Bump the pip group across 5 directories with 11 updates

[dependabot]

Bumps the pip group with 9 updates in the / directory:

Package	From	To
requests	2.31.0	2.32.2
fastapi	0.100.1	0.109.1
jinja2	3.1.2	3.1.4
python-multipart	0.0.6	0.0.7
aiohttp	3.8.5	3.9.4
cryptography	41.0.3	42.0.4
idna	3.4	3.7
tqdm	4.66.1	4.66.3
urllib3	1.26.16	1.26.19

Bumps the pip group with 6 updates in the /apps/client_backend directory:

Package	From	To
requests	2.31.0	2.32.2
jinja2	3.1.3	3.1.4
aiohttp	3.9.1	3.9.4
idna	3.6	3.7
tqdm	4.66.1	4.66.3
urllib3	2.1.0	2.2.2

Bumps the pip group with 7 updates in the /apps/langchain_agent directory:

Package	From	To
requests	2.31.0	2.32.2
jinja2	3.1.3	3.1.4
aiohttp	3.9.1	3.9.4
cryptography	42.0.1	42.0.4
idna	3.6	3.7
tqdm	4.66.1	4.66.3
urllib3	2.1.0	2.2.2

Bumps the pip group with 7 updates in the /apps/telegram_bot directory:

Package	From	To
requests	2.31.0	2.32.2
jinja2	3.1.3	3.1.4
aiohttp	3.9.1	3.9.4
black	23.12.1	24.3.0
idna	3.6	3.7
tqdm	4.66.1	4.66.3
urllib3	2.1.0	2.2.2

Bumps the pip group with 7 updates in the /apps/telephony_app directory:

Package	From	To
requests	2.31.0	2.32.2
jinja2	3.1.3	3.1.4
aiohttp	3.9.1	3.9.4
cryptography	42.0.1	42.0.4
idna	3.6	3.7
tqdm	4.66.1	4.66.3
urllib3	2.1.0	2.2.2

Updates requests from 2.31.0 to 2.32.2

Release notes

Sourced from requests's releases.

v2.32.2

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

🐍 PYCON US 2024 EDITION 🐍

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

... (truncated)

Changelog

Sourced from requests's changelog.

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations

... (truncated)

Commits

• 88dce9d v2.32.2
• c98e4d1 Merge pull request #6710 from nateprewitt/api_rename
• 92075b3 Add deprecation warning
• aa1461b Move _get_connection to get_connection_with_tls_context
• 970e8ce v2.32.1
• d6ebc4a v2.32.0
• 9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
• 0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
• 555b870 Allow character detection dependencies to be optional in post-packaging steps
• d6dded3 Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test
• Additional commits viewable in compare view

Updates fastapi from 0.100.1 to 0.109.1

Release notes

Sourced from fastapi's releases.

0.109.1

Security fixes

• ⬆️ Upgrade minimum version of python-multipart to >=0.0.7 to fix a vulnerability when using form data with a ReDos attack. You can also simply upgrade python-multipart.

Read more in the advisory: Content-Type Header ReDoS.

Features

• ✨ Include HTTP 205 in status codes with no body. PR #10969 by @​tiangolo.

Refactors

• ✅ Refactor tests for duplicate operation ID generation for compatibility with other tools running the FastAPI test suite. PR #10876 by @​emmettbutler.
• ♻️ Simplify string format with f-strings in fastapi/utils.py. PR #10576 by @​eukub.
• 🔧 Fix Ruff configuration unintentionally enabling and re-disabling mccabe complexity check. PR #10893 by @​jiridanek.
• ✅ Re-enable test in tests/test_tutorial/test_header_params/test_tutorial003.py after fix in Starlette. PR #10904 by @​ooknimm.

Docs

• 📝 Tweak wording in help-fastapi.md. PR #11040 by @​tiangolo.
• 📝 Tweak docs for Behind a Proxy. PR #11038 by @​tiangolo.
• 📝 Add External Link: 10 Tips for adding SQLAlchemy to FastAPI. PR #11036 by @​Donnype.
• 📝 Add External Link: Tips on migrating from Flask to FastAPI and vice-versa. PR #11029 by @​jtemporal.
• 📝 Deprecate old tutorials: Peewee, Couchbase, encode/databases. PR #10979 by @​tiangolo.
• ✏️ Fix typo in fastapi/security/oauth2.py. PR #10972 by @​RafalSkolasinski.
• 📝 Update HTTPException details in docs/en/docs/tutorial/handling-errors.md. PR #5418 by @​papb.
• ✏️ A few tweaks in docs/de/docs/tutorial/first-steps.md. PR #10959 by @​nilslindemann.
• ✏️ Fix link in docs/en/docs/advanced/async-tests.md. PR #10960 by @​nilslindemann.
• ✏️ Fix typos for Spanish documentation. PR #10957 by @​jlopezlira.
• 📝 Add warning about lifespan functions and backwards compatibility with events. PR #10734 by @​jacob-indigo.
• ✏️ Fix broken link in docs/tutorial/sql-databases.md in several languages. PR #10716 by @​theoohoho.
• ✏️ Remove broken links from external_links.yml. PR #10943 by @​Torabek.
• 📝 Update template docs with more info about url_for. PR #5937 by @​EzzEddin.
• 📝 Update usage of Token model in security docs. PR #9313 by @​piotrszacilowski.
• ✏️ Update highlighted line in docs/en/docs/tutorial/bigger-applications.md. PR #5490 by @​papb.
• 📝 Add External Link: Explore How to Effectively Use JWT With FastAPI. PR #10212 by @​aanchlia.
• 📝 Add hyperlink to docs/en/docs/tutorial/static-files.md. PR #10243 by @​hungtsetse.
• 📝 Add External Link: Instrument a FastAPI service adding tracing with OpenTelemetry and send/show traces in Grafana Tempo. PR #9440 by @​softwarebloat.
• 📝 Review and rewording of en/docs/contributing.md. PR #10480 by @​nilslindemann.
• 📝 Add External Link: ML serving and monitoring with FastAPI and Evidently. PR #9701 by @​mnrozhkov.
• 📝 Reword in docs, from "have in mind" to "keep in mind". PR #10376 by @​malicious.
• 📝 Add External Link: Talk by Jeny Sadadia. PR #10265 by @​JenySadadia.
• 📝 Add location info to tutorial/bigger-applications.md. PR #10552 by @​nilslindemann.
• ✏️ Fix Pydantic method name in docs/en/docs/advanced/path-operation-advanced-configuration.md. PR #10826 by @​ahmedabdou14.

Translations

• 🌐 Add Spanish translation for docs/es/docs/external-links.md. PR #10933 by @​pablocm83.
• 🌐 Update Korean translation for docs/ko/docs/tutorial/first-steps.md, docs/ko/docs/tutorial/index.md, docs/ko/docs/tutorial/path-params.md, and docs/ko/docs/tutorial/query-params.md. PR #4218 by @​SnowSuno.

... (truncated)

Commits

• 7633d15 🔖 Release version 0.109.1
• a4de147 📝 Update release notes
• 9d34ad0 Merge pull request from GHSA-qf9m-vfgh-m389
• ebf9723 📝 Update release notes
• 8590d0c 👥 Update FastAPI People (#11074)
• 063d7ff 📝 Update release notes
• 3c81e62 🌐 Add Spanish translation for docs/es/docs/external-links.md (#10933)
• 6c4a143 📝 Update release notes
• d254e2f 🌐 Update Korean translation for docs/ko/docs/tutorial/first-steps.md, `docs...
• 6f6e786 📝 Update release notes
• Additional commits viewable in compare view

Updates jinja2 from 3.1.2 to 3.1.4

Release notes

Sourced from jinja2's releases.

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

• The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

3.1.3

This is a fix release for the 3.1.x feature branch.

• Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.
• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-3
• Milestone: https://github.com/pallets/jinja/milestone/15?closed=1

Changelog

Sourced from jinja2's changelog.

Version 3.1.4

Released 2024-05-05

• The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. :ghsa:h75v-3vvj-5mfj

Version 3.1.3

Released 2024-01-10

• Fix compiler error when checking if required blocks in parent templates are empty. :pr:1858
• xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
• Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. :pr:1918

Commits

• dd4a8b5 release version 3.1.4
• 0668239 Merge pull request from GHSA-h75v-3vvj-5mfj
• d655030 disallow invalid characters in keys to xmlattr filter
• a7863ba add ghsa links
• b5c98e7 start version 3.1.4
• da3a9f0 update project files (#1968)
• 0ee5eb4 satisfy formatter, linter, and strict mypy
• 20477c6 update project files (#5457)
• e491223 update pyyaml dev dependency
• 36f9885 fix pr link
• Additional commits viewable in compare view

Updates python-multipart from 0.0.6 to 0.0.7

Changelog

Sourced from python-multipart's changelog.

0.0.7 (2024-02-03)

• Refactor header option parser to use the standard library instead of a custom RegEx #75.

Commits

• c83e6da Version 0.0.7 (#77)
• fb7d3c9 Bump pygments from 2.7.4 to 2.15.0 (#66)
• 20f0ef6 ♻️ Refactor header option parser to use the standard library instead of a cus...
• d3d16da Use latest invoke version (2.2.0) (#73)
• 8e59feb Use single quotes to avoid special zsh chars '[' and ']' (#71)
• 86d422c Update changelog URL (#68)
• 3929f8e Move tests folder to root folder (#61)
• See full diff in compare view

Updates aiohttp from 3.8.5 to 3.9.4

Release notes

Sourced from aiohttp's releases.

3.9.4

Bug fixes

• The asynchronous internals now set the underlying causes when assigning exceptions to the future objects -- by :user:webknjaz.

  Related issues and pull requests on GitHub: #8089.

• Treated values of Accept-Encoding header as case-insensitive when checking for gzip files -- by :user:steverep.

  Related issues and pull requests on GitHub: #8104.

• Improved the DNS resolution performance on cache hit -- by :user:bdraco.

  This is achieved by avoiding an :mod:asyncio task creation in this case.

  Related issues and pull requests on GitHub: #8163.

• Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append, :meth:aiohttp.MultipartWriter.append_json and :meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny

  Related issues and pull requests on GitHub: #7741.

• Ensure websocket transport is closed when client does not close it -- by :user:bdraco.

  The transport could remain open if the client did not close it. This change ensures the transport is closed when the client does not close it.

... (truncated)

Changelog

Sourced from aiohttp's changelog.

3.9.4 (2024-04-11)

Bug fixes

• The asynchronous internals now set the underlying causes when assigning exceptions to the future objects -- by :user:webknjaz.

  Related issues and pull requests on GitHub: :issue:8089.

• Treated values of Accept-Encoding header as case-insensitive when checking for gzip files -- by :user:steverep.

  Related issues and pull requests on GitHub: :issue:8104.

• Improved the DNS resolution performance on cache hit -- by :user:bdraco.

  This is achieved by avoiding an :mod:asyncio task creation in this case.

  Related issues and pull requests on GitHub: :issue:8163.

• Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append, :meth:aiohttp.MultipartWriter.append_json and :meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny

  Related issues and pull requests on GitHub: :issue:7741.

• Ensure websocket transport is closed when client does not close it -- by :user:bdraco.

  The transport could remain open if the client did not close it. This change ensures the transport is closed when the client does not close it.

... (truncated)

Commits

• b3397c7 Release v3.9.4 (#8201)
• a7e240a [PR #8320/9ba9a4e5 backport][3.9] Fix Python parser to mark responses without...
• 2833552 Escape filenames and paths in HTML when generating index pages (#8317) (#8319)
• ed43040 [PR #8309/c29945a1 backport][3.9] Improve reliability of run_app test (#8315)
• ec2be05 [PR #8299/28d026eb backport][3.9] Create marker for internal tests (#8307)
• 292d961 [PR #8304/88c80c14 backport][3.9] Check for backports in CI (#8305)
• cebe526 Fix handling of multipart/form-data (#8280) (#8302)
• 270ae9c [PR #8297/d15f07cf backport][3.9] Upgrade to llhttp 9.2.1 (#8292) (#8298)
• bb23105 [PR #8283/54e13b0a backport][3.9] Fix blocking I/O in the event loop while pr...
• 3f79241 [PR #8286/28f1fd88 backport][3.9] docs: remove repetitive word in comment (#8...
• Additional commits viewable in compare view

Updates cryptography from 41.0.3 to 42.0.4

Changelog

Sourced from cryptography's changelog.

42.0.4 - 2024-02-20

* Fixed a null-pointer-dereference and segfault that could occur when creating
  a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
  issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
  and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
  definitions in :rfc:`2633` :rfc:`3370`.
.. _v42-0-3:
42.0.3 - 2024-02-15

• Fixed an initialization issue that caused key loading failures for some users.

.. _v42-0-2:

42.0.2 - 2024-01-30

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
  ``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
  ``X25519PrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
  ``X448PrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
  and ``DHPrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.
.. _v42-0-1:
42.0.1 - 2024-01-24

• Fixed an issue with incorrect keyword-argument naming with EllipticCurvePrivateKey :meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign.
• Resolved compatibility issue with loading certain RSA public keys in :func:~cryptography.hazmat.primitives.serialization.load_pem_public_key.

.. _v42-0-0:

42.0.0 - 2024-01-22

</tr></table> 

... (truncated)

Commits

• fe18470 Bump for 42.0.4 release (#10445)
• aaa2dd0 Fix ASN.1 issues in PKCS#7 and S/MIME signing (#10373) (#10442)
• 7a4d012 Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#10423) ...
• df314bb backport actions m1 switch to 42.0.x (#10415)
• c49a7a5 changelog and version bump for 42.0.3 (#10396)
• 396bcf6 fix provider loading take two (#10390) (#10395)
• 0e0e46f backport: initialize openssl's legacy provider in rust (#10323) (#10333)
• 2202123 changelog and version bump 42.0.2 (#10268)
• f7032bd bump openssl in CI (#10298) (#10299)
• 002e886 Fixes #10294 -- correct accidental change to exchange kwarg (#10295) (#10296)
• Additional commits viewable in compare view

Updates idna from 3.4 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

3.6 (2023-11-25) ++++++++++++++++

• Fix regression to include tests in source distribution.

3.5 (2023-11-24) ++++++++++++++++

• Update to Unicode 15.1.0
• String codec name is now "idna2008" as overriding the system codec "idna" was not working.
• Fix typing error for codec encoding
• "setup.cfg" has been added for this release due to some downstream lack of adherence to PEP 517. Should be removed in a future release so please prepare accordingly.
• Removed reliance on a symlink for the "idna-data" tool to comport with PEP 517 and the Python Packaging User Guide for sdist archives.
• Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions to this release.

Commits

• 1d365e1 Release v3.7
• c1b3154 Merge pull request #172 from kjd/optimize-contextj
• 0394ec7 Merge branch 'master' into optimize-contextj
• cd58a23 Merge pull request #152 from elliotwutingfeng/dev
• 5beb28b More efficient resolution of joiner contexts
• 1b12148 Update ossf/scorecard-action to v2.3.1
• d516b87 Update Github actions/checkout to v4
• c095c75 Merge branch 'master' into dev
• 60a0a4c Fix typo in GitHub Actions workflow key
• 5918a0e Merge branch 'master' into dev
• Additional commits viewable in compare view

Updates starlette from 0.27.0 to 0.35.1

Release notes

Sourced from starlette's releases.

Version 0.35.1

Fixed

• Stop using the deprecated "method" parameter in FileResponse inside of StaticFiles #2406.
• Make typing-extensions optional again #2409.

---

Full Changelog: encode/starlette@0.35.0...0.35.1

Version 0.35.0

Added

• Add *args to Middleware and improve its type hints #2381.

Fixed

• Use Iterable instead Iterator on iterate_in_threadpool #2362.

Changes

• Handle root_path to keep compatibility with mounted ASGI applications and WSGI #2400.
• Turn scope["client"] to None on TestClient #2377.

---

Full Changelog: encode/starlette@0.34.0...0.35.0

Version 0.34.0

Added

• Use ParamSpec for run_in_threadpool #2375.
• Add UploadFile.__repr__ #2360.

Fixed

• Merge URLs properly on TestClient #2376.
• Take weak ETags in consideration on StaticFiles #2334.

Deprecated

• Deprecate FileResponse(method=...) parameter #2366.

---

Full Changelog: encode/starlette@0.33.0...0.34.0

Version 0.33.0

Added

... (truncated)

Changelog

Sourced from starlette's changelog.

0.35.1

January 11, 2024

Fixed

• Stop using the deprecated "method" parameter in FileResponse inside of StaticFiles #2406.
• Make typing-extensions optional again #2409.

0.35.0

January 11, 2024

Added

• Add *args to Middleware and improve its type hints #2381.

Fixed

• Use Iterable instead Iterator on iterate_in_threadpool #2362.

Changes

• Handle root_path to keep compatibility with mounted ASGI applications and WSGI #2400.
• Turn scope["client"] to None on TestClient #2377.

0.34.0

December 16, 2023

Added

• Use ParamSpec for run_in_threadpool #2375.
• Add UploadFile.__repr__ #2360.

Fixed

• Merge URLs properly on TestClient #2376.
• Take weak ETags in consideration on StaticFiles #2334.

Deprecated

• Deprecate FileResponse(method=...) parameter #2366.

0.33.0

December 1, 2023

Added

... (truncated)

Commits

• c817605 Version 0.35.1 (#2410)
• 6c4ffee Make typing-extensions optional again (#2409)
• 3734e85 ♻️ Do not use the deprecated method parameter in FileResponse inside of `...
• 1081520 Version 0.35.0 (#2404)
• c3c6314 ♻️ Refactor logic to handle root_path to keep compatibility with ASGI and c...
• 8f2307d Bump trio from 0.22.2 to 0.23.2 (#2395)
• d28d491 Bump ruff from 0.1.6 to 0.1.9 (#2396)
• 5f9da0b Bump coverage from 7.3.2 to 7.4.0 (#2397)
• 04684c2 Bump typing-extensions from 4.8.0 to 4.9.0 (#2393)
• 8924759 Bump importlib-metadata from 6.9.0 to 7.0.1 (#2394)
• Additional commits viewable in compare view

Updates tqdm from 4.66.1 to 4.66.3

Release notes

Sourced from tqdm's releases.

tqdm v4.66.3 stable

• cli: eval safety (fixes CVE-2024-34062, GHSA-g7vv-2v7x-gj9p)

tqdm v4.66.2 stable

• pandas: add DataFrame.progress_map (#1549)
• notebook: fix HTML padding (#1506)
• keras: fix resuming training when verbose>=2 (#1508)
• fix format_num negative fractions missing leading zero (#1548)
• fix Python 3.12 DeprecationWarning on import (#1519)
• linting: use f-strings (#1549)
• update tests (#1549)
  • fix pandas warnings
  • fix asv (airspeed-velocity/asv#1323)
  • fix macos notebook docstring indentation
• CI: bump actions (#1549)

Commits

• 4e613f8 Merge pull request from GHSA-g7vv-2v7x-gj9p
• b53348c cli: eval safety
• cc372d0 bump version, merge pull request #1549 from tqdm/devel
• e9f0c05 use PyPI trusted publishing
• 7323d5b slight makefile clean
• 5306125 tests: bump pre-commit
• 4a6fd4f fix datetime.utcfromtimestamp py3.12 warning (#1519)
• 6f13759 tests: fix macos notebook indentation
• 3abcd2a tests: fix asv
• a4d15c8 tests: fix pandas warnings
• Additional commits viewable in compare view

Updates urllib3 from 1.26.16 to 1.26.19

Release notes

Sourced from urllib3's releases.

1.26.19

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support for 2023. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.

Full Changelog: urllib3/urllib3@1.26.18...1.26.19

Note that due to an issue with our release automation, no multiple.intoto.jsonl file is available for this release.

1.26.18

• Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (GHSA-g4mx-q9vg-27p4)

1.26.17

• Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (GHSA-v845-jxx5-vc9f)

Changelog

Sourced from urllib3's changelog.

1.26.19 (2024-06-17)

• Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.
• Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS. ([#3405](https://github.com/urllib3/urllib3/issues/3405) <https://github.com/urllib3/urllib3/issues/3405>__)

1.26.18 (2023-10-17)

• Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.

1.26.17 (2023-10-02)

• Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.

Commits

• d9d85c8 Release 1.26.19
• 8528b63 [1.26] Fix downstream tests (#3409)
• 40b6d16 Merge pull request from GHSA-34jh-p97f-mpxf
• 29cfd02 Fix handling of OpenSSL 3.2.0 new error message "record layer failure" (#3405)
• b600643 [1.26] Bump RECENT_DATE (#3404)
• 7e2d389 [1.26] Fix running CPython 2.7 tests in CI (#3137)
• 9c2c230 Release 1.26.18 (#3159)
• b594c5c Merge pull request from GHSA-g4mx-q9vg-27p4
• 944f0eb [1.26] Use vendored six in urllib3.contrib.securetransport
• c9016bf Release 1.26.17
• Additional commits viewable in compare view

Updates requests from 2.31.0 to 2.32.2

Release notes

Sourced from requests's releases.

v2.32.2

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

🐍 PYCON US 2024 EDITION 🐍

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

... (truncated)

Changelog

Sourced from requests's changelog.

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connect...

  Description has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.