Bump the pip group across 1 directory with 6 updates

[dependabot]

Bumps the pip group with 6 updates in the / directory:

Package	From	To
certifi	2021.10.8	2024.7.4
gitpython	3.1.27	3.1.41
idna	3.3	3.7
pyjwt	2.3.0	2.4.0
requests	2.27.1	2.32.4
urllib3	1.26.9	2.6.0

Updates certifi from 2021.10.8 to 2024.7.4

Commits

• bd81538 2024.07.04 (#295)
• 06a2cbf Bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (#294)
• 13bba02 Bump actions/checkout from 4.1.6 to 4.1.7 (#293)
• e8abcd0 Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 (#292)
• 124f4ad 2024.06.02 (#291)
• c2196ce --- (#290)
• fefdeec Bump actions/checkout from 4.1.4 to 4.1.5 (#289)
• 3c5fb15 Bump actions/download-artifact from 4.1.6 to 4.1.7 (#286)
• 4a9569a Bump actions/checkout from 4.1.2 to 4.1.4 (#287)
• 1fc8086 Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (#288)
• Additional commits viewable in compare view

Updates gitpython from 3.1.27 to 3.1.41

Release notes

Sourced from gitpython's releases.

3.1.41 - fix Windows security issue

The details about the Windows security issue can be found in this advisory.

Special thanks go to @​EliahKagan who reported the issue and fixed it in a single stroke, while being responsible for an incredible amount of improvements that he contributed over the last couple of months ❤️.

What's Changed

• Add __all__ in git.exc by @​EliahKagan in gitpython-developers/GitPython#1719
• Set submodule update cadence to weekly by @​EliahKagan in gitpython-developers/GitPython#1721
• Never modify sys.path by @​EliahKagan in gitpython-developers/GitPython#1720
• Bump git/ext/gitdb from 8ec2390 to ec58b7e by @​dependabot in gitpython-developers/GitPython#1722
• Revise comments, docstrings, some messages, and a bit of code by @​EliahKagan in gitpython-developers/GitPython#1725
• Use zero-argument super() by @​EliahKagan in gitpython-developers/GitPython#1726
• Remove obsolete note in _iter_packed_refs by @​EliahKagan in gitpython-developers/GitPython#1727
• Reorganize test_util and make xfail marks precise by @​EliahKagan in gitpython-developers/GitPython#1729
• Clarify license and make module top comments more consistent by @​EliahKagan in gitpython-developers/GitPython#1730
• Deprecate compat.is_, rewriting all uses by @​EliahKagan in gitpython-developers/GitPython#1732
• Revise and restore some module docstrings by @​EliahKagan in gitpython-developers/GitPython#1735
• Make the rmtree callback Windows-only by @​EliahKagan in gitpython-developers/GitPython#1739
• List all non-passing tests in test summaries by @​EliahKagan in gitpython-developers/GitPython#1740
• Document some minor subtleties in test_util.py by @​EliahKagan in gitpython-developers/GitPython#1749
• Always read metadata files as UTF-8 in setup.py by @​EliahKagan in gitpython-developers/GitPython#1748
• Test native Windows on CI by @​EliahKagan in gitpython-developers/GitPython#1745
• Test macOS on CI by @​EliahKagan in gitpython-developers/GitPython#1752
• Let close_fds be True on all platforms by @​EliahKagan in gitpython-developers/GitPython#1753
• Fix IndexFile.from_tree on Windows by @​EliahKagan in gitpython-developers/GitPython#1751
• Remove unused TASKKILL fallback in AutoInterrupt by @​EliahKagan in gitpython-developers/GitPython#1754
• Don't return with operand when conceptually void by @​EliahKagan in gitpython-developers/GitPython#1755
• Group .gitignore entries by purpose by @​EliahKagan in gitpython-developers/GitPython#1758
• Adding dubious ownership handling by @​marioaag in gitpython-developers/GitPython#1746
• Avoid brittle assumptions about preexisting temporary files in tests by @​EliahKagan in gitpython-developers/GitPython#1759
• Overhaul noqa directives by @​EliahKagan in gitpython-developers/GitPython#1760
• Clarify some Git.execute kill_after_timeout limitations by @​EliahKagan in gitpython-developers/GitPython#1761
• Bump actions/setup-python from 4 to 5 by @​dependabot in gitpython-developers/GitPython#1763
• Don't install black on Cygwin by @​EliahKagan in gitpython-developers/GitPython#1766
• Extract all "import gc" to module level by @​EliahKagan in gitpython-developers/GitPython#1765
• Extract remaining local "import gc" to module level by @​EliahKagan in gitpython-developers/GitPython#1768
• Replace xfail with gc.collect in TestSubmodule.test_rename by @​EliahKagan in gitpython-developers/GitPython#1767
• Enable CodeQL by @​EliahKagan in gitpython-developers/GitPython#1769
• Replace some uses of the deprecated mktemp function by @​EliahKagan in gitpython-developers/GitPython#1770
• Bump github/codeql-action from 2 to 3 by @​dependabot in gitpython-developers/GitPython#1773
• Run some Windows environment variable tests only on Windows by @​EliahKagan in gitpython-developers/GitPython#1774
• Fix TemporaryFileSwap regression where file_path could not be Path by @​EliahKagan in gitpython-developers/GitPython#1776
• Improve hooks tests by @​EliahKagan in gitpython-developers/GitPython#1777
• Fix if items of Index is of type PathLike by @​stegm in gitpython-developers/GitPython#1778
• Better document IterableObj.iter_items and improve some subclasses by @​EliahKagan in gitpython-developers/GitPython#1780
• Revert "Don't install black on Cygwin" by @​EliahKagan in gitpython-developers/GitPython#1783
• Add missing pip in $PATH on Cygwin CI by @​EliahKagan in gitpython-developers/GitPython#1784
• Shorten Iterable docstrings and put IterableObj first by @​EliahKagan in gitpython-developers/GitPython#1785
• Fix incompletely revised Iterable/IterableObj docstrings by @​EliahKagan in gitpython-developers/GitPython#1786
• Pre-deprecate setting Git.USE_SHELL by @​EliahKagan in gitpython-developers/GitPython#1782

... (truncated)

Commits

• f288738 bump patch level
• ef3192c Merge pull request #1792 from EliahKagan/popen
• 1f3caa3 Further clarify comment in test_hook_uses_shell_not_from_cwd
• 3eb7c2a Move safer_popen from git.util to git.cmd
• c551e91 Extract shared logic for using Popen safely on Windows
• 15ebb25 Clarify comment in test_hook_uses_shell_not_from_cwd
• f44524a Avoid spurious "location may have moved" on Windows
• a42ea0a Cover absent/no-distro bash.exe in hooks "not from cwd" test
• 7751436 Extract venv management from test_installation
• 66ff4c1 Omit CWD in search for bash.exe to run hooks on Windows
• Additional commits viewable in compare view

Updates idna from 3.3 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

3.6 (2023-11-25) ++++++++++++++++

• Fix regression to include tests in source distribution.

3.5 (2023-11-24) ++++++++++++++++

• Update to Unicode 15.1.0
• String codec name is now "idna2008" as overriding the system codec "idna" was not working.
• Fix typing error for codec encoding
• "setup.cfg" has been added for this release due to some downstream lack of adherence to PEP 517. Should be removed in a future release so please prepare accordingly.
• Removed reliance on a symlink for the "idna-data" tool to comport with PEP 517 and the Python Packaging User Guide for sdist archives.
• Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions to this release.

3.4 (2022-09-14) ++++++++++++++++

• Update to Unicode 15.0.0
• Migrate to pyproject.toml for build information (PEP 621)
• Correct another instance where generic exception was raised instead of IDNAError for malformed input
• Source distribution uses zeroized file ownership for improved reproducibility

Thanks to Seth Michael Larson for contributions to this release.

Commits

• 1d365e1 Release v3.7
• c1b3154 Merge pull request #172 from kjd/optimize-contextj
• 0394ec7 Merge branch 'master' into optimize-contextj
• cd58a23 Merge pull request #152 from elliotwutingfeng/dev
• 5beb28b More efficient resolution of joiner contexts
• 1b12148 Update ossf/scorecard-action to v2.3.1
• d516b87 Update Github actions/checkout to v4
• c095c75 Merge branch 'master' into dev
• 60a0a4c Fix typo in GitHub Actions workflow key
• 5918a0e Merge branch 'master' into dev
• Additional commits viewable in compare view

Updates pyjwt from 2.3.0 to 2.4.0

Release notes

Sourced from pyjwt's releases.

2.4.0

Security

• [CVE-2022-29217] Prevent key confusion through non-blocklisted public key formats. GHSA-ffqj-6fqr-9h24

What's Changed

• Add support for Python 3.10 by @​hugovk in jpadilla/pyjwt#699
• Don't use implicit optionals by @​rekyungmin in jpadilla/pyjwt#705
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#708
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#710
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#711
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#712
• documentation fix: show correct scope for decode_complete() by @​sseering in jpadilla/pyjwt#661
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#716
• Explicit check the key for ECAlgorithm by @​estin in jpadilla/pyjwt#713
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#720
• api_jwk: Add PyJWKSet.getitem by @​woodruffw in jpadilla/pyjwt#725
• Update usage.rst by @​guneybilen in jpadilla/pyjwt#727
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#728
• fix: Update copyright information by @​kkirsche in jpadilla/pyjwt#729
• Docs: mention performance reasons for reusing RSAPrivateKey when encoding by @​dmahr1 in jpadilla/pyjwt#734
• Fixed typo in usage.rst by @​israelabraham in jpadilla/pyjwt#738
• Add detached payload support for JWS encoding and decoding by @​fviard in jpadilla/pyjwt#723
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#740
• Raise DeprecationWarning for jwt.decode(verify=...) by @​akx in jpadilla/pyjwt#742
• Don't mutate options dictionary in .decode_complete() by @​akx in jpadilla/pyjwt#743
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in jpadilla/pyjwt#748
• Replace various string interpolations with f-strings by @​akx in jpadilla/pyjwt#744
• Update CHANGELOG.rst by @​hipertracker in jpadilla/pyjwt#751

New Contributors

• @​hugovk made their first contribution in jpadilla/pyjwt#699
• @​rekyungmin made their first contribution in jpadilla/pyjwt#705
• @​sseering made their first contribution in jpadilla/pyjwt#661
• @​estin made their first contribution in jpadilla/pyjwt#713
• @​woodruffw made their first contribution in jpadilla/pyjwt#725
• @​guneybilen made their first contribution in jpadilla/pyjwt#727
• @​dmahr1 made their first contribution in jpadilla/pyjwt#734
• @​israelabraham made their first contribution in jpadilla/pyjwt#738
• @​fviard made their first contribution in jpadilla/pyjwt#723
• @​akx made their first contribution in jpadilla/pyjwt#742
• @​hipertracker made their first contribution in jpadilla/pyjwt#751

Full Changelog: jpadilla/pyjwt@2.3.0...2.4.0

Changelog

Sourced from pyjwt's changelog.

v2.4.0 <https://github.com/jpadilla/pyjwt/compare/2.3.0...2.4.0>__

Security

- [CVE-2022-29217] Prevent key confusion through non-blocklisted public key formats. https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24
Changed

- Explicit check the key for ECAlgorithm by @estin in `[#713](https://github.com/jpadilla/pyjwt/issues/713) <https://github.com/jpadilla/pyjwt/pull/713>`__
- Raise DeprecationWarning for jwt.decode(verify=...) by @akx in `[#742](https://github.com/jpadilla/pyjwt/issues/742) <https://github.com/jpadilla/pyjwt/pull/742>`__
Fixed

- Don't use implicit optionals by @rekyungmin in `[#705](https://github.com/jpadilla/pyjwt/issues/705) <https://github.com/jpadilla/pyjwt/pull/705>`__
- documentation fix: show correct scope for decode_complete() by @sseering in `[#661](https://github.com/jpadilla/pyjwt/issues/661) <https://github.com/jpadilla/pyjwt/pull/661>`__
- fix: Update copyright information by @kkirsche in `[#729](https://github.com/jpadilla/pyjwt/issues/729) <https://github.com/jpadilla/pyjwt/pull/729>`__
- Don't mutate options dictionary in .decode_complete() by @akx in `[#743](https://github.com/jpadilla/pyjwt/issues/743) <https://github.com/jpadilla/pyjwt/pull/743>`__

Added


Add support for Python 3.10 by @hugovk in [#699](https://github.com/jpadilla/pyjwt/issues/699) <https://github.com/jpadilla/pyjwt/pull/699>__
api_jwk: Add PyJWKSet.getitem by @woodruffw in [#725](https://github.com/jpadilla/pyjwt/issues/725) <https://github.com/jpadilla/pyjwt/pull/725>__
Update usage.rst by @guneybilen in [#727](https://github.com/jpadilla/pyjwt/issues/727) <https://github.com/jpadilla/pyjwt/pull/727>__
Docs: mention performance reasons for reusing RSAPrivateKey when encoding by @dmahr1 in [#734](https://github.com/jpadilla/pyjwt/issues/734) <https://github.com/jpadilla/pyjwt/pull/734>__
Fixed typo in usage.rst by @israelabraham in [#738](https://github.com/jpadilla/pyjwt/issues/738) <https://github.com/jpadilla/pyjwt/pull/738>__
Add detached payload support for JWS encoding and decoding by @fviard in [#723](https://github.com/jpadilla/pyjwt/issues/723) <https://github.com/jpadilla/pyjwt/pull/723>__
Replace various string interpolations with f-strings by @akx in [#744](https://github.com/jpadilla/pyjwt/issues/744) <https://github.com/jpadilla/pyjwt/pull/744>__
Update CHANGELOG.rst by @hipertracker in [#751](https://github.com/jpadilla/pyjwt/issues/751) <https://github.com/jpadilla/pyjwt/pull/751>__

</code></pre>

</blockquote>

</details>

<details>

<summary>Commits</summary>

<ul>

<li><a href="https://github.com/jpadilla/pyjwt/commit/83ff831a4d11190e3a0bed781da43f8d84352653&quot;&gt;&lt;code&gt;83ff831&lt;/code&gt;&lt;/a> chore: update changelog</li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/4c1ce8fd9019dd312ff257b5141cdb6d897379d9&quot;&gt;&lt;code&gt;4c1ce8f&lt;/code&gt;&lt;/a> chore: update changelog</li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/96f3f0275745c5a455c019a0d3476a054980e8ea&quot;&gt;&lt;code&gt;96f3f02&lt;/code&gt;&lt;/a> fix: failing advisory test</li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc&quot;&gt;&lt;code&gt;9c52867&lt;/code&gt;&lt;/a> Merge pull request from GHSA-ffqj-6fqr-9h24</li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/24b29adfebcb4f057a3cef5aaf35653bc0c1c8cc&quot;&gt;&lt;code&gt;24b29ad&lt;/code&gt;&lt;/a> Update CHANGELOG.rst (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/751&quot;&gt;#751&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/31f5acb8fb3ec6cdfe2b1b0a4a8f329b5f3ca67f&quot;&gt;&lt;code&gt;31f5acb&lt;/code&gt;&lt;/a> Replace various string interpolations with f-strings (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/744&quot;&gt;#744&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/5581a31c21de70444c1162bcfa29f7e0fc86edda&quot;&gt;&lt;code&gt;5581a31&lt;/code&gt;&lt;/a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/748&quot;&gt;#748&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/3d4d82248f1120c87f1f4e0e8793eaa1d54843a6&quot;&gt;&lt;code&gt;3d4d822&lt;/code&gt;&lt;/a> Don't mutate options dictionary in .decode_complete() (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/743&quot;&gt;#743&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/1f1fe15bb41846c602b3e106176b2c692b93a613&quot;&gt;&lt;code&gt;1f1fe15&lt;/code&gt;&lt;/a> Add a deprecation warning when jwt.decode() is called with the legacy verify=...</li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/35fa28e59d99b99c6a780d2a029a74d6bbba8b1e&quot;&gt;&lt;code&gt;35fa28e&lt;/code&gt;&lt;/a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/740&quot;&gt;#740&lt;/a&gt;)&lt;/li>

<li>Additional commits viewable in <a href="https://github.com/jpadilla/pyjwt/compare/2.3.0...2.4.0&quot;&gt;compare view</a></li>

</ul>

</details>
<br />


Updates requests from 2.27.1 to 2.32.4

Release notes
Sourced from requests's releases.

v2.32.4
2.32.4 (2025-06-10)
Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file. (#6965)

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS. (#6926)
Dropped support for pypy 3.9 following its end of support. (#6926)

v2.32.3
2.32.3 (2024-05-29)
Bugfixes

Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (#6716)
Fixed issue where Requests started failing to run on Python versions compiled
without the ssl module. (#6724)

v2.32.2
2.32.2 (2024-05-21)
Deprecations


To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed _get_connection to
a new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of Requests>=2.32.0.
A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)


v2.32.1
2.32.1 (2024-05-20)
Bugfixes

Add missing test certs to the sdist distributed on PyPI.

v2.32.0
2.32.0 (2024-05-20)


... (truncated)


Changelog
Sourced from requests's changelog.

2.32.4 (2025-06-10)
Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file.

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS.
Dropped support for pypy 3.9 following its end of support.

2.32.3 (2024-05-29)
Bugfixes

Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (#6716)
Fixed issue where Requests started failing to run on Python versions compiled
without the ssl module. (#6724)

2.32.2 (2024-05-21)
Deprecations


To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed _get_connection to
a new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of Requests>=2.32.0.
A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)


2.32.1 (2024-05-20)
Bugfixes

Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)
Security


... (truncated)


Commits

021dc72 Polish up release tooling for last manual release
821770e Bump version and add release notes for v2.32.4
59f8aa2 Add netrc file search information to authentication documentation (#6876)
5b4b64c Add more tests to prevent regression of CVE 2024 47081
7bc4587 Add new test to check netrc auth leak (#6962)
96ba401 Only use hostname to do netrc lookup instead of netloc
7341690 Merge pull request #6951 from tswast/patch-1
6716d7c remove links
a7e1c74 Update docs/conf.py
c799b81 docs: fix dead links to kenreitz.org
Additional commits viewable in compare view




Updates urllib3 from 1.26.9 to 2.6.0

Release notes
Sourced from urllib3's releases.

2.6.0
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Security

Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @​Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)
Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @​illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)


[!IMPORTANT]

If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to  benefit from the security fixes and avoid warnings. Prefer using  urllib3[brotli] to install a compatible Brotli package automatically.
If you use custom decompressors, please make sure to update them to  respect the changed API of urllib3.response.ContentDecoder.


Features

Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. (#3653)
Added host and port information to string representations of HTTPConnection. (#3666)
Added support for Python 3.14 free-threading builds explicitly. (#3696)

Removals

Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers. Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). (#3622)

Bugfixes

Fixed redirect handling in urllib3.PoolManager when an integer is passed for the retries parameter. (#3649)
Fixed HTTPConnectionPool when used in Emscripten with no explicit port. (#3664)
Fixed handling of SSLKEYLOGFILE with expandable variables. (#3700)

Misc

Changed the zstd extra to install backports.zstd instead of zstandard on Python 3.13 and before. (#3693)
Improved the performance of content decoding by optimizing BytesQueueBuffer class. (#3710)
Allowed building the urllib3 package with newer setuptools-scm v9.x. (#3652)
Ensured successful urllib3 builds by setting Hatchling requirement to ≥ 1.27.0. (#3638)

2.5.0
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.


... (truncated)


Changelog
Sourced from urllib3's changelog.

2.6.0 (2025-12-05)
Security

Fixed a security issue where streaming API could improperly handle highly
compressed HTTP content ("decompression bombs") leading to excessive resource
consumption even when a small amount of data was requested. Reading small
chunks of compressed data is safer and much more efficient now.
(GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
Fixed a security issue where an attacker could compose an HTTP response with
virtually unlimited links in the Content-Encoding header, potentially
leading to a denial of service (DoS) attack by exhausting system resources
during decoding. The number of allowed chained encodings is now limited to 5.
(GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::


If urllib3 is not installed with the optional urllib3[brotli] extra, but
your environment contains a Brotli/brotlicffi/brotlipy package anyway, make
sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to
benefit from the security fixes and avoid warnings. Prefer using
urllib3[brotli] to install a compatible Brotli package automatically.


If you use custom decompressors, please make sure to update them to
respect the changed API of urllib3.response.ContentDecoder.


Features

Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. ([#3653](https://github.com/urllib3/urllib3/issues/3653) <https://github.com/urllib3/urllib3/issues/3653>__)
Added host and port information to string representations of HTTPConnection. ([#3666](https://github.com/urllib3/urllib3/issues/3666) <https://github.com/urllib3/urllib3/issues/3666>__)
Added support for Python 3.14 free-threading builds explicitly. ([#3696](https://github.com/urllib3/urllib3/issues/3696) <https://github.com/urllib3/urllib3/issues/3696>__)

Removals

Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers.
Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). ([#3622](https://github.com/urllib3/urllib3/issues/3622) <https://github.com/urllib3/urllib3/issues/3622>__)

Bugfixes

Fixed redirect handling in urllib3.PoolManager when an integer is passed
for the retries parameter. ([#3649](https://github.com/urllib3/urllib3/issues/3649) <https://github.com/urllib3/urllib3/issues/3649>__)
Fixed HTTPConnectionPool when used in Emscripten with no explicit port. ([#3664](https://github.com/urllib3/urllib3/issues/3664) <https://github.com/urllib3/urllib3/issues/3664>__)
Fixed handling of SSLKEYLOGFILE with expandable variables. ([#3700](https://github.com/urllib3/urllib3/issues/3700) <https://github.com/urllib3/urllib3/issues/3700>__)



... (truncated)


Commits

720f484 Release 2.6.0
24d7b67 Merge commit from fork
c19571d Merge commit from fork
816fcf0 Bump actions/setup-python from 6.0.0 to 6.1.0 (#3725)
18af0a1 Improve speed of BytesQueueBuffer.get() by using memoryview (#3711)
1f6abac Bump versions of pre-commit hooks (#3716)
1c8fbf7 Bump actions/checkout from 5.0.0 to 6.0.0 (#3722)
7784b9e Add Python 3.15 to CI (#3717)
0241c9e Updated docs to reflect change in optional zstd dependency from zstandard t...
7afcabb Expand environment variable of SSLKEYLOGFILE (#3705)
Additional commits viewable in compare view




Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options


You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.