chore(deps): bump nltk from 3.9.2 to 3.9.3 in /python/agents/personalized-shopping by dependabot[bot] · Pull Request #1163 · google/adk-samples

dependabot · 2026-02-25T01:51:02Z

Bumps nltk from 3.9.2 to 3.9.3.

Changelog

Version 3.9.3 2026-02-21

Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)

Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)

Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)

Validate external StanfordSegmenter JARs using SHA256 (#3477)

Add optional sandbox enforcement for filestring() (#3485)

Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

Update download checksums to use SHA256 in built index

Fix percentage escape in new-style string formatting

replace shortened URLs using goo.gl

Make Wordnet interoperable with various taggers and tagged corpora

Fix saving PerceptronTagger

Document how to reproduce old Wordnet studies

properly initialize Portuguese corpus reader

support for mixed rules conversion into Chomsky Normal Form

only import tkinter if a GUI is needed

issue #2112 with Corenlp

new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL

Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

Fixed bug that prevented wordnet from loading

Version 3.9 2024-08-18

Fix security vulnerability CVE-2024-39705 (breaking change)

Replace pickled models (punkt, chunker, taggers) by new pickle-free "_tab" packages

No longer sort Wordnet synsets and relations (sort in calling function when required)

Only strip the last suffix in Wordnet Morphy, thus restricting synsets() results

Add Python 3.12 support

Many other minor fixes

Thanks to the following contributors to 3.8.2: Tom Aarsen, Cat Lee Ball, Veralara Bernhard, Carlos Brandt, Konstantin Chernyshev, Michael Higgins, Eric Kafe, Vivek Kalyan, David Lukes, Rob Malouf, purificant, Alex Rudnick, Liling Tan, Akihiro Yamazaki.

Version 3.8.1 2023-01-02

Resolve RCE vulnerability in localhost WordNet Browser (#3100)

... (truncated)

Commits

4154eb8 Merge pull request #3503 from ekaf/hotfix-3501
7a710cb Prepare release 3.9.3
1056b32 Merge pull request #3468 from HyperPS/fix/secure-unzip-rce
7dc5baa Resolve merge conflict in tag mapping using normalized nltk resource URL
7ef38b8 Merge pull request #3467 from HyperPS/develop
b2e1164 Merge pull request #3485 from HyperPS/fix-filestring-sandbox-update
ac0ce55 Merge pull request #3480 from HyperPS/fix/filesystem-sandbox-security
603e34d Merge pull request #3479 from HyperPS/fix/corpusreader-path-traversal
b63a501 Merge pull request #3477 from HyperPS/fix/stanford-segmenter-rce-sha256
df38955 Merge pull request #3494 from ekaf/ewnv
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [nltk](https://github.com/nltk/nltk) from 3.9.2 to 3.9.3. - [Changelog](https://github.com/nltk/nltk/blob/develop/ChangeLog) - [Commits](nltk/nltk@3.9.2...3.9.3) --- updated-dependencies: - dependency-name: nltk dependency-version: 3.9.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies Pull requests that update a dependency file label Feb 25, 2026

github-actions Bot approved these changes Feb 25, 2026

View reviewed changes

dependabot Bot force-pushed the dependabot/uv/python/agents/personalized-shopping/nltk-3.9.3 branch from 2225c79 to 4ec316d Compare March 4, 2026 17:36

github-actions Bot approved these changes Mar 4, 2026

View reviewed changes

dependabot Bot force-pushed the dependabot/uv/python/agents/personalized-shopping/nltk-3.9.3 branch from 4ec316d to a921628 Compare March 11, 2026 01:09