Draft: fix(deps): update all non-major dependencies (!80) · Merge requests · Information Services / DevOps / Identity and Access Management / University Card management / Card Client

This MR contains the following updates:

Package	Type	Update	Change
Lucas-C/pre-commit-hooks-safety	repository	minor	`v1.3.3` → `v1.4.2`
coverage	dev	minor	`7.6.12` → `7.13.3`
psf/black	repository	minor	`25.9.0` → `25.12.0`
pycqa/flake8	repository	minor	`7.1.0` → `7.3.0`
pytest-cov (changelog)	dev	minor	`6.0.0` → `6.3.0`
requests (source, changelog)	dependencies	minor	`~2.26.0` → `~2.32.0`
tenacity	dependencies	patch	`9.1.2` → `9.1.4`
tobix/pywine	image	minor	`3.11` → `3.14`
uis/devops/continuous-delivery/ci-templates	repository	minor	`v7.6.2` → `v7.27.8`

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.

Release Notes

Lucas-C/pre-commit-hooks-safety (Lucas-C/pre-commit-hooks-safety)

`v1.4.2`: Allowing --disable-optional-telemetry-data

Compare Source

Fixed

Allowed --disable-optional-telemetry-data to be specified instead of --disable-optional-telemetry

`v1.4.1`: More robust requirements path check & using safety<=2.3.5

Compare Source

Added

Add more robust requirements path check - cf. MR #55

Fixed

Added constraint safety<=2.3.5 in setup.py in order to be able to still use the check command. A future-proof solution could be to create a new python-safety-dependencies-scan hook, cf. issue #52

`v1.4.0`

Compare Source

Added

support for Poetry 2.0.0 - cf. MR #55

coveragepy/coveragepy (coverage)

`v7.13.3`

Compare Source

Fix: in some situations, third-party code was measured when it shouldn't have been, slowing down test execution. This happened with layered virtual environments such as uv sometimes makes. The problem is fixed, closing issue 2082_. Now any directory on sys.path that is inside a virtualenv is considered third-party code.

.. _issue 2082: #2082

.. _changes_7-13-2:

`v7.13.2`

Compare Source

Fix: when Python is installed via symlinks, for example with Homebrew, the standard library files could be incorrectly included in coverage reports. This is now fixed, closing issue 2115_.
Fix: if a data file is created with no read permissions, the combine step would fail completely. Now a warning is issued and the file is skipped. Closes issue 2117_.

.. _issue 2115: #2115 .. _issue 2117: #2117

.. _changes_7-13-1:

`v7.13.1`

Compare Source

Added: the JSON report now includes a "start_line" key for function and class regions, indicating the first line of the region in the source. Closes issue 2110_.
Added: The debug data command now takes file names as arguments on the command line, so you can inspect specific data files without needing to set the COVERAGE_FILE environment variable.
Fix: the JSON report used to report module docstrings as executed lines, which no other report did, as described in issue 2105_. This is now fixed, thanks to Jianrong Zhao.
Fix: coverage.py uses a more disciplined approach to detecting where third-party code is installed, and avoids measuring it. This shouldn't change any behavior. If you find that it does, please get in touch.
Performance: data files that will be combined now record their hash as part of the file name. This lets us skip duplicate data more quickly, speeding the combining step.
Docs: added a section explaining more about what is considered a missing branch and how it is reported: :ref:branch_explain, as requested in issue 1597. Thanks to Ayisha Mohammed <pull 2092_>.
Tests: the test suite misunderstood what core was being tested if COVERAGE_CORE wasn't set on 3.14+. This is now fixed, closing issue 2109_.

.. _issue 1597: #1597 .. _pull 2092: #2092 .. _issue 2105: #2105 .. _issue 2109: #2109 .. _issue 2110: #2110

.. _changes_7-13-0:

`v7.13.0`

Compare Source

Feature: coverage.py now supports :file:.coveragerc.toml configuration files. These files use TOML syntax and take priority over :file:pyproject.toml but lower priority than :file:.coveragerc files. Closes issue 1643_ thanks to Olena Yefymenko <pull 1952_>_.
Fix: we now include a permanent .pth file which is installed with the code, fixing issue 2084. In 7.12.1b1 this was done incorrectly: it didn't work when using the source wheel (py3-none-any). This is now fixed. Thanks, Henry Schreiner <pull 2100_>.
Deprecated: when coverage.py is installed, it creates three command entry points: coverage, coverage3, and coverage-3.10 (if installed for Python 3.10). The second and third of these are not needed and will eventually be removed. They still work for now, but print a message about their deprecation.

.. _issue 1643: #1643 .. _pull 1952: #1952 .. _pull 2100: #2100

.. _changes_7-12-1b1:

`v7.12.0`

Compare Source

The HTML report now shows separate coverage totals for statements and branches, as well as the usual combined coverage percentage. Thanks to Ryuta Otsuka for the discussion <issue 2081_>_ and the implementation <pull 2085_>_.
The JSON report now includes separate coverage totals for statements and branches, thanks to Ryuta Otsuka <pull 2090_>_.
Fix: except* clauses were not handled properly under the "sysmon" measurement core, causing KeyError exceptions as described in issue 2086_. This is now fixed.
Fix: we now defend against aggressive mocking of open() that could cause errors inside coverage.py. An example of a failure is in issue 2083_.
Fix: in unusual cases where a test suite intentionally exhausts the system's file descriptors to test handling errors in open(), coverage.py would fail when trying to open source files, as described in issue 2091_. This is now fixed.
A small tweak to the HTML report: file paths now use thin spaces around slashes to make them easier to read.

.. _issue 2081: #2081 .. _issue 2083: #2083 .. _pull 2085: #2085 .. _issue 2086: #2086 .. _pull 2090: #2090 .. _issue 2091: #2091

.. _changes_7-11-3:

`v7.11.3`

Compare Source

Fix: the 7.11.1 changes meant that conflicts between a requested measurement core and other settings would raise an error. This was a breaking change from previous behavior, as reported in issue 2076_ and issue 2078_.

The previous behavior has been restored: when the requested core conflicts with other settings, another core is used instead, and a warning is issued.
For contributors: the repo has moved from Ned's nedbat GitHub account_ to the coveragepy GitHub organization_. The default branch has changed from master to main.

.. _issue 2076: #2076 .. _issue 2078: #2078 .. _nedbat GitHub account: https://github.com/nedbat .. _coveragepy GitHub organization: https://github.com/coveragepy

.. _changes_7-11-2:

`v7.11.2`

Compare Source

Fix: using the "sysmon" measurement core in 7.11.1, if Python code was claimed to come from a non-Python file, a NotPython exception could be raised. This could happen for example with Jinja templates compiled to Python, as reported in issue 2077_. This is now fixed.
Doc: corrected the first entry in the 7.11.1 changelog.

.. _issue 2077: #2077

.. _changes_7-11-1:

`v7.11.1`

Compare Source

Fix: some chanages to details of how the measurement core is chosen, and how conflicting settings are handled. The "sysmon" core cannot be used with some conurrency settings, with dynamic context, and in Python 3.12/3.13, with branch measurement.
- If the core is not specified and defaults to "sysmon" (Python 3.14+), but other settings conflict with sysmon, then the "ctrace" core will be used instead with no warning. For concurrency conflicts, this used to produce an error, as described in issue 2064_.
- If the "sysmon" core is explicitly requested in your configuration, but other settings conflict, an error is now raised. This used to produce a warning.
Fix: some multi-line case clauses or for loops (and probably other constructs) could cause incorrect claims of missing branches with the sys.monitoring core, as described in issue 2070_. This is now fixed.
Fix: when running in pytest under coverage, a breakpoint() would stop in the wrong frame, one level down from where it should, as described in issue 1420_. This was due to a coverage change in v6.4.1 that seemed to give a slight performance improvement, but I couldn't reproduce the performance gain, so it's been reverted, fixing the debugger problem.
A new debug option --debug=core shows which core is in use and why.
Split sqlite debugging information out of the sys :ref:coverage debug <cmd_debug> and :ref:cmd_run_debug options since it's bulky and not very useful.
Updated the :ref:howitworks page to better describe the three different measurement cores.

.. _issue 1420: #1420 .. _issue 2064: #2064 .. _issue 2070: #2070

.. _changes_7-11-0:

`v7.11.0`

Compare Source

Dropped support for Python 3.9, declared support for Python 3.15 alpha.

.. _changes_7-10-7:

`v7.10.7`

Compare Source

Performance: with branch coverage in large files, generating HTML, JSON, or LCOV reports could take far too long due to some quadratic behavior when creating the function and class index pages. This is now fixed, closing issue 2048_. Thanks to Daniel Diniz for help diagnosing the problem.
Most warnings and a few errors now have links to a page in the docs explaining the specific message. Closes issue 1921_.

.. _issue 1921: #1921 .. _issue 2048: #2048

.. _changes_7-10-6:

`v7.10.6`

Compare Source

Fix: source directories were not properly communicated to subprocesses that ran in different directories, as reported in issue 1499_. This is now fixed.
Performance: Alex Gaynor continues fine-tuning <pull 2038_>_ the speed of combination, especially with many contexts.

.. _issue 1499: #1499 .. _pull 2038: #2038

.. _changes_7-10-5:

`v7.10.5`

Compare Source

Big speed improvements for coverage combine: it's now about twice as fast! Huge thanks to Alex Gaynor for pull requests 2032 <pull 2032_>, 2033 <pull 2033_>, and 2034 <pull 2034_>_.

.. _pull 2032: #2032 .. _pull 2033: #2033 .. _pull 2034: #2034

.. _changes_7-10-4:

`v7.10.4`

Compare Source

Added patch = fork for times when the built-in forking support is insufficient.
Fix: patch = execv also inherits the entire coverage configuration now.

.. _changes_7-10-3:

`v7.10.3`

Compare Source

Fixes for patch = subprocess:
- If subprocesses spawned yet more subprocesses simultaneously, some coverage could be missed. This is now fixed, closing issue 2024_.
- If subprocesses were created in other directories, their data files were stranded there and not combined into the totals, as described in issue 2025_. This is now fixed.
- On Windows (or maybe only some Windows?) the patch would fail with a ModuleNotFound error trying to import coverage. This is now fixed, closing issue 2022_.
- Originally only options set in the coverage configuration file would apply to subprocesses. Options set on the coverage run command line (such as --branch) wouldn't be communicated to the subprocesses. This could lead to combining failures, as described in issue 2021_. Now the entire configuration is used in subprocesses, regardless of its origin.
- Added debug=patch to help diagnose problems.
Fix: really close all SQLite databases, even in-memory ones. Closes issue 2017_.

.. _issue 2017: #2017 .. _issue 2021: #2021 .. _issue 2022: #2022 .. _issue 2024: #2024 .. _issue 2025: #2025

.. _changes_7-10-2:

`v7.10.2`

Compare Source

Fix: some code with NOP bytecodes could report missing branches that are actually executed. This is now fixed, closing issue 1999_. Python 3.9 still shows the problem.

.. _issue 1999: #1999

.. _changes_7-10-1:

`v7.10.1`

Compare Source

Fix: the exclusion for if TYPE_CHECKING: was wrong: it marked the branch as partial, but it should have been a line exclusion so the entire clause would be excluded. Improves issue 831_.
Fix: changed where .pth files are written for patch = subprocess, closing issue 2006_.

.. _issue 2006: #2006

.. _changes_7-10-0:

`v7.10.0`

Compare Source

A new configuration option: ":ref:config_run_patch" specifies named patches to work around some limitations in coverage measurement. These patches are available:
- patch = _exit lets coverage save its data even when :func:os._exit() <python:os._exit> is used to abruptly end the process. This closes long-standing issue 310_ as well as its duplicates: issue 312, issue 1673, issue 1845, and issue 1941.
- patch = subprocess measures coverage in Python subprocesses created with :mod:subprocess, :func:os.system, or one of the :func:execv <python:os.execl> or :func:spawnv <python:os.spawnl> family of functions. Closes old issue 367, its duplicate issue 378 and old issue 689_.
- patch = execv adjusts the :func:execv <python:os.execl> family of functions to save coverage data before ending the current program and starting the next. Not available on Windows. Closes issue 43_ after 15 years!
The HTML report now dimly colors subsequent lines in multi-line statements. They used to have no color. This gives a better indication of the amount of code missing in the report. Closes issue 1308_.
Two new exclusion patterns are part of the defaults: ... is automatically excluded as a line and if TYPE_CHECKING: is excluded as a branch. Closes issue 831_.
A new command-line option: --save-signal=USR1 specifies a signal that coverage.py will listen for. When the signal is sent, the coverage data will be saved. This makes it possible to save data from within long-running processes. Thanks, Arkady Gilinsky <pull 1998_>_.
A new configuration option: ":ref:config_report_partial_also" is a list of regexes to add as pragmas for partial branches. This parallels the ":ref:config_report_exclude_also" setting for adding line exclusion patterns.
A few file path configuration settings didn't allow for tilde expansion: :ref:config_json_output, :ref:config_lcov_output and :ref:config_run_debug_file. This is now fixed.
Wheels are included for 3.14 now that 3.14 rc1 is available.
We no longer ship a PyPy-specific wheel. PyPy will install the pure-Python wheel. Closes issue 2001_.
In the very unusual situation of not having a current frame, coverage no longer crashes when using the sysmon core, fixing issue 2005_.

.. _issue 43: #43 .. _issue 310: #310 .. _issue 312: #312 .. _issue 367: #367 .. _issue 378: #378 .. _issue 689: #689 .. _issue 831: #831 .. _issue 1308: #1308 .. _issue 1673: #1673 .. _issue 1845: #1845 .. _issue 1941: #1941 .. _pull 1998: #1998 .. _issue 2001: #2001 .. _issue 2005: #2005

.. _changes_7-9-2:

`v7.9.2`

Compare Source

Fix: complex conditionals within a line might cause a KeyError when using sys.monitoring, as reported in issue 1991_. This is now fixed.
Fix: we can now measure coverage for code in Python archive (.par) files. Thanks, Itamer Oren <pull 1984_>_.

.. _pull 1984: #1984 .. _issue 1991: #1991

.. _changes_7-9-1:

`v7.9.1`

Compare Source

The "no-ctracer" warning is not issued for Python pre-release versions. Coverage doesn't ship compiled wheels for those versions, so this was far too noisy.
On Python 3.14+, the "sysmon" core is now the default if it's supported for your configuration. Plugins and dynamic contexts are still not supported with it.

.. _changes_7-9-0:

`v7.9.0`

Compare Source

Added a [run] core configuration setting to specify the measurement core, which was previously only available through the COVERAGE_CORE environment variable. Finishes issue 1746_.
Fixed incorrect rendering of f-strings with doubled braces, closing issue 1980_.
If the C tracer core can't be imported, a warning ("no-ctracer") is issued with the reason.
The C tracer core extension module now conforms to PEP 489, closing issue 1977. Thanks, Adam Turner <pull 1978_>_.
Fixed a "ValueError: min() arg is an empty sequence" error caused by strange empty modules, found by oss-fuzz_.

.. _issue 1746: #1746 .. _issue 1977: #1977 .. _pull 1978: #1978 .. _issue 1980: #1980 .. _PEP 489: https://peps.python.org/pep-0489 .. _oss-fuzz: https://google.github.io/oss-fuzz/

.. _changes_7-8-2:

`v7.8.2`

Compare Source

Wheels are provided for Windows ARM64 on Python 3.11, 3.12, and 3.13. Thanks, Finn Womack <pull 1972_>_.

.. _issue 1971: #1971 .. _pull 1972: #1972

.. _changes_7-8-1:

`v7.8.1`

Compare Source

A number of EncodingWarnings were fixed that could appear if you've enabled PYTHONWARNDEFAULTENCODING, fixing issue 1966. Thanks, Henry Schreiner <pull 1967_>.
Fixed a race condition when using sys.monitoring with free-threading Python, closing issue 1970_.

.. _issue 1966: #1966 .. _pull 1967: #1967 .. _issue 1970: #1970

.. _changes_7-8-0:

`v7.8.0`

Compare Source

Added a new source_dirs setting for symmetry with the existing source_pkgs setting. It's preferable to the existing source setting, because you'll get a clear error when directories don't exist. Fixes issue 1942. Thanks, Jeremy Fleischman <pull 1943_>.
Fix: the PYTHONSAFEPATH environment variable new in Python 3.11 is properly supported, closing issue 1696. Thanks, Philipp A. <pull 1700_>. This works properly except for a detail when using the coverage command on Windows. There you can use python -m coverage instead if you need exact emulation.

.. _issue 1696: #1696 .. _pull 1700: #1700 .. _issue 1942: #1942 .. _pull 1943: #1943

.. _changes_7-7-1:

`v7.7.1`

Compare Source

A few small tweaks to the sys.monitoring support for Python 3.14. Please test!

.. _changes_7-7-0:

`v7.7.0`

Compare Source

The Coverage object has a new method, :meth:.Coverage.branch_stats for getting simple branch information for a module. Closes issue 1888_.
The :class:Coverage constructor<.Coverage> now has a plugins parameter for passing in plugin objects directly, thanks to Alex Gaynor <pull 1919_>_.
Many constant tests in if statements are now recognized as being optimized away. For example, previously if 13: would have been considered a branch with one path not taken. Now it is understood as always true and no coverage is missing.
The experimental sys.monitoring support now works for branch coverage if you are using Python 3.14.0 alpha 6 or newer. This should reduce the overhead coverage.py imposes on your test suite. Set the environment variable COVERAGE_CORE=sysmon to try it out.
Confirmed support for PyPy 3.11. Thanks Michał Górny.

.. _issue 1888: #1888 .. _pull 1919: #1919

.. _changes_7-6-12:

psf/black (psf/black)

`v25.12.0`

Compare Source

Highlights

Black no longer supports running with Python 3.9 (#4842)

Stable style

Fix bug where comments preceding # fmt: off/# fmt: on blocks were incorrectly removed, particularly affecting Jupytext's # %% [markdown] comments (#4845)
Fix crash when multiple # fmt: skip comments are used in a multi-part if-clause, on string literals, or on dictionary entries with long lines (#4872)
Fix possible crash when fmt: directives aren't on the top level (#4856)

Preview style

Fix fmt: skip skipping the line after instead of the line it's on (#4855)
Remove unnecessary parentheses from the left-hand side of assignments while preserving magic trailing commas and intentional multiline formatting (#4865)
Fix fix_fmt_skip_in_one_liners crashing on with statements (#4853)
Fix fix_fmt_skip_in_one_liners crashing on annotated parameters (#4854)
Fix new lines being added after imports with # fmt: skip on them (#4894)

Packaging

Releases now include arm64 Windows binaries and wheels (#4814)

Integrations

Add output-file input to GitHub Action psf/black to write formatter output to a file for artifact capture and log cleanliness (#4824)

`v25.11.0`

Compare Source

Highlights

Enable base 3.14 support (#4804)
Add support for the new Python 3.14 t-string syntax introduced by PEP 750 (#4805)

Stable style

Fix bug where comments between # fmt: off and # fmt: on were reformatted (#4811)
Comments containing fmt directives now preserve their exact formatting instead of being normalized (#4811)

Preview style

Move multiline_string_handling from --unstable to --preview (#4760)
Fix bug where module docstrings would be treated as normal strings if preceded by comments (#4764)
Fix bug where python 3.12 generics syntax split line happens weirdly (#4777)
Standardize type comments to form # type: <value> (#4645)
Fix fix_fmt_skip_in_one_liners preview feature to respect # fmt: skip for compound statements with semicolon-separated bodies (#4800)

Configuration

Add no_cache option to control caching behavior. (#4803)

Packaging

Releases now include arm64 Linux binaries (#4773)
Releases now include arm64 Windows binaries and wheels (#4814)

Output

Write unchanged content to stdout when excluding formatting from stdin using pipes (#4610)

Blackd

Implemented BlackDClient. This simple python client allows to easily send formatting requests to blackd (#4774)

Integrations

Enable 3.14 base CI (#4804)
Enhance GitHub Action psf/black to support the required-version major-version-only "stability" format when using pyproject.toml (#4770)
Improve error message for vim plugin users. It now handles independently vim version
Vim: Warn on unsupported Vim and Python versions independently (#4772)
Vim: Print the import paths when importing black fails (#4675)
Vim: Fix handling of virtualenvs that have a different Python version (#4675)

pycqa/flake8 (pycqa/flake8)

pytest-dev/pytest-cov (pytest-cov)

`v6.3.0`

Compare Source

Added support for markdown reports. Contributed by Marcos Boger in #712 <https://github.com/pytest-dev/pytest-cov/pull/712>_ and #714 <https://github.com/pytest-dev/pytest-cov/pull/714>_.
Fixed some formatting issues in docs. Anonymous contribution in #706 <https://github.com/pytest-dev/pytest-cov/pull/706>_.

`v6.2.1`

Compare Source

Added a version requirement for pytest's pluggy dependency (1.2.0, released 2023-06-21) that has the required new-style hookwrapper API.
Removed deprecated license classifier (packaging).
Disabled coverage warnings in two more situations where they have no value:
- "module-not-measured" in workers
- "already-imported" in subprocesses

`v6.2.0`

Compare Source

The plugin now adds 3 rules in the filter warnings configuration to prevent common coverage warnings being raised as obscure errors::

default:unclosed database in <sqlite3.Connection object at:ResourceWarning once::PytestCovWarning once::CoverageWarning

This fixes most of the bad interactions that are occurring on pytest 8.4 with filterwarnings=error.

The plugin will check if there already matching rules for the 3 categories (ResourceWarning, PytestCovWarning, CoverageWarning) and message (unclosed database in <sqlite3.Connection object at) before adding the filters.

This means you can have this in your pytest configuration for complete oblivion (not recommended, if that is not clear)::

filterwarnings = [ "error", "ignore:unclosed database in <sqlite3.Connection object at:ResourceWarning", "ignore::PytestCovWarning", "ignore::CoverageWarning", ]

`v6.1.1`

Compare Source

Fixed breakage that occurs when --cov-context and the no_cover marker are used together.

`v6.1.0`

Compare Source

Change terminal output to use full width lines for the coverage header. Contributed by Tsvika Shapira in #678 <https://github.com/pytest-dev/pytest-cov/pull/678>_.
Removed unnecessary CovFailUnderWarning. Fixes #675 <https://github.com/pytest-dev/pytest-cov/issues/675>_.
Fixed the term report not using the precision specified via --cov-precision.

psf/requests (requests)

`v2.32.5`

Compare Source

Bugfixes

The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

Added support for Python 3.14.
Dropped support for Python 3.8 following its end of support.

`v2.32.4`

Compare Source

Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS.
Dropped support for pypy 3.9 following its end of support.

`v2.32.3`

Compare Source

Bugfixes

Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)
Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

`v2.32.2`

Compare Source

Deprecations

To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

A minimal (2-line) example has been provided in the linked MR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

`v2.32.1`

Compare Source

Bugfixes

Add missing test certs to the sdist distributed on PyPI.

`v2.32.0`

Compare Source

Security

Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

Improvements

verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
Fixed deserialization bug in JSONDecodeError. (#6629)
Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations

Requests has officially added support for CPython 3.12 (#6503)
Requests has officially added support for PyPy 3.9 and 3.10 (#6641)
Requests has officially dropped support for CPython 3.7 (#6642)
Requests has officially dropped support for PyPy 3.7 and 3.8 (#6641)

Documentation

Various typo fixes and doc improvements.

Packaging

Requests has started adopting some modern packaging practices. The source files for the projects (formerly requests) is now located in src/requests in the Requests sdist. (#6506)
Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system using hatchling. This should not impact the average user, but extremely old versions of packaging utilities may have issues with the new packaging format.

`v2.31.0`

Compare Source

Security

Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.

When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.

In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.

Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.

Full details can be read in our Github Security Advisory and CVE-2023-32681.

`v2.30.0`

Compare Source

Dependencies

⚠️ Added support for urllib3 2.0. ⚠️

This may contain minor breaking changes so we advise careful testing and reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html prior to upgrading.

Users who wish to stay on urllib3 1.x can pin to urllib3<2.

`v2.29.0`

Compare Source

Improvements

Requests now defers chunked requests to the urllib3 implementation to improve standardization. (#6226)
Requests relaxes header component requirements to support bytes/str subclasses. (#6356)

`v2.28.2`

Compare Source

Dependencies

Requests now supports charset_normalizer 3.x. (#6261)

Bugfixes

Updated MissingSchema exception to suggest https scheme rather than http. (#6188)

`v2.28.1`

Compare Source

Improvements

Speed optimization in iter_content with transition to yield from. (#6170)

Dependencies

Added support for chardet 5.0.0 (#6179)
Added support for charset-normalizer 2.1.0 (#6169)

`v2.28.0`

Compare Source

Deprecations

⚠️ Requests has officially dropped support for Python 2.7. ⚠️ (#6091)
Requests has officially dropped support for Python 3.6 (including pypy3.6). (#6091)

Improvements

Wrap JSON parsing issues in Request's JSONDecodeError for payloads without an encoding to make json() API consistent. (#6097)
Parse header components consistently, raising an InvalidHeader error in all invalid cases. (#6154)
Added provisional 3.11 support with current beta build. (#6155)
Requests got a makeover and we decided to paint it black. (#6095)

Bugfixes

Fixed bug where setting CURL_CA_BUNDLE to an empty string would disable cert verification. All Requests 2.x versions before 2.28.0 are affected. (#6074)
Fixed urllib3 exception leak, wrapping urllib3.exceptions.SSLError with requests.exceptions.SSLError for content and iter_content. (#6057)
Fixed issue where invalid Windows registry entries caused proxy resolution to raise an exception rather than ignoring the entry. (#6149)
Fixed issue where entire payload could be included in the error message for JSONDecodeError. (#6036)

`v2.27.1`

Compare Source

Bugfixes

Fixed parsing issue that resulted in the auth component being dropped from proxy URLs. (#6028)

`v2.27.0`

Compare Source

Improvements

Officially added support for Python 3.10. (#5928)
Added a requests.exceptions.JSONDecodeError to unify JSON exceptions between Python 2 and 3. This gets raised in the response.json() method, and is backwards compatible as it inherits from previously thrown exceptions. Can be caught from requests.exceptions.RequestException as well. (#5856)
Improved error text for misnamed InvalidSchema and MissingSchema exceptions. This is a temporary fix until exceptions can be renamed (Schema->Scheme). (#6017)
Improved proxy parsing for proxy URLs missing a scheme. This will address recent changes to urlparse in Python 3.9+. (#5917)

Bugfixes

Fixed defect in extract_zipped_paths which could result in an infinite loop for some paths. (#5851)
Fixed handling for AttributeError when calculating length of files obtained by Tarfile.extractfile(). (#5239)
Fixed urllib3 exception leak, wrapping urllib3.exceptions.InvalidHeader with requests.exceptions.InvalidHeader. (#5914)
Fixed bug where two Host headers were sent for chunked requests. (#5391)
Fixed regression in Requests 2.26.0 where Proxy-Authorization was incorrectly stripped from all requests sent with Session.send. (#5924)
Fixed performance regression in 2.26.0 for hosts with a large number of proxies available in the environment. (#5924)
Fixed idna exception leak, wrapping UnicodeError with requests.exceptions.InvalidURL for URLs with a leading dot (.) in the domain. (#5414)

Deprecations

Requests support for Python 2.7 and 3.6 will be ending in 2022. While we don't have exact dates, Requests 2.27.x is likely to be the last release series providing support.

jd/tenacity (tenacity)

`v9.1.4`

Compare Source

What's Changed

Fix retry() annotations with async sleep= function by @Zac-HD in #555

Full Changelog: https://github.com/jd/tenacity/compare/9.1.3...9.1.4

`v9.1.3`

Compare Source

What's Changed

Apply formatting to num seconds in before_sleep_log by @aguinane in #489
Support Python 3.14 by @sandrobonazzola in #528
Typing: Accept non-standard logger in helpers logging something by @k4nar in #540
feat(wait): add wait_exception strategy by @capitan-davide in #541
docs: fix syntax error in wait_chain docstring example by @VedantMadane in #548
chore: drop Python 3.9 support (EOL) by @Zac-HD in #552
Support async sleep for sync fn-to-retry by @Zac-HD in #551

New Contributors

@aguinane made their first contribution in #489
@sandrobonazzola made their first contribution in #528
@k4nar made their first contribution in #540
@capitan-davide made their first contribution in #541
@VedantMadane made their first contribution in #548
@Zac-HD made their first contribution in #552

Full Changelog: https://github.com/jd/tenacity/compare/9.1.2...9.1.3

uis/devops/continuous-delivery/ci-templates (uis/devops/continuous-delivery/ci-templates)

`v7.27.8`: 7.27.8

Compare Source

7.27.8 (2026-02-05)

`v7.27.7`: 7.27.7

Compare Source

7.27.7 (2026-02-05)

`v7.27.6`: 7.27.6

Compare Source

7.27.6 (2026-02-05)

Bug Fixes

deps: update alpine/httpie:3.2.4 docker digest to bc4c7bc (d7ce92f)
deps: update python:3 docker digest to 1c4c033 (856a122)
deps: update python:3.14 docker digest to 1c4c033 (0182a8c)

`v7.27.5`: 7.27.5

Compare Source

7.27.5 (2026-02-04)

Bug Fixes

deps: update alpine/httpie:3.2.4 docker digest to 1f8c9cd (60f854e)

`v7.27.4`: 7.27.4

Compare Source

7.27.4 (2026-02-04)

`v7.27.3`: 7.27.3

Compare Source

7.27.3 (2026-02-04)

Bug Fixes

deps: update docker:dind docker digest to 8bcbad4 (4ccc9c3)
deps: update python:3 docker digest to fbf695a (134b929)
deps: update python:3.14 docker digest to fbf695a (da47b1e)

`v7.27.2`: 7.27.2

Compare Source

7.27.2 (2026-02-03)

`v7.27.1`: 7.27.1

Compare Source

7.27.1 (2026-02-03)

Bug Fixes

deps: update alpine/httpie:3.2.4 docker digest to bf0a912 (2fe852d)

`v7.27.0`: 7.27.0

Compare Source

7.27.0 (2026-02-02)

Features

gitlab-ci: include mandatory jobs (2342bab), closes #192

`v7.26.3`: 7.26.3

Compare Source

7.26.3 (2026-02-02)

Bug Fixes

deps: update alpine/httpie:3.2.4 docker digest to e8b8b9e (2bb77ff)

`v7.26.2`: 7.26.2

Compare Source

7.26.2 (2026-01-29)

`v7.26.1`: 7.26.1

Compare Source

7.26.1 (2026-01-29)

Bug Fixes

deps: update docker:dind docker digest to a284d31 (ab440ee)

`v7.26.0`: 7.26.0

Compare Source

7.26.0 (2026-01-28)

Features

use gitlab runner cache for pre-commit jobs (fe53b0d)

`v7.25.17`: 7.25.17

Compare Source

7.25.17 (2026-01-28)

Bug Fixes

deps: update docker:dind docker digest to 6a58fe0 (123bec6)

`v7.25.16`: 7.25.16

Compare Source

7.25.16 (2026-01-26)

Bug Fixes

deps: update alpine/httpie:3.2.4 docker digest to d3265ad (929aa91)

`v7.25.15`: 7.25.15

Compare Source

7.25.15 (2026-01-22)

`v7.25.14`: 7.25.14

Compare Source

7.25.14 (2026-01-22)

Bug Fixes

deps: update python:3 docker digest to 17bc9f1 (9106fe0)
deps: update python:3.14 docker digest to 17bc9f1 (9ae614e)

`v7.25.13`: 7.25.13

Compare Source

7.25.13 (2026-01-19)

`v7.25.12`: 7.25.12

Compare Source

7.25.12 (2026-01-19)

Bug Fixes

deps: update alpine/httpie:3.2.4 docker digest to de3d0ab (8fcb386)
deps: update docker:dind docker digest to 3a33fc8 (4d1f0cb)

`v7.25.11`: 7.25.11

Compare Source

7.25.11 (2026-01-15)

Bug Fixes

pick up only the first value for the version from the openapi.yaml (857b1dd)

`v7.25.10`: 7.25.10

Compare Source

7.25.10 (2026-01-14)

Bug Fixes

deps: update python:3 docker digest to 37cba11 (f8bd952)
deps: update python:3.14 docker digest to 37cba11 (c0cd872)

`v7.25.9`: 7.25.9

Compare Source

7.25.9 (2026-01-12)

Bug Fixes

deps: update alpine/httpie:3.2.4 docker digest to 51c2543 (26f1d48)

`v7.25.8`: 7.25.8

Compare Source

7.25.8 (2026-01-12)

Bug Fixes

deps: update docker:dind docker digest to d954272 (a5f62f1)

`v7.25.7`: 7.25.7

Compare Source

7.25.7 (2026-01-06)

Bug Fixes

deps: pin dependencies (7e5e93a)

`v7.25.6`: 7.25.6

Compare Source

7.25.6 (2026-01-05)

Bug Fixes

deps: update alpine/httpie:3.2.4 docker digest to 26adc0a (e0ed213)
deps: update python:3.14 docker digest to 6d58c1a (a892e63)

`v7.25.5`: 7.25.5

Compare Source

7.25.5 (2025-12-31)

Bug Fixes

deps: update python:3.14 docker digest to f05033a (4028511)

`v7.25.4`: 7.25.4

Compare Source

7.25.4 (2025-12-30)

Bug Fixes

deps: update python:3.14 docker digest to 8797f8e (e2c0097)

`v7.25.3`: 7.25.3

Compare Source

7.25.3 (2025-12-29)

Bug Fixes

deps: update alpine/httpie:3.2.4 docker digest to 7fe4ff7 (bfed258)

`v7.25.2`: 7.25.2

Compare Source

7.25.2 (2025-12-22)

Bug Fixes

deps: update alpine/httpie:3.2.4 docker digest to 7feb224 (d5237fc)

`v7.25.1`: 7.25.1

Compare Source

7.25.1 (2025-12-18)

Bug Fixes

deps: update python:3.14 docker digest to 492b292 (db790a4)

`v7.25.0`: 7.25.0

Compare Source

7.25.0 (2025-12-18)

Features

move remaining dind job to use dind fragment (8d344ce)

`v7.24.0`: 7.24.0

Compare Source

7.24.0 (2025-12-18)

Features

add timeout when waiting for docker in .docker-in-docker fragment (b172f4c)

`v7.23.7`: 7.23.7

Compare Source

7.23.7 (2025-12-10)

Bug Fixes

dind in poe-tests-base fragment (d777a42)

`v7.23.6`: 7.23.6

Compare Source

7.23.6 (2025-12-10)

Bug Fixes

deps: update python:3.14 docker digest to 2febcd1 (b030909)

`v7.23.5`: 7.23.5

Compare Source

7.23.5 (2025-12-09)

Bug Fixes

remove container_scanning override for multi target docker images (085386c), closes #182 #182

`v7.23.4`: 7.23.4

Compare Source

7.23.4 (2025-12-09)

Bug Fixes

deps: update python:3.14 docker digest to c1684c8 (87ab2f7)

`v7.23.3`: 7.23.3

Compare Source

7.23.3 (2025-12-08)

Bug Fixes

deps: update docker:28-dind docker digest to 2a232a4 (71efda9)

`v7.23.2`: 7.23.2

Compare Source

7.23.2 (2025-12-08)

Bug Fixes

deps: update all non-major dependencies (b2a5bf1)
deps: update alpine/httpie:3.2.4 docker digest to 2b01527 (a0ce1f6)

`v7.23.1`: 7.23.1

Compare Source

7.23.1 (2025-12-05)

`v7.23.0`: 7.23.0

Compare Source

7.23.0 (2025-11-28)

Features

tox-tests to use dind config from fragments (c765400)

`v7.22.1`: 7.22.1

Compare Source

7.22.1 (2025-11-25)

Bug Fixes

add missing before_script reference to dind in .terraform-test-cleanup (2852ccd)

`v7.22.0`: 7.22.0

Compare Source

7.22.0 (2025-11-24)

Features

docker-in-docker: add waiting before_script to fragment (2b0924e), closes #178

`v7.21.0`: 7.21.0

Compare Source

7.21.0 (2025-11-19)

Features

re-work maven jobs rules (da9962b)
re-work maven jobs rules: try to re-name the job (4efa101)

`v7.20.3`: 7.20.3

Compare Source

7.20.3 (2025-11-03)

Bug Fixes

use only needed bits of Terraform-Module.gitlab-ci.yml to avoid duplicate jobs (ff646a0)

`v7.20.2`: 7.20.2

Compare Source

7.20.2 (2025-10-30)

Bug Fixes

check-latest-tag-in-changelog: skip job if tag is an alpha or beta release (210ffd5)

`v7.20.1`: 7.20.1

Compare Source

7.20.1 (2025-10-29)

Bug Fixes

allow no test coverage in maven (40db7bf)

`v7.20.0`: 7.20.0

Compare Source

7.20.0 (2025-10-28)

Features

add code coverage to maven jobs (53c1345)

`v7.19.2`: 7.19.2

Compare Source

7.19.2 (2025-10-23)

Bug Fixes

maven.gitab-ci.yml: added missing GKE_RUNNER_TAG on build_artifact (470fc86)

`v7.19.1`: 7.19.1

Compare Source

7.19.1 (2025-10-23)

Bug Fixes

maven.gitlab-ci.yml: update publish to use CI_COMMIT_TAG for a release, or script for snapshot (e616bd4)

`v7.19.0`: 7.19.0

Compare Source

7.19.0 (2025-10-16)

Features

add poe-based test runner proof of concept (8e159c9)

`v7.18.0`: 7.18.0

Compare Source

7.18.0 (2025-10-02)

Features

python: remove Python 3.9 from default Python version list (6468459), closes #167

`v7.17.7`: 7.17.7

Compare Source

7.17.7 (2025-10-02)

Bug Fixes

python-tox: increase Kubernetes memory limit for python-tox jobs (461ab04)

`v7.17.6`: 7.17.6

Compare Source

7.17.6 (2025-10-01)

Bug Fixes

terraform: set kubernetes CPU requests for terraform jobs (5c75c2d)

`v7.17.5`: 7.17.5

Compare Source

7.17.5 (2025-09-30)

Bug Fixes

exclude modules example sub-dirs from trivy scan (3adf47a)

`v7.17.4`: 7.17.4

Compare Source

7.17.4 (2025-09-29)

Bug Fixes

yarn: bump k8s memory limit for yarn:pack jobs (739da6d), closes #158 #158

`v7.17.3`: 7.17.3

Compare Source

7.17.3 (2025-09-29)

`v7.17.2`: 7.17.2

Compare Source

7.17.2 (2025-09-25)

Bug Fixes

mandatory-jobs: reduce cpu and memory requests for SAST jobs (9d3526a)

`v7.17.1`: 7.17.1

Compare Source

7.17.1 (2025-09-25)

Bug Fixes

pre-commit: certdir variable must be an empty string (d608c55)

`v7.17.0`: 7.17.0

Compare Source

7.17.0 (2025-09-24)

Features

mandatory-jobs: increase runner resources for failing SAST jobs (cfb7fd5)

`v7.16.0`: 7.16.0

Compare Source

7.16.0 (2025-09-19)

Features

🎸 Move standard job to Generic GKE Runner (59d2a0e)

`v7.15.2`: 7.15.2

Compare Source

7.15.2 (2025-09-17)

`v7.15.1`: 7.15.1

Compare Source

7.15.1 (2025-09-11)

Bug Fixes

maven.gitlab-ci.yml: moved PUBLISH_NEW_VERSION within .maven:publish script (e02809e)
maven.gitlab-ci.yml: updated semantic commit message pattern matching and logic (b9ad541)
maven.gitlab-ci.yml: updated semantic commit message pattern matching and logic (e8071e1)
maven.gitlab-ci.yml: updated semantic commit message pattern matching and logic (2574c8c)