dependabot[bot] opened a new pull request, #67008: URL: https://github.com/apache/airflow/pull/67008
Updates the requirements on [filelock](https://github.com/tox-dev/py-filelock), [packaging](https://github.com/pypa/packaging), [pathspec](https://github.com/cpburnz/python-pathspec), [trove-classifiers](https://github.com/pypa/trove-classifiers), [virtualenv](https://github.com/pypa/virtualenv), [pytest](https://github.com/pytest-dev/pytest), [click](https://github.com/pallets/click), [jinja2](https://github.com/pallets/jinja), [requests](https://github.com/psf/requests) and [python-on-whales](https://github.com/gabrieldemarmiesse/python-on-whales) to permit the latest version. Updates `filelock` from 3.25.2 to 3.29.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tox-dev/py-filelock/releases";>filelock's releases</a>.</em></p> <blockquote> <h2>3.29.0</h2> <!-- raw HTML omitted --> <h2>What's Changed</h2> <ul> <li>🐛 fix(async): use single-thread executor for lock consistency by <a href="https://github.com/gaborbernat";><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/tox-dev/filelock/pull/533";>tox-dev/filelock#533</a></li> <li>✨ feat(soft): enable stale lock detection on Windows by <a href="https://github.com/gaborbernat";><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/tox-dev/filelock/pull/534";>tox-dev/filelock#534</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/tox-dev/filelock/compare/3.28.0...3.29.0";>https://github.com/tox-dev/filelock/compare/3.28.0...3.29.0</a></p> <h2>3.28.0</h2> <!-- raw HTML omitted --> <h2>What's Changed</h2> <ul> <li>🐛 fix(ci): unbreak release workflow, publish to PyPI again by <a href="https://github.com/gaborbernat";><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/tox-dev/filelock/pull/529";>tox-dev/filelock#529</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/tox-dev/filelock/compare/3.27.0...3.28.0";>https://github.com/tox-dev/filelock/compare/3.27.0...3.28.0</a></p> <h2>3.27.0</h2> <!-- raw HTML omitted --> <h2>What's Changed</h2> <ul> <li>✨ feat(rw): add SoftReadWriteLock for NFS and HPC clusters by <a href="https://github.com/gaborbernat";><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/tox-dev/filelock/pull/528";>tox-dev/filelock#528</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/tox-dev/filelock/compare/3.26.1...3.27.0";>https://github.com/tox-dev/filelock/compare/3.26.1...3.27.0</a></p> <h2>3.26.1</h2> <!-- raw HTML omitted --> <h2>What's Changed</h2> <ul> <li>🐛 fix(asyncio): add <strong>exit</strong> to BaseAsyncFileLock and fix <strong>del</strong> loop handling by <a href="https://github.com/naarob";><code>@naarob</code></a> in <a href="https://redirect.github.com/tox-dev/filelock/pull/518";>tox-dev/filelock#518</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/naarob";><code>@naarob</code></a> made their first contribution in <a href="https://redirect.github.com/tox-dev/filelock/pull/518";>tox-dev/filelock#518</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/tox-dev/filelock/compare/3.26.0...3.26.1";>https://github.com/tox-dev/filelock/compare/3.26.0...3.26.1</a></p> <h2>3.26.0</h2> <!-- raw HTML omitted --> <h2>What's Changed</h2> <ul> <li>🔒 ci(workflows): add zizmor security auditing by <a href="https://github.com/gaborbernat";><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/tox-dev/filelock/pull/517";>tox-dev/filelock#517</a></li> <li>🔧 fix(ci): restore git credentials for release job by <a href="https://github.com/gaborbernat";><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/tox-dev/filelock/pull/520";>tox-dev/filelock#520</a></li> <li>✨ feat(soft): add PID inspection and lock breaking by <a href="https://github.com/gaborbernat";><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/tox-dev/filelock/pull/524";>tox-dev/filelock#524</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/tox-dev/filelock/compare/3.25.2...3.26.0";>https://github.com/tox-dev/filelock/compare/3.25.2...3.26.0</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst";>filelock's changelog</a>.</em></p> <blockquote> <p>########### Changelog ###########</p> <hr /> <p>3.29.0 (2026-04-19)</p> <hr /> <ul> <li>✨ feat(soft): enable stale lock detection on Windows :pr:<code>534</code></li> <li>🐛 fix(async): use single-thread executor for lock consistency :pr:<code>533</code></li> <li>build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 :pr:<code>530</code> - by :user:<code>dependabot[bot]</code></li> </ul> <hr /> <p>3.28.0 (2026-04-14)</p> <hr /> <ul> <li>🐛 fix(ci): unbreak release workflow, publish to PyPI again :pr:<code>529</code></li> </ul> <hr /> <p>3.26.1 (2026-04-09)</p> <hr /> <ul> <li>🐛 fix(asyncio): add <strong>exit</strong> to BaseAsyncFileLock and fix <strong>del</strong> loop handling :pr:<code>518</code> - by :user:<code>naarob</code></li> <li>build(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 :pr:<code>525</code> - by :user:<code>dependabot[bot]</code></li> </ul> <hr /> <p>3.26.0 (2026-04-06)</p> <hr /> <ul> <li>✨ feat(soft): add PID inspection and lock breaking :pr:<code>524</code></li> <li>[pre-commit.ci] pre-commit autoupdate :pr:<code>523</code> - by :user:<code>pre-commit-ci[bot]</code></li> <li>build(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 :pr:<code>522</code> - by :user:<code>dependabot[bot]</code></li> <li>Remove persist-credentials: false from release job :pr:<code>520</code></li> <li>[pre-commit.ci] pre-commit autoupdate :pr:<code>519</code> - by :user:<code>pre-commit-ci[bot]</code></li> <li>🔒 ci(workflows): add zizmor security auditing :pr:<code>517</code></li> <li>[pre-commit.ci] pre-commit autoupdate :pr:<code>516</code> - by :user:<code>pre-commit-ci[bot]</code></li> <li>[pre-commit.ci] pre-commit autoupdate :pr:<code>514</code> - by :user:<code>pre-commit-ci[bot]</code></li> </ul> <hr /> <p>3.25.2 (2026-03-11)</p> <hr /> <ul> <li>🐛 fix(unix): suppress EIO on close in Docker bind mounts :pr:<code>513</code></li> </ul> <hr /> <p>3.25.1 (2026-03-09)</p> <hr /> <ul> <li>[pre-commit.ci] pre-commit autoupdate :pr:<code>510</code> - by :user:<code>pre-commit-ci[bot]</code></li> <li>🐛 fix(win): restore best-effort lock file cleanup on release :pr:<code>511</code></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/tox-dev/filelock/commit/469b47f192b0a9f8c8b795d9b9f57212c716959b";><code>469b47f</code></a> Release 3.29.0</li> <li><a href="https://github.com/tox-dev/filelock/commit/e85d07281987e0855ba67c03dfdef342ec1097d5";><code>e85d072</code></a> ✨ feat(soft): enable stale lock detection on Windows (<a href="https://redirect.github.com/tox-dev/py-filelock/issues/534";>#534</a>)</li> <li><a href="https://github.com/tox-dev/filelock/commit/f5ee1712ced6916b2768812ee378183319339944";><code>f5ee171</code></a> 🐛 fix(async): use single-thread executor for lock consistency (<a href="https://redirect.github.com/tox-dev/py-filelock/issues/533";>#533</a>)</li> <li><a href="https://github.com/tox-dev/filelock/commit/2a954588cdf462a786835eeb102240ce79fecc8b";><code>2a95458</code></a> build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (<a href="https://redirect.github.com/tox-dev/py-filelock/issues/530";>#530</a>)</li> <li><a href="https://github.com/tox-dev/filelock/commit/55de20c0819652362881906fa289feff5a323c19";><code>55de20c</code></a> Release 3.28.0</li> <li><a href="https://github.com/tox-dev/filelock/commit/476b0e4a92776fe530b5d993247342f039004174";><code>476b0e4</code></a> 🐛 fix(ci): unbreak release workflow, publish to PyPI again (<a href="https://redirect.github.com/tox-dev/py-filelock/issues/529";>#529</a>)</li> <li><a href="https://github.com/tox-dev/filelock/commit/824713edc32b54efd66566907f97c1238502810e";><code>824713e</code></a> ✨ feat(rw): add SoftReadWriteLock for NFS and HPC clusters (<a href="https://redirect.github.com/tox-dev/py-filelock/issues/528";>#528</a>)</li> <li><a href="https://github.com/tox-dev/filelock/commit/9879de9298db93ffba0a9f58d9de75e9e2a00fc1";><code>9879de9</code></a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/tox-dev/py-filelock/issues/527";>#527</a>)</li> <li><a href="https://github.com/tox-dev/filelock/commit/4cfab498b6916f89be46152efa4a72e9731be98f";><code>4cfab49</code></a> Release 3.26.1</li> <li><a href="https://github.com/tox-dev/filelock/commit/734c9f26e8107ad24886129fc68865f0b46cf71f";><code>734c9f2</code></a> 🐛 fix(asyncio): add <strong>exit</strong> to BaseAsyncFileLock and fix <strong>del</strong> loop handli...</li> <li>Additional commits viewable in <a href="https://github.com/tox-dev/py-filelock/compare/3.25.2...3.29.0";>compare view</a></li> </ul> </details> <br /> Updates `packaging` from 26.0 to 26.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pypa/packaging/releases";>packaging's releases</a>.</em></p> <blockquote> <h2>26.2</h2> <h2>What's Changed</h2> <p>Fixes:</p> <ul> <li>Fix incorrect sysconfig var name for pyemscripten by <a href="https://github.com/ryanking13";><code>@ryanking13</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1160";>pypa/packaging#1160</a></li> <li>Make <code>Version</code>, <code>Specifier</code>, <code>SpecifierSet</code>, <code>Tag</code>, <code>Marker</code>, and <code>Requirement</code> pickle-safe and backward-compatible with pickles created in 25.0-26.1 (including references to the removed <code>packaging._structures</code> module) by <a href="https://github.com/eachimei";><code>@eachimei</code></a> and <a href="https://github.com/henryiii";><code>@henryiii</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1163";>pypa/packaging#1163</a>, <a href="https://redirect.github.com/pypa/packaging/pull/1168";>pypa/packaging#1168</a>, <a href="https://redirect.github.com/pypa/packaging/pull/1170";>pypa/packaging#1170</a>, and <a href="https://redirect.github.com/pypa/packaging/pull/1171";>pypa/packaging#1171</a></li> <li>fix: re-export ExceptionGroup for now by <a href="https://github.com/henryiii";><code>@henryiii</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1164";>pypa/packaging#1164</a></li> </ul> <p>Documentation:</p> <ul> <li>docs: add errors section and fix missing details by <a href="https://github.com/henryiii";><code>@henryiii</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1159";>pypa/packaging#1159</a></li> <li>docs(dev): document property-based test suite by <a href="https://github.com/r266-tech";><code>@r266-tech</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1167";>pypa/packaging#1167</a></li> <li>Fix typo in DirectUrl documentation by <a href="https://github.com/sbidoul";><code>@sbidoul</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1169";>pypa/packaging#1169</a></li> <li>docs(specifiers): add is_unsatisfiable() usage example by <a href="https://github.com/r266-tech";><code>@r266-tech</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1166";>pypa/packaging#1166</a></li> </ul> <p>Internal:</p> <ul> <li>Enable the auditor persona on zizmor by <a href="https://github.com/henryiii";><code>@henryiii</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1158";>pypa/packaging#1158</a></li> <li>Test new pickle guarantees by <a href="https://github.com/henryiii";><code>@henryiii</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1174";>pypa/packaging#1174</a></li> <li>Use native uv integration in rtd by <a href="https://github.com/henryiii";><code>@henryiii</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1175";>pypa/packaging#1175</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/ryanking13";><code>@ryanking13</code></a> made their first contribution in <a href="https://redirect.github.com/pypa/packaging/pull/1160";>pypa/packaging#1160</a></li> <li><a href="https://github.com/eachimei";><code>@eachimei</code></a> made their first contribution in <a href="https://redirect.github.com/pypa/packaging/pull/1163";>pypa/packaging#1163</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/pypa/packaging/compare/26.1...26.2";>https://github.com/pypa/packaging/compare/26.1...26.2</a></p> <h2>26.1</h2> <p>Features:</p> <ul> <li><del>PEP 783: add handling for Emscripten wheel tags by <a href="https://github.com/hoodmane";><code>@hoodmane</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/804";>pypa/packaging#804</a></del> (old name used in implementation, will be fixed in next release)</li> <li>PEP 803: add handling for the <code>abi3.abi3t</code> free-threading tag by <a href="https://github.com/ngoldbaum";><code>@ngoldbaum</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1099";>pypa/packaging#1099</a></li> <li>PEP 723: add <code>packaging.dependency_groups</code> module, based on the <code>dependency-groups</code> package by <a href="https://github.com/sirosen";><code>@sirosen</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1065";>pypa/packaging#1065</a></li> <li>Add the <code>packaging.direct_url</code> module by <a href="https://github.com/sbidoul";><code>@sbidoul</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/944";>pypa/packaging#944</a></li> <li>Add the <code>packaging.errors</code> module by <a href="https://github.com/henryiii";><code>@henryiii</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1071";>pypa/packaging#1071</a></li> <li>Add <code>SpecifierSet.is_unsatisfiable</code> using ranges (new internals that will be expanded in future versions) by <a href="https://github.com/notatallshaw";><code>@notatallshaw</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1119";>pypa/packaging#1119</a></li> <li>Add <code>create_compatible_tags_selector</code> to select compatible tags by <a href="https://github.com/sbidoul";><code>@sbidoul</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1110";>pypa/packaging#1110</a></li> <li>Add a <code>key</code> argument to <code>SpecifierSet.filter()</code> by <a href="https://github.com/frostming";><code>@frostming</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1068";>pypa/packaging#1068</a></li> <li>Support <code>&</code> and <code>|</code> for <code>Marker</code>'s by <a href="https://github.com/henryiii";><code>@henryiii</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1146";>pypa/packaging#1146</a></li> <li>Normalize <code>Version.__replace__</code> and add <code>Version.from_parts</code> by <a href="https://github.com/henryiii";><code>@henryiii</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1078";>pypa/packaging#1078</a></li> <li>Add an option to validate compressed tag set sort order in <code>parse_wheel_filename</code> by <a href="https://github.com/r266-tech";><code>@r266-tech</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1150";>pypa/packaging#1150</a></li> </ul> <p>Behavior adaptations:</p> <ul> <li>Narrow exclusion of pre-releases for <code><V.postN</code> to match spec by <a href="https://github.com/notatallshaw";><code>@notatallshaw</code></a> in <a href="https://redirect.github.com/pypa/packaging/pull/1140";>pypa/packaging#1140</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/packaging/blob/main/CHANGELOG.rst";>packaging's changelog</a>.</em></p> <blockquote> <p>26.2 - 2026-04-24</p> <pre><code> Fixes: <ul> <li>Fix incorrect sysconfig var name for pyemscripten in (:pull:<code>1160</code>)</li> <li>Make <code>Version</code>, <code>Specifier</code>, <code>SpecifierSet</code>, <code>Tag</code>, <code>Marker</code>, and <code>Requirement</code> pickle-safe<br /> and backward-compatible with pickles created in 25.0-26.1 (including references to the removed<br /> <code>packaging._structures</code> module) (:pull:<code>1163</code>, :pull:<code>1168</code>, :pull:<code>1170</code>, :pull:<code>1171</code>)</li> <li>Re-export <code>ExceptionGroup</code> in metadata for now in (:pull:<code>1164</code>)</li> </ul> <p>Documentation:</p> <ul> <li>Add errors section and fix missing details in (:pull:<code>1159</code>)</li> <li>Document our property-based test suite in (:pull:<code>1167</code>)</li> <li>Fix a <code>DirectUrl</code> typo in (:pull:<code>1169</code>)</li> <li>Add example of <code>is_unsatisfiable</code> in (:pull:<code>1166</code>)</li> </ul> <p>Internal:</p> <ul> <li>Enable the auditor persona on zizmor in (:pull:<code>1158</code>)</li> <li>Test new pickle guarantees in (:pull:<code>1174</code>)</li> <li>Use new native ReadTheDocs uv integration in (:pull:<code>1175</code>)</li> </ul> <p>26.1 - 2026-04-14<br /> </code></pre></p> <p>Features:</p> <ul> <li>PEP 783: add handling for Emscripten wheel tags in (:pull:<code>804</code>) (old name used in implementation, fixed in next release)</li> <li>PEP 803: add handling for the <code>abi3.abi3t</code> free-threading tag in (:pull:<code>1099</code>)</li> <li>PEP 723: add <code>packaging.dependency_groups</code> module, based on the <code>dependency-groups</code> package in (:pull:<code>1065</code>)</li> <li>Add the <code>packaging.direct_url</code> module in (:pull:<code>944</code>)</li> <li>Add the <code>packaging.errors</code> module in (:pull:<code>1071</code>)</li> <li>Add <code>SpecifierSet.is_unsatisfiable</code> using ranges (new internals that will be expanded in future versions) in (:pull:<code>1119</code>)</li> <li>Add <code>create_compatible_tags_selector</code> to select compatible tags in (:pull:<code>1110</code>)</li> <li>Add a <code>key</code> argument to <code>SpecifierSet.filter()</code> in (:pull:<code>1068</code>)</li> <li>Support <code>&</code> and <code>|</code> for <code>Marker</code>'s in (:pull:<code>1146</code>)</li> <li>Normalize <code>Version.__replace__</code> and add <code>Version.from_parts</code> in (:pull:<code>1078</code>)</li> <li>Add an option to validate compressed tag set sort order in <code>parse_wheel_filename</code> in (:pull:<code>1150</code>)</li> </ul> <p>Behavior adaptations:</p> <ul> <li>Narrow exclusion of pre-releases for <code><V.postN</code> to match spec in (:pull:<code>1140</code>)</li> <li>Narrow exclusion of post-releases for <code>>V</code> to match spec in (:pull:<code>1141</code>)</li> <li>Rename <code>format_full_version</code> to <code>_format_full_version</code> to make it visibly private in (:pull:<code>1125</code>)</li> <li>Restrict local version to ASCII in (:pull:<code>1102</code>)</li> </ul> <p>Pylock (PEP 751) updates:</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/packaging/commit/84a87ee42483d7352f9502d78a9553da8859aa7a";><code>84a87ee</code></a> Bump for release</li> <li><a href="https://github.com/pypa/packaging/commit/4a616b65bed23c8c6d58e6b0fc1a4434d4ff1f14";><code>4a616b6</code></a> docs: a few more updates to prepare for 26.2 (<a href="https://redirect.github.com/pypa/packaging/issues/1176";>#1176</a>)</li> <li><a href="https://github.com/pypa/packaging/commit/9de6f44f1e82d4595edf3aad1c4f6f98c85935a0";><code>9de6f44</code></a> ci: use native uv integration in rtd (<a href="https://redirect.github.com/pypa/packaging/issues/1175";>#1175</a>)</li> <li><a href="https://github.com/pypa/packaging/commit/bc76e14debd1a2799d1ca8f9d9c9823f35bfa466";><code>bc76e14</code></a> chore: update changelog for 26.2 (<a href="https://redirect.github.com/pypa/packaging/issues/1161";>#1161</a>)</li> <li><a href="https://github.com/pypa/packaging/commit/3f00091c08f0aa830e33ed7db00f16f11c8ac97f";><code>3f00091</code></a> tests: add a pickle check (<a href="https://redirect.github.com/pypa/packaging/issues/1174";>#1174</a>)</li> <li><a href="https://github.com/pypa/packaging/commit/48a8a069805291186522de3eff73ea80a8ca96ad";><code>48a8a06</code></a> fix: make Requirements/Markers pickle-safe (<a href="https://redirect.github.com/pypa/packaging/issues/1171";>#1171</a>)</li> <li><a href="https://github.com/pypa/packaging/commit/823b44ed1f904084a77ae3adf0ef130af6365f84";><code>823b44e</code></a> fix: make Tags pickle-safe (<a href="https://redirect.github.com/pypa/packaging/issues/1170";>#1170</a>)</li> <li><a href="https://github.com/pypa/packaging/commit/4bed32d920ca7211dd65fdf0a1ee06376e9c4733";><code>4bed32d</code></a> fix: make Specifier / SpecifierSet pickle-safe (<a href="https://redirect.github.com/pypa/packaging/issues/1168";>#1168</a>)</li> <li><a href="https://github.com/pypa/packaging/commit/963118e37caae97bc8b72f72956c7fb4ca9857ec";><code>963118e</code></a> fix: re-export ExceptionGroup for now (<a href="https://redirect.github.com/pypa/packaging/issues/1164";>#1164</a>)</li> <li><a href="https://github.com/pypa/packaging/commit/66e34a80256c96dea11da143682950c84b8133bb";><code>66e34a8</code></a> docs(specifiers): add is_unsatisfiable() usage example (<a href="https://redirect.github.com/pypa/packaging/issues/1166";>#1166</a>)</li> <li>Additional commits viewable in <a href="https://github.com/pypa/packaging/compare/26.0...26.2";>compare view</a></li> </ul> </details> <br /> Updates `pathspec` from 1.0.4 to 1.1.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/cpburnz/python-pathspec/releases";>pathspec's releases</a>.</em></p> <blockquote> <h2>v1.1.1</h2> <p>Release v1.1.1. See <a href="https://github.com/cpburnz/python-pathspec/blob/v1.1.1/CHANGES.rst";>CHANGES.rst</a>.</p> <h2>v1.1.0</h2> <p>Release v1.1.0. See <a href="https://github.com/cpburnz/python-pathspec/blob/v1.1.0/CHANGES.rst";>CHANGES.rst</a>.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/cpburnz/python-pathspec/blob/master/CHANGES.rst";>pathspec's changelog</a>.</em></p> <blockquote> <h2>1.1.1 (2026-04-26)</h2> <p>Improvements:</p> <ul> <li>Improved type checking with mypy and pyright.</li> </ul> <p>Bug fixes:</p> <ul> <li>Fixed typing on <code>PathSpec[TPattern]</code> to <code>PathSpec[TPattern_co]</code>.</li> <li>Added missing variant type-hint <code>type[Pattern]</code> to <code>PathSpec.from_lines()</code> parameter <code>pattern_factory</code>.</li> <li>Fixed possible type error when using <code>+</code> and <code>+=</code> operators on <code>PathSpec</code>.</li> </ul> <h2>1.1.0 (2026-04-22)</h2> <p>New features:</p> <ul> <li><code>Issue [#108](https://github.com/cpburnz/python-pathspec/issues/108)</code>_: Specialize pattern type for <code>PathSpec</code> as <code>PathSpec[TPattern]</code> for better debugging of <code>PathSpec().patterns</code>.</li> </ul> <p>Bug fixes:</p> <ul> <li><code>Issue [#93](https://github.com/cpburnz/python-pathspec/issues/93)</code>_: Git discards invalid range notation. <code>GitIgnoreSpecPattern</code> now discards patterns with invalid range notation like Git.</li> <li><code>Pull [#106](https://github.com/cpburnz/python-pathspec/issues/106)</code>_: Fix escape() not escaping backslash characters.</li> </ul> <p>Improvements:</p> <ul> <li><code>Pull [#110](https://github.com/cpburnz/python-pathspec/issues/110)</code>_: Nicer debug print outs (and str for regex pattern).</li> </ul> <p>.. _<code>Pull [#106](https://github.com/cpburnz/python-pathspec/issues/106)</code>: <a href="https://redirect.github.com/cpburnz/python-pathspec/pull/106";>cpburnz/python-pathspec#106</a> .. _<code>Issue [#108](https://github.com/cpburnz/python-pathspec/issues/108)</code>: <a href="https://redirect.github.com/cpburnz/python-pathspec/issues/108";>cpburnz/python-pathspec#108</a> .. _<code>Pull [#110](https://github.com/cpburnz/python-pathspec/issues/110)</code>: <a href="https://redirect.github.com/cpburnz/python-pathspec/pull/110";>cpburnz/python-pathspec#110</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/cpburnz/python-pathspec/commit/ecf71a99ca739479d450b9830f43416ea0c519c7";><code>ecf71a9</code></a> Release v1.1.1</li> <li><a href="https://github.com/cpburnz/python-pathspec/commit/6727491ff877e570e450b078c345d9346db7e531";><code>6727491</code></a> Improve type checking with mypy and pyright</li> <li><a href="https://github.com/cpburnz/python-pathspec/commit/c9249c8b4ca165ca8c5eea191cea4c0e6f3aa827";><code>c9249c8</code></a> Release v1.1.0</li> <li><a href="https://github.com/cpburnz/python-pathspec/commit/a1abeba97f1fdbc3bc0e64e6c4d7ee9b63c4cf77";><code>a1abeba</code></a> Test Iron Proxy for CI</li> <li><a href="https://github.com/cpburnz/python-pathspec/commit/0b04daeafaea8c82a6fa3e86090061dc47c61ea6";><code>0b04dae</code></a> Test Iron Proxy for CI</li> <li><a href="https://github.com/cpburnz/python-pathspec/commit/ccaedca31c5cd904c5bb55df0f0045c675f77b7f";><code>ccaedca</code></a> Test Iron Proxy for CI</li> <li><a href="https://github.com/cpburnz/python-pathspec/commit/06391d861d68ba4763e8c377c8bb1b9392bcc76a";><code>06391d8</code></a> Test Iron Proxy for CI</li> <li><a href="https://github.com/cpburnz/python-pathspec/commit/45907bf50a5cabe525306b99e85779639d9ca55e";><code>45907bf</code></a> Test Iron Proxy for CI</li> <li><a href="https://github.com/cpburnz/python-pathspec/commit/0d7c7deb138050c8586000682134d820a176bc10";><code>0d7c7de</code></a> Pin all Github actions</li> <li><a href="https://github.com/cpburnz/python-pathspec/commit/36faddae807a997d04ccfc8cf00931819464260c";><code>36fadda</code></a> Specialize patterns</li> <li>Additional commits viewable in <a href="https://github.com/cpburnz/python-pathspec/compare/v1.0.4...v1.1.1";>compare view</a></li> </ul> </details> <br /> Updates `trove-classifiers` from 2026.1.14.14 to 2026.5.7.17 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/trove-classifiers/commit/a1105aa00670c8fc241e0bc2149a236b8be43b7a";><code>a1105aa</code></a> Add Trove classifier for Python 3.16 (<a href="https://redirect.github.com/pypa/trove-classifiers/issues/243";>#243</a>)</li> <li><a href="https://github.com/pypa/trove-classifiers/commit/eca370658f6e81c8911567eab8209aaca2924493";><code>eca3706</code></a> feat: add <code>litestar</code> classifier (<a href="https://redirect.github.com/pypa/trove-classifiers/issues/148";>#148</a>)</li> <li>See full diff in <a href="https://github.com/pypa/trove-classifiers/compare/2026.1.14.14...2026.5.7.17";>compare view</a></li> </ul> </details> <br /> Updates `virtualenv` from 21.2.0 to 21.3.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pypa/virtualenv/releases";>virtualenv's releases</a>.</em></p> <blockquote> <h2>21.3.1</h2> <!-- raw HTML omitted --> <h2>What's Changed</h2> <ul> <li>👷 ci: retry transient apt failures on Linux by <a href="https://github.com/gaborbernat";><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/pypa/virtualenv/pull/3139";>pypa/virtualenv#3139</a></li> <li>🐛 fix(seed): bump embedded pip to 26.1.1 by <a href="https://github.com/gaborbernat";><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/pypa/virtualenv/pull/3138";>pypa/virtualenv#3138</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/pypa/virtualenv/compare/21.3.0...21.3.1";>https://github.com/pypa/virtualenv/compare/21.3.0...21.3.1</a></p> <h2>21.3.0</h2> <!-- raw HTML omitted --> <h2>What's Changed</h2> <ul> <li>🐛 fix(type): stop ty flagging default_source on Action by <a href="https://github.com/gaborbernat";><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/pypa/virtualenv/pull/3124";>pypa/virtualenv#3124</a></li> <li>feat: Reintroduce xonsh shell support by <a href="https://github.com/anki-code";><code>@anki-code</code></a> in <a href="https://redirect.github.com/pypa/virtualenv/pull/3125";>pypa/virtualenv#3125</a></li> <li>🐛 fix(test): prevent PowerShell activation test from crashing xdist workers on Windows by <a href="https://github.com/gaborbernat";><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/pypa/virtualenv/pull/3128";>pypa/virtualenv#3128</a></li> <li>docs: Add usage instruction for Xonsh activation by <a href="https://github.com/anki-code";><code>@anki-code</code></a> in <a href="https://redirect.github.com/pypa/virtualenv/pull/3130";>pypa/virtualenv#3130</a></li> <li>Upgrade embedded pip/setuptools/wheel by <a href="https://github.com/github-actions";><code>@github-actions</code></a>[bot] in <a href="https://redirect.github.com/pypa/virtualenv/pull/3132";>pypa/virtualenv#3132</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/anki-code";><code>@anki-code</code></a> made their first contribution in <a href="https://redirect.github.com/pypa/virtualenv/pull/3125";>pypa/virtualenv#3125</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/pypa/virtualenv/compare/21.2.4...21.3.0";>https://github.com/pypa/virtualenv/compare/21.2.4...21.3.0</a></p> <h2>21.2.4</h2> <!-- raw HTML omitted --> <h2>What's Changed</h2> <ul> <li>🐛 fix(periodic-update): refuse unverified HTTPS to PyPI by default by <a href="https://github.com/gaborbernat";><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/pypa/virtualenv/pull/3122";>pypa/virtualenv#3122</a></li> <li>🐛 fix(zipapp): enforce ROOT containment with Path.relative_to by <a href="https://github.com/gaborbernat";><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/pypa/virtualenv/pull/3121";>pypa/virtualenv#3121</a></li> <li>🐛 fix(seed): validate distribution and version before pip download by <a href="https://github.com/gaborbernat";><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/pypa/virtualenv/pull/3120";>pypa/virtualenv#3120</a></li> <li>🐛 fix(seed): verify sha256 of bundled wheels on load by <a href="https://github.com/gaborbernat";><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/pypa/virtualenv/pull/3119";>pypa/virtualenv#3119</a></li> <li>🐛 fix(seed): validate wheel zip entries before extraction by <a href="https://github.com/gaborbernat";><code>@gaborbernat</code></a> in <a href="https://redirect.github.com/pypa/virtualenv/pull/3118";>pypa/virtualenv#3118</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/pypa/virtualenv/compare/21.2.3...21.2.4";>https://github.com/pypa/virtualenv/compare/21.2.3...21.2.4</a></p> <h2>21.2.3</h2> <!-- raw HTML omitted --> <p><strong>Full Changelog</strong>: <a href="https://github.com/pypa/virtualenv/compare/21.2.2...21.2.3";>https://github.com/pypa/virtualenv/compare/21.2.2...21.2.3</a></p> <h2>21.2.2</h2> <!-- raw HTML omitted --> <h2>What's Changed</h2> <ul> <li>bump python-discovery minimum to 1.2.2 by <a href="https://github.com/rahuldevikar";><code>@rahuldevikar</code></a> in <a href="https://redirect.github.com/pypa/virtualenv/pull/3117";>pypa/virtualenv#3117</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst";>virtualenv's changelog</a>.</em></p> <blockquote> <h1>Bugfixes - 21.3.1</h1> <ul> <li> <p>Upgrade embedded wheels:</p> <ul> <li>pip to <code>26.1.1</code> from <code>26.1</code> (:issue:<code>3138</code>)</li> </ul> </li> </ul> <hr /> <p>v21.3.0 (2026-04-27)</p> <hr /> <h1>Features - 21.3.0</h1> <ul> <li>Re-introduce <code>xonsh</code> shell activator (<code>activate.xsh</code>) previously removed in 20.7.0, and make the plugin loader prefer virtualenv's built-in entry points so a third-party package cannot override them by registering a duplicate name. (:issue:<code>3003</code>)</li> </ul> <h1>Bugfixes - 21.3.0</h1> <ul> <li> <p>Upgrade embedded wheels:</p> <ul> <li>pip to <code>26.1</code> (:issue:<code>3132</code>)</li> </ul> </li> </ul> <hr /> <p>v21.2.4 (2026-04-14)</p> <hr /> <h1>Bugfixes - 21.2.4</h1> <ul> <li>Security hardening: validate each entry of a seed wheel archive before extracting it so a tampered wheel cannot escape the app-data image directory via an absolute path or <code>..</code> traversal. (:issue:<code>3118</code>)</li> <li>Security hardening: verify the SHA-256 of every bundled seed wheel when it is loaded so a corrupted or tampered file on disk fails loud instead of being handed to pip. The hash table is generated alongside <code>BUNDLE_SUPPORT</code> by <code>tasks/upgrade_wheels.py</code>. (:issue:<code>3119</code>)</li> <li>Security hardening: validate the distribution name and version specifier passed to <code>pip download</code> when acquiring a seed wheel so extras, pip flags, or shell metacharacters cannot be smuggled into the subprocess command line. (:issue:<code>3120</code>)</li> <li>Security hardening: replace the string-prefix containment check in <code>virtualenv.util.zipapp</code> with <code>Path.relative_to</code> so the zipapp extraction helpers refuse any path that does not resolve under the archive root. (:issue:<code>3121</code>)</li> <li>Security hardening: do not silently fall back to an unverified HTTPS context when the periodic update request to PyPI fails TLS verification. The returned metadata drives which wheel version virtualenv considers "up to date", so accepting an unverified response lets a network-level attacker suppress security updates. Set <code>VIRTUALENV_PERIODIC_UPDATE_INSECURE=1</code> to restore the previous behavior on hosts with broken trust stores. (:issue:<code>3122</code>)</li> </ul> <hr /> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/virtualenv/commit/12ab4957289c1963849bf04a5f35982c928c0a35";><code>12ab495</code></a> release 21.3.1</li> <li><a href="https://github.com/pypa/virtualenv/commit/22eadc4d2738af7e96d744369a7f40df34935c94";><code>22eadc4</code></a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/pypa/virtualenv/issues/3137";>#3137</a>)</li> <li><a href="https://github.com/pypa/virtualenv/commit/6651dafd919c745adca1e29e31e1d96a1c9e9e52";><code>6651daf</code></a> 🐛 fix(seed): bump embedded pip to 26.1.1 (<a href="https://redirect.github.com/pypa/virtualenv/issues/3138";>#3138</a>)</li> <li><a href="https://github.com/pypa/virtualenv/commit/936a36ae63eb8c68123cf9e23824f68aa9ac51b1";><code>936a36a</code></a> 👷 ci: retry transient apt failures on Linux (<a href="https://redirect.github.com/pypa/virtualenv/issues/3139";>#3139</a>)</li> <li><a href="https://github.com/pypa/virtualenv/commit/cb5a7d1820871cf26e370c6a954e48326ddd6c57";><code>cb5a7d1</code></a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/pypa/virtualenv/issues/3133";>#3133</a>)</li> <li><a href="https://github.com/pypa/virtualenv/commit/e917cc244e659160607c890de2cbad3a7bc2a28c";><code>e917cc2</code></a> release 21.3.0</li> <li><a href="https://github.com/pypa/virtualenv/commit/21152f1b88c49cdefda2743cddc2cf36d50e2e57";><code>21152f1</code></a> Upgrade embedded pip/setuptools/wheel (<a href="https://redirect.github.com/pypa/virtualenv/issues/3132";>#3132</a>)</li> <li><a href="https://github.com/pypa/virtualenv/commit/096bdcd72d7a6c92dcb9dee97fd429fe3e0231a5";><code>096bdcd</code></a> chore(deps): bump astral-sh/setup-uv from 8.0.0 to 8.1.0 (<a href="https://redirect.github.com/pypa/virtualenv/issues/3131";>#3131</a>)</li> <li><a href="https://github.com/pypa/virtualenv/commit/01610dc7a8ef08158c815f43dc22ceadb98b85c0";><code>01610dc</code></a> docs: Add usage instruction for Xonsh activation (<a href="https://redirect.github.com/pypa/virtualenv/issues/3130";>#3130</a>)</li> <li><a href="https://github.com/pypa/virtualenv/commit/fb6ec7c461db2b0ccfabe7ec6255368e86cfaed3";><code>fb6ec7c</code></a> 🐛 fix(test): prevent PowerShell activation test from crashing xdist workers o...</li> <li>Additional commits viewable in <a href="https://github.com/pypa/virtualenv/compare/21.2.0...21.3.1";>compare view</a></li> </ul> </details> <br /> Updates `pytest` to 9.0.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pytest-dev/pytest/releases";>pytest's releases</a>.</em></p> <blockquote> <h2>9.0.3</h2> <h1>pytest 9.0.3 (2026-04-07)</h1> <h2>Bug fixes</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/12444";>#12444</a>: Fixed <code>pytest.approx</code> which now correctly takes into account <code>~collections.abc.Mapping</code> keys order to compare them.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13634";>#13634</a>: Blocking a <code>conftest.py</code> file using the <code>-p no:</code> option is now explicitly disallowed.</p> <p>Previously this resulted in an internal assertion failure during plugin loading.</p> <p>Pytest now raises a clear <code>UsageError</code> explaining that conftest files are not plugins and cannot be disabled via <code>-p</code>.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13734";>#13734</a>: Fixed crash when a test raises an exceptiongroup with <code>__tracebackhide__ = True</code>.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14195";>#14195</a>: Fixed an issue where non-string messages passed to <!-- raw HTML omitted -->unittest.TestCase.subTest()<!-- raw HTML omitted --> were not printed.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14343";>#14343</a>: Fixed use of insecure temporary directory (CVE-2025-71176).</p> </li> </ul> <h2>Improved documentation</h2> <ul> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/13388";>#13388</a>: Clarified documentation for <code>-p</code> vs <code>PYTEST_PLUGINS</code> plugin loading and fixed an incorrect <code>-p</code> example.</li> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/13731";>#13731</a>: Clarified that capture fixtures (e.g. <code>capsys</code> and <code>capfd</code>) take precedence over the <code>-s</code> / <code>--capture=no</code> command-line options in <code>Accessing captured output from a test function <accessing-captured-output></code>.</li> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/14088";>#14088</a>: Clarified that the default <code>pytest_collection</code> hook sets <code>session.items</code> before it calls <code>pytest_collection_finish</code>, not after.</li> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/14255";>#14255</a>: TOML integer log levels must be quoted: Updating reference documentation.</li> </ul> <h2>Contributor-facing changes</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/12689";>#12689</a>: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible <a href="https://app.codecov.io/gh/pytest-dev/pytest/tests";>on the web interface</a>.</p> <p>-- by <code>aleguy02</code></p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pytest-dev/pytest/commit/a7d58d7a21b78581e636bbbdea13c66ad1657c1e";><code>a7d58d7</code></a> Prepare release version 9.0.3</li> <li><a href="https://github.com/pytest-dev/pytest/commit/089d98199c253d8f89a040243bc4f2aa6cd5ab22";><code>089d981</code></a> Merge pull request <a href="https://redirect.github.com/pytest-dev/pytest/issues/14366";>#14366</a> from bluetech/revert-14193-backport</li> <li><a href="https://github.com/pytest-dev/pytest/commit/8127eaf4ab7f6b2fdd0dc1b38343ec97aeef05ac";><code>8127eaf</code></a> Revert "Fix: assertrepr_compare respects dict insertion order (<a href="https://redirect.github.com/pytest-dev/pytest/issues/14050";>#14050</a>) (<a href="https://redirect.github.com/pytest-dev/pytest/issues/14193";>#14193</a>)"</li> <li><a href="https://github.com/pytest-dev/pytest/commit/99a7e6029e7a6e8d53e5df114b1346e035370241";><code>99a7e60</code></a> Merge pull request <a href="https://redirect.github.com/pytest-dev/pytest/issues/14363";>#14363</a> from pytest-dev/patchback/backports/9.0.x/95d8423bd...</li> <li><a href="https://github.com/pytest-dev/pytest/commit/ddee02a578da30dd43aedc39c1c1f1aaadfcee95";><code>ddee02a</code></a> Merge pull request <a href="https://redirect.github.com/pytest-dev/pytest/issues/14343";>#14343</a> from bluetech/cve-2025-71176-simple</li> <li><a href="https://github.com/pytest-dev/pytest/commit/74eac6916fee34726cb194f16c516e96fbd29619";><code>74eac69</code></a> doc: Update training info (<a href="https://redirect.github.com/pytest-dev/pytest/issues/14298";>#14298</a>) (<a href="https://redirect.github.com/pytest-dev/pytest/issues/14301";>#14301</a>)</li> <li><a href="https://github.com/pytest-dev/pytest/commit/f92dee777cfdb77d1c43633d02766ddf1f07c869";><code>f92dee7</code></a> Merge pull request <a href="https://redirect.github.com/pytest-dev/pytest/issues/14267";>#14267</a> from pytest-dev/patchback/backports/9.0.x/d6fa26c62...</li> <li><a href="https://github.com/pytest-dev/pytest/commit/7ee58acc8777c31ac6cf388d01addf5a414a7439";><code>7ee58ac</code></a> Merge pull request <a href="https://redirect.github.com/pytest-dev/pytest/issues/12378";>#12378</a> from Pierre-Sassoulas/fix-implicit-str-concat-and-d...</li> <li><a href="https://github.com/pytest-dev/pytest/commit/37da870d37e3a2f5177cae075c7b9ae279432bf8";><code>37da870</code></a> Merge pull request <a href="https://redirect.github.com/pytest-dev/pytest/issues/14259";>#14259</a> from mitre88/patch-4 (<a href="https://redirect.github.com/pytest-dev/pytest/issues/14268";>#14268</a>)</li> <li><a href="https://github.com/pytest-dev/pytest/commit/c34bfa3b7acb65b594707c714f1d8461b0304eed";><code>c34bfa3</code></a> Add explanation for string context diffs (<a href="https://redirect.github.com/pytest-dev/pytest/issues/14257";>#14257</a>) (<a href="https://redirect.github.com/pytest-dev/pytest/issues/14266";>#14266</a>)</li> <li>Additional commits viewable in <a href="https://github.com/pytest-dev/pytest/compare/8.2.0...9.0.3";>compare view</a></li> </ul> </details> <br /> Updates `click` to 8.3.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pallets/click/releases";>click's releases</a>.</em></p> <blockquote> <h2>8.3.3</h2> <p>This is the Click 8.3.3 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.</p> <p>PyPI: <a href="https://pypi.org/project/click/8.3.3/";>https://pypi.org/project/click/8.3.3/</a> Changes: <a href="https://click.palletsprojects.com/page/changes/#version-8-3-3";>https://click.palletsprojects.com/page/changes/#version-8-3-3</a> Milestone: <a href="https://github.com/pallets/click/milestone/30";>https://github.com/pallets/click/milestone/30</a></p> <ul> <li>Use :func:<code>shlex.split</code> to split pager and editor commands into <code>argv</code> lists for :class:<code>subprocess.Popen</code>, removing <code>shell=True</code>. <a href="https://redirect.github.com/pallets/click/issues/1026";>#1026</a> <a href="https://redirect.github.com/pallets/click/issues/1477";>#1477</a> <a href="https://redirect.github.com/pallets/click/issues/2775";>#2775</a></li> <li>Fix <code>TypeError</code> when rendering help for an option whose default value is an object that doesn't support equality comparison with strings, such as <code>semver.Version</code>. <a href="https://redirect.github.com/pallets/click/issues/3298";>#3298</a> <a href="https://redirect.github.com/pallets/click/issues/3299";>#3299</a></li> <li>Fix pager test pollution under parallel execution by using pytest's <code>tmp_path</code> fixture instead of a shared temporary file path. <a href="https://redirect.github.com/pallets/click/issues/3238";>#3238</a></li> <li>Treat <code>Sentinel.UNSET</code> values in a <code>default_map</code> as absent, so they fall through to the next default source instead of being used as the value. <a href="https://redirect.github.com/pallets/click/issues/3224";>#3224</a> <a href="https://redirect.github.com/pallets/click/issues/3240";>#3240</a></li> <li>Patch <code>pdb.Pdb</code> in <code>CliRunner</code> isolation so <code>pdb.set_trace()</code>, <code>breakpoint()</code>, and debuggers subclassing <code>pdb.Pdb</code> (ipdb, pdbpp) can interact with the real terminal instead of the captured I/O streams. <a href="https://redirect.github.com/pallets/click/issues/654";>#654</a> <a href="https://redirect.github.com/pallets/click/issues/824";>#824</a> <a href="https://redirect.github.com/pallets/click/issues/843";>#843</a> <a href="https://redirect.github.com/pallets/click/issues/951";>#951</a> <a href="https://redirect.github.com/pallets/click/issues/3235";>#3235</a></li> <li>Add optional randomized parallel test execution using <code>pytest-randomly</code> and <code>pytest-xdist</code> to detect test pollution and race conditions. <a href="https://redirect.github.com/pallets/click/issues/3151";>#3151</a></li> <li>Add contributor documentation for running stress tests, randomized parallel tests, and Flask smoke tests. <a href="https://redirect.github.com/pallets/click/issues/3151";>#3151</a> <a href="https://redirect.github.com/pallets/click/issues/3177";>#3177</a></li> <li>Show custom <code>show_default</code> string in prompts, matching the existing help text behavior. <a href="https://redirect.github.com/pallets/click/issues/2836";>#2836</a> <a href="https://redirect.github.com/pallets/click/issues/2837";>#2837</a> <a href="https://redirect.github.com/pallets/click/issues/3165";>#3165</a> <a href="https://redirect.github.com/pallets/click/issues/3262";>#3262</a> <a href="https://redirect.github.com/pallets/click/issues/3280";>#3280</a> <a href="https://redirect.github.com/pallets/click/issues/3328";>#3328</a></li> <li>Fix <code>default=True</code> with boolean <code>flag_value</code> always returning the <code>flag_value</code> instead of <code>True</code>. The <code>default=True</code> to <code>flag_value</code> substitution now only applies to non-boolean flags, where <code>True</code> acts as a sentinel meaning "activate this flag by default". For boolean flags, <code>default=True</code> is returned as a literal value. <a href="https://redirect.github.com/pallets/click/issues/3111";>#3111</a> <a href="https://redirect.github.com/pallets/click/issues/3239";>#3239</a></li> <li>Mark <code>make_default_short_help</code> as private API. <a href="https://redirect.github.com/pallets/click/issues/3189";>#3189</a> <a href="https://redirect.github.com/pallets/click/issues/3250";>#3250</a></li> <li><code>CliRunner</code>'s redirected streams now expose the original file descriptor via <code>fileno()</code>, so that <code>faulthandler</code>, <code>subprocess</code>, and other C-level consumers no longer crash with <code>io.UnsupportedOperation</code>. <a href="https://redirect.github.com/pallets/click/issues/2865";>#2865</a></li> <li>Change :class:<code>ParameterSource</code> to an :class:<code>~enum.IntEnum</code> and reorder its members from most to least explicit, so values can be compared to check whether a parameter was explicitly provided. <a href="https://redirect.github.com/pallets/click/issues/2879";>#2879</a> <a href="https://redirect.github.com/pallets/click/issues/3248";>#3248</a></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pallets/click/blob/main/CHANGES.rst";>click's changelog</a>.</em></p> <blockquote> <h2>Version 8.3.3</h2> <p>Released 2026-04-20</p> <ul> <li>Use :func:<code>shlex.split</code> to split pager and editor commands into <code>argv</code> lists for :class:<code>subprocess.Popen</code>, removing <code>shell=True</code>. :issue:<code>1026</code> :pr:<code>1477</code> :pr:<code>2775</code></li> <li>Fix <code>TypeError</code> when rendering help for an option whose default value is an object that doesn't support equality comparison with strings, such as <code>semver.Version</code>. :issue:<code>3298</code> :pr:<code>3299</code></li> <li>Fix pager test pollution under parallel execution by using pytest's <code>tmp_path</code> fixture instead of a shared temporary file path. :pr:<code>3238</code></li> <li>Treat <code>Sentinel.UNSET</code> values in a <code>default_map</code> as absent, so they fall through to the next default source instead of being used as the value. :issue:<code>3224</code> :pr:<code>3240</code></li> <li>Patch <code>pdb.Pdb</code> in <code>CliRunner</code> isolation so <code>pdb.set_trace()</code>, <code>breakpoint()</code>, and debuggers subclassing <code>pdb.Pdb</code> (ipdb, pdbpp) can interact with the real terminal instead of the captured I/O streams. :issue:<code>654</code> :issue:<code>824</code> :issue:<code>843</code> :pr:<code>951</code> :pr:<code>3235</code></li> <li>Add optional randomized parallel test execution using <code>pytest-randomly</code> and <code>pytest-xdist</code> to detect test pollution and race conditions. :pr:<code>3151</code></li> <li>Add contributor documentation for running stress tests, randomized parallel tests, and Flask smoke tests. :pr:<code>3151</code> :pr:<code>3177</code></li> <li>Show custom <code>show_default</code> string in prompts, matching the existing help text behavior. :issue:<code>2836</code> :pr:<code>2837</code> :pr:<code>3165</code> :pr:<code>3262</code> :pr:<code>3280</code> :pr:<code>3328</code></li> <li>Fix <code>default=True</code> with boolean <code>flag_value</code> always returning the <code>flag_value</code> instead of <code>True</code>. The <code>default=True</code> to <code>flag_value</code> substitution now only applies to non-boolean flags, where <code>True</code> acts as a sentinel meaning "activate this flag by default". For boolean flags, <code>default=True</code> is returned as a literal value. :issue:<code>3111</code> :pr:<code>3239</code></li> <li>Mark <code>make_default_short_help</code> as private API. :issue:<code>3189</code> :pr:<code>3250</code></li> <li><code>CliRunner</code>'s redirected streams now expose the original file descriptor via <code>fileno()</code>, so that <code>faulthandler</code>, <code>subprocess</code>, and other C-level consumers no longer crash with <code>io.UnsupportedOperation</code>. :issue:<code>2865</code></li> <li>Change :class:<code>ParameterSource</code> to an :class:<code>~enum.IntEnum</code> and reorder its members from most to least explicit, so values can be compared to check whether a parameter was explicitly provided. :issue:<code>2879</code> :pr:<code>3248</code></li> </ul> <h2>Version 8.3.2</h2> <p>Released 2026-04-02</p> <ul> <li>Fix handling of <code>flag_value</code> when <code>is_flag=False</code> to allow such options to be used without an explicit value. :issue:<code>3084</code> :pr:<code>3152</code></li> <li>Hide <code>Sentinel.UNSET</code> values as <code>None</code> when using <code>lookup_default()</code>. :issue:<code>3136</code> :pr:<code>3199</code> :pr:<code>3202</code> :pr:<code>3209</code> :pr:<code>3212</code> :pr:<code>3224</code></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pallets/click/commit/c06d2d0a6aee6bcc50bd8257be2a4a592f4e75d0";><code>c06d2d0</code></a> Release 8.3.3</li> <li><a href="https://github.com/pallets/click/commit/f1f191ecd2c790b161187c78e7c88440e9524e5c";><code>f1f191e</code></a> Apply format guidelines to commits since latest 8.3.2 release (<a href="https://redirect.github.com/pallets/click/issues/3343";>#3343</a>)</li> <li><a href="https://github.com/pallets/click/commit/bb59ba0fd279ca085d1113f0499b6a602ca31081";><code>bb59ba0</code></a> Apply format guidelines to commits since latest 8.3.2 release</li> <li><a href="https://github.com/pallets/click/commit/4a352253c9ff013e36d11e4a6820d36d00ff2cd4";><code>4a35225</code></a> Reduce blast-radius of <code>UNSET</code> in <code>default_map</code> (<a href="https://redirect.github.com/pallets/click/issues/3240";>#3240</a>)</li> <li><a href="https://github.com/pallets/click/commit/c07bb936de43fd303f9cfbefe248ab23fd2199c8";><code>c07bb93</code></a> Merge branch 'stable' into unset-in-default-map</li> <li><a href="https://github.com/pallets/click/commit/c7e1ba8448cbcb2cdd9c1c7f4a592e863dcc3995";><code>c7e1ba8</code></a> Reorder <code>ParameterSource</code> (<a href="https://redirect.github.com/pallets/click/issues/3248";>#3248</a>)</li> <li><a href="https://github.com/pallets/click/commit/76552ff1e8c85837f911fc34037e702ae4327eda";><code>76552ff</code></a> Show default string in prompt (<a href="https://redirect.github.com/pallets/click/issues/3328";>#3328</a>)</li> <li><a href="https://github.com/pallets/click/commit/ac5cec5fe54e5a691e7bac17f441ce9498e0744c";><code>ac5cec5</code></a> Reorder ParameterSource from most to least explicit</li> <li><a href="https://github.com/pallets/click/commit/8c452e00e6772931b7071d9316b82b77e5b8f280";><code>8c452e0</code></a> Merge branch 'stable' into show-default-string-in-prompt</li> <li><a href="https://github.com/pallets/click/commit/8c95c73bd5ef89eac638f85f1904a104ba4b1a32";><code>8c95c73</code></a> Reconcile default value passing and default activation (<a href="https://redirect.github.com/pallets/click/issues/3239";>#3239</a>)</li> <li>Additional commits viewable in <a href="https://github.com/pallets/click/compare/8.0.0...8.3.3";>compare view</a></li> </ul> </details> <br /> Updates `jinja2` to 3.1.6 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pallets/jinja/releases";>jinja2's releases</a>.</em></p> <blockquote> <h2>3.1.6</h2> <p>This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.</p> <p>PyPI: <a href="https://pypi.org/project/Jinja2/3.1.6/";>https://pypi.org/project/Jinja2/3.1.6/</a> Changes: <a href="https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6";>https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6</a></p> <ul> <li>The <code>|attr</code> filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. <a href="https://github.com/pallets/jinja/security/advisories/GHSA-cpwx-vrp4-4pq7";>https://github.com/pallets/jinja/security/advisories/GHSA-cpwx-vrp4-4pq7</a></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pallets/jinja/blob/main/CHANGES.rst";>jinja2's changelog</a>.</em></p> <blockquote> <h2>Version 3.1.6</h2> <p>Released 2025-03-05</p> <ul> <li>The <code>|attr</code> filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:<code>cpwx-vrp4-4pq7</code></li> </ul> <h2>Version 3.1.5</h2> <p>Released 2024-12-21</p> <ul> <li>The sandboxed environment handles indirect calls to <code>str.format</code>, such as by passing a stored reference to a filter that calls its argument. :ghsa:<code>q2x7-8rv6-6q7h</code></li> <li>Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. :issue:<code>1792</code>, :ghsa:<code>gmj6-6f8f-6699</code></li> <li>Sandbox does not allow <code>clear</code> and <code>pop</code> on known mutable sequence types. :issue:<code>2032</code></li> <li>Calling sync <code>render</code> for an async template uses <code>asyncio.run</code>. :pr:<code>1952</code></li> <li>Avoid unclosed <code>auto_aiter</code> warnings. :pr:<code>1960</code></li> <li>Return an <code>aclose</code>-able <code>AsyncGenerator</code> from <code>Template.generate_async</code>. :pr:<code>1960</code></li> <li>Avoid leaving <code>root_render_func()</code> unclosed in <code>Template.generate_async</code>. :pr:<code>1960</code></li> <li>Avoid leaving async generators unclosed in blocks, includes and extends. :pr:<code>1960</code></li> <li>The runtime uses the correct <code>concat</code> function for the current environment when calling block references. :issue:<code>1701</code></li> <li>Make <code>|unique</code> async-aware, allowing it to be used after another async-aware filter. :issue:<code>1781</code></li> <li><code>|int</code> filter handles <code>OverflowError</code> from scientific notation. :issue:<code>1921</code></li> <li>Make compiling deterministic for tuple unpacking in a <code>{% set ... %}</code> call. :issue:<code>2021</code></li> <li>Fix dunder protocol (<code>copy</code>/<code>pickle</code>/etc) interaction with <code>Undefined</code> objects. :issue:<code>2025</code></li> <li>Fix <code>copy</code>/<code>pickle</code> support for the internal <code>missing</code> object. :issue:<code>2027</code></li> <li><code>Environment.overlay(enable_async)</code> is applied correctly. :pr:<code>2061</code></li> <li>The error message from <code>FileSystemLoader</code> includes the paths that were searched. :issue:<code>1661</code></li> <li><code>PackageLoader</code> shows a clearer error message when the package does not contain the templates directory. :issue:<code>1705</code></li> <li>Improve annotations for methods returning copies. :pr:<code>1880</code></li> <li><code>urlize</code> does not add <code>mailto:</code> to values like <code>@a@b</code>. :pr:<code>1870</code></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pallets/jinja/commit/15206881c006c79667fe5154fe80c01c65410679";><code>1520688</code></a> release version 3.1.6</li> <li><a href="https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403";><code>90457bb</code></a> Merge commit from fork</li> <li><a href="https://github.com/pallets/jinja/commit/065334d1ee5b7210e1a0a93c37238c86858f2af7";><code>065334d</code></a> attr filter uses env.getattr</li> <li><a href="https://github.com/pallets/jinja/commit/033c20015c7ca899ab52eb921bb0f08e6d3dd145";><code>033c200</code></a> start version 3.1.6</li> <li><a href="https://github.com/pallets/jinja/commit/bc68d4efa99c5f77334f0e519628558059ae8c35";><code>bc68d4e</code></a> use global contributing guide (<a href="https://redirect.github.com/pallets/jinja/issues/2070";>#2070</a>)</li> <li><a href="https://github.com/pallets/jinja/commit/247de5e0c5062a792eb378e50e13e692885ee486";><code>247de5e</code></a> use global contributing guide</li> <li><a href="https://github.com/pallets/jinja/commit/ab8218c7a1b66b62e0ad6b941bd514e3a64a358f";><code>ab8218c</code></a> use project advisory link instead of global</li> <li><a href="https://github.com/pallets/jinja/commit/b4ffc8ff299dfd360064bea4cd2f862364601ad2";><code>b4ffc8f</code></a> release version 3.1.5 (<a href="https://redirect.github.com/pallets/jinja/issues/2066";>#2066</a>)</li> <li><a href="https://github.com/pallets/jinja/commit/877f6e51be8e1765b06d911cfaa9033775f051d1";><code>877f6e5</code></a> release version 3.1.5</li> <li><a href="https://github.com/pallets/jinja/commit/8d588592653b052f957b720e1fc93196e06f207f";><code>8d58859</code></a> remove test pypi</li> <li>Additional commits viewable in <a href="https://github.com/pallets/jinja/compare/2.11.3...3.1.6";>compare view</a></li> </ul> </details> <br /> Updates `requests` to 2.33.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/psf/requests/releases";>requests's releases</a>.</em></p> <blockquote> <h2>v2.33.1</h2> <h2>2.33.1 (2026-03-30)</h2> <p><strong>Bugfixes</strong></p> <ul> <li>Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (<a href="https://redirect.github.com/psf/requests/issues/7305";>#7305</a>)</li> <li>Fixed Content-Type header parsing for malformed values. (<a href="https://redirect.github.com/psf/requests/issues/7309";>#7309</a>)</li> <li>Improved error consistency for malformed header values. (<a href="https://redirect.github.com/psf/requests/issues/7308";>#7308</a>)</li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/ferdnyc";><code>@ferdnyc</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7277";>psf/requests#7277</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30";>https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md";>requests's changelog</a>.</em></p> <blockquote> <h2>2.33.1 (2026-03-30)</h2> <p><strong>Bugfixes</strong></p> <ul> <li>Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (<a href="https://redirect.github.com/psf/requests/issues/7305";>#7305</a>)</li> <li>Fixed Content-Type header parsing for malformed values. (<a href="https://redirect.github.com/psf/requests/issues/7309";>#7309</a>)</li> <li>Improved error consistency for malformed header values. (<a href="https://redirect.github.com/psf/requests/issues/7308";>#7308</a>)</li> </ul> <h2>2.33.0 (2026-03-25)</h2> <p><strong>Announcements</strong></p> <ul> <li>📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at <a href="https://redirect.github.com/psf/requests/issues/7271";>#7271</a>. Give it a try, and report any gaps or feedback you may have in the issue. 📣</li> </ul> <p><strong>Security</strong></p> <ul> <li>CVE-2026-25645 <code>requests.utils.extract_zipped_paths</code> now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.</li> </ul> <p><strong>Improvements</strong></p> <ul> <li>Migrated to a PEP 517 build system using setuptools. (<a href="https://redirect.github.com/psf/requests/issues/7012";>#7012</a>)</li> </ul> <p><strong>Bugfixes</strong></p> <ul> <li>Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (<a href="https://redirect.github.com/psf/requests/issues/7205";>#7205</a>)</li> </ul> <p><strong>Deprecations</strong></p> <ul> <li>Dropped support for Python 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/7196";>#7196</a>)</li> </ul> <p><strong>Documentation</strong></p> <ul> <li>Various typo fixes and doc improvements.</li> </ul> <h2>2.32.5 (2025-08-18)</h2> <p><strong>Bugfixes</strong></p> <ul> <li>The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.</li> </ul> <p><strong>Deprecations</strong></p> <ul> <li>Added support for Python 3.14.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/psf/requests/commit/111d2b77790bf49943c0dfa09b365371c24aec7e";><code>111d2b7</code></a> v2.33.1</li> <li><a href="https://github.com/psf/requests/commit/f0198e6dfc431a2293dc16e1b1e8fcddc910a7f3";><code>f0198e6</code></a> Fix malformed value parsing for Content-Type (<a href="https://redirect.github.com/psf/requests/issues/7309";>#7309</a>)</li> <li><a href="https://github.com/psf/requests/commit/bc7dd0fc4d56e808bcdd85ac2d797b3107c89259";><code>bc7dd0f</code></a> Fix cosmetic header validity parsing regex (<a href="https://redirect.github.com/psf/requests/issues/7308";>#7308</a>)</li> <li><a href="https://github.com/psf/requests/commit/4443b1a847b190010c2972a658924b98b5db6360";><code>4443b1a</code></a> Fix unintended test extra (<a href="https://redirect.github.com/psf/requests/issues/7306";>#7306</a>)</li> <li><a href="https://github.com/psf/requests/commit/389eea58dfb2f2ee096421a812e3af29c0298951";><code>389eea5</code></a> Cleanup extracted file after extract_zipped_path test (<a href="https://redirect.github.com/psf/requests/issues/7305";>#7305</a>)</li> <li><a href="https://github.com/psf/requests/commit/7407309c8a8a73aa2f4337184025d440bbedab7a";><code>7407309</code></a> Packaging: DRY out extras definition (<a href="https://redirect.github.com/psf/requests/issues/7277";>#7277</a>)</li> <li><a href="https://github.com/psf/requests/commit/bc04dfd6dad4cb02cd92f5daa81eb562d280a761";><code>bc04dfd</code></a> v2.33.0</li> <li><a href="https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7";><code>66d21cb</code></a> Merge commit from fork</li> <li><a href="https://github.com/psf/requests/commit/8b9bc8fc0f63be84602387913c4b689f19efd028";><code>8b9bc8f</code></a> Move badges to top of README (<a href="https://redirect.github.com/psf/requests/issues/7... _Description has been truncated_ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
