Build(deps): Bump the pip-dependencies group across 1 directory with 35 updates

[dependabot]

Bumps the pip-dependencies group with 35 updates in the / directory:

Package	From	To
celery	5.5.3	5.6.3
python-dotenv	1.1.1	1.2.2
psutil	7.0.0	7.2.2
alembic	1.16.5	1.18.4
beautifulsoup4	4.13.5	4.14.3
certifi	2025.10.5	2026.4.22
charset-normalizer	3.4.3	3.4.7
click	8.1.8	8.4.0
flask	3.1.2	3.1.3
google-auth	2.40.3	2.53.0
google-auth-oauthlib	1.2.2	1.4.0
greenlet	3.2.4	3.5.0
idna	3.10	3.15
importlib-metadata	8.7.0	9.0.0
importlib-resources	6.5.2	7.1.0
kombu	5.5.4	5.6.2
mako	1.3.10	1.3.12
markupsafe	3.0.2	3.0.3
pillow	11.3.0	12.2.0
pyasn1	0.6.1	0.6.3
pytest	8.4.2	9.0.3
requests	2.32.5	2.34.2
soupsieve	2.8	2.8.3
sqlalchemy	2.0.43	2.0.49
urllib3	2.5.0	2.7.0
wcwidth	0.2.13	0.7.0
websocket-client	1.8.0	1.9.0
wsproto	1.2.0	1.3.2
werkzeug	3.1.3	3.1.8
zipp	3.23.0	3.23.1
wtforms	3.2.1	3.2.2
jsonschema	4.25.1	4.26.0
flask-admin	2.0.1	2.2.0
psycopg2-binary	2.9.10	2.9.12
flask-jwt-extended	4.7.1	4.7.4

Updates celery from 5.5.3 to 5.6.3

Release notes

Sourced from celery's releases.

v5.6.3

What's Changed

• Fix Django worker recursion bug + defensive checks for pool_cls.module by @​maycuatroi1 in celery/celery#10048
• Docs: Update user_preload_options example to use click. by @​jorsyk in celery/celery#10056
• Fix invalid configuration key "bootstrap_servers" in Kafka demo by @​jorsyk in celery/celery#10060
• Fix broken images on PyPI page by @​Timour-Ilyas in celery/celery#10066
• Remove broken reference. by @​sueannioanis in celery/celery#10071
• Removed --dist=loadscope from smoke tests by @​Nusnus in celery/celery#10073
• Docs: Clarify task_retry signal args may be None by @​GangEunzzang in celery/celery#10076
• Update example for Django by @​sbc-khacnha in celery/celery#10081
• Make tests compatible with pymongo >= 4.16 by @​cjwatson in celery/celery#10074
• fix: source install of cassandra-driver by @​Izzette in celery/celery#10105
• fix: register task cross-reference role in Sphinx extension by @​veeceey in celery/celery#10100
• fix: avoid cycle detection in native delayed delivery by @​Izzette in celery/celery#10095
• fix(asynpool): avoid AttributeError when proc lacks _sentinel_poll by @​mriddle in celery/celery#10086
• fix dusk_astronomical horizon sign (+18 -> -18) by @​Mr-Neutr0n in celery/celery#10121
• Fix/10106 onupdate col use lambda func by @​ChickenBenny in celery/celery#10108
• Fix warm shutdown RuntimeError with eventlet>=0.37.0 (#10083) by @​ChickenBenny in celery/celery#10123
• Fix 10109 db backend connection health by @​ChickenBenny in celery/celery#10124
• Database Backend filter unsupport sql engine arguments with nullpool #7355 by @​ChickenBenny in celery/celery#10134
• fix(beat): correct argument order in Service.reduce by @​bysiber in celery/celery#10137
• ci: declare explicit read-only token permissions in workflow jobs by @​Rohan5commit in celery/celery#10139
• chore: 'boto3to' to 'boto3 to' by @​cuiweixie in celery/celery#10133
• Database Backend: Add missing index on date_done (Fixes #10097) by @​ChickenBenny in celery/celery#10098
• docs: fix typo in CONTRIBUTING.rst by @​Rohan5commit in celery/celery#10141
• Refer to Flower / Prometheus for monitoring by @​WilliamDEdwards in celery/celery#10140
• docs: remove duplicated words in broker and routing docs by @​Rohan5commit in celery/celery#10146
• docs: fix stale version reference and grammar in README by @​kelsonbrito50 in celery/celery#10145
• docs: fix wording in Celery 5.3 worker pool notes by @​Rohan5commit in celery/celery#10149
• docs: fix duplicated wording in 3.1 changelog entry by @​Rohan5commit in celery/celery#10152
• docs: fix changelog typo in context manager wording by @​Rohan5commit in celery/celery#10144
• Fix/10096 worker fails to reconnect after redis failover by @​ChickenBenny in celery/celery#10151
• Improve on_after_finalize signal documentation by @​Br1an67 in celery/celery#10155
• Add non-commutative example to clarify partial arg ordering in canvas docs by @​Br1an67 in celery/celery#10157
• Remove redundant test_isa_mapping test (fixes #10077) by @​daniel7an in celery/celery#10103
• Upgrade pytest-celery to >=1.3.0 and adopt PYTEST_CELERY_PKG build arg by @​Nusnus in celery/celery#10162
• Remove deprecated args from redis get_connection call by @​JaeHyuckSa in celery/celery#10036
• Fix #6912 rpc backend reconnection error by @​ChickenBenny in celery/celery#10179
• Fix NameError with TYPE_CHECKING annotations on Python 3.14+ (PEP 649) by @​drichardson in celery/celery#10165
• docs: Add elaboration on prefetch multiplier settings (worker_prefetch_multiplier) and worker_eta_task_limit by @​tsangwailam in celery/celery#10181
• Fix O(K²) message bloat in a chain of chords by @​Borzik in celery/celery#10171
• Fix mock connection interfaces to prevent TypeError during exception handling by @​ChickenBenny in celery/celery#10178
• fix(trace): dispatch chain/callbacks on dedup fast-path for redelivered tasks by @​aurangzaib048 in celery/celery#10159
• Extract reconnect_on_error to BaseResultConsumer by @​ChickenBenny in celery/celery#10189
• pep 649 by @​ericbuehl in celery/celery#10187
• Fix#9722 friendly status errors for CLI by @​ChickenBenny in celery/celery#10190
• docs: clarify after_return behavior for retried tasks by @​KianAnbarestani in celery/celery#10192
• Add compression header to message protocol docs by @​Br1an67 in celery/celery#10156
• docs: fix duplicated word in bootsteps comment by @​Rohan5commit in celery/celery#10153
• Remove outdated autoreloader section from extending docs by @​Br1an67 in celery/celery#10154

... (truncated)

Changelog

Sourced from celery's changelog.

5.6.3

:release-date: 2026-03-26 :release-by: Tomer Nosrati

What's Changed

- Fix Django worker recursion bug + defensive checks for pool_cls.__module__ ([#10048](https://github.com/celery/celery/issues/10048))
- Docs: Update user_preload_options example to use click. ([#10056](https://github.com/celery/celery/issues/10056))
- Fix invalid configuration key "bootstrap_servers" in Kafka demo ([#10060](https://github.com/celery/celery/issues/10060))
- Fix broken images on PyPI page ([#10066](https://github.com/celery/celery/issues/10066))
- Remove broken reference. ([#10071](https://github.com/celery/celery/issues/10071))
- Removed --dist=loadscope from smoke tests ([#10073](https://github.com/celery/celery/issues/10073))
- Docs: Clarify task_retry signal args may be None ([#10076](https://github.com/celery/celery/issues/10076))
- Update example for Django ([#10081](https://github.com/celery/celery/issues/10081))
- Make tests compatible with pymongo >= 4.16 ([#10074](https://github.com/celery/celery/issues/10074))
- fix: source install of cassandra-driver ([#10105](https://github.com/celery/celery/issues/10105))
- fix: register task cross-reference role in Sphinx extension ([#10100](https://github.com/celery/celery/issues/10100))
- fix: avoid cycle detection in native delayed delivery ([#10095](https://github.com/celery/celery/issues/10095))
- fix(asynpool): avoid AttributeError when proc lacks _sentinel_poll ([#10086](https://github.com/celery/celery/issues/10086))
- fix dusk_astronomical horizon sign (+18 -> -18) ([#10121](https://github.com/celery/celery/issues/10121))
- Fix/10106 onupdate col use lambda func ([#10108](https://github.com/celery/celery/issues/10108))
- Fix warm shutdown RuntimeError with eventlet>=0.37.0 ([#10083](https://github.com/celery/celery/issues/10083)) ([#10123](https://github.com/celery/celery/issues/10123))
- Fix 10109 db backend connection health ([#10124](https://github.com/celery/celery/issues/10124))
- Database Backend filter unsupport sql engine arguments with nullpool [#7355](https://github.com/celery/celery/issues/7355) ([#10134](https://github.com/celery/celery/issues/10134))
- fix(beat): correct argument order in Service.__reduce__ ([#10137](https://github.com/celery/celery/issues/10137))
- ci: declare explicit read-only token permissions in workflow jobs ([#10139](https://github.com/celery/celery/issues/10139))
- chore: 'boto3to' to 'boto3 to' ([#10133](https://github.com/celery/celery/issues/10133))
- Database Backend: Add missing index on date_done (Fixes [#10097](https://github.com/celery/celery/issues/10097)) ([#10098](https://github.com/celery/celery/issues/10098))
- docs: fix typo in CONTRIBUTING.rst ([#10141](https://github.com/celery/celery/issues/10141))
- Refer to Flower / Prometheus for monitoring ([#10140](https://github.com/celery/celery/issues/10140))
- docs: remove duplicated words in broker and routing docs ([#10146](https://github.com/celery/celery/issues/10146))
- docs: fix stale version reference and grammar in README ([#10145](https://github.com/celery/celery/issues/10145))
- docs: fix wording in Celery 5.3 worker pool notes ([#10149](https://github.com/celery/celery/issues/10149))
- docs: fix duplicated wording in 3.1 changelog entry ([#10152](https://github.com/celery/celery/issues/10152))
- docs: fix changelog typo in context manager wording ([#10144](https://github.com/celery/celery/issues/10144))
- Fix/10096 worker fails to reconnect after redis failover ([#10151](https://github.com/celery/celery/issues/10151))
- Improve on_after_finalize signal documentation ([#10155](https://github.com/celery/celery/issues/10155))
- Add non-commutative example to clarify partial arg ordering in canvas docs ([#10157](https://github.com/celery/celery/issues/10157))
- Remove redundant test_isa_mapping test (fixes [#10077](https://github.com/celery/celery/issues/10077)) ([#10103](https://github.com/celery/celery/issues/10103))
- Upgrade pytest-celery to >=1.3.0 and adopt PYTEST_CELERY_PKG build arg ([#10162](https://github.com/celery/celery/issues/10162))
- Remove deprecated args from redis get_connection call ([#10036](https://github.com/celery/celery/issues/10036))
- Fix [#6912](https://github.com/celery/celery/issues/6912) rpc backend reconnection error ([#10179](https://github.com/celery/celery/issues/10179))
- Fix NameError with TYPE_CHECKING annotations on Python 3.14+ (PEP 649) ([#10165](https://github.com/celery/celery/issues/10165))
- docs: Add elaboration on prefetch multiplier settings (worker_prefetch_multiplier) and worker_eta_task_limit ([#10181](https://github.com/celery/celery/issues/10181))
- Fix O(K²) message bloat in a chain of chords ([#10171](https://github.com/celery/celery/issues/10171))
- Fix mock connection interfaces to prevent `TypeError` during exception handling ([#10178](https://github.com/celery/celery/issues/10178))
- fix(trace): dispatch chain/callbacks on dedup fast-path for redelivered tasks ([#10159](https://github.com/celery/celery/issues/10159))
</tr></table> 

... (truncated)

Commits

• 3f4d8d7 Prepare for release: v5.6.3 (#10221)
• a989e8c fix: clear the timer while catch the exception (#10218)
• d06de5f Chore(deps): Bump nick-fields/retry from 3 to 4 (#10213)
• c3c19c3 Fix: prioritize request ignore_result over task definition (#10184)
• d23be53 Remove outdated autoreloader section from extending docs (#10154)
• ada2da7 docs: fix duplicated word in bootsteps comment\n\nSigned-off-by: Rohan Santho...
• f45f62b Add compression header to message protocol docs (#10156)
• 9a27092 docs: clarify after_return behavior for retried tasks (#10192)
• 6ee6230 Fix#9722 friendly status errors for CLI (#10190)
• a9a2d4c [pre-commit.ci] pre-commit autoupdate (#10186)
• Additional commits viewable in compare view

Updates python-dotenv from 1.1.1 to 1.2.2

Release notes

Sourced from python-dotenv's releases.

v1.2.2

Added

• Support for Python 3.14, including the free-threaded (3.14t) build. (#)

Changed

• The dotenv run command now forwards flags directly to the specified command by @​bbc2 in theskumar/python-dotenv#607
• Improved documentation clarity regarding override behavior and the reference page.
• Updated PyPy support to version 3.11.
• Documentation for FIFO file support.
• Support for Python 3.9.

Fixed

• Improved set_key and unset_key behavior when interacting with symlinks by @​bbc2 in #790c5
• Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by @​JYOuyang in theskumar/python-dotenv#590

Breaking Changes

• dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

• In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

• dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

Misc

• skip 000 permission tests for root user by @​burnout-projects in theskumar/python-dotenv#561
• Bump actions/checkout from 5 to 6 in the github-actions group by @​dependabot[bot] in theskumar/python-dotenv#593
• Add Windows testing to CI by @​bbc2 in theskumar/python-dotenv#604
• Improve workflow efficiency with best practices by @​theskumar in theskumar/python-dotenv#609
• Remove the use of sh in tests by @​bbc2 in theskumar/python-dotenv#612

New Contributors

• @​JYOuyang made their first contribution in theskumar/python-dotenv#590
• @​burnout-projects made their first contribution in theskumar/python-dotenv#561
• @​cpackham-atlnz made their first contribution in theskumar/python-dotenv#597

Full Changelog: theskumar/python-dotenv@v1.2.1...v1.2.2

v1.2.1

What's Changed

... (truncated)

Changelog

Sourced from python-dotenv's changelog.

[1.2.2] - 2026-03-01

Added

• Support for Python 3.14, including the free-threaded (3.14t) build. (#588)

Changed

• The dotenv run command now forwards flags directly to the specified command by [@​bbc2] in #607
• Improved documentation clarity regarding override behavior and the reference page.
• Updated PyPy support to version 3.11.
• Documentation for FIFO file support.
• Dropped Support for Python 3.9.

Fixed

• Improved set_key and unset_key behavior when interacting with symlinks by [@​bbc2] in [790c5c0]
• Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by [@​JYOuyang] in #590

Breaking Changes

• dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

• In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

• dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

[1.2.1] - 2025-10-26

• Move more config to pyproject.toml, removed setup.cfg
• Add support for reading .env from FIFOs (Unix) by [@​sidharth-sudhir] in #586

[1.2.0] - 2025-10-26

• Upgrade build system to use PEP 517 & PEP 518 to use build and pyproject.toml by [@​EpicWink] in #583
• Add support for Python 3.14 by [@​23f3001135] in #579
• Add support for disabling of load_dotenv() using PYTHON_DOTENV_DISABLED env var. by [@​matthewfranglen] in #569

Commits

• 36004e0 Bump version: 1.2.1 → 1.2.2
• eb20252 docs: update changelog for v1.2.2
• 790c5c0 Merge commit from fork
• 43340da Remove the use of sh in tests (#612)
• 09d7cee docs: clarify override behavior and document FIFO support (#610)
• c8de288 ci: improve workflow efficiency with best practices (#609)
• 7bd9e3d Add Windows testing to CI (#604)
• 1baaf04 Drop Python 3.9 support and update to PyPy 3.11 (#608)
• 4a22cf8 ci: enable testing on Python 3.14t (free-threaded) (#588)
• e2e8e77 Fix license specifier (#597)
• Additional commits viewable in compare view

Updates psutil from 7.0.0 to 7.2.2

Changelog

Sourced from psutil's changelog.

7.2.2 — 2026-01-28 ^^^^^^^^^^^^^^^^^^

Enhancements

• :gh:2705: [Linux]: :meth:Process.wait now uses pidfd_open() + poll() (no busy loop). Requires Linux >= 5.3 and Python >= 3.9.
• :gh:2705: [macOS], [BSD]: :meth:Process.wait now uses kqueue() (no busy loop).

Bug fixes

• :gh:2701, [macOS]: fix compilation error on macOS < 10.7. (patch by :user:Sergey Fedorov <barracuda156>)
• :gh:2707, [macOS]: fix potential memory leaks in error paths of :meth:Process.memory_full_info and :meth:Process.threads.
• :gh:2708, [macOS]: :meth:Process.cmdline and :meth:Process.environ may fail with OSError: [Errno 0] Undefined error (from sysctl(KERN_PROCARGS2)). They now raise :exc:AccessDenied instead.

7.2.1 — 2025-12-29 ^^^^^^^^^^^^^^^^^^

Bug fixes

• :gh:2699, [FreeBSD], [NetBSD]: :func:heap_info does not detect small allocations (<= 1K). In order to fix that, we now flush internal jemalloc cache before fetching the metrics.

7.2.0 — 2025-12-23 ^^^^^^^^^^^^^^^^^^

Enhancements

• :gh:1275: new :func:heap_info and :func:heap_trim functions, providing direct access to the platform's native C :term:heap allocator (glibc, mimalloc, libmalloc). Useful to create tools to detect memory leaks.
• :gh:2403, [Linux]: publish wheels for Linux musl.
• :gh:2680: unit tests are no longer installed / part of the distribution. They now live under tests/ instead of psutil/tests.

Bug fixes

• :gh:2684, [FreeBSD], [critical]: compilation fails on FreeBSD 14 due to missing include.
• :gh:2691, [Windows]: fix memory leak in :func:net_if_stats due to missing Py_CLEAR.

Compatibility notes

... (truncated)

Commits

• 9eea97d Pre-release
• 938ac64 Rm sphinxcontrib.googleanalytics; override layout.html
• 9dcbb7e Add sphinxcontrib-googleanalytics to requirements.txt
• 76eaf9a Try to add google analytics to doc
• de1cafa Update doc mentioning Process.wait() internal details
• bb30943 Refact can_use_pidfd_open() and can_use_kqueue()
• a571717 #2708, macos / cmdline / environ; raise AD instead of OSError(0) (#2709)
• 8b98c3e Pre-release
• 700b7e6 [macOS] fix potential leaks in error paths (#2707)
• 7cc7923 Windows / cmdline(): be more defensive in free()ing in case of error
• Additional commits viewable in compare view

Updates alembic from 1.16.5 to 1.18.4

Release notes

Sourced from alembic's releases.

1.18.4

Released: February 10, 2026

bug

• [bug] [operations] Reverted the behavior of Operations.add_column() that would automatically render the "PRIMARY KEY" keyword inline when a Column with primary_key=True is added. The automatic behavior, added in version 1.18.2, is now opt-in via the new Operations.add_column.inline_primary_key parameter. This change restores the ability to render a PostgreSQL SERIAL column, which is required to be primary_key=True, while not impacting the ability to render a separate primary key constraint. This also provides consistency with the Operations.add_column.inline_references parameter and gives users explicit control over SQL generation.

  To render PRIMARY KEY inline, use the Operations.add_column.inline_primary_key parameter set to True:

  op.add_column( "my_table", Column("id", Integer, primary_key=True), inline_primary_key=True )References: #1232

1.18.3

Released: January 29, 2026

bug

• [bug] [autogenerate] Fixed regression in version 1.18.0 due to #1771 where autogenerate would raise NoReferencedTableError when a foreign key constraint referenced a table that was not part of the initial table load, including tables filtered out by the EnvironmentContext.configure.include_name callable or tables in remote schemas that were not included in the initial reflection run.

  The change in #1771 was a performance optimization that eliminated additional reflection queries for tables that were only referenced by foreign keys but not explicitly included in the main reflection run. However, this optimization inadvertently removed the creation of Table objects for these referenced tables, causing autogenerate to fail when processing foreign key constraints that pointed to them.

  The fix creates placeholder Table objects for foreign key targets

... (truncated)

Commits

• See full diff in compare view

Updates beautifulsoup4 from 4.13.5 to 4.14.3

Updates certifi from 2025.10.5 to 2026.4.22

Commits

• 5dddfb0 2026.04.22 (#410)
• f99eccd Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#404)
• 918bed0 Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#405)
• 0a49067 Bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 (#403)
• acf6ce8 Bump actions/download-artifact from 8.0.0 to 8.0.1 (#398)
• feb0ed2 Bump actions/download-artifact from 7.0.0 to 8.0.0 (#397)
• d9c11a5 Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#396)
• 8571a4b 2026.02.25 (#395)
• 6f7de00 Bump peter-evans/create-pull-request from 8.0.0 to 8.1.0 (#390)
• a1de59b Bump actions/checkout from 6.0.1 to 6.0.2 (#391)
• Additional commits viewable in compare view

Updates charset-normalizer from 3.4.3 to 3.4.7

Release notes

Sourced from charset-normalizer's releases.

Version 3.4.7

3.4.7 (2026-04-02)

Changed

• Pre-built optimized version using mypy[c] v1.20.
• Relax setuptools constraint to setuptools>=68,<82.1.

Fixed

• Correctly remove SIG remnant in utf-7 decoded string. (#718) (#716)

Version 3.4.6

3.4.6 (2026-03-15)

Changed

• Flattened the logic in charset_normalizer.md for higher performance. Removed eligible(..) and feed(...) in favor of feed_info(...).
• Raised upper bound for mypy[c] to 1.20, for our optimized version.
• Updated UNICODE_RANGES_COMBINED using Unicode blocks v17.

Fixed

• Edge case where noise difference between two candidates can be almost insignificant. (#672)
• CLI --normalize writing to wrong path when passing multiple files in. (#702)

Misc

• Freethreaded pre-built wheels now shipped in PyPI starting with 3.14t. (#616)

Version 3.4.5

3.4.5 (2026-03-06)

Changed

• Update setuptools constraint to setuptools>=68,<=82.
• Raised upper bound of mypyc for the optional pre-built extension to v1.19.1

Fixed

• Add explicit link to lib math in our optimized build. (#692)
• Logger level not restored correctly for empty byte sequences. (#701)
• TypeError when passing bytearray to from_bytes. (#703)

Misc

• Applied safe micro-optimizations in both our noise detector and language detector.
• Rewrote the query_yes_no function (inside CLI) to avoid using ambiguous licensed code.
• Added cd.py submodule into mypyc optional compilation to reduce further the performance impact.

[!WARNING]
mypyc changed the usual binary output for the optimized wheel. Beware, especially if using PyInstaller or alike. See jawah/charset_normalizer#714

Version 3.4.4

3.4.4 (2025-10-13)

Changed

... (truncated)

Changelog

Sourced from charset-normalizer's changelog.

3.4.7 (2026-04-02)

Changed

• Pre-built optimized version using mypy[c] v1.20.
• Relax setuptools constraint to setuptools>=68,<82.1.

Fixed

• Correctly remove SIG remnant in utf-7 decoded string. (#718) (#716)

3.4.6 (2026-03-15)

Changed

• Flattened the logic in charset_normalizer.md for higher performance. Removed eligible(..) and feed(...) in favor of feed_info(...).
• Raised upper bound for mypy[c] to 1.20, for our optimized version.
• Updated UNICODE_RANGES_COMBINED using Unicode blocks v17.

Fixed

• Edge case where noise difference between two candidates can be almost insignificant. (#672)
• CLI --normalize writing to wrong path when passing multiple files in. (#702)

Misc

• Freethreaded pre-built wheels now shipped in PyPI starting with 3.14t. (#616)

3.4.5 (2026-03-06)

Changed

• Update setuptools constraint to setuptools>=68,<=82.
• Raised upper bound of mypyc for the optional pre-built extension to v1.19.1

Fixed

• Add explicit link to lib math in our optimized build. (#692)
• Logger level not restored correctly for empty byte sequences. (#701)
• TypeError when passing bytearray to from_bytes. (#703)

Misc

• Applied safe micro-optimizations in both our noise detector and language detector.
• Rewrote the query_yes_no function (inside CLI) to avoid using ambiguous licensed code.
• Added cd.py submodule into mypyc optional compilation to reduce further the performance impact.

3.4.4 (2025-10-13)

Changed

• Bound setuptools to a specific constraint setuptools>=68,<=81.
• Raised upper bound of mypyc for the optional pre-built extension to v1.18.2

Removed

• setuptools-scm as a build dependency.

Misc

... (truncated)

Commits

• 0f07891 Merge pull request #729 from jawah/release-3.4.7
• fdbeb29 chore: update dev, and ci requirements
• b66f922 chore: add ft classifier
• f94249d chore: add test cases for utf_7 recent fix
• 95c866f chore: bump version to 3.4.7
• 4f429bb chore: bump mypy pre-commit to v1.20
• b579cd6 fix: correctly remove SIG remnant in utf-7 decoded string
• 58bf944 ⬆️ Bump github/codeql-action from 4.32.4 to 4.35.1 (#728)
• 44cf8a1 ⬆️ Bump actions/download-artifact from 8.0.0 to 8.0.1 (#726)
• 362bc20 ⬆️ Bump docker/setup-qemu-action from 3.7.0 to 4.0.0 (#725)
• Additional commits viewable in compare view

Updates click from 8.1.8 to 8.4.0

Release notes

Sourced from click's releases.

8.4.0

This is the Click 8.4.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecation, or introduce potentially breaking changes.

We encourage everyone to upgrade. You can read more about our Version Support Policy on our website.

PyPI: https://pypi.org/project/click/8.4.0/ Changes: https://click.palletsprojects.com/page/changes/#version-8-4-0 Milestone https://github.com/pallets/click/milestone/30

• ParamType typing improvements. #3371

  • :class:ParamType is now a generic abstract base class, parameterized by its converted value type.
  • :meth:~ParamType.convert return types are narrowed on all concrete types (str for :class:STRING, int for :class:INT, etc.).
  • :meth:~ParamType.to_info_dict returns specific :class:~typing.TypedDict subclasses instead of dict[str, Any].
  • :class:CompositeParamType and the number-range base are now generic with abstract methods.

• Refactor convert_type to extract type inference into a private _guess_type helper, and add :func:typing.overload signatures. #3372

• Parameter typing improvements. #2805

  • :class:Parameter is now an abstract base class, making explicit that it cannot be instantiated directly.
  • :attr:Parameter.name is now str instead of str | None. When expose_value=False, the name is set to "" instead of None.
  • The ctx parameter of :meth:Parameter.get_error_hint is now typed as Context | None, matching the runtime behavior.

• Split string values from default_map for parameters with nargs > 1 or :class:Tuple type, matching environment variable behavior. #2745 #3364

• Auto-detect type=UNPROCESSED for flag_value of non-basic types (not str, int, float, or bool), so programmer-provided Python objects like classes and enum members are passed through unchanged instead of being stringified. Previously type=click.UNPROCESSED had to be set explicitly. #2012 #3363

• The error hint now uses Command.get_help_option_names to pick non-shadowed help option names, so Try '... -h' no longer points to a subcommand option that shadows -h. All surviving names are shown (-h/--help). #2790 #3208

• Fix readline functionality on non-Windows platforms. Prompt text is now passed directly to readline instead of being printed separately, allowing proper backspace, line editing, and line wrapping behavior. #2968

... (truncated)

Changelog

Sourced from click's changelog.

Version 8.4.0

Released 2026-05-17

• :class:ParamType typing improvements. :pr:3371

  • :class:ParamType is now a generic abstract base class, parameterized by its converted value type.
  • :meth:~ParamType.convert return types are narrowed on all concrete types (str for :class:STRING, int for :class:INT, etc.).
  • :meth:~ParamType.to_info_dict returns specific :class:~typing.TypedDict subclasses instead of dict[str, Any].
  • :class:CompositeParamType and the number-range base are now generic with abstract methods.

• Refactor convert_type to extract type inference into a private _guess_type helper, and add :func:typing.overload signatures. :pr:3372

• :class:Parameter typing improvements. :pr:2805

  • :class:Parameter is now an abstract base class, making explicit that it cannot be instantiated directly.
  • :attr:Parameter.name is now str instead of str | None. When expose_value=False, the name is set to "" instead of None.
  • The ctx parameter of :meth:Parameter.get_error_hint is now typed as Context | None, matching the runtime behavior.

• Split string values from default_map for parameters with nargs > 1 or :class:Tuple type, matching environment variable behavior. :issue:2745 :pr:3364

• Auto-detect type=UNPROCESSED for flag_value of non-basic types (not str, int, float, or bool), so programmer-provided Python objects like classes and enum members are passed through unchanged instead of being stringified. Previously type=click.UNPROCESSED had to be set explicitly. :issue:2012 :pr:3363

• The error hint now uses :meth:Command.get_help_option_names to pick non-shadowed help option names, so Try '... -h' no longer points to a subcommand option that shadows -h. All surviving names are shown (-h/--help). :issue:2790 :pr:3208

• Fix readline functionality on non-Windows platforms. Prompt text is now passed directly to readline instead of being printed separately, allowing proper backspace, line editing, and line wrapping behavior. :issue:2968 :pr:2969

• Use :func:os.startfile on Windows to open URLs in :func:open_url, replacing the start built-in which cannot be invoked without shell=True. :issue:3164 :pr:3186

• Fix Fish shell completion errors when option help text contains newlines. :issue:3043 :pr:3126

... (truncated)

Commits

• 41f410f Release 8.4.0
• e3e69e3 Add type annotations for instance attributes in utils (#3422)
• 3bb230d WIP: Fix HelpFormatter.write_usage producing spurious characters (#3434)
• 63274a7 click.get_pager_file: add tests (#1572 followup) (#3405)
• 0551bf5 Fix HelpFormatter.write_usage producing spurious characters
• fc41aa1 Apply class-body annotations to KeepOpenFile for consistency
• b761eda Skip some tests on Windows
• 98302ac Check PAGER usage, color preservation and edge-cases
• dbdae17 Fix documentation
• 1aa2d53 Redesigned tests and get_pager_file branching to be more clear and not set color
• Additional commits viewable in compare view

Updates flask from 3.1.2 to 3.1.3

Release notes

Sourced from flask's releases.

3.1.3

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

• The session is marked as accessed for operations that only access the keys but not the values, such as in and len. GHSA-68rp-wp8r-4726

Changelog

Sourced from flask's changelog.

Version 3.1.3

Released 2026-02-18

• The session is marked as accessed for operations that only access the keys but not the values, such as in and len. :ghsa:68rp-wp8r-4726

Commits

• 22d9247 release version 3.1.3
• 089cb86 Merge commit from fork
• c17f379 request context tracks session access
• 27be933 start version 3.1.3
• 4e652d3 Abort if the instance folder cannot be created (#5903)
• 3d03098 Abort if the instance folder cannot be created
• 407eb76 document using gevent for async (#5900)
• ac5664d document using gevent for async

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.