build(deps): Bump the python-packages group across 1 directory with 12 updates

[dependabot]

Bumps the python-packages group with 12 updates in the / directory:

Package	From	To
certifi	2025.8.3	2025.11.12
charset-normalizer	3.4.3	3.4.4
docutils	0.22	0.22.3
idna	3.10	3.11
markupsafe	3.0.2	3.0.3
numpy	2.2.1	2.3.5
requests	2.32.4	2.32.5
ruamel-yaml	0.18.14	0.18.16
ruamel-yaml-clib	0.2.12	0.2.15
serpent	1.41	1.42
sphinx	8.1.3	9.0.4
urllib3	2.5.0	2.6.0

Updates certifi from 2025.8.3 to 2025.11.12

Commits

• 37ea150 2025.11.12 (#375)
• 2fa50bb Bump actions/upload-artifact from 4.6.2 to 5.0.0 (#374)
• 6cadb53 Bump actions/download-artifact from 5.0.0 to 6.0.0 (#373)
• fb14ac4 2025.10.05 (#371)
• 2c7c7ee Add Python 3.14 classifier in setup.py
• 1a5cb7b Bump actions/setup-python from 5.6.0 to 6.0.0 (#367)
• dea5960 Bump pypa/gh-action-pypi-publish from 1.12.4 to 1.13.0 (#366)
• 83566b7 Bump actions/checkout from 4.2.2 to 5.0.0
• ca2e121 Bump actions/download-artifact from 4.3.0 to 5.0.0
• See full diff in compare view

Updates charset-normalizer from 3.4.3 to 3.4.4

Release notes

Sourced from charset-normalizer's releases.

Version 3.4.4

3.4.4 (2025-10-13)

Changed

• Bound setuptools to a specific constraint setuptools>=68,<=81.
• Raised upper bound of mypyc for the optional pre-built extension to v1.18.2

Removed

• setuptools-scm as a build dependency.

Misc

• Enforced hashes in dev-requirements.txt and created ci-requirements.txt for security purposes.
• Additional pre-built wheels for riscv64, s390x, and armv7l architectures.
• Restore multiple.intoto.jsonl in GitHub releases in addition to individual attestation file per wheel.

Changelog

Sourced from charset-normalizer's changelog.

3.4.4 (2025-10-13)

Changed

• Bound setuptools to a specific constraint setuptools>=68,<=81.
• Raised upper bound of mypyc for the optional pre-built extension to v1.18.2

Removed

• setuptools-scm as a build dependency.

Misc

• Enforced hashes in dev-requirements.txt and created ci-requirements.txt for security purposes.
• Additional pre-built wheels for riscv64, s390x, and armv7l architectures.
• Restore multiple.intoto.jsonl in GitHub releases in addition to individual attestation file per wheel.

Commits

• b30ffdc 🔧 fix checksum step in cd.yml
• d3fbfcf 🔧 fix cd.yml
• dafbb95 Release 3.4.4 (#658)
• 1f18ffa ⬆️ raise mypy upper bound to 1.18.2
• ef4ac69 Merge branch 'release-3.4.4' of github.com:jawah/charset_normalizer into rele...
• 4b35dda 📝 write changelog for 3.4.4
• 0ec6452 🔧 update cd.yml workflow (add riscv64, s390x and armv7l)
• f341ede ⬆️ upgrade dependencies (dev, ci)
• a308841 📝 write changelog for 3.4.4
• 9c906da 🔧 update cd.yml workflow (add riscv64, s390x and armv7l)
• Additional commits viewable in compare view

Updates docutils from 0.22 to 0.22.3

Commits

• See full diff in compare view

Updates idna from 3.10 to 3.11

Changelog

Sourced from idna's changelog.

3.11 (2025-10-12)

• Update to Unicode 16.0.0, including significant changes to UTS46 processing. As a result of Unicode ending support for it, transitional processing no longer has an effect and returns the same result.
• Add support for Python 3.14, lowest supported version is Python 3.8.
• Various updates to packaging, including PEP 740 support.

Commits

• ad949ee Release v3.11
• cae4ba7 Second release candidate for 3.11
• 8adb305 Add space in RST link
• 74cb2b6 Release candidate for 3.11
• 05dab09 Format idna-data with ruff
• 90eac78 Apply ruff formatting
• a31ce7e Remove errant test vectors
• 81f0333 Omit vectors known to be broken in test suite
• a0f3257 Merge branch 'master' into unicode-16-uts46-changes
• 38d9886 Remove extra UTS46 test vector
• Additional commits viewable in compare view

Updates markupsafe from 3.0.2 to 3.0.3

Release notes

Sourced from markupsafe's releases.

3.0.3

This is the MarkupSafe 3.0.3 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/MarkupSafe/3.0.3/ Changes: https://markupsafe.palletsprojects.com/page/changes/#version-3-0-3 Milestone: https://github.com/pallets/markupsafe/milestone/15?closed=1

• __version__ raises DeprecationWarning instead of UserWarning. #487
• Adopt multi-phase initialization PEP 489 for the C extension. #494
• Build Windows ARM64 wheels. #485
• Build Python 3.14 wheels. #503
• Build riscv64 wheels. #505

Changelog

Sourced from markupsafe's changelog.

Version 3.0.3

Released 2025-09-27

• __version__ raises DeprecationWarning instead of UserWarning. :issue:487
• Adopt multi-phase initialisation (:pep:489) for the C extension. :issue:494
• Build Windows ARM64 wheels. :issue:485
• Build Python 3.14 wheels. :issue:503
• Build riscv64 wheels. :issue:505

Commits

• 297fc8e release version 3.0.3
• 7e4e6ce Free-threading: run with pytest-run-paralell (#507)
• 6100b9c enable riscv64 wheels (#506)
• c9d5ecf enable riscv64 wheels
• 2f9b337 tox for 3.14
• 78d951a update dev dependencies
• bb6744e add entry
• 65c4134 upgrade cibuildwheel, add cp314 wheels and test on CPython 3.14 (#504)
• 3a9bd88 add cp314 wheels
• aafe44d remove slsa provenance (#501)
• Additional commits viewable in compare view

Updates numpy from 2.2.1 to 2.3.5

Release notes

Sourced from numpy's releases.

2.3.5 (Nov 16, 2025)

NumPy 2.3.5 Release Notes

The NumPy 2.3.5 release is a patch release split between a number of maintenance updates and bug fixes. This release supports Python versions 3.11-3.14.

Contributors

A total of 10 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

• Aaron Kollasch +
• Charles Harris
• Joren Hammudoglu
• Matti Picus
• Nathan Goldbaum
• Rafael Laboissière +
• Sayed Awad
• Sebastian Berg
• Warren Weckesser
• Yasir Ashfaq +

Pull requests merged

A total of 16 pull requests were merged for this release.

• #29979: MAINT: Prepare 2.3.x for further development
• #30026: SIMD, BLD: Backport FPMATH mode on x86-32 and filter successor...
• #30029: MAINT: Backport write_release.py
• #30041: TYP: Various typing updates
• #30059: BUG: Fix np.strings.slice if stop=None or start and stop >= len...
• #30063: BUG: Fix np.strings.slice if start > stop
• #30076: BUG: avoid negating INT_MIN in PyArray_Round implementation (#30071)
• #30090: BUG: Fix resize when it contains references (#29970)
• #30129: BLD: update scipy-openblas, use -Dpkg_config_path (#30049)
• #30130: BUG: Avoid compilation error of wrapper file generated with SWIG...
• #30157: BLD: use scipy-openblas 0.3.30.7 (#30132)
• #30158: DOC: Remove nonexistent order parameter docs of ma.asanyarray...
• #30185: BUG: Fix check of PyMem_Calloc return value. (#30176)
• #30217: DOC: fix links for newly rebuilt numpy-tutorials site
• #30218: BUG: Fix build on s390x with clang (#30214)
• #30237: ENH: Make FPE blas check a runtime check for all apple arm systems

v2.3.4 (Oct 15, 2025)

NumPy 2.3.4 Release Notes

The NumPy 2.3.4 release is a patch release split between a number of maintenance updates and bug fixes. This release supports Python versions 3.11-3.14. This release is based on Python 3.14.0 final.

... (truncated)

Commits

• c3d60fc Merge pull request #30238 from charris/prepare-2.3.5
• 11451fa REL: Prepare for the NumPy 2.3.5 release
• eab5bd4 Merge pull request #30237 from charris/backport-30102
• 7cea31a Fixup merge of multiarraymodule.c
• b898173 Update numpy/_core/src/common/blas_utils.h
• f755483 Report FPE ignoring in matmul in show_runtime()
• c47116f Move test to Python
• bd7b93f ooops, needs to be a calloc of course.
• 83a1517 Guard for HAVE_CBLAS and always compile the helpers
• ab680ef ENH: Make FPE blas check a runtime check for all arm systems
• Additional commits viewable in compare view

Updates requests from 2.32.4 to 2.32.5

Release notes

Sourced from requests's releases.

v2.32.5

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

Changelog

Sourced from requests's changelog.

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

Commits

• b25c87d v2.32.5
• 131e506 Merge pull request #7010 from psf/dependabot/github_actions/actions/checkout-...
• b336cb2 Bump actions/checkout from 4.2.0 to 5.0.0
• 46e939b Update publish workflow to use artifact-id instead of name
• 4b9c546 Merge pull request #6999 from psf/dependabot/github_actions/step-security/har...
• 7618dbe Bump step-security/harden-runner from 2.12.0 to 2.13.0
• 2edca11 Add support for Python 3.14 and drop support for Python 3.8 (#6993)
• fec96cd Update Makefile rules (#6996)
• d58d8aa docs: clarify timeout parameter uses seconds in Session.request (#6994)
• 91a3eab Bump github/codeql-action from 3.28.5 to 3.29.0
• Additional commits viewable in compare view

Updates ruamel-yaml from 0.18.14 to 0.18.16

Updates ruamel-yaml-clib from 0.2.12 to 0.2.15

Updates serpent from 1.41 to 1.42

Release notes

Sourced from serpent's releases.

release 1.42

Release 1.42 for Python:

• added test-requirements.txt

Commits

• f6cb65e version 1.42 (python)
• cbcdd20 include test-requirements.txt explicitly to be sure
• efec6e0 added Python 3.14
• de7d5b1 tweak
• fbd0a4f update to c# 9 (.net 5 level)
• 1cd1681 github action
• 6260c76 update .net and libs version
• 205ec92 add python 3.13 to ci
• bf8a017 add test-requirements
• d93b6b0 not so fast with the version number
• Additional commits viewable in compare view

Updates sphinx from 8.1.3 to 9.0.4

Release notes

Sourced from sphinx's releases.

Sphinx 9.0.4

Changelog: https://www.sphinx-doc.org/en/master/changes/9.0.html

Bugs fixed

• #14143: Fix spurious build warnings when translators reorder references in strings, or use translated display text in references. Patch by Matt Wang.

Sphinx 9.0.3

Changelog: https://www.sphinx-doc.org/en/master/changes/9.0.html

Bugs fixed

• #14142: autodoc: Restore some missing exports in sphinx.ext.autodoc. Patch by Adam Turner.

Sphinx 9.0.2

Changelog: https://www.sphinx-doc.org/en/master/changes/9.0.html

Bugs fixed

• #14142: autodoc: Restore sphinx.ext.autodoc.mock. Patch by Adam Turner.

Sphinx 9.0.1

Changelog: https://www.sphinx-doc.org/en/master/changes/9.0.html

Bugs fixed

• #13942: autodoc: Restore the mapping interface for options objects. Patch by Adam Turner.
• #13942: autodoc: Deprecate the mapping interface for options objects. Patch by Adam Turner.
• #13387: Update translations.

Sphinx 9.0.0

Changelog: https://www.sphinx-doc.org/en/master/changes/9.0.html

Dependencies

• #13786: Support Docutils 0.22. Patch by Adam Turner.

Incompatible changes

... (truncated)

Changelog

Sourced from sphinx's changelog.

Release 9.0.4 (released Dec 04, 2025)

Bugs fixed

• #14143: Fix spurious build warnings when translators reorder references in strings, or use translated display text in references. Patch by Matt Wang.

Release 9.0.3 (released Dec 04, 2025)

Bugs fixed

• #14142: autodoc: Restore some missing exports in :mod:!sphinx.ext.autodoc. Patch by Adam Turner.

Release 9.0.2 (released Dec 03, 2025)

Bugs fixed

• #14142: autodoc: Restore :mod:!sphinx.ext.autodoc.mock. Patch by Adam Turner.

Release 9.0.1 (released Dec 01, 2025)

Bugs fixed

• #13942: autodoc: Restore the mapping interface for options objects. Patch by Adam Turner.
• #13942: autodoc: Deprecate the mapping interface for options objects. Patch by Adam Turner.
• #13387: Update translations.

Release 9.0.0 (released Nov 30, 2025)

Dependencies

• #13786: Support Docutils 0.22_. Patch by Adam Turner.

  .. _Docutils 0.22: https://docutils.sourceforge.io/RELEASE-NOTES.html#release-0-22-2026-07-29

... (truncated)

Commits

• 8ddba7e Bump to 9.0.4 final
• 6959633 [bot]: Update message catalogues (#14155)
• 88a4a97 Allow reordered refs and translated display text in pending_xref (#14144)
• f666208 Bump version
• df8a9e7 Bump to 9.0.3 final
• bd89f96 Import names from defining module
• 7d05936 autodoc: Restore some missing exports
• b745a11 Bump version
• 1ac581c Bump to 9.0.2 final
• 1281a83 autodoc: Restore mock module for compatibility (#14152)
• Additional commits viewable in compare view

Updates urllib3 from 2.5.0 to 2.6.0

Release notes

Sourced from urllib3's releases.

2.6.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @​Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @​illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)

[!IMPORTANT]

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.
• If you use custom decompressors, please make sure to update them to respect the changed API of urllib3.response.ContentDecoder.

Features

• Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. (#3653)
• Added host and port information to string representations of HTTPConnection. (#3666)
• Added support for Python 3.14 free-threading builds explicitly. (#3696)

Removals

• Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers. Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). (#3622)

Bugfixes

• Fixed redirect handling in urllib3.PoolManager when an integer is passed for the retries parameter. (#3649)
• Fixed HTTPConnectionPool when used in Emscripten with no explicit port. (#3664)
• Fixed handling of SSLKEYLOGFILE with expandable variables. (#3700)

Misc

• Changed the zstd extra to install backports.zstd instead of zstandard on Python 3.13 and before. (#3693)
• Improved the performance of content decoding by optimizing BytesQueueBuffer class. (#3710)
• Allowed building the urllib3 package with newer setuptools-scm v9.x. (#3652)
• Ensured successful urllib3 builds by setting Hatchling requirement to ≥ 1.27.0. (#3638)

Changelog

Sourced from urllib3's changelog.

2.6.0 (2025-12-05)

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.

• If you use custom decompressors, please make sure to update them to respect the changed API of urllib3.response.ContentDecoder.

Features

• Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. ([#3653](https://github.com/urllib3/urllib3/issues/3653) <https://github.com/urllib3/urllib3/issues/3653>__)
• Added host and port information to string representations of HTTPConnection. ([#3666](https://github.com/urllib3/urllib3/issues/3666) <https://github.com/urllib3/urllib3/issues/3666>__)
• Added support for Python 3.14 free-threading builds explicitly. ([#3696](https://github.com/urllib3/urllib3/issues/3696) <https://github.com/urllib3/urllib3/issues/3696>__)

Removals

• Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers. Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). ([#3622](https://github.com/urllib3/urllib3/issues/3622) <https://github.com/urllib3/urllib3/issues/3622>__)

Bugfixes

• Fixed redirect handling in urllib3.PoolManager when an integer is passed for the retries parameter. ([#3649](https://github.com/urllib3/urllib3/issues/3649) <https://github.com/urllib3/urllib3/issues/3649>__)
• Fixed HTTPConnectionPool when used in Emscripten with no explicit port. ([#3664](https://github.com/urllib3/urllib3/issues/3664) <https://github.com/urllib3/urllib3/issues/3664>__)
• Fixed handling of SSLKEYLOGFILE with expandable variables. ([#3700](https://github.com/urllib3/urllib3/issues/3700) <https://github.com/urllib3/urllib3/issues/3700>__)

... (truncated)

Commits

• 720f484 Release 2.6.0
• 24d7b67 Merge commit from fork
• c19571d Merge commit from fork
• 816fcf0 Bump actions/setup-python from 6.0.0 to 6.1.0 (#3725)
• 18af0a1 Improve speed of BytesQueueBuffer.get() by using memoryview (#3711)
• 1f6abac Bump versions of pre-commit hooks (#3716)
• 1c8fbf7 Bump actions/checkout from 5.0.0 to 6.0.0 (#3722)
• 7784b9e Add Python 3.15 to CI (#3717)
• 0241c9e Updated docs to reflect change in optional zstd dependency from zstandard t...
• 7afcabb Expand environment variable of SSLKEYLOGFILE (#3705)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions