Bump the uv group across 1 directory with 10 updates

[dependabot]

Bumps the uv group with 10 updates in the / directory:

Package	From	To
agno	2.2.1	2.2.2
cryptography	46.0.3	46.0.5
filelock	3.20.0	3.20.3
nbconvert	7.16.6	7.17.0
pyasn1	0.6.1	0.6.2
python-multipart	0.0.20	0.0.22
starlette	0.47.2	0.49.1
urllib3	2.5.0	2.6.3
werkzeug	3.1.3	3.1.5
wheel	0.45.1	0.46.2

Updates agno from 2.2.1 to 2.2.2

Release notes

Sourced from agno's releases.

v2.2.2

Changelog

New Features:

• LLM Response Caching: You can now cache model responses by setting cache_response=True on the model class. Useful to reduce costs and speed-up development and testing scenarios. See the docs for more details.
• Support for Async SQLite: You can now use your SQLite databases asynchronously, with the AsyncSqliteDb class. See the docs.
• Support for Claude Skills: You can now use Claude's native skills for enhanced reasoning, code execution, and tool interactions. See some examples.
• Support for Tavily Extract API: Agents can now use TavilyReader for knowledge base integration and TavilyTools for enhanced URL content extraction with full async support.

Improvements:

• Storage for cancelled runs: Improved the persistence of content when a run cancellation happens.
• summary_request_message on SessionSummaryManager: This allows you to override the user instruction given to the LLM when generating session summaries.
• Team Model Inheritance: Team members automatically inherit models from their parent team when no model is specified. This applies to model, reasoning_model, parser_model, and output_model.
• Automatic MCP Connection: Now you can simply pass MCPTools and MultiMCPTools to your Agent or Team and the connection lifecycle will be handled automatically. This does mean it will connect and reconnect on each run. See the docs for best practices.
• Refresh MCP: Added refresh_connection on MCPTools and MultiMCPTools that allows connections to be refreshed. See the docs.

Bug Fixes:

• Tool State: Fixed issues related to state being stale on tools attached to agents. Agent/Team tools are now correctly handled across multiple concurrent runs (e.g. via AgentOS).
• Team sessions with JsonDb: Fix and issue getting Team sessions with nested Agent runs inside when using the JsonDb or GCSJsonDb database implementations
• Team sessions with async databases: Fix a problem persisting sessions in certain scenarios when using a Team with an asynchronous database driver.
• Sending media to model flag in Team: Pass down the send_media_to_model flag set on Team to its member agents.
• File Input in Workflows: Fixed file input breaking issue, it is now passed down to .run and .arun properly
• Async database usage when continuing a paused run: Fixed a bug when using an asynchronous database and continuing a stopped run.
• Media Reconstruction in a session: Fix to correctly read the media from db and handle reconstruction between bytes and base64 properly.
• Avoid empty memories: Fix an edge case where an Agent with access to user memories could create empty memories.

What's Changed

• fix: remove unnecessary hydration from Json db implementations by @​Mustafa-Esoofally in agno-agi/agno#5159
• feat: add LLM model response caching by @​uzaxirr in agno-agi/agno#5138
• fix: Await async save in Team._acleanup_and_store() to prevent history race condition by @​SamJupe in agno-agi/agno#5174
• chore: agent run cancel persist data in db by @​kausmeows in agno-agi/agno#5176
• feat: Makes the summary message prompt editable by @​peter-mw in agno-agi/agno#5152
• fix: Update Elevenlabs toolkit by @​Mustafa-Esoofally in agno-agi/agno#5178
• feat: added Tavily Reader and Enhanced Tavily Tool with extract by @​uzaxirr in agno-agi/agno#4983
• fix: pass send_media_to_model from Team to its members by @​kausmeows in agno-agi/agno#5199
• chore: send_media_to_model Team cleanup by @​kausmeows in agno-agi/agno#5202
• fix: files support in workflows by @​kausmeows in agno-agi/agno#5203
• Update cookbooks by @​ashpreetbedi in agno-agi/agno#5205
• feat: Add Claude Agent Skills integration by @​uzaxirr in agno-agi/agno#5119
• [feat] Enable team model inheritance to member agents [SDK-238] by @​harshsinha03 in agno-agi/agno#5207
• feat: support async sqlite by @​manuhortet in agno-agi/agno#5156
• fix: support async databases in async run continuation scenarios by @​niradler in agno-agi/agno#5206
• fix: correctly read the media in same session by @​kausmeows in agno-agi/agno#5212
• fix: Tool definition instantiation by @​dirkbrnd in agno-agi/agno#5158
• fix: handle empty memories in the OS API by @​manuhortet in agno-agi/agno#5209
• fix: MCP refreshing and connection handling by @​dirkbrnd in agno-agi/agno#5181
• fix: Convenience functions that break with async DB by @​dirkbrnd in agno-agi/agno#5183

... (truncated)

Commits

• See full diff in compare view

Updates cryptography from 46.0.3 to 46.0.5

Changelog

Sourced from cryptography's changelog.

46.0.5 - 2026-02-10

* An attacker could create a malicious public key that reveals portions of your
  private key when using certain uncommon elliptic curves (binary curves).
  This version now includes additional security checks to prevent this attack.
  This issue only affects binary elliptic curves, which are rarely used in
  real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
  Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
  **CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
  removed in the next release.
.. v46-0-4:
46.0.4 - 2026-01-27

• Dropped support for win_arm64 wheels_.
• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

.. _v46-0-3:

Commits

• 06e120e bump version for 46.0.5 release (#14289)
• 0eebb9d EC check key on cofactor > 1 (#14287)
• bedf6e1 fix openssl version on 46 branch (#14220)
• e6f44fc bump for 46.0.4 and drop win arm64 due to CI issues (#14217)
• See full diff in compare view

Updates filelock from 3.20.0 to 3.20.3

Release notes

Sourced from filelock's releases.

3.20.3

What's Changed

• Fix TOCTOU symlink vulnerability in SoftFileLock by @​gaborbernat in tox-dev/filelock#465

Full Changelog: tox-dev/filelock@3.20.2...3.20.3

3.20.2

What's Changed

• Support Unix systems without O_NOFOLLOW by @​mwilliamson in tox-dev/filelock#463
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/filelock#464

New Contributors

• @​mwilliamson made their first contribution in tox-dev/filelock#463

Full Changelog: tox-dev/filelock@3.20.1...3.20.2

3.20.1

What's Changed

• CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation by @​gaborbernat in tox-dev/filelock#461

Full Changelog: tox-dev/filelock@3.20.0...3.20.1

Changelog

Sourced from filelock's changelog.

########### Changelog ###########

---

3.24.2 (2026-02-16)

---

• 🐛 fix(rw): close sqlite3 cursors and skip SoftFileLock Windows race :pr:491
• 🐛 fix(test): resolve flaky write non-starvation test :pr:490
• 📝 docs: restructure using Diataxis framework :pr:489

---

3.24.1 (2026-02-15)

---

• 🐛 fix(soft): resolve Windows deadlock and test race condition :pr:488

---

3.24.0 (2026-02-14)

---

• ✨ feat(lock): add lifetime parameter for lock expiration (#68) :pr:486
• ✨ feat(lock): add cancel_check to acquire (#309) :pr:487
• 🐛 fix(api): detect same-thread self-deadlock :pr:481
• ✨ feat(mode): respect POSIX default ACLs (#378) :pr:483
• 🐛 fix(win): eliminate lock file race in threaded usage :pr:484
• ✨ feat(lock): add poll_interval to constructor :pr:482
• 🐛 fix(unix): auto-fallback to SoftFileLock on ENOSYS :pr:480

---

3.23.0 (2026-02-14)

---

• 📝 docs: move from Unlicense to MIT :pr:479
• 📝 docs: add fasteners to similar libraries :pr:478

---

3.22.0 (2026-02-14)

---

• 🐛 fix(soft): skip stale detection on Windows :pr:477
• ✨ feat(soft): detect and break stale locks :pr:476

---

3.21.2 (2026-02-13)

---

• 🐛 fix: catch ImportError for missing sqlite3 C library :pr:475

... (truncated)

Commits

• 41b42dd Fix TOCTOU symlink vulnerability in SoftFileLock (#465)
• f2e7d40 [pre-commit.ci] pre-commit autoupdate (#464)
• 5088854 Support Unix systems without O_NOFOLLOW (#463)
• 377f622 [pre-commit.ci] pre-commit autoupdate (#460)
• 4724d7f Fix TOCTOU symlink vulnerability in lock file creation (#461)
• cb69414 Bump actions/upload-artifact from 5 to 6 (#459)
• 0769294 Bump actions/download-artifact from 6 to 7 (#458)
• 414193a [pre-commit.ci] pre-commit autoupdate (#457)
• 1456797 [pre-commit.ci] pre-commit autoupdate (#456)
• 8d6bf90 Bump actions/checkout from 5 to 6 (#455)
• Additional commits viewable in compare view

Updates nbconvert from 7.16.6 to 7.17.0

Release notes

Sourced from nbconvert's releases.

v7.17.0

7.17.0

(Full Changelog)

Enhancements made

• Add support for arbitrary browser arguments #2227 (@​shreve, @​Carreau, @​krassowski)

Bugs fixed

• Fix QtPNGExporter returning empty bytes on macOS #2264 (@​h3pdesign, @​Carreau, @​QuLogic)
• Fix CVE-2025-53000: Secure Inkscape Windows path (registry first + block CWD) #2261 (@​h3pdesign, @​krassowski, @​mberlanda, @​minrk, @​salmankadaya, @​th3gowtham)
• Fix get_export_names and get_exporter default args #2228 (@​shreve, @​krassowski)
• PyPA-Compliant Summary #2226 (@​hackowitz-af, @​Carreau)

Maintenance and upkeep improvements

• avoid cov environment on free-threaded Pythons #2267 (@​minrk)
• update pre-commit, and fix all issues. #2238 (@​Carreau)
• Drop test on 3.9, test on 3.13, 3.14, 3.14t #2237 (@​Carreau)
• Bump the actions group across 1 directory with 2 updates #2231 (@​Carreau, @​krassowski)
• Replace @flaky.flaky decorate with pytest marker #2229 (@​mgorny, @​Carreau)
• update to mermaid 11.10.0 #2224 (@​bollwyvl, @​krassowski)
• Drop support for Python 3.8, fix the CI tests #2221 (@​shreve, @​minrk)

Documentation improvements

• Use intersphinx_registry #2232 (@​Carreau, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​bollwyvl (activity) | @​Carreau (activity) | @​h3pdesign (activity) | @​hackowitz-af (activity) | @​krassowski (activity) | @​mberlanda (activity) | @​mgorny (activity) | @​minrk (activity) | @​MSeal (activity) | @​QuLogic (activity) | @​salmankadaya (activity) | @​shreve (activity) | @​th3gowtham (activity)

Changelog

Sourced from nbconvert's changelog.

7.17.0

(Full Changelog)

Enhancements made

• Add support for arbitrary browser arguments #2227 (@​shreve, @​Carreau, @​krassowski)

Bugs fixed

• Fix QtPNGExporter returning empty bytes on macOS #2264 (@​h3pdesign, @​Carreau, @​QuLogic)
• Fix CVE-2025-53000: Secure Inkscape Windows path (registry first + block CWD) #2261 (@​h3pdesign, @​krassowski, @​mberlanda, @​minrk, @​salmankadaya, @​th3gowtham)
• Fix get_export_names and get_exporter default args #2228 (@​shreve, @​krassowski)
• PyPA-Compliant Summary #2226 (@​hackowitz-af, @​Carreau)

Maintenance and upkeep improvements

• avoid cov environment on free-threaded Pythons #2267 (@​minrk)
• update pre-commit, and fix all issues. #2238 (@​Carreau)
• Drop test on 3.9, test on 3.13, 3.14, 3.14t #2237 (@​Carreau)
• Bump the actions group across 1 directory with 2 updates #2231 (@​Carreau, @​krassowski)
• Replace @flaky.flaky decorate with pytest marker #2229 (@​mgorny, @​Carreau)
• update to mermaid 11.10.0 #2224 (@​bollwyvl, @​krassowski)
• Drop support for Python 3.8, fix the CI tests #2221 (@​shreve, @​minrk)

Documentation improvements

• Use intersphinx_registry #2232 (@​Carreau, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​bollwyvl (activity) | @​Carreau (activity) | @​h3pdesign (activity) | @​hackowitz-af (activity) | @​krassowski (activity) | @​mberlanda (activity) | @​mgorny (activity) | @​minrk (activity) | @​MSeal (activity) | @​QuLogic (activity) | @​salmankadaya (activity) | @​shreve (activity) | @​th3gowtham (activity)

Commits

• 21b35d8 Publish 7.17.0
• c9ac1d1 Fix CVE-2025-53000: Secure Inkscape Windows path (registry first + block CWD)...
• b13276d avoid cov environment on free-threaded Pythons (#2267)
• 7c7055f [pre-commit.ci] auto fixes from pre-commit.com hooks
• 74f3ddd Fix QtPNGExporter returning empty bytes on macOS
• 216550b fix links
• 39777ac try to comment fialing test
• 7b591ca ruff-check
• 6ec7638 parent
• 59414b3 fix mypy
• Additional commits viewable in compare view

Updates pyasn1 from 0.6.1 to 0.6.2

Release notes

Sourced from pyasn1's releases.

Release 0.6.2

It's a minor release.

• Fixed continuation octet limits in OID/RELATIVE-OID decoder (CVE-2026-23490).
• Added support for Python 3.14.
• Added SECURITY.md policy.
• Migrated to pyproject.toml packaging.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.2, released 16-01-2026

• CVE-2026-23490 (GHSA-63vm-454h-vhhq): Fixed continuation octet limits in OID/RELATIVE-OID decoder (thanks to tsigouris007)
• Added support for Python 3.14 [pr #97](pyasn1/pyasn1#97)
• Added SECURITY.md policy
• Fixed unit tests failing due to missing code [issue #91](pyasn1/pyasn1#91) [pr #92](pyasn1/pyasn1#92)
• Migrated to pyproject.toml packaging [pr #90](pyasn1/pyasn1#90)

Commits

• e7356f8 Prepare release 0.6.2
• 3908f14 Merge commit from fork
• 0a7e067 Add support for Python 3.14 (#97)
• 33656e9 Create Security Policy
• fa62307 fix for issue #91: unit tests failing due to missing code (#92)
• f1ed02e Package pyasn1 with pyproject.toml (#90)
• 93c4d4f Switch documentation user to pyasn1 (#89)
• See full diff in compare view

Updates python-multipart from 0.0.20 to 0.0.22

Release notes

Sourced from python-multipart's releases.

Version 0.0.22

What's Changed

• Drop directory path from filename in File 9433f4b.

---

Full Changelog: Kludex/python-multipart@0.0.21...0.0.22

Version 0.0.21

What's Changed

• Add support for Python 3.14 and drop EOL 3.8 and 3.9 by @​hugovk in Kludex/python-multipart#216

New Contributors

• @​waketzheng made their first contribution in Kludex/python-multipart#203

Full Changelog: Kludex/python-multipart@0.0.20...0.0.21

Changelog

Sourced from python-multipart's changelog.

0.0.22 (2026-01-25)

• Drop directory path from filename in File 9433f4b.

0.0.21 (2025-12-17)

• Add support for Python 3.14 and drop EOL 3.8 and 3.9 #216.

Commits

• bea7bbb Version 0.0.22 (#222)
• 0fb59a9 chore: add return type on test (#221)
• 9433f4b Merge commit from fork
• d5c91ec Bump the github-actions group with 2 updates (#219)
• 5a90631 bump uv (#218)
• 1f72955 Version 0.0.21 (#217)
• 47ecfed Add support for Python 3.14 and drop EOL 3.8 and 3.9 (#216)
• f18b709 Bump the github-actions group across 1 directory with 4 updates (#214)
• b388e9a chore: use depedency-groups in pyproject.toml (#212)
• 6113e75 Bump the github-actions group across 1 directory with 3 updates (#210)
• Additional commits viewable in compare view

Updates starlette from 0.47.2 to 0.49.1

Release notes

Sourced from starlette's releases.

Version 0.49.1

This release fixes a security vulnerability in the parsing logic of the Range header in FileResponse.

You can view the full security advisory: GHSA-7f5h-v6xp-fcq8

Fixed

• Optimize the HTTP ranges parsing logic 4ea6e22b489ec388d6004cfbca52dd5b147127c5

---

Full Changelog: Kludex/starlette@0.49.0...0.49.1

Version 0.49.0

Added

• Add encoding parameter to Config class #2996.
• Support multiple cookie headers in Request.cookies #3029.
• Use Literal type for WebSocketEndpoint encoding values #3027.

Changed

• Do not pollute exception context in Middleware when using BaseHTTPMiddleware #2976.

---

New Contributors

• @​TheWesDias made their first contribution in Kludex/starlette#3017
• @​gmos2104 made their first contribution in Kludex/starlette#3027
• @​secrett2633 made their first contribution in Kludex/starlette#2996
• @​adam-sikora made their first contribution in Kludex/starlette#2976

Full Changelog: Kludex/starlette@0.48.0...0.49.0

Version 0.48.0

Added

• Add official Python 3.14 support #3013.

Changed

• Implement RFC9110 http status names #2939.

---

New Contributors

• @​yakimka made their first contribution in Kludex/starlette#2943
• @​mbeijen made their first contribution in Kludex/starlette#2939

Full Changelog: Kludex/starlette@0.47.3...0.48.0

... (truncated)

Changelog

Sourced from starlette's changelog.

0.49.1 (October 28, 2025)

This release fixes a security vulnerability in the parsing logic of the Range header in FileResponse.

You can view the full security advisory: GHSA-7f5h-v6xp-fcq8

Fixed

• Optimize the HTTP ranges parsing logic 4ea6e22b489ec388d6004cfbca52dd5b147127c5

0.49.0 (October 28, 2025)

Added

• Add encoding parameter to Config class #2996.
• Support multiple cookie headers in Request.cookies #3029.
• Use Literal type for WebSocketEndpoint encoding values #3027.

Changed

• Do not pollute exception context in Middleware when using BaseHTTPMiddleware #2976.

0.48.0 (September 13, 2025)

Added

• Add official Python 3.14 support #3013.

Changed

• Implement RFC9110 http status names #2939.

0.47.3 (August 24, 2025)

Fixed

• Use asyncio.iscoroutinefunction for Python 3.12 and older #2984.

Commits

• 7e4b742 Version 0.49.1 (#3047)
• 4ea6e22 Merge commit from fork
• 7d88ea6 Version 0.49.0 (#3046)
• 26d66bb Do not pollute exception context in Middleware (#2976)
• a59397d Set encodings when reading config files (#2996)
• 3b7f0cb test: add test for unknown status (#3035)
• b09ce1a docs: fix legibility issues on sponsorship page (#3039)
• 0f0edcf Revert "Add Marcelo Trylesinski to the license (#3025)" (#3044)
• 3912d63 docs: add social icons (#3038)
• 4915a93 Add discord to README/docs (#3034)
• Additional commits viewable in compare view

Updates urllib3 from 2.5.0 to 2.6.3

Release notes

Sourced from urllib3's releases.

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by @​D47A, 8.9 High, GHSA-38jv-5279-wg99)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. (urllib3/urllib3#3743)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. (urllib3/urllib3#3752)

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)

2.6.1

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. (#3731)

2.6.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @​Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @​illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)

[!IMPORTANT]

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.

... (truncated)

Changelog

Sourced from urllib3's changelog.

2.6.3 (2026-01-07)

• Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. ([#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743>__)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. ([#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752>__)

2.6.2 (2025-12-11)

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. ([#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734>__)

2.6.1 (2025-12-08)

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. ([#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731>__)

2.6.0 (2025-12-05)

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using

... (truncated)

Commits

• 0248277 Release 2.6.3
• 8864ac4 Merge commit from fork
• 70cecb2 Fix Scorecard issues related to vulnerable dev dependencies (#3755)
• 41f249a Move "v2.0 Migration Guide" to the end of the table of contents (#3747)
• fd4dffd Patch VerifiedHTTPSConnection for Emscripten (#3752)
• 13f0bfd Handle massive values in Retry-After when calculating time to sleep for (#3743)
• 8c480bf Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#3748)
• 4b40616 Bump actions/cache from 4.3.0 to 5.0.1 (#3750)
• 82b8479 Bump actions/download-artifact from 6.0.0 to 7.0.0 (#3749)
• 34284cb Mention experimental features in the security policy (#3746)
• Additional commits viewable in compare view

Updates werkzeug from 3.1.3 to 3.1.5

Release notes

Sourced from werkzeug's releases.

3.1.5

This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.5/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-5 Milestone: https://github.com/pallets/werkzeug/milestone/43?closed=1

• safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. GHSA-87hc-h4r5-73f7
• The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. #3065 #3077
• Fix AttributeError when initializing DebuggedApplication with pin_security=False. #3075

3.1.4

This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.4/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-4 Milestone: https://github.com/pallets/werkzeug/milestone/42?closed=1<...

Description has been truncated