build(deps): Bump the python-packages group across 1 directory with 9 updates

[dependabot]

Bumps the python-packages group with 9 updates in the / directory:

Package	From	To
certifi	2025.1.31	2025.8.3
charset-normalizer	3.4.1	3.4.3
docutils	0.21.2	0.22
packaging	24.2	25.0
pygments	2.19.1	2.19.2
requests	2.32.3	2.32.4
ruamel-yaml	0.18.10	0.18.14
snowballstemmer	2.2.0	3.0.1
urllib3	2.3.0	2.5.0

Updates certifi from 2025.1.31 to 2025.8.3

Commits

• a97d9ad 2025.08.03 (#362)
• ddd90c6 2025.07.14 (#359)
• d905221 2025.07.09 (#358)
• e767d59 2025.06.15 (#357)
• 3e70765 Bump actions/setup-python from 5.5.0 to 5.6.0
• 9afd2ff Bump actions/download-artifact from 4.2.1 to 4.3.0
• d7c816c remove code that's no longer required that 3.7 is our minimum (#351)
• 1899613 Declare setuptools as the build backend in pyproject.toml (#350)
• c874142 update CI for ubuntu 20.04 deprecation (#348)
• 275c9eb 2025.04.26 (#347)
• Additional commits viewable in compare view

Updates charset-normalizer from 3.4.1 to 3.4.3

Release notes

Sourced from charset-normalizer's releases.

Version 3.4.3

3.4.3 (2025-08-09)

Changed

• mypy(c) is no longer a required dependency at build time if CHARSET_NORMALIZER_USE_MYPYC isn't set to 1. (#595) (#583)
• automatically lower confidence on small bytes samples that are not Unicode in detect output legacy function. (#391)

Added

• Custom build backend to overcome inability to mark mypy as an optional dependency in the build phase.
• Support for Python 3.14

Fixed

• sdist archive contained useless directories.
• automatically fallback on valid UTF-16 or UTF-32 even if the md says it's noisy. (#633)

Misc

• SBOM are automatically published to the relevant GitHub release to comply with regulatory changes. Each published wheel comes with its SBOM. We choose CycloneDX as the format.
• Prebuilt optimized wheel are no longer distributed by default for CPython 3.7 due to a change in cibuildwheel.

Version 3.4.2

3.4.2 (2025-05-02)

Fixed

• Addressed the DeprecationWarning in our CLI regarding argparse.FileType by backporting the target class into the package. (#591)
• Improved the overall reliability of the detector with CJK Ideographs. (#605) (#587)

Changed

• Optional mypyc compilation upgraded to version 1.15 for Python >= 3.9

Changelog

Sourced from charset-normalizer's changelog.

3.4.3 (2025-08-09)

Changed

• mypy(c) is no longer a required dependency at build time if CHARSET_NORMALIZER_USE_MYPYC isn't set to 1. (#595) (#583)
• automatically lower confidence on small bytes samples that are not Unicode in detect output legacy function. (#391)

Added

• Custom build backend to overcome inability to mark mypy as an optional dependency in the build phase.
• Support for Python 3.14

Fixed

• sdist archive contained useless directories.
• automatically fallback on valid UTF-16 or UTF-32 even if the md says it's noisy. (#633)

Misc

• SBOM are automatically published to the relevant GitHub release to comply with regulatory changes. Each published wheel comes with its SBOM. We choose CycloneDX as the format.
• Prebuilt optimized wheel are no longer distributed by default for CPython 3.7 due to a change in cibuildwheel.

3.4.2 (2025-05-02)

Fixed

• Addressed the DeprecationWarning in our CLI regarding argparse.FileType by backporting the target class into the package. (#591)
• Improved the overall reliability of the detector with CJK Ideographs. (#605) (#587)

Changed

• Optional mypyc compilation upgraded to version 1.15 for Python >= 3.8

Commits

• 46f662d Release 3.4.3 (#638)
• 1a059b2 🔧 skip building on freethreaded as we're not confident it is stable
• 2275e3d 📝 final note in CHANGELOG.md
• c96acdf 📝 update release date on CHANGELOG.md
• 43e5460 📝 update README.md
• f277074 🔧 automatically lower confidence on small bytes str on non Unicode res...
• 15ae241 🐛 automatically fallback on valid UTF-16 or UTF-32 even if the md says it...
• 37397c1 🔧 enable 3.14 in nox test_mypyc session
• cb82537 ⏪ revert license due to compat python 3.7 issue setuptools
• 6a2efeb 🎨 fix linter errors
• Additional commits viewable in compare view

Updates docutils from 0.21.2 to 0.22

Commits

• See full diff in compare view

Updates packaging from 24.2 to 25.0

Release notes

Sourced from packaging's releases.

25.0

What's Changed

• Re-add a test for Unicode file name parsing by @​Siddhesh-Agarwal in pypa/packaging#863
• Upgrade to ruff 0.9.1 by @​DimitriPapadopoulos in pypa/packaging#865
• Add support for PEP 738 Android tags by @​mhsmith in pypa/packaging#880
• feat(markers): support 'extras' and 'dependency_groups' markers by @​frostming in pypa/packaging#888

New Contributors

• @​Siddhesh-Agarwal made their first contribution in pypa/packaging#863
• @​mhsmith made their first contribution in pypa/packaging#880
• @​frostming made their first contribution in pypa/packaging#888

Full Changelog: pypa/packaging@24.2...25.0

Changelog

Sourced from packaging's changelog.

25.0 - 2025-04-19

* PEP 751: Add support for ``extras`` and ``dependency_groups`` markers. (:issue:`885`)
* PEP 738: Add support for Android platform tags. (:issue:`880`)

Commits

• f585376 Bump for release
• 600ecea Add changelog entries
• 3910129 support 'extras' and 'dependency_groups' markers (#888)
• 8e49b43 Add support for PEP 738 Android tags (#880)
• e624d8e Bump the github-actions group with 3 updates (#886)
• 71f38d8 Bump the github-actions group with 2 updates (#878)
• 9b4922d Bump the github-actions group with 3 updates (#870)
• 8510bd9 Upgrade to ruff 0.9.1 (#865)
• 9375ec2 Re-add tests for Unicode file name parsing (#863)
• 2256ed4 Bump the github-actions group across 1 directory with 2 updates (#864)
• Additional commits viewable in compare view

Updates pygments from 2.19.1 to 2.19.2

Release notes

Sourced from pygments's releases.

2.19.2

• Lua: Fix regression introduced in 2.19.0 (#2882, #2839)

Changelog

Sourced from pygments's changelog.

Version 2.19.2

(released June 21st, 2025)

• Lua: Fix regression introduced in 2.19.0 (#2882, #2839)

Commits

• cfca62e Prepare v2.19.2 release.
• 6688300 Disable pyodide (currently broken.)
• 66997c3 Update ruff version.
• 94dda77 Update CHANGES.
• 26634c8 Merge pull request #2882 from thavelick/fix_lua_runaway_regex
• b6a51ec fix lua regex causing runaway backtracking.
• edef94d Investigation for #2839.
• fb6a00e Merge pull request #2837 from dlazin/sql-cleanup
• bf7aa23 Clean up sql.py
• See full diff in compare view

Updates requests from 2.32.3 to 2.32.4

Release notes

Sourced from requests's releases.

v2.32.4

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS. (#6926)
• Dropped support for pypy 3.9 following its end of support. (#6926)

Changelog

Sourced from requests's changelog.

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS.
• Dropped support for pypy 3.9 following its end of support.

Commits

• 021dc72 Polish up release tooling for last manual release
• 821770e Bump version and add release notes for v2.32.4
• 59f8aa2 Add netrc file search information to authentication documentation (#6876)
• 5b4b64c Add more tests to prevent regression of CVE 2024 47081
• 7bc4587 Add new test to check netrc auth leak (#6962)
• 96ba401 Only use hostname to do netrc lookup instead of netloc
• 7341690 Merge pull request #6951 from tswast/patch-1
• 6716d7c remove links
• a7e1c74 Update docs/conf.py
• c799b81 docs: fix dead links to kenreitz.org
• Additional commits viewable in compare view

Updates ruamel-yaml from 0.18.10 to 0.18.14

Updates snowballstemmer from 2.2.0 to 3.0.1

Changelog

Sourced from snowballstemmer's changelog.

Snowball 3.0.1 (2025-05-09)

Python

• The init.py in 3.0.0 was incorrectly generated due to a missing build dependency and the list of algorithms was empty. First reported by laymonage. Thanks to Dmitry Shachnev, Henry Schreiner and Adam Turner for diagnosing and fixing. (#229, #230, #231)

• Add trove classifiers for Armenian and Yiddish which have now been registered with PyPI. Thanks to Henry Schreiner and Dmitry Shachnev. (#228)

• Update documented details of Python 2 support in old versions.

Snowball 3.0.0 (2025-05-08)

Ada

• Bug fixes:

  • Fix invalid Ada code generated for Snowball loop (it was partly Pascal!) None of the stemmers shipped in previous releases triggered this bug, but the Turkish stemmer now does.

  • The Ada runtime was not tracking the current length of the string but instead used the current limit value or some other substitute, which manifested as various incorrect behaviours for code inside of setlimit.

  • size was incorrectly returning the difference between the limit and the backwards limit.

  • lenof or sizeof on a string variable generated Ada code that didn't even compile.

  • Fix incorrect preconditions on some methods in the runtime.

  • Fix bug in runtime code used by attach, insert, <- and string variable assignment when a (sub)string was replaced with a larger string. This bug was triggered by code in the Kraaij-Pohlmann Dutch stemmer implementation (which was previously not enabled by default but is now the standard Dutch stemmer).

  • Fix invalid code generated for insert, <- and string variable assignment. This bug was triggered by code in the Kraaij-Pohlmann Dutch stemmer implementation (which was previously not enabled by default but is now the standard Dutch stemmer).

... (truncated)

Commits

• e4b3efb Update for 3.0.1
• bbd3319 Protect empty languages dict
• 298ff9f Update details of Python 2 support in old versions
• 53fe098 python: Specify correct dependencies for $(python_output_dir)/__init__.py
• 00a22de Stop excluding classifiers for Armenian and Yiddish
• abd9adc Update for 3.0.0
• d23d356 Back out incomplete ESM support for 3.0.0
• ff42274 Update draft NEWS entry
• cd61f01 tamil: remove_tense_suffix signals if ending removed
• edfe576 nepali: Reformat amongs to be clearer
• Additional commits viewable in compare view

Updates urllib3 from 2.3.0 to 2.5.0

Release notes

Sourced from urllib3's releases.

2.5.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security issues

urllib3 2.5.0 fixes two moderate security issues:

• Pool managers now properly control redirects when retries is passed — CVE-2025-50181 reported by @​sandumjacob (5.3 Medium, GHSA-pq67-6m6q-mj2v)
• Redirects are now controlled by urllib3 in the Node.js runtime — CVE-2025-50182 (5.3 Medium, GHSA-48p4-8xcf-vxj5)

Features

• Added support for the compression.zstd module that is new in Python 3.14. See PEP 784 for more information. (#3610)
• Added support for version 0.5 of hatch-vcs (#3612)

Bugfixes

• Raised exception for HTTPResponse.shutdown on a connection already released to the pool. (#3581)
• Fixed incorrect CONNECT statement when using an IPv6 proxy with connection_from_host. Previously would not be wrapped in []. (#3615)

2.4.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Features

• Applied PEP 639 by specifying the license fields in pyproject.toml. (#3522)
• Updated exceptions to save and restore more properties during the pickle/serialization process. (#3567)
• Added verify_flags option to create_urllib3_context with a default of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python 3.13+. (#3571)

Bugfixes

• Fixed a bug with partial reads of streaming data in Emscripten. (#3555)

Misc

• Switched to uv for installing development dependecies. (#3550)
• Removed the multiple.intoto.jsonl asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (#3566)

Changelog

Sourced from urllib3's changelog.

2.5.0 (2025-06-18)

Features

• Added support for the compression.zstd module that is new in Python 3.14. See PEP 784 <https://peps.python.org/pep-0784/>_ for more information. ([#3610](https://github.com/urllib3/urllib3/issues/3610) <https://github.com/urllib3/urllib3/issues/3610>__)
• Added support for version 0.5 of hatch-vcs ([#3612](https://github.com/urllib3/urllib3/issues/3612) <https://github.com/urllib3/urllib3/issues/3612>__)

Bugfixes

• Fixed a security issue where restricting the maximum number of followed redirects at the urllib3.PoolManager level via the retries parameter did not work.
• Made the Node.js runtime respect redirect parameters such as retries and redirects.
• Raised exception for HTTPResponse.shutdown on a connection already released to the pool. ([#3581](https://github.com/urllib3/urllib3/issues/3581) <https://github.com/urllib3/urllib3/issues/3581>__)
• Fixed incorrect CONNECT statement when using an IPv6 proxy with connection_from_host. Previously would not be wrapped in []. ([#3615](https://github.com/urllib3/urllib3/issues/3615) <https://github.com/urllib3/urllib3/issues/3615>__)

2.4.0 (2025-04-10)

Features

• Applied PEP 639 by specifying the license fields in pyproject.toml. ([#3522](https://github.com/urllib3/urllib3/issues/3522) <https://github.com/urllib3/urllib3/issues/3522>__)
• Updated exceptions to save and restore more properties during the pickle/serialization process. ([#3567](https://github.com/urllib3/urllib3/issues/3567) <https://github.com/urllib3/urllib3/issues/3567>__)
• Added verify_flags option to create_urllib3_context with a default of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python 3.13+. ([#3571](https://github.com/urllib3/urllib3/issues/3571) <https://github.com/urllib3/urllib3/issues/3571>__)

Bugfixes

• Fixed a bug with partial reads of streaming data in Emscripten. ([#3555](https://github.com/urllib3/urllib3/issues/3555) <https://github.com/urllib3/urllib3/issues/3555>__)

Misc

• Switched to uv for installing development dependecies. ([#3550](https://github.com/urllib3/urllib3/issues/3550) <https://github.com/urllib3/urllib3/issues/3550>__)
• Removed the multiple.intoto.jsonl asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. ([#3566](https://github.com/urllib3/urllib3/issues/3566) <https://github.com/urllib3/urllib3/issues/3566>__)

Commits

• aaab4ec Release 2.5.0
• 7eb4a2a Merge commit from fork
• f05b132 Merge commit from fork
• d03fe32 Fix HTTP tunneling with IPv6 in older Python versions
• 11661e9 Bump github/codeql-action from 3.28.0 to 3.29.0 (#3624)
• 6a0ecc6 Update v2 migration guide to 2.4.0 (#3621)
• 8e32e60 Raise exception for shutdown on a connection already released to the pool (#3...
• 9996e0f Fix emscripten CI for Chrome 137+ (#3599)
• 4fd1a99 Bump RECENT_DATE (#3617)
• c4b5917 Add support for the new compression.zstd module in Python 3.14 (#3611)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions