewable in compare view




Updates idna from 2.6 to 3.7

Release notes
Sourced from idna's releases.

v3.7
What's Changed

Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.
Full Changelog: https://github.com/kjd/idna/compare/v3.6...v3.7



Changelog
Sourced from idna's changelog.

3.7 (2024-04-11)
++++++++++++++++

Fix issue where specially crafted inputs to encode() could
take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.
3.6 (2023-11-25)
++++++++++++++++

Fix regression to include tests in source distribution.

3.5 (2023-11-24)
++++++++++++++++

Update to Unicode 15.1.0
String codec name is now "idna2008" as overriding the system codec
"idna" was not working.
Fix typing error for codec encoding
"setup.cfg" has been added for this release due to some downstream
lack of adherence to PEP 517. Should be removed in a future release
so please prepare accordingly.
Removed reliance on a symlink for the "idna-data" tool to comport
with PEP 517 and the Python Packaging User Guide for sdist archives.
Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions
to this release.
3.4 (2022-09-14)
++++++++++++++++

Update to Unicode 15.0.0
Migrate to pyproject.toml for build information (PEP 621)
Correct another instance where generic exception was raised instead of
IDNAError for malformed input
Source distribution uses zeroized file ownership for improved
reproducibility

Thanks to Seth Michael Larson for contributions to this release.
3.3 (2021-10-13)
++++++++++++++++

Update to Unicode 14.0.0
Update to in-line type annotations
Throw IDNAError exception correctly for some malformed input
Advertise support for Python 3.10
Improve testing regime on Github



... (truncated)


Commits

1d365e1 Release v3.7
c1b3154 Merge pull request #172 from kjd/optimize-contextj
0394ec7 Merge branch 'master' into optimize-contextj
cd58a23 Merge pull request #152 from elliotwutingfeng/dev
5beb28b More efficient resolution of joiner contexts
1b12148 Update ossf/scorecard-action to v2.3.1
d516b87 Update Github actions/checkout to v4
c095c75 Merge branch 'master' into dev
60a0a4c Fix typo in GitHub Actions workflow key
5918a0e Merge branch 'master' into dev
Additional commits viewable in compare view




Updates jinja2 from 2.10 to 3.1.6

Release notes
Sourced from jinja2's releases.

3.1.6
This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.
PyPI: https://pypi.org/project/Jinja2/3.1.6/
Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. https://github.com/pallets/jinja/security/advisories/GHSA-cpwx-vrp4-4pq7

3.1.5
This is the Jinja 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.
PyPI: https://pypi.org/project/Jinja2/3.1.5/
Changes: https://jinja.palletsprojects.com/changes/#version-3-1-5
Milestone: https://github.com/pallets/jinja/milestone/16?closed=1

The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. GHSA-q2x7-8rv6-6q7h
Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. #1792, GHSA-gmj6-6f8f-6699
Sandbox does not allow clear and pop on known mutable sequence types. #2032
Calling sync render for an async template uses asyncio.run. #1952
Avoid unclosed auto_aiter warnings. #1960
Return an aclose-able AsyncGenerator from Template.generate_async. #1960
Avoid leaving root_render_func() unclosed in Template.generate_async. #1960
Avoid leaving async generators unclosed in blocks, includes and extends. #1960
The runtime uses the correct concat function for the current environment when calling block references. #1701
Make |unique async-aware, allowing it to be used after another async-aware filter. #1781
|int filter handles OverflowError from scientific notation. #1921
Make compiling deterministic for tuple unpacking in a {% set ... %} call. #2021
Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. #2025
Fix copy/pickle support for the internal missing object. #2027
Environment.overlay(enable_async) is applied correctly. #2061
The error message from FileSystemLoader includes the paths that were searched. #1661
PackageLoader shows a clearer error message when the package does not contain the templates directory. #1705
Improve annotations for methods returning copies. #1880
urlize does not add mailto: to values like @a@b. #1870
Tests decorated with @pass_context can be used with the |select filter. #1624
Using set for multiple assignment (a, b = 1, 2) does not fail when the target is a namespace attribute. #1413
Using set in all branches of {% if %}{% elif %}{% else %} blocks does not cause the variable to be considered initially undefined. #1253

3.1.4
This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.
PyPI: https://pypi.org/project/Jinja2/3.1.4/
Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

3.1.3
This is a fix release for the 3.1.x feature branch.

Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.



... (truncated)


Changelog
Sourced from jinja2's changelog.

Version 3.1.6
Released 2025-03-05

The |attr filter does not bypass the environment's attribute lookup,
allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Version 3.1.5
Released 2024-12-21

The sandboxed environment handles indirect calls to str.format, such as
by passing a stored reference to a filter that calls its argument.
:ghsa:q2x7-8rv6-6q7h
Escape template name before formatting it into error messages, to avoid
issues with names that contain f-string syntax.
:issue:1792, :ghsa:gmj6-6f8f-6699
Sandbox does not allow clear and pop on known mutable sequence
types. :issue:2032
Calling sync render for an async template uses asyncio.run.
:pr:1952
Avoid unclosed auto_aiter warnings. :pr:1960
Return an aclose-able AsyncGenerator from
Template.generate_async. :pr:1960
Avoid leaving root_render_func() unclosed in
Template.generate_async. :pr:1960
Avoid leaving async generators unclosed in blocks, includes and extends.
:pr:1960
The runtime uses the correct concat function for the current environment
when calling block references. :issue:1701
Make |unique async-aware, allowing it to be used after another
async-aware filter. :issue:1781
|int filter handles OverflowError from scientific notation.
:issue:1921
Make compiling deterministic for tuple unpacking in a {% set ... %}
call. :issue:2021
Fix dunder protocol (copy/pickle/etc) interaction with Undefined
objects. :issue:2025
Fix copy/pickle support for the internal missing object.
:issue:2027
Environment.overlay(enable_async) is applied correctly. :pr:2061
The error message from FileSystemLoader includes the paths that were
searched. :issue:1661
PackageLoader shows a clearer error message when the package does not
contain the templates directory. :issue:1705
Improve annotations for methods returning copies. :pr:1880
urlize does not add mailto: to values like @a@b. :pr:1870



... (truncated)


Commits

1520688 release version 3.1.6
90457bb Merge commit from fork
065334d attr filter uses env.getattr
033c200 start version 3.1.6
bc68d4e use global contributing guide (#2070)
247de5e use global contributing guide
ab8218c use project advisory link instead of global
b4ffc8f release version 3.1.5 (#2066)
877f6e5 release version 3.1.5
8d58859 remove test pypi
Additional commits viewable in compare view




Updates requests from 2.18.4 to 2.33.0

Release notes
Sourced from requests's releases.

v2.33.0
2.33.0 (2026-03-25)
Announcements

📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

Various typo fixes and doc improvements.

New Contributors

@​M0d3v1 made their first contribution in psf/requests#6865
@​aminvakil made their first contribution in psf/requests#7220
@​E8Price made their first contribution in psf/requests#6960
@​mitre88 made their first contribution in psf/requests#7244
@​magsen made their first contribution in psf/requests#6553
@​Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25
v2.32.5
2.32.5 (2025-08-18)
Bugfixes

The SSLContext caching feature originally introduced in 2.32.0 has created
a new class of issues in Requests that have had negative impact across a number
of use cases. The Requests team has decided to revert this feature as long term
maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

Added support for Python 3.14.
Dropped support for Python 3.8 following its end of support.

v2.32.4
2.32.4 (2025-06-10)


... (truncated)


Changelog
Sourced from requests's changelog.

2.33.0 (2026-03-25)
Announcements

📣 Requests is adding inline types. If you have a typed code base that
uses Requests, please take a look at #7271. Give it a try, and report
any gaps or feedback you may have in the issue. 📣

Security

CVE-2026-25645 requests.utils.extract_zipped_paths now extracts
contents to a non-deterministic location to prevent malicious file
replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.

Improvements

Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

Fixed an issue where an empty netrc entry could cause
malformed authentication to be applied to Requests on
Python 3.11+. (#7205)

Deprecations

Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

Various typo fixes and doc improvements.

2.32.5 (2025-08-18)
Bugfixes

The SSLContext caching feature originally introduced in 2.32.0 has created
a new class of issues in Requests that have had negative impact across a number
of use cases. The Requests team has decided to revert this feature as long term
maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

Added support for Python 3.14.
Dropped support for Python 3.8 following its end of support.

2.32.4 (2025-06-10)
Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file.



... (truncated)


Commits

bc04dfd v2.33.0
66d21cb Merge commit from fork
8b9bc8f Move badges to top of README (#7293)
e331a28 Remove unused extraction call (#7292)
753fd08 docs: fix FAQ grammar in httplib2 example
774a0b8 docs(socks): same block as other sections
9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
d568f47 docs: clarify Quickstart POST example (#6960)
Additional commits viewable in compare view




Updates tornado from 4.5.3 to 6.5.5

Changelog
Sourced from tornado's changelog.

Release notes
.. toctree::
:maxdepth: 2
releases/v6.5.5
releases/v6.5.4
releases/v6.5.3
releases/v6.5.2
releases/v6.5.1
releases/v6.5.0
releases/v6.4.2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1
releases/v3.2.0
releases/v3.1.1


... (truncated)


Commits

7d64650 Merge pull request #3586 from bdarnell/update-cibw
d05d59b build: Bump cibuildwheel to 3.4.0
c2f4673 Merge pull request #3585 from bdarnell/release-655
e5f1aa4 Release notes and version bump for v6.5.5
78a046f httputil: Add CRLF to _FORBIDDEN_HEADER_CHARS_RE
24a2d96 web: Validate characters in all cookie attributes.
119a195 httputil: Add limits on multipart form data parsing
63d4df4 Merge pull request #3564 from bdarnell/release-654
eadbf9a Release notes and version bump for 6.5.4
bbc2b14 Make sure that the in-operator on HTTPHeaders is case insensitive
Additional commits viewable in compare view




Updates urllib3 from 1.22 to 2.6.3

Release notes
Sourced from urllib3's releases.

2.6.3
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Changes

Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by @​D47A, 8.9 High, GHSA-38jv-5279-wg99)
Started treating Retry-After times greater than 6 hours as 6 hours by default. (urllib3/urllib3#3743)
Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. (urllib3/urllib3#3752)

2.6.2
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Changes

Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)

2.6.1
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Changes

Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. (#3731)

2.6.0
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Security

Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @​Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)
Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @​illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)


[!IMPORTANT]

If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to  benefit from the security fixes and avoid warnings. Prefer using  urllib3[brotli] to install a compatible Brotli package automatically.




... (truncated)


Changelog
Sourced from urllib3's changelog.

2.6.3 (2026-01-07)

Fixed a high-severity security issue where decompression-bomb safeguards of
the streaming API were bypassed when HTTP redirects were followed.
(GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
Started treating Retry-After times greater than 6 hours as 6 hours by
default. ([#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743>__)
Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten.
([#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752>__)

2.6.2 (2025-12-11)

Fixed HTTPResponse.read_chunked() to properly handle leftover data in
the decoder's buffer when reading compressed chunked responses.
([#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734>__)

2.6.1 (2025-12-08)

Restore previously removed HTTPResponse.getheaders() and
HTTPResponse.getheader() methods.
([#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731>__)

2.6.0 (2025-12-05)
Security

Fixed a security issue where streaming API could improperly handle highly
compressed HTTP content ("decompression bombs") leading to excessive resource
consumption even when a small amount of data was requested. Reading small
chunks of compressed data is safer and much more efficient now.
(GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
Fixed a security issue where an attacker could compose an HTTP response with
virtually unlimited links in the Content-Encoding header, potentially
leading to a denial of service (DoS) attack by exhausting system resources
during decoding. The number of allowed chained encodings is now limited to 5.
(GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

If urllib3 is not installed with the optional urllib3[brotli] extra, but
your environment contains a Brotli/brotlicffi/brotlipy package anyway, make
sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to
benefit from the security fixes and avoid warnings. Prefer using



... (truncated)


Commits

0248277 Release 2.6.3
8864ac4 Merge commit from fork
70cecb2 Fix Scorecard issues related to vulnerable dev dependencies (#3755)
41f249a Move "v2.0 Migration Guide" to the end of the table of contents (#3747)
fd4dffd Patch VerifiedHTTPSConnection for Emscripten (#3752)
13f0bfd Handle massive values in Retry-After when calculating time to sleep for (#3743)
8c480bf Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#3748)
4b40616 Bump actions/cache from 4.3.0 to 5.0.1 (#3750)
82b8479 Bump actions/download-artifact from 6.0.0 to 7.0.0 (#3749)
34284cb Mention experimental features in the security policy (#3746)
Additional commits viewable in compare view




Updates tqdm from 4.19.6 to 4.66.3

Release notes
Sourced from tqdm's releases.

tqdm v4.66.3 stable

cli: eval safety (fixes CVE-2024-34062, GHSA-g7vv-2v7x-gj9p)

tqdm v4.66.2 stable

pandas: add DataFrame.progress_map (#1549)
notebook: fix HTML padding (#1506)
keras: fix resuming training when verbose>=2 (#1508)
fix format_num negative fractions missing leading zero (#1548)
fix Python 3.12 DeprecationWarning on import (#1519)
linting: use f-strings (#1549)
update tests (#1549)

fix pandas warnings
fix asv (airspeed-velocity/asv#1323)
fix macos notebook docstring indentation


CI: bump actions (#1549)

tqdm v4.66.1 stable

fix utils.envwrap types (#1493 <- #1491, #1320 <- #966, #1319)

e.g. cloudwatch & kubernetes workaround: export TQDM_POSITION=-1


drop mentions of unsupported Python versions

tqdm v4.66.0 stable

environment variables to override defaults (TQDM_*) (#1491 <- #1061, #950 <- #614, #1318, #619, #612, #370)

e.g. in CI jobs, export TQDM_MININTERVAL=5 to avoid log spam
add tests & docs for tqdm.utils.envwrap


fix & update CLI completion
fix & update API docs
minor code tidy: replace os.path => pathlib.Path
fix docs image hosting
release with CI bot account again (cli/cli#6680)

tqdm v4.65.2 stable

exclude examples from distributed wheel (#1492)

tqdm v4.65.1 stable

migrate setup.{cfg,py} => pyproject.toml (#1490)

fix asv benchmarks
update docs


fix snap build (#1490)
fix & update tests (#1490)

fix flaky notebook tests
bump pre-commit
bump workflow actions



tqdm v4.65.0 stable

add Python 3.11 and drop Python 3.6 support (#1439, #1419, #502 <- #720, #620)
misc code & docs tidy
fix & update CI workflows & tests

tqdm v4.64.1 stable


... (truncated)


Commits

4e613f8 Merge pull request from GHSA-g7vv-2v7x-gj9p
b53348c cli: eval safety
cc372d0 bump version, merge pull request #1549 from tqdm/devel
e9f0c05 use PyPI trusted publishing
7323d5b slight makefile clean
5306125 tests: bump pre-commit
4a6fd4f fix datetime.utcfromtimestamp py3.12 warning (#1519)
6f13759 tests: fix macos notebook indentation
3abcd2a tests: fix asv
a4d15c8 tests: fix pandas warnings
Additional commits viewable in compare view




Updates pip from 9.0.1 to 26.0

Changelog
Sourced from pip's changelog.

26.0 (2026-01-30)
Deprecations and Removals

Remove support for non-bare project names in egg fragments. Affected users should use
the Direct URL requirement syntax <https://packaging.python.org/en/latest/specifications/version-specifiers/#direct-references>. ([#13157](https://github.com/pypa/pip/issues/13157) <https://github.com/pypa/pip/issues/13157>)

Features


Display pip's command-line help in colour, if possible. ([#12134](https://github.com/pypa/pip/issues/12134) <https://github.com/pypa/pip/issues/12134>_)


Support installing dependencies declared with inline script metadata
(:pep:723) with --requirements-from-script. ([#12891](https://github.com/pypa/pip/issues/12891) <https://github.com/pypa/pip/issues/12891>_)


Add --all-releases and --only-final options to control pre-release
and final release selection during package installation. ([#13221](https://github.com/pypa/pip/issues/13221) <https://github.com/pypa/pip/issues/13221>_)


Add --uploaded-prior-to option to only consider packages uploaded prior to
a given datetime when the upload-time field is available from a remote index. ([#13625](https://github.com/pypa/pip/issues/13625) <https://github.com/pypa/pip/issues/13625>_)


Add --use-feature inprocess-build-deps to request that build dependencies are installed
within the same pip install process. This new mechanism is faster, supports --no-clean
and --no-cache-dir reliably, and supports prompting for authentication.
Enabling this feature will also enable --use-feature build-constraints. This feature will
become the default in a future pip version. ([#9081](https://github.com/pypa/pip/issues/9081) <https://github.com/pypa/pip/issues/9081>_)


pip cache purge and pip cache remove now clean up empty directories
and legacy files left by older pip versions. ([#9058](https://github.com/pypa/pip/issues/9058) <https://github.com/pypa/pip/issues/9058>_)


Bug Fixes

Fix selecting pre-release versions when only pre-releases match.
For example, package>1.0 with versions 1.0, 2.0rc1 now installs
2.0rc1 instead of failing. ([#13746](https://github.com/pypa/pip/issues/13746) <https://github.com/pypa/pip/issues/13746>_)
Revisions in version control URLs now must be percent-encoded.
For example, use git+https://example.com/repo.git@issue%231 to specify the branch issue#1.
If you previously used a branch name containing a % character in a version control URL, you now need to replace it with %25 to ensure correct percent-encoding. ([#13407](https://github.com/pypa/pip/issues/13407) <https://github.com/pypa/pip/issues/13407>_)
Preserve original casing when a path is displayed. ([#6823](https://github.com/pypa/pip/issues/6823) <https://github.com/pypa/pip/issues/6823>_)
Fix bash completion when the $IFS variable has been modified from its default. ([#13555](https://github.com/pypa/pip/issues/13555) <https://github.com/pypa/pip/issues/13555>_)
Precompute Python requirements on each candidate, reducing time of long resolutions. ([#13656](https://github.com/pypa/pip/issues/13656) <https://github.com/pypa/pip/issues/13656>_)
Skip redundant work converting version objects to strings when using the
importlib.metadata backend. ([#13660](https://github.com/pypa/pip/issues/13660) <https://github.com/pypa/pip/issues/13660>_)
Fix pip index versions to honor only-binary/no-binary options. ([#13682](https://github.com/pypa/pip/issues/13682) <https://github.com/pypa/pip/issues/13682>_)
Fix fallthrough logic for options, allowing overriding global options with
defaults from user config. ([#13703](https://github.com/pypa/pip/issues/13703) <https://github.com/pypa/pip/issues/13703>_)
Use a path-segment prefix comparison, not char-by-char. ([#13777](https://github.com/pypa/pip/issues/13777) <https://github.com/pypa/pip/issues/13777>_)

Vendored Libraries


... (truncated)


Commits

2f4d4a8 Merge pull request #13779 from notatallshaw/fix-26.0-news
04307a4 fix 26.0 news
6ec7b0a Merge pull request #13775 from notatallshaw/release/26.0
4104356 Bump for release
58be883 Update AUTHORS.txt
66f2dec Merge pull request #13778 from ichard26/docs/groups
0214103 doc: Re-expose package selection group options
fdbe762 Install pip within docs Nox sessions
8e227a9 Merge pull request #13777 from sethmlarson/commonpath
f5315ad Merge pull request #13776 from ichard26/docs/versionadded
Additional commits viewable in compare view




Updates wheel from 0.30.0 to 0.38.1

Changelog
Sourced from wheel's changelog.

Release Notes
UNRELEASED

Added the wheel info subcommand to display metadata about wheel files without
unpacking them ([#639](https://github.com/pypa/wheel/issues/639) <https://github.com/pypa/wheel/issues/639>_)

0.46.3 (2026-01-22)

Fixed ImportError: cannot import name '_setuptools_logging' from 'wheel' when
installed alongside an old version of setuptools and ...
Description has been truncated