chore(deps): bump the pip-version-updates group across 1 directory with 11 updates

[dependabot]

Bumps the pip-version-updates group with 11 updates in the / directory:

Package	From	To
pytest	8.4.1	8.4.2
pytest-cov	6.2.1	7.0.0
tox	4.28.0	4.30.3
types-python-dateutil	2.9.0.20250708	2.9.0.20251115
mypy	1.17.0	1.19.1
python-dotenv	1.1.1	1.2.1
ruff	0.12.4	0.14.10
urllib3	2.5.0	2.6.2
typing-extensions	4.14.1	4.15.0
authlib	1.6.5	1.6.6
requests	2.32.4	2.32.5

Updates pytest from 8.4.1 to 8.4.2

Release notes

Sourced from pytest's releases.

8.4.2

pytest 8.4.2 (2025-09-03)

Bug fixes

• #13478: Fixed a crash when using console_output_style{.interpreted-text role="confval"} with times and a module is skipped.

• #13530: Fixed a crash when using pytest.approx{.interpreted-text role="func"} and decimal.Decimal{.interpreted-text role="class"} instances with the decimal.FloatOperation{.interpreted-text role="class"} trap set.

• #13549: No longer evaluate type annotations in Python 3.14 when inspecting function signatures.

  This prevents crashes during module collection when modules do not explicitly use from __future__ import annotations and import types for annotations within a if TYPE_CHECKING: block.

• #13559: Added missing [int]{.title-ref} and [float]{.title-ref} variants to the [Literal]{.title-ref} type annotation of the [type]{.title-ref} parameter in pytest.Parser.addini{.interpreted-text role="meth"}.

• #13563: pytest.approx{.interpreted-text role="func"} now only imports numpy if NumPy is already in sys.modules. This fixes unconditional import behavior introduced in [8.4.0]{.title-ref}.

Improved documentation

• #13577: Clarify that pytest_generate_tests is discovered in test modules/classes; other hooks must be in conftest.py or plugins.

Contributor-facing changes

• #13480: Self-testing: fixed a few test failures when run with -Wdefault or a similar override.
• #13547: Self-testing: corrected expected message for test_doctest_unexpected_exception in Python 3.14.
• #13684: Make pytest's own testsuite insensitive to the presence of the CI environment variable -- by ogrisel{.interpreted-text role="user"}.

Commits

• bfae422 Prepare release version 8.4.2
• 8990538 Fix passenv CI in tox ini and make tests insensitive to the presence of the C...
• ca676bf Merge pull request #13687 from pytest-dev/patchback/backports/8.4.x/e63f6e51c...
• 975a60a Merge pull request #13686 from pytest-dev/patchback/backports/8.4.x/12bde8af6...
• 7723ce8 Merge pull request #13683 from even-even/fix_Exeption_to_Exception_in_errorMe...
• b7f0568 Merge pull request #13685 from CoretexShadow/fix/docs-pytest-generate-tests
• 2c94c4a add missing colon (#13640) (#13641)
• c3d7684 Merge pull request #13606 from pytest-dev/patchback/backports/8.4.x/5f9938563...
• dc6e3be Merge pull request #13605 from The-Compiler/training-update-2025-07
• f87289c Fix crash with times output style and skipped module (#13573) (#13579)
• Additional commits viewable in compare view

Updates pytest-cov from 6.2.1 to 7.0.0

Changelog

Sourced from pytest-cov's changelog.

7.0.0 (2025-09-09)

• Dropped support for subprocesses measurement.

  It was a feature added long time ago when coverage lacked a nice way to measure subprocesses created in tests. It relied on a .pth file, there was no way to opt-out and it created bad interations with coverage's new patch system <https://coverage.readthedocs.io/en/latest/config.html#run-patch>_ added in 7.10 <https://coverage.readthedocs.io/en/7.10.6/changes.html#version-7-10-0-2025-07-24>_.

  To migrate to this release you might need to enable the suprocess patch, example for .coveragerc:

  .. code-block:: ini

  [run] patch = subprocess

  This release also requires at least coverage 7.10.6.

• Switched packaging to have metadata completely in pyproject.toml and use hatchling <https://pypi.org/project/hatchling/>_ for building. Contributed by Ofek Lev in [#551](https://github.com/pytest-dev/pytest-cov/issues/551) <https://github.com/pytest-dev/pytest-cov/pull/551>_ with some extras in [#716](https://github.com/pytest-dev/pytest-cov/issues/716) <https://github.com/pytest-dev/pytest-cov/pull/716>_.

• Removed some not really necessary testing deps like six.

6.3.0 (2025-09-06)

• Added support for markdown reports. Contributed by Marcos Boger in [#712](https://github.com/pytest-dev/pytest-cov/issues/712) <https://github.com/pytest-dev/pytest-cov/pull/712>_ and [#714](https://github.com/pytest-dev/pytest-cov/issues/714) <https://github.com/pytest-dev/pytest-cov/pull/714>_.
• Fixed some formatting issues in docs. Anonymous contribution in [#706](https://github.com/pytest-dev/pytest-cov/issues/706) <https://github.com/pytest-dev/pytest-cov/pull/706>_.

Commits

• 224d896 Bump version: 6.3.0 → 7.0.0
• 73424e3 Cleanup the docs a bit.
• 36f1cc2 Bump pins in template.
• f299c59 Bump the github-actions group with 2 updates
• 25f0b2e Update docs/config.rst
• bb23eac Improve configuration docs
• a19531e Switch from build/pre-commit to uv/prek - this should make this faster.
• 82f9993 Update changelog.
• 211b5cd Fix links.
• 97aadd7 Update some ci config, reformat and apply some lint fixes.
• Additional commits viewable in compare view

Updates tox from 4.28.0 to 4.30.3

Release notes

Sourced from tox's releases.

4.30.3

What's Changed

• Isolate the test suite from any existing DEFAULT_CONFIG_FILE file by @​kurtmckee in tox-dev/tox#3612
• Fix none config file issue 3611 by @​kurtmckee in tox-dev/tox#3613
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/tox#3608
• Fix incorrect type annotations in PythonPathPackageWithDeps (fixes #3607) by @​PreistlyPython in tox-dev/tox#3616
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/tox#3615

New Contributors

• @​PreistlyPython made their first contribution in tox-dev/tox#3616

Full Changelog: tox-dev/tox@4.30.2...4.30.3

4.30.2

What's Changed

• Bump pypa/gh-action-pypi-publish from 1.12.4 to 1.13.0 by @​dependabot[bot] in tox-dev/tox#3603
• Ensure automatically provisioned environment is torn down by @​vytas7 in tox-dev/tox#3601
• Bump pypa/gh-action-pypi-publish from 1.12.4 to 1.13.0 in /.github/workflows by @​dependabot[bot] in tox-dev/tox#3604

Full Changelog: tox-dev/tox@4.30.1...4.30.2

4.30.1

What's Changed

• Prevent Tox from hanging with --installpkg sdist due to orphaned build backend by @​vytas7 in tox-dev/tox#3530

New Contributors

• @​vytas7 made their first contribution in tox-dev/tox#3530

Full Changelog: tox-dev/tox@4.30.0...4.30.1

4.30.0

What's Changed

• Pass through CI as __TOX_ENVIRONMENT_VARIABLE_ORIGINAL_CI by @​Liam-DeVoe in tox-dev/tox#3592
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/tox#3596
• Fix the built docs HTML path hint in tox.toml by @​webknjaz in tox-dev/tox#3594
• Add a "version added" note for tox_extend_envs by @​webknjaz in tox-dev/tox#3595
• fix: provide clear messaging about config file loading by @​ssbarnea in tox-dev/tox#3578
• Ensure tox_extend_envs list can be read twice by @​webknjaz in tox-dev/tox#3598

New Contributors

• @​Liam-DeVoe made their first contribution in tox-dev/tox#3592

... (truncated)

Changelog

Sourced from tox's changelog.

v4.30.3 (2025-10-02)

Bugfixes - 4.30.3

- Fix incorrect type annotation in ``PythonPathPackageWithDeps.__init__()``
  where ``deps`` was annotated as ``Sequence[Package]`` but should be
  ``Sequence[Requirement]`` to match actual runtime usage - by :user:`PreistlyPython` (:issue:`3607`)
- Fix ``None`` appearing as the config filename in error output
  when the user's default config file is corrupt. - by :user:`kurtmckee` (:issue:`3611`)
v4.30.2 (2025-09-04)
Bugfixes - 4.30.2

• Previously, when tox ran in an automatically provisioned environment, it could hang waiting for a PEP 517 build backend if used in conjunction with the --installpkg option. This has been fixed by properly tearing down the automatically provisioned environment after the tests.
  • by :user:vytas7 (:issue:3600)

v4.30.1 (2025-09-03)

Bugfixes - 4.30.1

- Prevent tox from hanging upon exit due to orphaned build threads and subprocesses when the ``--installpkg`` option is
  used with *sdist*.
  - by :user:`vytas7` (:issue:`3530`)
v4.30.0 (2025-09-03)
Features - 4.30.0

• Add __TOX_ENVIRONMENT_VARIABLE_ORIGINAL_CI, which passes through the CI variable if present. This is intended for use by other libraries to detect if tox is running under CI. (:issue:3442)

Bugfixes - 4.30.0

- Makes the error message more clear when pyproject.toml file cannot be loaded
  or is missing expected keys. (:issue:`3578`)
- The :func:`tox_extend_envs() hook <tox.plugin.spec.tox_extend_envs>`
  recently added in :pr:`3591` turned out to not work well with
  ``tox run``. It was fixed internally, not to exhaust the underlying
  iterator on the first use.
-- by :user:webknjaz (:issue:3598)
v4.29.0 (2025-08-29)
</tr></table>

... (truncated)

Commits

• 01442da release 4.30.3
• 984dc78 [pre-commit.ci] pre-commit autoupdate (#3615)
• 660adb5 Fix incorrect type annotations in PythonPathPackageWithDeps (fixes #3607) (#3...
• 393de39 [pre-commit.ci] pre-commit autoupdate (#3608)
• 6e32426 Fix none config file issue 3611 (#3613)
• 0805c83 Isolate the test suite from any existing DEFAULT_CONFIG_FILE file (#3612)
• 5e0784a release 4.30.2
• 64e8a34 Bump pypa/gh-action-pypi-publish in /.github/workflows (#3604)
• 7230088 Ensure automatically provisioned environment is torn down (#3601)
• 2c31dbc Bump pypa/gh-action-pypi-publish from 1.12.4 to 1.13.0 (#3603)
• Additional commits viewable in compare view

Updates types-python-dateutil from 2.9.0.20250708 to 2.9.0.20251115

Commits

• See full diff in compare view

Updates mypy from 1.17.0 to 1.19.1

Changelog

Sourced from mypy's changelog.

Mypy 1.19.1

• Fix noncommutative joins with bounded TypeVars (Shantanu, PR 20345)
• Respect output format for cached runs by serializing raw errors in cache metas (Ivan Levkivskyi, PR 20372)
• Allow types.NoneType in match cases (A5rocks, PR 20383)
• Fix mypyc generator regression with empty tuple (BobTheBuidler, PR 20371)
• Fix crash involving Unpack-ed TypeVarTuple (Shantanu, PR 20323)
• Fix crash on star import of redefinition (Ivan Levkivskyi, PR 20333)
• Fix crash on typevar with forward ref used in other module (Ivan Levkivskyi, PR 20334)
• Fail with an explicit error on PyPy (Ivan Levkivskyi, PR 20389)

Acknowledgements

Thanks to all mypy contributors who contributed to this release:

• A5rocks
• BobTheBuidler
• bzoracler
• Chainfire
• Christoph Tyralla
• David Foster
• Frank Dana
• Guo Ci
• iap
• Ivan Levkivskyi
• James Hilton-Balfe
• jhance
• Joren Hammudoglu
• Jukka Lehtosalo
• KarelKenens
• Kevin Kannammalil
• Marc Mueller
• Michael Carlstrom
• Michael J. Sullivan
• Piotr Sawicki
• Randolf Scholz
• Shantanu
• Sigve Sebastian Farstad
• sobolevn
• Stanislav Terliakov
• Stephen Morton
• Theodore Ando
• Thiago J. Barbalho
• wyattscarpenter

I’d also like to thank my employer, Dropbox, for supporting mypy development.

Mypy 1.18

We’ve just uploaded mypy 1.18.1 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance

... (truncated)

Commits

• 412c19a Bump version to 1.19.1
• 20aea0a Update changelog for 1.19.1 (#20414)
• 2b23b50 Serialize raw errors in cache metas (#20372)
• f60f90f Fail on PyPy in main instead of setup.py (#20389)
• 58d485b Fail with an explicit error on PyPy (#20384)
• a4b31a2 Allow types.NoneType in match cases (#20383)
• 8a6eff4 [mypyc] fix generator regression with empty tuple (#20371)
• 70eceea Fix noncommutative joins with bounded TypeVars (#20345)
• 3890fc4 Fix crash involving Unpack-ed TypeVarTuple (#20323)
• c93d917 Fix crash on star import of redefinition (#20333)
• Additional commits viewable in compare view

Updates python-dotenv from 1.1.1 to 1.2.1

Release notes

Sourced from python-dotenv's releases.

v1.2.1

What's Changed

• Support reading .env from FIFOs (Unix) by @​sidharth-sudhir in theskumar/python-dotenv#586
• Update CI to use trusted publishing on PyPI

New Contributors

• @​sidharth-sudhir made their first contribution in theskumar/python-dotenv#586

Full Changelog: theskumar/python-dotenv@v1.2.0...v1.2.1

v1.2.0

What's Changed

• style: upgrade to use ruff by @​theskumar in theskumar/python-dotenv#567
• Use sys.exit() instead of exit() by @​theskumar in theskumar/python-dotenv#568
• feat: add PYTHON_DOTENV_DISABLED flag to disable load_dotenv (fixes #510) by @​matthewfranglen in theskumar/python-dotenv#569
• Added Python@3.14: Github CI & tox.ini by @​23f3001135 in theskumar/python-dotenv#579
• ocs: clarify what load_dotenv() does in README by @​cybercoded in theskumar/python-dotenv#575
• Bump the github-actions group across 1 directory with 2 updates by @​dependabot[bot] in theskumar/python-dotenv#577
• Move project metadata and config to pyproject.toml by @​EpicWink in theskumar/python-dotenv#583

New Contributors

• @​matthewfranglen made their first contribution in theskumar/python-dotenv#569
• @​23f3001135 made their first contribution in theskumar/python-dotenv#579
• @​cybercoded made their first contribution in theskumar/python-dotenv#575
• @​EpicWink made their first contribution in theskumar/python-dotenv#583

Full Changelog: theskumar/python-dotenv@v1.1.1...v1.2.0

Changelog

Sourced from python-dotenv's changelog.

[1.2.1] - 2025-10-26

• Move more config to pyproject.toml, removed setup.cfg
• Add support for reading .env from FIFOs (Unix) by [@​sidharth-sudhir] in #586

[1.2.0] - 2025-10-26

• Upgrade build system to use PEP 517 & PEP 518 to use build and pyproject.toml by [@​EpicWink] in #583
• Add support for Python 3.14 by [@​23f3001135] in #579
• Add support for disabling of load_dotenv() using PYTHON_DOTENV_DISABLED env var. by [@​matthewfranglen] in #569

Commits

• eaf2a91 Do not remove .coverage file
• 8716196 Bump version: 1.2.0 → 1.2.1
• b87807f Update changelog
• 3af77d3 Support reading .env from FIFOs (Unix) (#586)
• 467ee22 Fix test failures after moving config to pyproject.toml
• 76999e7 Move more config pyproject.toml
• 222ce2c Update to use trusted publisher on pypi
• 8ed4f79 Update docs requirements
• 5bf8822 Bump version: 1.1.1 → 1.2.0
• 1fe11cc upadate changelog
• Additional commits viewable in compare view

Updates ruff from 0.12.4 to 0.14.10

Release notes

Sourced from ruff's releases.

0.14.10

Release Notes

Released on 2025-12-18.

Preview features

• [formatter] Fluent formatting of method chains (#21369)
• [formatter] Keep lambda parameters on one line and parenthesize the body if it expands (#21385)
• [flake8-implicit-str-concat] New rule to prevent implicit string concatenation in collections (ISC004) (#21972)
• [flake8-use-pathlib] Make fixes unsafe when types change in compound statements (PTH104, PTH105, PTH109, PTH115) (#22009)
• [refurb] Extend support for Path.open (FURB101, FURB103) (#21080)

Bug fixes

• [pyupgrade] Fix parsing named Unicode escape sequences (UP032) (#21901)

Rule changes

• [eradicate] Ignore ruff:disable and ruff:enable comments in ERA001 (#22038)
• [flake8-pytest-style] Allow match and check keyword arguments without an expected exception type (PT010) (#21964)
• [syntax-errors] Annotated name cannot be global (#20868)

Documentation

• Add uv and ty to the Ruff README (#21996)
• Document known lambda formatting deviations from Black (#21954)
• Update setup.md (#22024)
• [flake8-bandit] Fix broken link (S704) (#22039)

Other changes

• Fix playground Share button showing "Copied!" before clipboard copy completes (#21942)

Contributors

• @​dylwil3
• @​charliecloudberry
• @​charliermarsh
• @​chirizxc
• @​ntBre
• @​zanieb
• @​amyreese
• @​hauntsaninja
• @​11happy
• @​mahiro72
• @​MichaReiser
• @​phongddo
• @​PeterJCLaw

... (truncated)

Changelog

Sourced from ruff's changelog.

0.14.10

Released on 2025-12-18.

Preview features

• [formatter] Fluent formatting of method chains (#21369)
• [formatter] Keep lambda parameters on one line and parenthesize the body if it expands (#21385)
• [flake8-implicit-str-concat] New rule to prevent implicit string concatenation in collections (ISC004) (#21972)
• [flake8-use-pathlib] Make fixes unsafe when types change in compound statements (PTH104, PTH105, PTH109, PTH115) (#22009)
• [refurb] Extend support for Path.open (FURB101, FURB103) (#21080)

Bug fixes

• [pyupgrade] Fix parsing named Unicode escape sequences (UP032) (#21901)

Rule changes

• [eradicate] Ignore ruff:disable and ruff:enable comments in ERA001 (#22038)
• [flake8-pytest-style] Allow match and check keyword arguments without an expected exception type (PT010) (#21964)
• [syntax-errors] Annotated name cannot be global (#20868)

Documentation

• Add uv and ty to the Ruff README (#21996)
• Document known lambda formatting deviations from Black (#21954)
• Update setup.md (#22024)
• [flake8-bandit] Fix broken link (S704) (#22039)

Other changes

• Fix playground Share button showing "Copied!" before clipboard copy completes (#21942)

Contributors

• @​dylwil3
• @​charliecloudberry
• @​charliermarsh
• @​chirizxc
• @​ntBre
• @​zanieb
• @​amyreese
• @​hauntsaninja
• @​11happy
• @​mahiro72
• @​MichaReiser
• @​phongddo
• @​PeterJCLaw

0.14.9

... (truncated)

Commits

• 45bbb4c Bump 0.14.10 (#22058)
• 42b9727 [ty] Use datatest instead of dirtest (#21937)
• f7ec178 [ty] Gracefully handle client requests that can't be deserialized (#22051)
• c315164 [ty] Don't suggest keyword statements when only expressions are valid
• bb1955e [ty] Use cursor context in a few more places...
• 070e08a [ty] Move completion function to the top
• bab3924 [ty] Refactor completion generation
• 10748b2 [flake8-pytest-style] Allow match and check keyword arguments without a...
• 56539db [ty] Fix some configuration panics in the LSP (#22040)
• 8d32ad1 [ty] Add support for attribute docstrings (#22036)
• Additional commits viewable in compare view

Updates urllib3 from 2.5.0 to 2.6.2

Release notes

Sourced from urllib3's releases.

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)

2.6.1

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. (#3731)

2.6.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @​Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @​illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)

[!IMPORTANT]

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.
• If you use custom decompressors, please make sure to update them to respect the changed API of urllib3.response.ContentDecoder.

Features

• Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. (#3653)
• Added host and port information to string representations of HTTPConnection. (#3666)
• Added support for Python 3.14 free-threading builds explicitly. (#3696)

Removals

• Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers. Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). (#3622)

... (truncated)

Changelog

Sourced from urllib3's changelog.

2.6.2 (2025-12-11)

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. ([#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734>__)

2.6.1 (2025-12-08)

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. ([#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731>__)

2.6.0 (2025-12-05)

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.

• If you use custom decompressors, please make sure to update them to respect the changed API of urllib3.response.ContentDecoder.

Features

• Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. ([#3653](https://github.com/urllib3/urllib3/issues/3653) <https://github.com/urllib3/urllib3/issues/3653>__)
• Added host and port information to string representations of HTTPConnection. ([#3666](https://github.com/urllib3/urllib3/issues/3666) <https://github.com/urllib3/urllib3/issues/3666>__)
• Added support for Python 3.14 free-threading builds explicitly. ([#3696](https://github.com/urllib3/urllib3/issues/3696) <https://github.com/urllib3/urllib3/issues/3696>__)

... (truncated)

Commits

• 83f8643 Release 2.6.2
• 571a9b7 Fix HTTPResponse.read_chunked when leftover data is present in decoder's bu...
• bfe8e19 Release 2.6.1
• 3ceeb84 Restore getheaders() and getheader() (#3732)
• 720f484 Release 2.6.0
• 24d7b67 Merge commit from fork
• c19571d Merge commit from fork
• 816fcf0 Bump actions/setup-python from 6.0.0 to 6.1.0 (#3725)
• 18af0a1 Improve speed of BytesQueueBuffer.get() by using memoryview (#3711)
• 1f6abac Bump versions of pre-commit hooks (#3716)
• Additional commits viewable in compare view

Updates typing-extensions from 4.14.1 to 4.15.0

Release notes

Sourced from typing-extensions's releases.

4.15.0

No user-facing changes since 4.15.0rc1.

New features since 4.14.1:

• Add the @typing_extensions.disjoint_base decorator, as specified in PEP 800. Patch by Jelle Zijlstra.
• Add typing_extensions.type_repr, a backport of annotationlib.type_repr, introduced in Python 3.14 (CPython PR #124551, originally by Jelle Zijlstra). Patch by Semyon Moroz.
• Fix behavior of type params in typing_extensions.evaluate_forward_ref. Backport of CPython PR #137227 by Jelle Zijlstra.

4.15.0rc1

• Add the @typing_extensions.disjoint_base decorator, as specified in PEP 800. Patch by Jelle Zijlstra.
• Add typing_extensions.type_repr, a backport of annotationlib.type_repr, introduced in Python 3.14 (CPython PR #124551, originally by Jelle Zijlstra). Patch by Semyon Moroz.
• Fix behavior of type params in typing_extensions.evaluate_forward_ref. Backport of CPython PR #137227 by Jelle Zijlstra.

Changelog

Sourced from typing-extensions's changelog.

Release 4.15.0 (August 25, 2025)

No user-facing changes since 4.15.0rc1.

Release 4.15.0rc1 (August 18, 2025)

• Add the @typing_extensions.disjoint_base decorator, as specified in PEP 800. Patch by Jelle Zijlstra.
• Add typing_extensions.type_repr, a backport of annotationlib.type_repr, introduced in Python 3.14 (CPython PR #124551, originally by Jelle Zijlstra). Patch by Semyon Moroz.
• Fix behavior of type params in typing_extensions.evaluate_forward_ref. Backport of CPython PR #137227 by Jelle Zijlstra.

Commits

• 9d1637e Prepare release 4.15.0 (#658)
• 4bd67c5 Coverage: exclude some noise (#656)
• e589a26 Coverage: add detailed report to job summary (#655)
• 67d37fe Coverage: Implement fail_under (#654)
• e9ae26f Don't delete previous coverage comment (#653)
• ac80bb7 Add Coverage workflow (#623)
• abaaafd Prepare release 4.15.0rc1 (#650)
• 9810405 Add @disjoint_base (PEP 800) (#634)
• 7ee9e05 Backport type_params fix from CPython (#646)
• 1e8eb9c Do not refer to PEP 705 as being experimental (#648)
• Additional commits viewable in compare view

Updates authlib from 1.6.5 to 1.6.6

Changelog

Sourced from authlib's changelog.

Version 1.6.6

Released on Dec 12, 2025

• get_jwt_config takes a client parameter, :pr:844.
• Fix incorrect signature when Content-Type is x-www-form-urlencoded for OAuth 1.0 Client, :pr:778.
• Use expires_in in OAuth2Token when expires_at is unparsable, :pr:842.
• Always track state in session for OAuth client integrations.

Commits

• bb7a315 chore: release 1.6.6
• 0a423d4 Merge pull request #844 from azmeuk/806-get-jwt-config-client
• 2808378 Merge commit from fork
• 714502a feat: get_jwt_config takes a client parameter
• 260d04e Fix: Use expires_in when expires_at is unparsable
• eb37124 Merge pull request #778 from shc261392/fix-httpx-oauth1-form-data-incorrect-s...
• 0ba9ec4 docs: fix guide on requests self signed certificate
• a2e9943 docs: indicate that #743 needs a migration
• 06015d2 test: factorize the token fixture
• See full diff in compare view

Updates requests from 2.32.4 to 2.32.5

Release notes

Sourced from requests's releases.

v2.32.5

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

Changelog

Sourced from requests's changelog.

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

Commits

• b25c87d v2.32.5
• 131e506 Merge pull request #7010 from psf/dependabot/github_actions/actions/checkout-...
• b336cb2 Bump actions/checkout from 4.2.0 to 5.0.0
• 46e939b Update publish workflow to use artifact-id instead of name
• 4b9c546 Merge pull request #6999 from psf/dependabot/github_actions/step-security/har...
• 7618dbe<...

  Description has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.