chore(deps): bump the pip group across 1 directory with 10 updates

[dependabot]

Bumps the pip group with 10 updates in the /test/sample-test directory:

Package	From	To
certifi	2021.5.30	2024.7.4
idna	3.2	3.7
jupyter-core	4.7.1	4.11.2
oauthlib	3.1.1	3.2.2
protobuf	3.17.3	3.18.3
requests	2.26.0	2.32.2
tornado	6.1	6.4.1
urllib3	1.26.6	1.26.19
black	21.7b0	24.3.0
tqdm	4.62.2	4.66.3

Updates certifi from 2021.5.30 to 2024.7.4

Commits

• bd81538 2024.07.04 (#295)
• 06a2cbf Bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (#294)
• 13bba02 Bump actions/checkout from 4.1.6 to 4.1.7 (#293)
• e8abcd0 Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 (#292)
• 124f4ad 2024.06.02 (#291)
• c2196ce --- (#290)
• fefdeec Bump actions/checkout from 4.1.4 to 4.1.5 (#289)
• 3c5fb15 Bump actions/download-artifact from 4.1.6 to 4.1.7 (#286)
• 4a9569a Bump actions/checkout from 4.1.2 to 4.1.4 (#287)
• 1fc8086 Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (#288)
• Additional commits viewable in compare view

Updates idna from 3.2 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

3.6 (2023-11-25) ++++++++++++++++

• Fix regression to include tests in source distribution.

3.5 (2023-11-24) ++++++++++++++++

• Update to Unicode 15.1.0
• String codec name is now "idna2008" as overriding the system codec "idna" was not working.
• Fix typing error for codec encoding
• "setup.cfg" has been added for this release due to some downstream lack of adherence to PEP 517. Should be removed in a future release so please prepare accordingly.
• Removed reliance on a symlink for the "idna-data" tool to comport with PEP 517 and the Python Packaging User Guide for sdist archives.
• Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions to this release.

3.4 (2022-09-14) ++++++++++++++++

• Update to Unicode 15.0.0
• Migrate to pyproject.toml for build information (PEP 621)
• Correct another instance where generic exception was raised instead of IDNAError for malformed input
• Source distribution uses zeroized file ownership for improved reproducibility

Thanks to Seth Michael Larson for contributions to this release.

3.3 (2021-10-13) ++++++++++++++++

• Update to Unicode 14.0.0
• Update to in-line type annotations
• Throw IDNAError exception correctly for some malformed input
• Advertise support for Python 3.10
• Improve testing regime on Github

... (truncated)

Commits

• 1d365e1 Release v3.7
• c1b3154 Merge pull request #172 from kjd/optimize-contextj
• 0394ec7 Merge branch 'master' into optimize-contextj
• cd58a23 Merge pull request #152 from elliotwutingfeng/dev
• 5beb28b More efficient resolution of joiner contexts
• 1b12148 Update ossf/scorecard-action to v2.3.1
• d516b87 Update Github actions/checkout to v4
• c095c75 Merge branch 'master' into dev
• 60a0a4c Fix typo in GitHub Actions workflow key
• 5918a0e Merge branch 'master' into dev
• Additional commits viewable in compare view

Updates jupyter-core from 4.7.1 to 4.11.2

Release notes

Sourced from jupyter-core's releases.

4.11.1

What's Changed

• Fix inclusion of jupyter file and check in CI by @​blink1073 in jupyter/jupyter_core#276

Full Changelog: jupyter/jupyter_core@4.11.0...4.11.1

4.11.0

What's Changed

• Use hatch backend by @​blink1073 in jupyter/jupyter_core#265
• is_hidden: Use normalized paths by @​martinRenou in jupyter/jupyter_core#271

New Contributors

• @​martinRenou made their first contribution in jupyter/jupyter_core#271

Full Changelog: jupyter/jupyter_core@4.10.0...4.11.0

4.10.0

What's Changed

• Update changelog for 4.9.2 by @​blink1073 in jupyter/jupyter_core#252
• Include all files from jupyter_core by @​jonringer in jupyter/jupyter_core#253
• Add project URLs to setup.cfg by @​tlinhart in jupyter/jupyter_core#254
• Set up pre-commit by @​blink1073 in jupyter/jupyter_core#255
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jupyter/jupyter_core#257
• Add flake8 and mypy settings by @​blink1073 in jupyter/jupyter_core#256
• Clean up CI by @​blink1073 in jupyter/jupyter_core#258
• Update changelog for 4.10 Release by @​blink1073 in jupyter/jupyter_core#259

New Contributors

• @​jonringer made their first contribution in jupyter/jupyter_core#253
• @​tlinhart made their first contribution in jupyter/jupyter_core#254
• @​pre-commit-ci made their first contribution in jupyter/jupyter_core#257

Full Changelog: jupyter/jupyter_core@4.9.2...4.10.0

4.9.2

What's Changed

• set proper sys.argv[0] for subcommand by @​bnavigator in jupyter/jupyter_core#248
• Add explicit encoding in open calls by @​dlukes in jupyter/jupyter_core#249
• jupyter_config_dir - reorder home_dir initialization by @​dharmaquark in jupyter/jupyter_core#251

New Contributors

• @​bnavigator made their first contribution in jupyter/jupyter_core#248
• @​dlukes made their first contribution in jupyter/jupyter_core#249
• @​dharmaquark made their first contribution in jupyter/jupyter_core#251

Full Changelog: jupyter/jupyter_core@4.9.1...4.9.2

Changelog

Sourced from jupyter-core's changelog.

Changes in jupyter-core

5.7.2

(Full Changelog)

Maintenance and upkeep improvements

• Update Release Scripts #396 (@​blink1073)
• Enforce pytest 7 #393 (@​blink1073)
• chore: update pre-commit hooks #392 (@​pre-commit-ci)

Contributors to this release

(GitHub contributors page for this release)

@​blink1073 | @​pre-commit-ci

5.7.1

(Full Changelog)

Bugs fixed

• Derive JupyterAsyncApp from JupyterApp #389 (@​blink1073)

Contributors to this release

(GitHub contributors page for this release)

@​blink1073

5.7.0

(Full Changelog)

Enhancements made

• Modernize event loop behavior #387 (@​blink1073)

Maintenance and upkeep improvements

• chore: update pre-commit hooks #388 (@​pre-commit-ci)

Contributors to this release

... (truncated)

Commits

• a8eac8c Release 4.11.2
• 1118c8c Merge pull request from GHSA-m678-f26j-3hrp
• d3f61f3 Release 4.11.1
• e7eeb9e Fix inclusion of jupyter file and check in CI (#276)
• 035bf11 Release 4.11.0
• 45aa28b [pre-commit.ci] pre-commit autoupdate (#273)
• 73401cc [pre-commit.ci] pre-commit autoupdate (#272)
• bc6b771 is_hidden: Use normalized paths (#271)
• be38e52 [pre-commit.ci] pre-commit autoupdate (#270)
• 7b790d8 [pre-commit.ci] pre-commit autoupdate (#269)
• Additional commits viewable in compare view

Updates oauthlib from 3.1.1 to 3.2.2

Release notes

Sourced from oauthlib's releases.

3.2.2

OAuth2.0 Provider:

• CVE-2022-36087

3.2.1

In short

OAuth2.0 Provider:

• #803 : Metadata endpoint support of non-HTTPS

OAuth1.0:

• #818 : Allow IPv6 being parsed by signature

General:

• Improved and fixed documentation warnings.
• Cosmetic changes based on isort

What's Changed

• add missing slots to TokenBase by @​ariebovenberg in oauthlib/oauthlib#804
• Add CORS support for Refresh Token Grant. by @​luhn in oauthlib/oauthlib#806
• GitHub Action to lint Python code by @​cclauss in oauthlib/oauthlib#797
• Docs: fix Sphinx warnings for better ReadTheDocs generation by @​JonathanHuot in oauthlib/oauthlib#807
• Allow non-HTTPS issuer when OAUTHLIB_INSECURE_TRANSPORT. by @​luhn in oauthlib/oauthlib#803
• chore: fix typo in test by @​tamanobi in oauthlib/oauthlib#816
• Fix typo in server.rst by @​NemanjaT in oauthlib/oauthlib#819
• Fixed isort imports by @​dasm in oauthlib/oauthlib#820
• docs: Fix a few typos by @​timgates42 in oauthlib/oauthlib#822
• docs: fix typos by @​kianmeng in oauthlib/oauthlib#823

New Contributors

• @​ariebovenberg made their first contribution in oauthlib/oauthlib#804
• @​tamanobi made their first contribution in oauthlib/oauthlib#816
• @​NemanjaT made their first contribution in oauthlib/oauthlib#819
• @​kianmeng made their first contribution in oauthlib/oauthlib#823

Full Changelog: oauthlib/oauthlib@v3.2.0...v3.2.1

3.2.0

Changelog

OAuth2.0 Client:

• #795: Add Device Authorization Flow for Web Application
• #786: Add PKCE support for Client
• #783: Fallback to none in case of wrong expires_at format.

OAuth2.0 Provider:

• #790: Add support for CORS to metadata endpoint.
• #791: Add support for CORS to token endpoint.
• #787: Remove comma after Bearer in WWW-Authenticate

OAuth2.0 Provider - OIDC:

• #755: Call save_token in Hybrid code flow

... (truncated)

Changelog

Sourced from oauthlib's changelog.

3.2.2 (2022-10-17)

OAuth2.0 Provider:

• CVE-2022-36087

3.2.1 (2022-09-09)

OAuth2.0 Provider:

• #803: Metadata endpoint support of non-HTTPS

OAuth1.0:

• #818: Allow IPv6 being parsed by signature

General:

• Improved and fixed documentation warnings.
• Cosmetic changes based on isort

3.2.0 (2022-01-29)

OAuth2.0 Client:

• #795: Add Device Authorization Flow for Web Application
• #786: Add PKCE support for Client
• #783: Fallback to none in case of wrong expires_at format.

OAuth2.0 Provider:

• #790: Add support for CORS to metadata endpoint.
• #791: Add support for CORS to token endpoint.
• #787: Remove comma after Bearer in WWW-Authenticate

OAuth2.0 Provider - OIDC:

• #755: Call save_token in Hybrid code flow
• #751: OIDC add support of refreshing ID Tokens with refresh_id_token
• #751: The RefreshTokenGrant modifiers now take the same arguments as the AuthorizationCodeGrant modifiers (token, token_handler, request).

General:

• Added Python 3.9, 3.10, 3.11
• Improve Travis & Coverage

Commits

• e6c33e4 Add 3.2.2 version
• 4a4d65f Merge pull request #832 from oauthlib/3.2.1
• 88bb156 Updated date and authors
• 2e40b41 Merge pull request from GHSA-3pgj-pg6c-r5p7
• 1a45d97 Prepare 3.2.1 release
• b4bdd09 Merge pull request #818 from dasm/master
• 5d85c61 Fix IPV6 regex used to check redirect_uri
• e514826 Add check of performance of ipv6 check
• 0adbbe1 docs: fix typos
• 6569ec3 docs: Fix a few typos
• Additional commits viewable in compare view

Updates protobuf from 3.17.3 to 3.18.3

Release notes

Sourced from protobuf's releases.

Protocol Buffers v3.18.3

C++

• Reduce memory consumption of MessageSet parsing
• This release addresses a Security Advisory for C++ and Python users

Protocol Buffers v3.18.2

Java

• Improve performance characteristics of UnknownFieldSet parsing (#9371)

Protocol Buffers v3.18.1

Python

• Update setup.py to reflect that we now require at least Python 3.5 (#8989)
• Performance fix for DynamicMessage: force GetRaw() to be inlined (#9023)

Ruby

• Update ruby_generator.cc to allow proto2 imports in proto3 (#9003)

Protocol Buffers v3.18.0

C++

• Fix warnings raised by clang 11 (#8664)
• Make StringPiece constructible from std::string_view (#8707)
• Add missing capability attributes for LLVM 12 (#8714)
• Stop using std::iterator (deprecated in C++17). (#8741)
• Move field_access_listener from libprotobuf-lite to libprotobuf (#8775)
• Fix #7047 Safely handle setlocale (#8735)
• Remove deprecated version of SetTotalBytesLimit() (#8794)
• Support arena allocation of google::protobuf::AnyMetadata (#8758)
• Fix undefined symbol error around SharedCtor() (#8827)
• Fix default value of enum(int) in json_util with proto2 (#8835)
• Better Smaller ByteSizeLong
• Introduce event filters for inject_field_listener_events
• Reduce memory usage of DescriptorPool
• For lazy fields copy serialized form when allowed.
• Re-introduce the InlinedStringField class
• v2 access listener
• Reduce padding in the proto's ExtensionRegistry map.
• GetExtension performance optimizations
• Make tracker a static variable rather than call static functions
• Support extensions in field access listener
• Annotate MergeFrom for field access listener
• Fix incomplete types for field access listener
• Add map_entry/new_map_entry to SpecificField in MessageDifferencer. They record the map items which are different in MessageDifferencer's reporter.
• Reduce binary size due to fieldless proto messages
• TextFormat: ParseInfoTree supports getting field end location in addition to start.
• Fix repeated enum extension size in field listener
• Enable Any Text Expansion for Descriptors::DebugString()
• Switch from int{8,16,32,64} to int{8,16,32,64}_t

... (truncated)

Commits

• a902b39 No-op whitespace change
• ae62acd Updating version.json and repo version numbers to: 18.3
• f43ac49 Merge pull request #10542 from deannagarcia/3.18.x
• 9efdf55 Add missing includes
• d1635e1 Apply patch
• 5b37c91 Update version.json with "lts": true (#10534)
• c39d622 Merge pull request #10529 from protocolbuffers/deannagarcia-patch-5
• f77d3b6 Update version.json
• 8178b06 Merge pull request #10503 from deannagarcia/3.18.x
• 24ca839 Add version file
• Additional commits viewable in compare view

Updates requests from 2.26.0 to 2.32.2

Release notes

Sourced from requests's releases.

v2.32.2

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

🐍 PYCON US 2024 EDITION 🐍

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

... (truncated)

Changelog

Sourced from requests's changelog.

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations

... (truncated)

Commits

• 88dce9d v2.32.2
• c98e4d1 Merge pull request #6710 from nateprewitt/api_rename
• 92075b3 Add deprecation warning
• aa1461b Move _get_connection to get_connection_with_tls_context
• 970e8ce v2.32.1
• d6ebc4a v2.32.0
• 9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
• 0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
• 555b870 Allow character detection dependencies to be optional in post-packaging steps
• d6dded3 Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test
• Additional commits viewable in compare view

Updates tornado from 6.1 to 6.4.1

Changelog

Sourced from tornado's changelog.

Release notes

.. toctree:: :maxdepth: 2

releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1 releases/v3.2.0 releases/v3.1.1 releases/v3.1.0 releases/v3.0.2 releases/v3.0.1 releases/v3.0.0 releases/v2.4.1 releases/v2.4.0 releases/v2.3.0

... (truncated)

Commits

• 2a0e1d1 Merge pull request #3388 from bdarnell/release-641
• b7af4e8 Release notes and version bump for version 6.4.1
• d65f6e7 Merge pull request #3387 from bdarnell/chunked-parsing
• 8d721a8 httputil: Only strip tabs and spaces from header values
• 7786f09 Merge pull request #3386 from bdarnell/curl-crlf
• fb119c7 http1connection: Stricter handling of transfer-encoding
• b0ffc58 curl_httpclient,http1connection: Prohibit CR and LF in headers
• 0efa9a4 Merge pull request #3385 from bdarnell/update-black
• 2757c6e Merge pull request #3384 from tornadoweb/dependabot/pip/requests-2.32.2
• 291d1b6 *: Update black
• Additional commits viewable in compare view

Updates urllib3 from 1.26.6 to 1.26.19

Release notes

Sourced from urllib3's releases.

1.26.19

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support for 2023. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.

Full Changelog: urllib3/urllib3@1.26.18...1.26.19

Note that due to an issue with our release automation, no multiple.intoto.jsonl file is available for this release.

1.26.18

• Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (GHSA-g4mx-q9vg-27p4)

1.26.17

• Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (GHSA-v845-jxx5-vc9f)

1.26.16

• Fixed thread-safety issue where accessing a PoolManager with many distinct origins would cause connection pools to be closed while requests are in progress (#2954)

1.26.15

• Fix socket timeout value when HTTPConnection is reused (urllib3/urllib3#2645)
• Remove "!" character from the unreserved characters in IPv6 Zone ID parsing (urllib3/urllib3#2899)
• Fix IDNA handling of 'x80' byte (urllib3/urllib3#2901)

1.26.14

• Fixed parsing of port 0 (zero) returning None, instead of 0 (#2850)
• Removed deprecated HTTPResponse.getheaders() calls in urllib3.contrib module.

1.26.13

• Deprecated the HTTPResponse.getheaders() and HTTPResponse.getheader() methods.
• Fixed an issue where parsing a URL with leading zeroes in the port would be rejected even when the port number after removing the zeroes was valid.
• Fixed a deprecation warning when using cryptography v39.0.0.
• Removed the <4 in the Requires-Python packaging metadata field.

1.26.12

• Deprecated the urllib3[secure] extra and the urllib3.contrib.pyopenssl module. Both will be removed in v2.x. See this GitHub issue for justification and info on how to migrate.

1.26.11

If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors.

⚠️ urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Fixed an issue where reading more than 2 GiB in a call to HTTPResponse.read would raise an OverflowError on Python 3.9 and earlier.

... (truncated)

Changelog

Sourced from urllib3's changelog.

1.26.19 (2024-06-17)

• Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.
• Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS. ([#3405](https://github.com/urllib3/urllib3/issues/3405) <https://github.com/urllib3/urllib3/issues/3405>__)

1.26.18 (2023-10-17)

• Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.

1.26.17 (2023-10-02)

• Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. ([#3139](https://github.com/urllib3/urllib3/issues/3139) <https://github.com/urllib3/urllib3/pull/3139>_)

1.26.16 (2023-05-23)

• Fixed thread-safety issue where accessing a PoolManager with many distinct origins would cause connection pools to be closed while requests are in progress ([#2954](https://github.com/urllib3/urllib3/issues/2954) <https://github.com/urllib3/urllib3/pull/2954>_)

1.26.15 (2023-03-10)

• Fix socket timeout value when HTTPConnection is reused ([#2645](https://github.com/urllib3/urllib3/issues/2645) <https://github.com/urllib3/urllib3/issues/2645>__)
• Remove "!" character from the unreserved characters in IPv6 Zone ID parsing ([#2899](https://github.com/urllib3/urllib3/issues/2899) <https://github.com/urllib3/urllib3/issues/2899>__)
• Fix IDNA handling of '\x80' byte ([#2901](https://github.com/urllib3/urllib3/issues/2901) <https://github.com/urllib3/urllib3/issues/2901>__)

1.26.14 (2023-01-11)

• Fixed parsing of port 0 (zero) returning None, instead of 0. ([#2850](https://github.com/urllib3/urllib3/issues/2850) <https://github.com/urllib3/urllib3/issues/2850>__)
• Removed deprecated getheaders() calls in contrib module. Fixed the type hint of PoolKey.key_retries by adding bool to the union. ([#2865](https://github.com/urllib3/urllib3/issues/2865) <https://github.com/urllib3/urllib3/issues/2865>__)

1.26.13 (2022-11-23)

• Deprecated the HTTPResponse.getheaders() and HTTPResponse.getheader() methods.
• Fixed an issue where parsing a URL with leading zeroes in the port would be rejected even when the port number after removing the zeroes was valid.
• Fixed a deprecation warning when using cryptography v39.0.0.
• Removed the <4 in the Requires-Python packaging metadata field.

1.26.12 (2022-08-22)

• Deprecated the urllib3[secure] extra and the urllib3.contrib.pyopenssl module. Both will be removed in v2.x. See this GitHub issue <https://github.com/urllib3/urllib3/issues/2680>_

... (truncated)

Commits

• d9d85c8 Release 1.26.19
• 8528b63 [1.26] Fix downstream tests (#3409)
• 40b6d16 Merge pull request from GHSA-34jh-p97f-mpxf
• 29cfd02 Fix handling of OpenSSL 3.2.0 new error message "record layer failure" (#3405)
• b600643 [1.26] Bump RECENT_DATE (#3404)
• 7e2d389 [1.26] Fix running CPython 2.7 tests in CI (#3137)
• 9c2c230 Release 1.26.18 (#3159)
• b594c5c Merge pull request from GHSA-g4mx-q9vg-27p4
• 944f0eb [1.26] Use vendored six in urllib3.contrib.securetransport
• c9016bf Release 1.26.17
• Additional commits viewable in compare view

Updates black from 21.7b0 to 24.3.0

Release notes

Sourced from black's releases.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

• Don't move comments along with delimiters, which could cause crashes (#4248)
• Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
• Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

• Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

• Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

• Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

• Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
• Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
• Checking for newline before adding one on docstring that is almost at the line limit (#4185)
• Remove redundant parentheses in case statement if guards (#4214).

Configuration

... (truncated)

Changelog

Sourced from black's changelog.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

• Don't move comments along with delimiters, which could cause crashes (#4248)
• Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
• Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

• Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

• Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

• Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

• Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
• Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
• Checking for newline before adding one on docstring that is almost at the line limit (#4185)
• Remove redundant parentheses in case statement if guards (#4214).

... (truncated)

Commits

• See full diff in compare view

Updates tqdm from 4.62.2 to 4.66.3

Release notes

Sourced from tqdm's releases.

tqdm v4.66.3 stable

• cli: eval safety (fixes CVE-2024-34062, GHSA-g7vv-2v7x-gj9p)

tqdm v4.66.2 stable

• pandas: add DataFrame.progress_map (#1549)
• notebook: fix HTML padding (#1506)
• keras: fix resuming training when verbose>=2 (#1508)
• fix format_num negative fractions missing leading zero (#1548)
• fix Python 3.12 DeprecationWarning on import (#1519)
• linting: use f-strings (#1549)
• update tests (#1549)
  • fix pandas warnings
  • fix asv (airspeed-velocity/asv#1323)
  • fix macos notebook docstring indentation
• CI: bump actions (#1549)

tqdm v4.66.1 stable

• fix utils.envwrap types (#1493 <- #1491, #1320 <- #966, #1319)
  • e.g. cloudwatch & kubernetes workaround: export TQDM_POSITION=-1
• drop mentions of unsupported Python versions

tqdm v4.66.0 stable

• environment variables to override defaults (TQDM_*Description has been truncated