Bump the direct-deps group across 1 directory with 17 updates

[dependabot]

Bumps the direct-deps group with 17 updates in the / directory:

Package	From	To
asttokens	3.0.0	3.0.1
beautifulsoup4	4.14.2	4.14.3
certifi	2025.8.3	2025.11.12
charset-normalizer	3.4.3	3.4.4
curl-cffi	0.13.0	0.14.0
fonttools	4.60.1	4.61.1
idna	3.10	3.11
jupyterlab-widgets	3.0.15	3.0.16
matplotlib-inline	0.1.7	0.2.1
pillow	11.3.0	12.0.0
pyparsing	3.2.5	3.3.1
soupsieve	2.8	2.8.1
toolz	1.0.0	1.1.0
traittypes	0.2.1	0.2.3
urllib3	2.5.0	2.6.2
valimp	0.3	0.4
widgetsnbextension	4.0.14	4.0.15

Updates asttokens from 3.0.0 to 3.0.1

Commits

• bdbf396 Update mypy; add 3.14 to the CI; drop python 3.8 support (#167)
• f859c05 Add tests for astroid v2, v3, and v4 to the CI (#166)
• 84ef059 Adapt asttokens for astroid 4.x (#165)
• 9db9335 Various links improvements (#163)
• 3371ebf Merge pull request #161 from gristlabs/dependabot/pip/docs/requests-2.32.4
• 3a60115 Bump requests from 2.32.2 to 2.32.4 in /docs
• 584b51c Merge pull request #160 from gristlabs/dependabot/pip/docs/urllib3-2.5.0
• 3e9d703 Bump urllib3 from 2.2.2 to 2.5.0 in /docs
• 64d3f7c Merge pull request #158 from gristlabs/dependabot/pip/docs/jinja2-3.1.6
• 9b5fb1a Bump jinja2 from 3.1.4 to 3.1.6 in /docs
• Additional commits viewable in compare view

Updates beautifulsoup4 from 4.14.2 to 4.14.3

Updates certifi from 2025.8.3 to 2025.11.12

Commits

• 37ea150 2025.11.12 (#375)
• 2fa50bb Bump actions/upload-artifact from 4.6.2 to 5.0.0 (#374)
• 6cadb53 Bump actions/download-artifact from 5.0.0 to 6.0.0 (#373)
• fb14ac4 2025.10.05 (#371)
• 2c7c7ee Add Python 3.14 classifier in setup.py
• 1a5cb7b Bump actions/setup-python from 5.6.0 to 6.0.0 (#367)
• dea5960 Bump pypa/gh-action-pypi-publish from 1.12.4 to 1.13.0 (#366)
• 83566b7 Bump actions/checkout from 4.2.2 to 5.0.0
• ca2e121 Bump actions/download-artifact from 4.3.0 to 5.0.0
• See full diff in compare view

Updates charset-normalizer from 3.4.3 to 3.4.4

Release notes

Sourced from charset-normalizer's releases.

Version 3.4.4

3.4.4 (2025-10-13)

Changed

• Bound setuptools to a specific constraint setuptools>=68,<=81.
• Raised upper bound of mypyc for the optional pre-built extension to v1.18.2

Removed

• setuptools-scm as a build dependency.

Misc

• Enforced hashes in dev-requirements.txt and created ci-requirements.txt for security purposes.
• Additional pre-built wheels for riscv64, s390x, and armv7l architectures.
• Restore multiple.intoto.jsonl in GitHub releases in addition to individual attestation file per wheel.

Changelog

Sourced from charset-normalizer's changelog.

3.4.4 (2025-10-13)

Changed

• Bound setuptools to a specific constraint setuptools>=68,<=81.
• Raised upper bound of mypyc for the optional pre-built extension to v1.18.2

Removed

• setuptools-scm as a build dependency.

Misc

• Enforced hashes in dev-requirements.txt and created ci-requirements.txt for security purposes.
• Additional pre-built wheels for riscv64, s390x, and armv7l architectures.
• Restore multiple.intoto.jsonl in GitHub releases in addition to individual attestation file per wheel.

Commits

• b30ffdc 🔧 fix checksum step in cd.yml
• d3fbfcf 🔧 fix cd.yml
• dafbb95 Release 3.4.4 (#658)
• 1f18ffa ⬆️ raise mypy upper bound to 1.18.2
• ef4ac69 Merge branch 'release-3.4.4' of github.com:jawah/charset_normalizer into rele...
• 4b35dda 📝 write changelog for 3.4.4
• 0ec6452 🔧 update cd.yml workflow (add riscv64, s390x and armv7l)
• f341ede ⬆️ upgrade dependencies (dev, ci)
• a308841 📝 write changelog for 3.4.4
• 9c906da 🔧 update cd.yml workflow (add riscv64, s390x and armv7l)
• Additional commits viewable in compare view

Updates curl-cffi from 0.13.0 to 0.14.0

Release notes

Sourced from curl-cffi's releases.

v0.14.0

This release contains a few changes that might break the code for some people, hopefully not too many:

1. Async websocket is completed rewritten, great performance boost, but a few breaking API.
2. macOS requirement is now 15.0+, the same as GitHub actions builder, due to bundled c-ares.
3. Python requirement is now 3.10+, as we planned.

Personal notes:

I have been holding this version for a while, thinking that I should fix the unintentional macOS version upgrade and implement pro features within this release. But it turns out that 2025 has been a fruitful, but exhausting year for me. Significant number of PRs have been merged since last release, so let's make them available for all.

What's Changed

• docs: fix impersonation docs link in README to working URL by @​MrDebugger in lexiforest/curl_cffi#616
• Add support for riscv and armv7l wheels by @​lexiforest in lexiforest/curl_cffi#622
• refactor: enhance Curl class cleanup methods by @​montovaneli in lexiforest/curl_cffi#618
• chore: make async session HTTP methods truly async by @​serozhenka in lexiforest/curl_cffi#619
• CLI script curl-cffi by @​haron in lexiforest/curl_cffi#621
• Use conditional imports based on thread backend selection by @​Caellian in lexiforest/curl_cffi#625
• enhance Curl class to handle None curl cases by @​montovaneli in lexiforest/curl_cffi#631
• added response and request size to Response and parse it in session by @​manjustice in lexiforest/curl_cffi#648
• Add raise_for_status parameter to Session and AsyncSession by @​RohanDisa in lexiforest/curl_cffi#651
• Fix cURL error 77 on Windows by encoding file-path options with system ANSI codepage by @​ewnn112 in lexiforest/curl_cffi#647
• Improve Async WebSocket by @​Sh3llcod3 in lexiforest/curl_cffi#650
• Fix Content-Type header update for non-empty data in set_curl_options by @​sarperavci in lexiforest/curl_cffi#658
• Upgrade websockets and FastAPI version in tests and dev by @​lexiforest in lexiforest/curl_cffi#662
• Use timedelta for elapsed-time handling to improve Requests compatibility by @​sarperavci in lexiforest/curl_cffi#661
• Fix websocket close code validation by @​blood-worm in lexiforest/curl_cffi#673

New Contributors

• @​MrDebugger made their first contribution in lexiforest/curl_cffi#616
• @​haron made their first contribution in lexiforest/curl_cffi#621
• @​Caellian made their first contribution in lexiforest/curl_cffi#625
• @​manjustice made their first contribution in lexiforest/curl_cffi#648
• @​RohanDisa made their first contribution in lexiforest/curl_cffi#651
• @​ewnn112 made their first contribution in lexiforest/curl_cffi#647
• @​Sh3llcod3 made their first contribution in lexiforest/curl_cffi#650
• @​sarperavci made their first contribution in lexiforest/curl_cffi#658
• @​blood-worm made their first contribution in lexiforest/curl_cffi#673

Full Changelog: lexiforest/curl_cffi@v0.13.0...v0.14.0

v0.14.0b5

No release notes provided.

v0.14.0b4

What's Changed

• Added new browser versions.
• Fix Content-Type header update for non-empty data in set_curl_options by @​sarperavci in lexiforest/curl_cffi#658
• Upgrade websockets and FastAPI version in tests and dev by @​lexiforest in lexiforest/curl_cffi#662
• Use timedelta for elapsed-time handling to improve Requests compatibility by @​sarperavci in lexiforest/curl_cffi#661

... (truncated)

Commits

• e89e5d8 Bumpt version to 0.14.0
• f9f5c5a Fix websocket close code validation (#673)
• 6c096bb Bump curl-impersonate version to 1.2.5
• 28a2a98 Add safari 26.0.1, firefox 144 and chrome 142
• b6c1ba7 Use timedelta for elapsed-time handling to improve Requests compatibility (#661)
• cdcb284 Upgrade websockets and FastAPI version in tests and dev (#662)
• 81ec499 Relax websocket dependency in testing
• dfde525 Fix Content-Type header update for non-empty data in set_curl_options (#658)
• f3122db Improve Async WebSocket (#650)
• e51e818 Fix cURL error 77 on Windows (#647)
• Additional commits viewable in compare view

Updates fonttools from 4.60.1 to 4.61.1

Release notes

Sourced from fonttools's releases.

4.61.1

• [otlLib] buildCoverage: return empty Coverage instead of None (#4003, #4004).
• [instancer] bug fix in avar2 full instancing (#4002).
• [designspaceLib] Preserve empty conditionsets when serializing to XML (#4001).
• [fontBu ilder] Fix FontBuilder setupOS2() default params globally polluted (#3996, #3997).
• [ttFont] Add more typing annotations to ttFont, xmlWriter, sfnt, varLib.models and others (#3952, #3826).
• Explicitly test and declare support for Python 3.14, even though we were already shipping pre-built wheels for it (#3990).

4.61.0

• [varLib.main]: SECURITY Only use basename(vf.filename) to prevent path traversal attacks when running fonttools varLib command-line script, or code which invokes fonttools.varLib.main(). Fixes CVE-2025-66034, see: GHSA-768j-98cg-p3fv.
• [feaLib] Sort BaseLangSysRecords by tag (#3986).
• Drop support for EOL Python 3.9 (#3982).
• [instancer] Support --remove-overlaps for fonts with CFF2 table (#3975).
• [CFF2ToCFF] Add --remove-overlaps option (#3976).
• [feaLib] Raise an error for rsub with NULL target (#3979).
• [bezierTools] Fix logic bug in curveCurveIntersections (#3963).
• [feaLib] Error when condition sets have the same name (#3958).
• [cu2qu.ufo] skip processing empty glyphs to support sparse kerning masters (#3956).
• [unicodedata] Update to Unicode 17. Require unicodedata2 >= 17.0.0 when installed with 'unicode' extra.

4.60.2

• Backport release Same as 4.61.0 but without "Drop support for EOL Python 3.9" change to allow downstream projects still on Python 3.9 to avail of the security fix for CVE-2025-66034 (#3994, #3999).

Changelog

Sourced from fonttools's changelog.

4.61.1 (released 2025-12-12)

• [otlLib] buildCoverage: return empty Coverage instead of None (#4003, #4004).
• [instancer] bug fix in avar2 full instancing (#4002).
• [designspaceLib] Preserve empty conditionsets when serializing to XML (#4001).
• [fontBu ilder] Fix FontBuilder setupOS2() default params globally polluted (#3996, #3997).
• [ttFont] Add more typing annotations to ttFont, xmlWriter, sfnt, varLib.models and others (#3952, #3826).
• Explicitly test and declare support for Python 3.14, even though we were already shipping pre-built wheels for it (#3990).

4.60.2 (released 2025-12-09)

• Backport release Same as 4.61.0 but without "Drop support for EOL Python 3.9" change to allow downstream projects still on Python 3.9 to avail of the security fix for CVE-2025-66034 (#3994, #3999).

4.61.0 (released 2025-11-28)

• [varLib.main]: SECURITY Only use basename(vf.filename) to prevent path traversal attacks when running fonttools varLib command, or code which invokes fonttools.varLib.main(). Fixes CVE-2025-66034, see: GHSA-768j-98cg-p3fv.
• [feaLib] Sort BaseLangSysRecords by tag (#3986).
• Drop support for EOL Python 3.9 (#3982).
• [instancer] Support --remove-overlaps for fonts with CFF2 table (#3975).
• [CFF2ToCFF] Add --remove-overlaps option (#3976).
• [feaLib] Raise an error for rsub with NULL target (#3979).
• [bezierTools] Fix logic bug in curveCurveIntersections (#3963).
• [feaLib] Error when condition sets have the same name (#3958).
• [cu2qu.ufo] skip processing empty glyphs to support sparse kerning masters (#3956).
• [unicodedata] Update to Unicode 17. Require unicodedata2 >= 17.0.0 when installed with 'unicode' extra.

Commits

• 0a65179 Release 4.61.1
• 387af7b Update NEWS.rst
• 8d5f4a4 Merge pull request #3989 from fonttools/dependabot/github_actions/actions/che...
• aa405c9 Merge pull request #4004 from fonttools/mark-glyph-sets-non-null-empty-coverage
• 0ca5b37 update expected feaLib test empty_filter_sets_and_mark_classes.ttx
• d57f6e6 [otlLib] buildCoverage: return empty Coverage instead of None
• e988f85 [instancer] bug fix in avar2 full instancing (#4002)
• 2caea38 Merge pull request #4001 from daltonmaag/preserve-empty-conditionsets
• cba88b3 Test empty condition sets are preserved during serialisation & deserialisation
• f55e747 Update test data
• Additional commits viewable in compare view

Updates idna from 3.10 to 3.11

Changelog

Sourced from idna's changelog.

3.11 (2025-10-12)

• Update to Unicode 16.0.0, including significant changes to UTS46 processing. As a result of Unicode ending support for it, transitional processing no longer has an effect and returns the same result.
• Add support for Python 3.14, lowest supported version is Python 3.8.
• Various updates to packaging, including PEP 740 support.

Commits

• ad949ee Release v3.11
• cae4ba7 Second release candidate for 3.11
• 8adb305 Add space in RST link
• 74cb2b6 Release candidate for 3.11
• 05dab09 Format idna-data with ruff
• 90eac78 Apply ruff formatting
• a31ce7e Remove errant test vectors
• 81f0333 Omit vectors known to be broken in test suite
• a0f3257 Merge branch 'master' into unicode-16-uts46-changes
• 38d9886 Remove extra UTS46 test vector
• Additional commits viewable in compare view

Updates jupyterlab-widgets from 3.0.15 to 3.0.16

Commits

• See full diff in compare view

Updates matplotlib-inline from 0.1.7 to 0.2.1

Commits

• 30bf01b Release version 0.2.1
• 0237ddd Fix Misc Building issues. (#52)
• 6673aa6 Docstring of set_matplotlib_formats (#51)
• 20f78c4 Help string of %config InlineBackend
• 9caad5b test building wheel works
• 251a8c8 remove problematic License-expression
• 45ec4f1 Correcting by Carreau reviewe
• c91c036 Correcting for docstring of set_matplotlib_formats
• 9390396 Docstring of set_matplotlib_formats
• 011561d Release version 0.2.0
• Additional commits viewable in compare view

Updates pillow from 11.3.0 to 12.0.0

Release notes

Sourced from pillow's releases.

12.0.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.0.0.html

Removals

• Remove support for FreeType <= 2.9.0 #9159 [@​radarhere]
• Drop support for Python 3.9 #9119 [@​hugovk]
• Remove deprecations for Pillow 12.0.0 #9053 [@​radarhere]

Deprecations

• Deprecate Image._show #9186 [@​radarhere]
• Deprecate ImageCmsProfile product_name and product_info #8995 [@​lukegb]

Documentation

• ImagingHistogramInstance can use two bands #9251 [@​radarhere]
• Update 12.0.0 release notes #9247 [@​hugovk]
• Added ImageDraw alpha channel examples #9201 [@​radarhere]
• Update Python version #9230 [@​radarhere]
• Updated macOS tested Pillow versions #9209 [@​radarhere]
• Add GitHub profile link to release notes #9197 [@​radarhere]
• Split versionadded info #9190 [@​radarhere]
• Document ImageFile.MAXBLOCK #9163 [@​radarhere]
• Updated macOS version in CI targets #9157 [@​radarhere]
• Fix typos #9135 [@​radarhere]
• Added "Colors" to concepts #9067 [@​radarhere]
• Update macOS tested Pillow versions #9068 [@​radarhere]
• Thanks, folks! #9056 [@​aclark4life]
• Setup nit: "fork" should be lowercased #9055 [@​aclark4life]

Dependencies

• Update dependency cibuildwheel to v3.2.1 #9246 [@renovate[bot]]
• [pre-commit.ci] pre-commit autoupdate #9233 [@pre-commit-ci[bot]]
• Update harfbuzz to 12.1.0 #9218 [@​radarhere]
• Update libtiff to 4.7.1 #9222 [@​radarhere]
• Update FreeType to 2.14.1 on macOS and Linux wheels #9217 [@​radarhere]
• Update dependency cibuildwheel to v3.2.0 #9219 [@renovate[bot]]
• Update Ghostscript to 10.6.0 #9202 [@​radarhere]
• Update openjpeg to 2.5.4 #9215 [@​radarhere]
• Update harfbuzz to 11.5.0 #9203 [@​radarhere]
• Update dependency mypy to v1.18.2 #9213 [@renovate[bot]]
• Update dependency mypy to v1.18.1 #9207 [@renovate[bot]]
• Update github-actions #9194 [@renovate[bot]]
• Updated harfbuzz to 11.4.5 #9150 [@​radarhere]
• Update zlib-ng to 2.2.5 #9140 [@​radarhere]
• Update raqm to 0.10.3 #9137 [@​radarhere]
• Update libjpeg-turbo to 3.1.2 #9188 [@​radarhere]
• [pre-commit.ci] pre-commit autoupdate #9180 [@pre-commit-ci[bot]]

... (truncated)

Commits

• 693df7b 12.0.0 version bump
• d175bb8 Use macos-14 for iOS arm64 simulator (#9258)
• 592b2f8 Revert "Use macos-latest for iOS arm64 simulator"
• 5dddb2c Use enums for Modes and RawModes in C (#9256)
• e7b72a3 Add ImageText (#9098)
• 864d4b6 Shift bits before making value negative (#9255)
• 994a9de Install arro3 dependencies when type checking (#9254)
• d5e1601 Improved documentation
• e533ccc Merge branch 'main' into imagetext
• 95a85dc Use snake case
• Additional commits viewable in compare view

Updates pyparsing from 3.2.5 to 3.3.1

Changelog

Sourced from pyparsing's changelog.

Version 3.3.1 - December, 2025

• Added license info to metadata, following PEP-639. Thanks to Gedalia Pasternak and Marc Mueller for submitted issue and PR. Fixes #626.

Version 3.3.0 - December, 2025

=========================================================================================== The version 3.3.0 release will begin emitting DeprecationWarnings for pyparsing methods that have been renamed to PEP8-compliant names (introduced in pyparsing 3.0.0, in August, 2021, with legacy names retained as aliases). In preparation, I added in pyparsing 3.2.2 a utility for finding and replacing the legacy method names with the new names. This utility is located at pyparsing/tools/cvt_pep8_names.py. This script will scan all Python files specified on the command line, and if the -u option is selected, will replace all occurrences of the old method names with the new PEP8-compliant names, updating the files in place.

Here is an example that converts all the files in the pyparsing /examples directory:

  python -m pyparsing.tools.cvt_pyparsing_pep8_names -u examples/*.py

The new names are compatible with pyparsing versions 3.0.0 and later.

• Deprecated indentedBlock, when converted using the cvt_pyparsing_pep8_names utility, will emit UserWarnings that additional code changes will be required. This is because the new IndentedBlock class no longer requires the calling code to supply an indent stack, while adding support for nested indentation levels and grouping.

• Deprecated locatedExpr, when converted using the cvt_pyparsing_pep8_names utility, will emit UserWarnings that additional code changes may be required. The new Located class removes the extra grouping level of the parsed values. (If the original locatedExpr parser was defined with a results name, then the extra grouping is retained, so that the results name nesting works properly; in this case, no code changes would be required.)

• Updated all examples and test cases to use PEP8 names (unless the test case is specifically designed to test behavior of a legacy method). Added railroad diagrams for some examples.

• Added exception handling when calling formatted_message(), so that str(exception) always returns at least something.

• All unit tests pass with Python 3.14, including 3.14t. This does not necessarily mean that pyparsing is now thread-safe, just that when run in the free-threaded interpreter, there were no errors. None of the unit tests try to do any parsing with multiple threads - they test the basic functionality of the library, under various versions of packrat and left-recursive parsing.

... (truncated)

Commits

• d73ce7a Update CHANGES file to reflect PR 627
• 1089724 Mark for 3.3.1 dev/release
• 421d20a Update license metadata to follow PEP 639
• e4895d3 Reduced recursive grammar in tiny_parser.py to avoid
• b6b0111 Blackening before releasing
• 7fbbcbd Revert transform_string perf penalty in _flatten (introduced in 3.2.0b2)
• 336647a Update perf scripts to run additional 3.2.x releases
• 6413afc Prep for 3.3.0 release
• 9223660 Added copyright line to LICENSE file
• 92d8368 Remove obsolete comment
• Additional commits viewable in compare view

Updates soupsieve from 2.8 to 2.8.1

Release notes

Sourced from soupsieve's releases.

2.8.1

• FIX: Changes in tests to accommodate latest Python HTML parser changes.

Commits

• f899797 Adjust changelog
• 1b964a8 Switch to using Zensical for documents (#286)
• 046ce54 Adjustments for changes in HTML parser (#285)
• See full diff in compare view

Updates toolz from 1.0.0 to 1.1.0

Release notes

Sourced from toolz's releases.

Release 1.1.0

What's Changed

• Add support for Python 3.14, PyPy 3.11 (#592) by @​hendrikmakait
• Drop support for Python 3.8, PyPy 3.8 (#607) by @​eriknw
• Add note about project status (alive and maintained, but inactive) (#600) by @​mrocklin
• Use yield from in merge_sorted to improve performance (#550) by @​groutr
• Fix bug in partition_all when __len__ is incorrect; now raise IndexError (#603) by @​Mr0grog
• Modernization (#607, #608, #609, #610, #611) by @​eriknw
  • Now PEP 517-compliant; use pyproject.toml and setuptools.build_meta build backend
  • Use setuptools-git-versioning instead of versioneer.py for versioning
  • Use Trusted Publishing between Github and PyPI to publish releases to PyPI
  • Generate artifact attestation for sdist and wheel (#609)
  • Add git pre-commit checks (but this isn't documented for contributors)
    • These also get run in CI
    • Including validate-pyproject, pyupgrade, codespell, actionlint, yamllint, zizmor

New Contributors 🚀

• @​hendrikmakait made their first contribution in #592
• @​Mr0grog made their first contribution in #603

Full Changelog: pytoolz/toolz@1.0.0...1.1.0

Pre-release 1.0.1a0 Pre-release

This is a pre-release

• Support Python 3.14
• Drop support for Python 3.8
• Package and CI modernization

Full release notes will be included for 1.0.1.

Commits

• 568c2b8 Skip no-commit-to-branch in CI (#611)
• af7f85a Add sane config for pytest (#610)
• 5eee30e Use yield from. (#550)
• 5a7e078 Raise in partition_all when length is invalid (#603)
• 1fb2b9f Add artifact attestation for build provenance (#609)
• 8aca7ee Use correct URL for test-pypi for publishing test wheels (#608)
• a39cd67 Modernize to use pyproject.toml and drop versioneer (#607)
• 688a812 Test against Python 3.14-dev on CI (#592)
• 08f2604 Add Project Status section to README (#600)
• 6cb5e6d Declare support for Python 3.13
• Additional commits viewable in compare view

Updates traittypes from 0.2.1 to 0.2.3

Updates urllib3 from 2.5.0 to 2.6.2

Release notes

Sourced from urllib3's releases.

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)

2.6.1

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. (#3731)

2.6.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @​Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @​illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)

[!IMPORTANT]

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.
• If you use custom decompressors, please make sure to update them to respect the changed API of urllib3.response.ContentDecoder.

Features

• Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. (#3653)
• Added host and port information to string representations of HTTPConnection. (#3666)
• Added support for Python 3.14 free-threading builds explicitly. (#3696)

Removals

• Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers. Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). (#3622)

... (truncated)

Changelog

Sourced from urllib3's changelog.

2.6.2 (2025-12-11)

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. ([#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734>__)

2.6.1 (2025-12-08)

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. ([#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731>__)

2.6.0 (2025-12-05)

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.

• If you use custom decompressors, please make sure to update them to respect the changed API of urllib3.response.ContentDecoder.

Features

• Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. ([#3653](https://github.com/urllib3/urllib3/issues/3653) <https://github.com/urllib3/urllib3/issues/3653>__)
• Added host and port information to string representations of HTTPConnection. ([#3666](https://github.com/urllib3/urllib3/issues/3666) <https://github.com/urllib3/urllib3/issues/3666>__)
• Added support for Python 3.14 free-threading builds explicitly. ([#3696](https://github.com/urllib3/urllib3/issues/3696) <https://github.com/urllib3/urllib3/issues/3696>__)

... (truncated)

Commits

• 83f8643 Release 2.6.2

[dependabot]

Looks like these dependencies are no longer updatable, so this is no longer needed.