chore: bump the python-security group across 7 directories with 13 updates #387

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/services/rag-backend/python-security-0fe7618319

@dependabot dependabot Bot commented on behalf of github May 19, 2026

Bumps the python-security group with 5 updates in the /services/rag-backend directory:

| Package | From | To |
| --- | --- | --- |
| idna | 3.10 | 3.15 |
| langchain-classic | 1.0.0 | 1.0.7 |
| langsmith | 0.6.3 | 0.8.5 |
| python-dotenv | 1.1.1 | 1.2.2 |
| urllib3 | 2.6.3 | 2.7.0 |

Bumps the python-security group with 6 updates in the /services/admin-backend directory:

| Package | From | To |
| --- | --- | --- |
| idna | 3.10 | 3.15 |
| langchain-classic | 1.0.0 | 1.0.7 |
| langsmith | 0.3.45 | 0.8.5 |
| python-dotenv | 1.1.1 | 1.2.2 |
| urllib3 | 2.6.3 | 2.7.0 |
| nltk | 3.9.2 | 3.9.4 |

Bumps the python-security group with 6 updates in the /libs/rag-core-lib directory:

| Package | From | To |
| --- | --- | --- |
| idna | 3.10 | 3.15 |
| langchain-classic | 1.0.0 | 1.0.1 |
| langchain-core | 1.2.13 | 1.3.3 |
| langsmith | 0.3.45 | 0.8.5 |
| python-dotenv | 1.1.1 | 1.2.2 |
| urllib3 | 2.6.3 | 2.7.0 |

Bumps the python-security group with 6 updates in the /libs/rag-core-api directory:

| Package | From | To |
| --- | --- | --- |
| idna | 3.10 | 3.15 |
| langchain-classic | 1.0.0 | 1.0.2 |
| langchain-text-splitters | 1.1.0 | 1.1.2 |
| langsmith | 0.3.45 | 0.8.5 |
| python-dotenv | 1.1.1 | 1.2.2 |
| urllib3 | 2.6.3 | 2.7.0 |

Bumps the python-security group with 6 updates in the /libs/admin-api-lib directory:

| Package | From | To |
| --- | --- | --- |
| idna | 3.10 | 3.15 |
| langchain-classic | 1.0.0 | 1.0.7 |
| langsmith | 0.3.45 | 0.8.5 |
| python-dotenv | 1.1.1 | 1.2.2 |
| urllib3 | 2.6.3 | 2.7.0 |
| python-multipart | 0.0.22 | 0.0.27 |

Bumps the python-security group with 10 updates in the /libs/extractor-api-lib directory:

| Package | From | To |
| --- | --- | --- |
| idna | 3.11 | 3.15 |
| langchain-core | 1.2.7 | 1.3.3 |
| langchain-text-splitters | 1.1.0 | 1.1.2 |
| langsmith | 0.6.4 | 0.8.5 |
| pillow | 12.1.1 | 12.2.0 |
| python-dotenv | 1.2.1 | 1.2.2 |
| urllib3 | 2.6.3 | 2.7.0 |
| nltk | 3.9.2 | 3.9.4 |
| python-multipart | 0.0.22 | 0.0.27 |
| lxml | 5.4.0 | 6.1.0 |

Bumps the python-security group with 6 updates in the /services/mcp-server directory:

| Package | From | To |
| --- | --- | --- |
| idna | 3.11 | 3.15 |
| python-dotenv | 1.2.1 | 1.2.2 |
| urllib3 | 2.6.3 | 2.7.0 |
| python-multipart | 0.0.22 | 0.0.27 |
| poetry | 2.3.2 | 2.3.4 |
| authlib | 1.6.9 | 1.6.12 |

Updates idna from 3.10 to 3.15

Changelog

Sourced from idna's changelog.

3.15 (2026-05-12)

  • Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.
  • Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.
  • Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.
  • Allow flit_core 4.x in the build backend.
  • Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.
  • Add Dependabot configuration for GitHub Actions.
  • Convert README and HISTORY from reStructuredText to Markdown.
  • Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

3.14 (2026-05-10)

  • Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

3.13 (2026-04-22)

  • Correct classification error for codepoint U+A7F1

3.12 (2026-04-21)

  • Update to Unicode 17.0.0.
  • Issue a deprecation warning for the transitional argument.
  • Added lazy-loading to provide some performance improvements.
  • Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

3.11 (2025-10-12)

  • Update to Unicode 16.0.0, including significant changes to UTS46 processing. As a result of Unicode ending support for it, transitional processing no longer has an effect and returns the same result.

... (truncated)

Commits
  • af30a09 Release 3.15
  • 30314d4 Pre-release 3.15rc0
  • 05d4b21 Merge pull request #237 from kjd/convert-docs-to-markdown
  • 2987fdb Convert README and HISTORY from reStructuredText to Markdown
  • 59fa800 Merge pull request #236 from kjd/dependabot/github_actions/actions-f3e34333ea
  • def6983 Merge branch 'master' into dependabot/github_actions/actions-f3e34333ea
  • bbd8004 Merge pull request #234 from StanFromIreland/patch-1
  • edd07c0 Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions group
  • 5557db0 Merge branch 'master' into patch-1
  • f11746c Merge pull request #235 from StanFromIreland/patch-2
  • Additional commits viewable in compare view

Updates langchain-classic from 1.0.0 to 1.0.7

Release notes

Sourced from langchain-classic's releases.

langchain-classic==1.0.7

Changes since langchain-classic==1.0.6

  • release(langchain-classic): 1.0.7 (#37240)
  • chore(langchain-classic): deprecate hub, limit loads/dumps (#37234)

langchain-classic==1.0.6

Changes since langchain-classic==1.0.5

  • release(langchain-classic): 1.0.6 (#37211)
  • chore: bump jupyter-server from 2.17.0 to 2.18.0 in /libs/langchain (#37203)
  • fix(langchain): restrict deserialization in langchain_classic.storage._lc_store (#37208)
  • fix(langchain): use langchain-classic version for hub.pull deprecation (#37199)
  • fix(core, langchain): harden load() against untrusted manifests (#37197)

langchain-classic==1.0.5

Changes since langchain-classic==1.0.4

  • release(langchain-classic): 1.0.5 (#37165)
  • refactor(langchain-classic): retarget deprecations to create_agent, other chores (#37164)
  • chore(langchain,langchain-classic): uncomment optional deps (#37163)
  • chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/langchain (#37130)
  • chore: bump types-pytz from 2026.1.1.20260304 to 2026.1.1.20260408 in /libs/langchain (#37131)
  • chore: bump notebook from 7.4.5 to 7.5.6 in /libs/langchain (#37104)
  • release(perplexity): 1.2.0 (#37091)
  • chore(docs): update x handle references (#37081)
  • hotfix: bump min core versions (#36996)
  • release(openai): 1.2.1 (#36995)
  • feat(core): add content-block-centric streaming (v2) (#36834)
  • fix(fireworks): honor max_retries (#36973)
  • release(openai): 1.2.0 (#36961)
  • chore: bump nbconvert from 7.17.0 to 7.17.1 in /libs/langchain (#36922)
  • chore: bump langsmith from 0.7.13 to 0.7.31 in /libs/langchain (#36812)
  • release(core): release 1.3.0 (#36851)

langchain-classic==1.0.4

Changes since langchain-classic==1.0.3

  • release(langchain-classic): 1.0.4 (#36827)
  • chore(langchain-classic): add deprecations (#36826)
  • fix(langchain-classic): suppress mypy errors in compat code (#36806)
  • chore(deps): bump pytest to 9.0.3 (#36801)
  • chore: bump pytest from 9.0.2 to 9.0.3 in /libs/langchain (#36718)
  • chore: bump pillow from 12.1.1 to 12.2.0 in /libs/langchain (#36709)
  • chore: bump cryptography from 46.0.6 to 46.0.7 in /libs/langchain (#36620)
  • chore: bump aiohttp from 3.13.3 to 3.13.4 in /libs/langchain (#36439)
  • chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385)
  • chore: bump cryptography from 46.0.5 to 46.0.6 in /libs/langchain (#36325)
  • chore: bump requests from 2.32.5 to 2.33.0 in /libs/langchain (#36242)
  • fix(langchain,langchain-classic): update model provider classes for Azure AI Foundry (#35812)

... (truncated)

Commits
  • ec9a3c1 release(langchain-classic): 1.0.7 (#37240)
  • 3de039a chore(model-profiles): refresh model profile data (#37231)
  • cccefce chore(langchain-classic): deprecate hub, limit loads/dumps (#37234)
  • 1519ed5 release(langchain-classic): 1.0.6 (#37211)
  • 16b7e43 chore: bump jupyter-server from 2.17.0 to 2.18.0 in /libs/text-splitters (#37...
  • ad30557 chore: bump jupyter-server from 2.17.0 to 2.18.0 in /libs/langchain (#37203)
  • 2ca920c chore: bump jupyter-server from 2.17.0 to 2.18.0 in /libs/core (#37204)
  • c0e1d13 fix(langchain): restrict deserialization in `langchain_classic.storage._lc_st...
  • 69fb89f fix(langchain): use langchain-classic version for hub.pull deprecation (#37...
  • 5039dfe release(core): 1.3.3 (#37198)
  • Additional commits viewable in compare view

Updates langchain-core from 1.2.11 to 1.4.0

Release notes

Sourced from langchain-core's releases.

langchain-core==1.3.3

Changes since langchain-core==1.3.2

  • release(core): 1.3.3 (#37198)
  • fix(core): set deprecation since to 1.3.3 to match release (#37200)
  • fix(core, langchain): harden load() against untrusted manifests (#37197)
  • chore: bump notebook from 7.5.0 to 7.5.6 in /libs/core (#37109)
  • chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 in /libs/core (#37129)
  • fix(core): preserve structured inputs on tool runs in tracers (#37108)
  • release(perplexity): 1.2.0 (#37091)
  • chore(docs): update x handle references (#37081)
  • fix(core): make removal optional in warn_deprecated (#37056)
  • fix(core): validate batch_size in _batch and _abatch to prevent infinite loop (#36663)
  • chore(core): mark stream_v2/astream_v2 as beta (#36992)

langchain-core==1.3.2

Changes since langchain-core==1.3.1

  • release(core): 1.3.2 (#36990)
  • feat(core): add content-block-centric streaming (v2) (#36834)

langchain-core==1.3.1

Changes since langchain-core==1.3.0

  • release(core): 1.3.1 (#36972)
  • feat(core): allow _format_output to pass through list of ToolOutputMixin instances (#36963)
  • chore: bump nbconvert from 7.17.0 to 7.17.1 in /libs/core (#36923)
  • feat(core): Update inheritance behavior for tracer metadata for special keys (#36900)
  • chore: bump langsmith from 0.7.13 to 0.7.31 in /libs/core (#36813)

langchain-core==1.3.0

Changes since langchain-core==1.2.31

  • release(core): release 1.3.0 (#36851)
  • release(core): 1.3.0a3 (#36829)
  • chore(core): keep checkpoint_ns behavior in streaming metadata for backwards compat (#36828)
  • feat(core): Add chat model and LLM invocation params to traceable metadata (#36771)
  • fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#36816)
  • chore(deps): bump pytest to 9.0.3 (#36801)
  • chore(core): harden private SSRF utilities (#36768)
  • fix(openai): handle content blocks without type key in responses api conversion (#36725)
  • chore: bump pytest from 9.0.2 to 9.0.3 in /libs/core (#36719)
  • release(core): 1.3.0.a2 (#36698)
  • fix(core): Use reference counting for storing inherited run trees to support garbage collection (#36660)
  • docs(core): nit (#36685)
  • release(core): 1.3.0a1 (#36656)
  • chore(core): reduce streaming metadata / perf (#36588)

langchain-core==1.3.0a3

Initial release

... (truncated)

Commits

Updates langchain-text-splitters from 1.0.0 to 1.1.2

Release notes

Sourced from langchain-text-splitters's releases.

langchain-text-splitters==1.1.2

Changes since langchain-text-splitters==1.1.1

  • release(text-splitters): 1.1.2 (#36822)
  • fix(text-splitters): deprecate and use SSRF-safe transport in split_text_from_url (#36821)
  • chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/text-splitters (#36797)
  • chore(deps): bump pytest to 9.0.3 (#36801)
  • chore: bump pytest from 9.0.2 to 9.0.3 in /libs/text-splitters (#36714)
  • chore: add comment explaining pygments>=2.20.0 (#36570)
  • release(core): 1.2.26 (#36511)
  • chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385)
  • fix(text-splitters): prevent silent data loss for empty dict values in RecursiveJsonSplitter (#35079)
  • feat(text-splitters): support spacy tests with Python 3.14 (#36198)
  • fix(infra): correct lint_diff relative paths in package makefiles (#36333)
  • chore: bump requests from 2.32.5 to 2.33.0 in /libs/text-splitters (#36238)
  • chore: bump nltk from 3.9.3 to 3.9.4 in /libs/text-splitters (#36237)
  • chore(partners): bump langchain-core min to 1.2.21 (#36183)
  • chore(text-splitters): bump nltk in lock file (#36112)
  • ci: suppress pytest streaming output in CI (#36092)
  • chore(text-splitters): speed up ci (#36050)
  • ci: avoid unnecessary dep installs in lint targets (#36046)
  • chore: bump orjson from 3.11.5 to 3.11.6 in /libs/text-splitters (#35856)
  • chore: bump locks, lint (#35985)
  • perf(.github): set a timeout on get min versions HTTP calls (#35851)
  • chore: bump tornado from 6.5.2 to 6.5.5 in /libs/text-splitters (#35774)
  • chore: bump the minor-and-patch group across 3 directories with 3 updates (#35589)
  • chore: bump the other-deps group across 3 directories with 2 updates (#35512)
  • chore: bump nltk from 3.9.2 to 3.9.3 in /libs/text-splitters (#35449)
  • chore: bump the other-deps group across 3 directories with 2 updates (#35407)

langchain-text-splitters==1.1.1

Changes since langchain-text-splitters==1.1.0

  • release(text-splitters): 1.1.1 (#35318)
  • fix(text-splitters): prevent JSFrameworkTextSplitter from mutating self._separators on each split_text() call (#35316)
  • chore: bump transformers from 5.1.0 to 5.2.0 in /libs/text-splitters in the other-deps group across 1 directory (#35279)
  • chore: bump the other-deps group across 3 directories with 2 updates (#35255)
  • style: bump ruff version to 0.15 (#35042)
  • fix: Server-Side Request Forgery (SSRF) in HTMLHeaderTextSplitter.split_text_from_url (#35196)
  • feat(text-splitters): add model_kwargs to SentenceTransformersTokenTextSplitter (#35113)
  • chore(deps): bump langsmith from 0.4.31 to 0.6.3 in /libs/text-splitters (#35162)
  • chore(deps): bump the other-deps group across 3 directories with 12 updates (#35127)
  • chore(deps): bump the other-deps group across 3 directories with 8 updates (#35120)
  • chore: add make type target (#35015)
  • revert: "chore: add typing target in Makefile" (#35013)
  • chore: add typing target in Makefile (#35012)
  • fix(text-splitters): reverse preserved elements iterator in HTMLSemanticPreservingSplitter (#34080)
  • chore: enrich pyproject.toml files (#34980)
  • chore(deps): bump the uv group across 20 directories with 3 updates (#34941)
  • chore: upgrade urllib3 to 2.6.3 (#34940)

... (truncated)

Commits
  • 58c4e5b release(text-splitters): 1.1.2 (#36822)
  • c289bf1 fix(text-splitters): deprecate and use SSRF-safe transport in split_text_from...
  • b7447c6 fix(infra): skip serdes tests in min-version release step (#36818)
  • 41c0cc5 release(openai): 1.1.14 (#36820)
  • 0516156 fix(openai): use SSRF-safe transport for image token counting (#36819)
  • 338aa81 fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#3...
  • 51e9548 chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/text-splitters (#36797)
  • e85c418 chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/model-profiles (#36798)
  • 789126e chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/standard-tests (#36799)
  • 937b3eb chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/langchain_v1 (#36800)
  • Additional commits viewable in compare view

Updates langsmith from 0.6.3 to 0.8.5

Release notes

Sourced from langsmith's releases.

v0.8.5

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.8.4...v0.8.5

v0.8.4

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.8.3...v0.8.4

v0.8.3

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.8.2...v0.8.3

v0.8.2

... (truncated)

Commits

Updates python-dotenv from 1.1.1 to 1.2.2

Release notes

Sourced from python-dotenv's releases.

v1.2.2

Added

  • Support for Python 3.14, including the free-threaded (3.14t) build. (#)

Changed

  • The dotenv run command now forwards flags directly to the specified command by @​bbc2 in theskumar/python-dotenv#607
  • Improved documentation clarity regarding override behavior and the reference page.
  • Updated PyPy support to version 3.11.
  • Documentation for FIFO file support.
  • Support for Python 3.9.

Fixed

Breaking Changes

  • dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

  • In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

  • dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. If the file needed to be created or wasn't a regular file, mode 0o600 is used.

Misc

New Contributors

Full Changelog: theskumar/python-dotenv@v1.2.1...v1.2.2

v1.2.1

What's Changed

... (truncated)

Changelog

Sourced from python-dotenv's changelog.

[1.2.2] - 2026-03-01

Added

  • Support for Python 3.14, including the free-threaded (3.14t) build. (#588)

Changed

  • The dotenv run command now forwards flags directly to the specified command by [@​bbc2] in #607
  • Improved documentation clarity regarding override behavior and the reference page.
  • Updated PyPy support to version 3.11.
  • Documentation for FIFO file support.
  • Dropped Support for Python 3.9.

Fixed

  • Improved set_key and unset_key behavior when interacting with symlinks by [@​bbc2] in [790c5c0]
  • Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by [@​JYOuyang] in #590

Breaking Changes

  • dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

  • In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

  • dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. If the file needed to be created or wasn't a regular file, mode 0o600 is used.

[1.2.1] - 2025-10-26

  • Move more config to pyproject.toml, removed setup.cfg
  • Add support for reading .env from FIFOs (Unix) by [@​sidharth-sudhir] in #586

[1.2.0] - 2025-10-26

Commits

Updates urllib3 from 2.6.3 to 2.7.0

Release notes

Sourced from urllib3's releases.

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

  • Decompression-bomb safeguards of the streaming API were bypassed:

    1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially. (Reported by @​Cycloctane)
    2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli library. (Reported by @​kimkou2024)

    See GHSA-mf9v-mfxr-j63j for details.

  • HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by @​christos-spearbit)

Deprecations and Removals

  • Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (urllib3/urllib3#3763)
  • Removed support for end-of-life Python 3.9. (urllib3/urllib3#3720)
  • Removed support for end-of-life PyPy3.10. (urllib3/urllib3#4979)
  • Bumped the minimum supported pyOpenSSL version to 19.0.0. (urllib3/urllib3#3777)

Bugfixes

  • Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. (urllib3/urllib3#3636)
  • Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True. (urllib3/urllib3#4967)
  • Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle amt=0. (urllib3/urllib3#3793)
  • Updated _TYPE_BODY type alias to include missing Iterable[str], matching the documented and runtime behavior of chunked request bodies. (urllib3/urllib3#3798)
  • Fixed LocationParseError when paths resembling schemeless URIs were passed to HTTPConnectionPool.urlopen(). (urllib3/urllib3#3352)
  • Fixed BaseHTTPResponse.readinto() type annotation to accept memoryview in addition to bytearray, matching the io.RawIOBase.readinto contract and enabling use with io.BufferedReader without type errors. (urllib3/urllib3#3764)

Changelog

Sourced from urllib3's changelog.

2.7.0 (2026-05-07)

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

  • Decompression-bomb safeguards of the streaming API were bypassed:

    1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially.
    2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official [Brotli](https://pypi.org/project/brotli/) library.

    See [GHSA-mf9v-mfxr-j63j](https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j) for details.

  • HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. ([GHSA-qccp-gfcp-xxvc](https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc))

Deprecations and Removals

  • Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. ([#3763](https://github.com/urllib3/urllib3/issues/3763))
  • Removed support for end-of-life Python 3.9. ([#3720](https://github.com/urllib3/urllib3/issues/3720))
  • Removed support for end-of-life PyPy3.10. ([#4979](https://github.com/urllib3/urllib3/issues/4979))
  • Bumped the minimum supported pyOpenSSL version to 19.0.0. ([#3777](https://github.com/urllib3/urllib3/issues/3777))

Bugfixes

  • Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. ([#3636](https://github.com/urllib3/urllib3/issues/3636))
  • Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True.

... (truncated)

Commits

    Description has been truncated

…dates

Bumps the python-security group with 5 updates in the /services/rag-backend directory:

| Package | From | To |
| --- | --- | --- |
| [idna](https://github.com/kjd/idna) | `3.10` | `3.15` |
| [langchain-classic](https://github.com/langchain-ai/langchain) | `1.0.0` | `1.0.7` |
| [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.6.3` | `0.8.5` |
| [python-dotenv](https://github.com/theskumar/python-dotenv) | `1.1.1` | `1.2.2` |
| [urllib3](https://github.com/urllib3/urllib3) | `2.6.3` | `2.7.0` |

Bumps the python-security group with 6 updates in the /services/admin-backend directory:

| Package | From | To |
| --- | --- | --- |
| [idna](https://github.com/kjd/idna) | `3.10` | `3.15` |
| [langchain-classic](https://github.com/langchain-ai/langchain) | `1.0.0` | `1.0.7` |
| [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.3.45` | `0.8.5` |
| [python-dotenv](https://github.com/theskumar/python-dotenv) | `1.1.1` | `1.2.2` |
| [urllib3](https://github.com/urllib3/urllib3) | `2.6.3` | `2.7.0` |
| [nltk](https://github.com/nltk/nltk) | `3.9.2` | `3.9.4` |

Bumps the python-security group with 6 updates in the /libs/rag-core-lib directory:

| Package | From | To |
| --- | --- | --- |
| [idna](https://github.com/kjd/idna) | `3.10` | `3.15` |
| [langchain-classic](https://github.com/langchain-ai/langchain) | `1.0.0` | `1.0.1` |
| [langchain-core](https://github.com/langchain-ai/langchain) | `1.2.13` | `1.3.3` |
| [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.3.45` | `0.8.5` |
| [python-dotenv](https://github.com/theskumar/python-dotenv) | `1.1.1` | `1.2.2` |
| [urllib3](https://github.com/urllib3/urllib3) | `2.6.3` | `2.7.0` |

Bumps the python-security group with 6 updates in the /libs/rag-core-api directory:

| Package | From | To |
| --- | --- | --- |
| [idna](https://github.com/kjd/idna) | `3.10` | `3.15` |
| [langchain-classic](https://github.com/langchain-ai/langchain) | `1.0.0` | `1.0.2` |
| [langchain-text-splitters](https://github.com/langchain-ai/langchain) | `1.1.0` | `1.1.2` |
| [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.3.45` | `0.8.5` |
| [python-dotenv](https://github.com/theskumar/python-dotenv) | `1.1.1` | `1.2.2` |
| [urllib3](https://github.com/urllib3/urllib3) | `2.6.3` | `2.7.0` |

Bumps the python-security group with 6 updates in the /libs/admin-api-lib directory:

| Package | From | To |
| --- | --- | --- |
| [idna](https://github.com/kjd/idna) | `3.10` | `3.15` |
| [langchain-classic](https://github.com/langchain-ai/langchain) | `1.0.0` | `1.0.7` |
| [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.3.45` | `0.8.5` |
| [python-dotenv](https://github.com/theskumar/python-dotenv) | `1.1.1` | `1.2.2` |
| [urllib3](https://github.com/urllib3/urllib3) | `2.6.3` | `2.7.0` |
| [python-multipart](https://github.com/Kludex/python-multipart) | `0.0.22` | `0.0.27` |

Bumps the python-security group with 10 updates in the /libs/extractor-api-lib directory:

| Package | From | To |
| --- | --- | --- |
| [idna](https://github.com/kjd/idna) | `3.11` | `3.15` |
| [langchain-core](https://github.com/langchain-ai/langchain) | `1.2.7` | `1.3.3` |
| [langchain-text-splitters](https://github.com/langchain-ai/langchain) | `1.1.0` | `1.1.2` |
| [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.6.4` | `0.8.5` |
| [pillow](https://github.com/python-pillow/Pillow) | `12.1.1` | `12.2.0` |
| [python-dotenv](https://github.com/theskumar/python-dotenv) | `1.2.1` | `1.2.2` |
| [urllib3](https://github.com/urllib3/urllib3) | `2.6.3` | `2.7.0` |
| [nltk](https://github.com/nltk/nltk) | `3.9.2` | `3.9.4` |
| [python-multipart](https://github.com/Kludex/python-multipart) | `0.0.22` | `0.0.27` |
| [lxml](https://github.com/lxml/lxml) | `5.4.0` | `6.1.0` |

Bumps the python-security group with 6 updates in the /services/mcp-server directory:

| Package | From | To |
| --- | --- | --- |
| [idna](https://github.com/kjd/idna) | `3.11` | `3.15` |
| [python-dotenv](https://github.com/theskumar/python-dotenv) | `1.2.1` | `1.2.2` |
| [urllib3](https://github.com/urllib3/urllib3) | `2.6.3` | `2.7.0` |
| [python-multipart](https://github.com/Kludex/python-multipart) | `0.0.22` | `0.0.27` |
| [poetry](https://github.com/python-poetry/poetry) | `2.3.2` | `2.3.4` |
| [authlib](https://github.com/authlib/authlib) | `1.6.9` | `1.6.12` |



Updates `idna` from 3.10 to 3.15
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.10...v3.15)

Updates `langchain-classic` from 1.0.0 to 1.0.7
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-classic==1.0.0...langchain-classic==1.0.7)

Updates `langchain-core` from 1.2.11 to 1.4.0
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-core==1.2.13...langchain-core==1.3.3)

Updates `langchain-text-splitters` from 1.0.0 to 1.1.2
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-text-splitters==1.1.0...langchain-text-splitters==1.1.2)

Updates `langsmith` from 0.6.3 to 0.8.5
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](https://github.com/langchain-ai/langsmith-sdk/commits/v0.8.5)

Updates `python-dotenv` from 1.1.1 to 1.2.2
- [Release notes](https://github.com/theskumar/python-dotenv/releases)
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md)
- [Commits](theskumar/python-dotenv@v1.1.1...v1.2.2)

Updates `urllib3` from 2.6.3 to 2.7.0
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)

Updates `idna` from 3.10 to 3.15
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.10...v3.15)

Updates `langchain-classic` from 1.0.0 to 1.0.7
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-classic==1.0.0...langchain-classic==1.0.7)

Updates `langchain-core` from 1.2.6 to 1.4.0
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-core==1.2.13...langchain-core==1.3.3)

Updates `langchain-text-splitters` from 1.0.0 to 1.1.2
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-text-splitters==1.1.0...langchain-text-splitters==1.1.2)

Updates `langsmith` from 0.3.45 to 0.8.5
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](https://github.com/langchain-ai/langsmith-sdk/commits/v0.8.5)

Updates `python-dotenv` from 1.1.1 to 1.2.2
- [Release notes](https://github.com/theskumar/python-dotenv/releases)
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md)
- [Commits](theskumar/python-dotenv@v1.1.1...v1.2.2)

Updates `urllib3` from 2.6.3 to 2.7.0
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)

Updates `nltk` from 3.9.2 to 3.9.4
- [Changelog](https://github.com/nltk/nltk/blob/develop/ChangeLog)
- [Commits](nltk/nltk@3.9.2...3.9.4)

Updates `idna` from 3.10 to 3.15
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.10...v3.15)

Updates `langchain-classic` from 1.0.0 to 1.0.1
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-classic==1.0.0...langchain-classic==1.0.7)

Updates `langchain-core` from 1.2.13 to 1.3.3
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-core==1.2.13...langchain-core==1.3.3)

Updates `langchain-text-splitters` from 1.0.0 to 1.1.1
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-text-splitters==1.1.0...langchain-text-splitters==1.1.2)

Updates `langsmith` from 0.3.45 to 0.8.5
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](https://github.com/langchain-ai/langsmith-sdk/commits/v0.8.5)

Updates `python-dotenv` from 1.1.1 to 1.2.2
- [Release notes](https://github.com/theskumar/python-dotenv/releases)
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md)
- [Commits](theskumar/python-dotenv@v1.1.1...v1.2.2)

Updates `urllib3` from 2.6.3 to 2.7.0
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)

Updates `idna` from 3.10 to 3.15
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.10...v3.15)

Updates `langchain-classic` from 1.0.0 to 1.0.2
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-classic==1.0.0...langchain-classic==1.0.7)

Updates `langchain-core` from 1.2.11 to 1.4.0
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-core==1.2.13...langchain-core==1.3.3)

Updates `langchain-text-splitters` from 1.1.0 to 1.1.2
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-text-splitters==1.1.0...langchain-text-splitters==1.1.2)

Updates `langsmith` from 0.3.45 to 0.8.5
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](https://github.com/langchain-ai/langsmith-sdk/commits/v0.8.5)

Updates `python-dotenv` from 1.1.1 to 1.2.2
- [Release notes](https://github.com/theskumar/python-dotenv/releases)
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md)
- [Commits](theskumar/python-dotenv@v1.1.1...v1.2.2)

Updates `urllib3` from 2.6.3 to 2.7.0
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)

Updates `idna` from 3.10 to 3.15
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.10...v3.15)

Updates `langchain-classic` from 1.0.0 to 1.0.7
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-classic==1.0.0...langchain-classic==1.0.7)

Updates `langchain-core` from 1.2.11 to 1.4.0
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-core==1.2.13...langchain-core==1.3.3)

Updates `langchain-text-splitters` from 1.0.0 to 1.1.2
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-text-splitters==1.1.0...langchain-text-splitters==1.1.2)

Updates `langsmith` from 0.3.45 to 0.8.5
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](https://github.com/langchain-ai/langsmith-sdk/commits/v0.8.5)

Updates `python-dotenv` from 1.1.1 to 1.2.2
- [Release notes](https://github.com/theskumar/python-dotenv/releases)
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md)
- [Commits](theskumar/python-dotenv@v1.1.1...v1.2.2)

Updates `urllib3` from 2.6.3 to 2.7.0
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)

Updates `python-multipart` from 0.0.22 to 0.0.27
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.22...0.0.27)

Updates `idna` from 3.11 to 3.15
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.10...v3.15)

Updates `langchain-core` from 1.2.7 to 1.3.3
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-core==1.2.13...langchain-core==1.3.3)

Updates `langchain-text-splitters` from 1.1.0 to 1.1.2
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-text-splitters==1.1.0...langchain-text-splitters==1.1.2)

Updates `langsmith` from 0.6.4 to 0.8.5
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](https://github.com/langchain-ai/langsmith-sdk/commits/v0.8.5)

Updates `pillow` from 12.1.1 to 12.2.0
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@12.1.1...12.2.0)

Updates `python-dotenv` from 1.2.1 to 1.2.2
- [Release notes](https://github.com/theskumar/python-dotenv/releases)
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md)
- [Commits](theskumar/python-dotenv@v1.1.1...v1.2.2)

Updates `urllib3` from 2.6.3 to 2.7.0
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)

Updates `nltk` from 3.9.2 to 3.9.4
- [Changelog](https://github.com/nltk/nltk/blob/develop/ChangeLog)
- [Commits](nltk/nltk@3.9.2...3.9.4)

Updates `python-multipart` from 0.0.22 to 0.0.27
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.22...0.0.27)

Updates `lxml` from 5.4.0 to 6.1.0
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-5.4.0...lxml-6.1.0)

Updates `idna` from 3.11 to 3.15
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.10...v3.15)

Updates `python-dotenv` from 1.2.1 to 1.2.2
- [Release notes](https://github.com/theskumar/python-dotenv/releases)
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md)
- [Commits](theskumar/python-dotenv@v1.1.1...v1.2.2)

Updates `urllib3` from 2.6.3 to 2.7.0
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)

Updates `python-multipart` from 0.0.22 to 0.0.27
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.22...0.0.27)

Updates `poetry` from 2.3.2 to 2.3.4
- [Release notes](https://github.com/python-poetry/poetry/releases)
- [Changelog](https://github.com/python-poetry/poetry/blob/main/CHANGELOG.md)
- [Commits](python-poetry/poetry@2.3.2...2.3.4)

Updates `authlib` from 1.6.9 to 1.6.12
- [Release notes](https://github.com/authlib/authlib/releases)
- [Changelog](https://github.com/authlib/authlib/blob/1.6.12/docs/changelog.rst)
- [Commits](authlib/authlib@v1.6.9...1.6.12)

---
updated-dependencies:
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-classic
  dependency-version: 1.0.7
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-core
  dependency-version: 1.4.0
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-text-splitters
  dependency-version: 1.1.2
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langsmith
  dependency-version: 0.8.5
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-classic
  dependency-version: 1.0.7
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-core
  dependency-version: 1.4.0
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-text-splitters
  dependency-version: 1.1.2
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langsmith
  dependency-version: 0.8.5
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: nltk
  dependency-version: 3.9.4
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-classic
  dependency-version: 1.0.1
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-core
  dependency-version: 1.3.3
  dependency-type: direct:production
  dependency-group: python-security
- dependency-name: langchain-text-splitters
  dependency-version: 1.1.1
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langsmith
  dependency-version: 0.8.5
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-classic
  dependency-version: 1.0.2
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-core
  dependency-version: 1.4.0
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-text-splitters
  dependency-version: 1.1.2
  dependency-type: direct:production
  dependency-group: python-security
- dependency-name: langsmith
  dependency-version: 0.8.5
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-classic
  dependency-version: 1.0.7
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-core
  dependency-version: 1.4.0
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-text-splitters
  dependency-version: 1.1.2
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langsmith
  dependency-version: 0.8.5
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: python-multipart
  dependency-version: 0.0.27
  dependency-type: direct:production
  dependency-group: python-security
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-core
  dependency-version: 1.3.3
  dependency-type: direct:production
  dependency-group: python-security
- dependency-name: langchain-text-splitters
  dependency-version: 1.1.2
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langsmith
  dependency-version: 0.8.5
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: pillow
  dependency-version: 12.2.0
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: nltk
  dependency-version: 3.9.4
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: python-multipart
  dependency-version: 0.0.27
  dependency-type: direct:production
  dependency-group: python-security
- dependency-name: lxml
  dependency-version: 6.1.0
  dependency-type: direct:production
  dependency-group: python-security
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: python-multipart
  dependency-version: 0.0.27
  dependency-type: direct:production
  dependency-group: python-security
- dependency-name: poetry
  dependency-version: 2.3.4
  dependency-type: direct:production
  dependency-group: python-security
- dependency-name: authlib
  dependency-version: 1.6.12
  dependency-type: direct:production
  dependency-group: python-security
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) labels May 19, 2026