Bump the pip group across 1 directory with 7 updates

[dependabot]

Bumps the pip group with 7 updates in the /loc.gov JSON API/Chronicling_America_Title_Essay_Datasets directory:

Package	From	To
certifi	2022.12.7	2023.7.22
fonttools	4.32.0	4.43.0
jinja2	3.0.1	3.1.3
pillow	9.3.0	10.3.0
requests	2.28.1	2.31.0
tornado	6.1	6.3.3
urllib3	1.26.10	1.26.18

Updates certifi from 2022.12.7 to 2023.7.22

Commits

• 8fb96ed 2023.07.22
• afe7722 Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)
• 2038739 Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)
• 44df761 Hash pin Actions and enable dependabot (#228)
• 8b3d7ba 2023.05.07
• 53da240 ci: Add Python 3.12-dev to the testing (#224)
• c2fc3b1 Create a Security Policy (#222)
• c211ef4 Set up permissions to github workflows (#218)
• 2087de5 Don't let deprecation warning fail CI (#219)
• e0b9fc5 remove paragraphs about 1024-bit roots from README
• Additional commits viewable in compare view

Updates fonttools from 4.32.0 to 4.43.0

Release notes

Sourced from fonttools's releases.

4.43.0

• [subset] Set up lxml XMLParser(resolve_entities=False) when parsing OT-SVG documents to prevent XML External Entity (XXE) attacks (9f61271dc): https://codeql.github.com/codeql-query-help/python/py-xxe/
• [varLib.iup] Added workaround for a Cython bug in iup_delta_optimize that was leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas (60126435d, cython/cython#5732).
• [varLib] Added new command-line entry point fonttools varLib.avar to add an avar table to an existing VF from axes mappings in a .designspace file (0a3360e52).
• [instancer] Fixed bug whereby no longer used variation regions were not correctly pruned after VarData optimization (#3268).
• Added support for Python 3.12 (#3283).

4.42.1

• [t1Lib] Fixed several Type 1 issues (#3238, #3240).
• [otBase/packer] Allow sharing tables reached by different offset sizes (#3241, #3236, 457f11c2).
• [varLib/merger] Fix Cursive attachment merging error when all anchors are NULL (#3248, #3247).
• [ttLib] Fixed warning when calling addMultilingualName and ttFont parameter was not passed on to findMultilingualName (#3253).

4.42.0

• [varLib] Use sentinel value 0xFFFF to mark a glyph advance in hmtx/vmtx as non participating, allowing sparse masters to contain glyphs for variation purposes other than {H,V}VAR (#3235).
• [varLib/cff] Treat empty glyphs in non-default masters as missing, thus not participating in CFF2 delta computation, similarly to how varLib already treats them for gvar (#3234).
• Added varLib.avarPlanner script to deduce 'correct' avar v1 axis mappings based on glyph average weights (#3223).

4.41.1

• [subset] Fixed perf regression in v4.41.0 by making NameRecordVisitor only visit tables that do contain nameID references (#3213, #3214).
• [varLib.instancer] Support instancing fonts containing null ConditionSet offsets in FeatureVariationRecords (#3211, #3212).
• [statisticsPen] Report font glyph-average weight/width and font-wide slant.
• [fontBuilder] Fixed head.created date incorrectly set to 0 instead of the current timestamp, regression introduced in v4.40.0 (#3210).
• [varLib.merger] Support sparse CursivePos masters (#3209).

4.41.0

• [fontBuilder] Fixed bug in setupOS2 with default panose attribute incorrectly being set to a dict instead of a Panose object (#3201).
• [name] Added method to removeUnusedNameRecords in the user range (#3185).
• [varLib.instancer] Fixed issue with L4 instancing (moving default) (#3179).
• [cffLib] Use latin1 so we can roundtrip non-ASCII in {Full,Font,Family}Name (#3202).
• [designspaceLib] Mark as optional in docs (as it is in the code).
• [glyf-1] Fixed drawPoints() bug whereby last cubic segment becomes quadratic (#3189, #3190).
• [fontBuilder] Propagate the 'hidden' flag to the fvar Axis instance (#3184).
• [fontBuilder] Update setupAvar() to also support avar 2, fixing _add_avar() call site (#3183).
• Added new voltLib.voltToFea submodule (originally Tiro Typeworks' "Volto") for converting VOLT OpenType Layout sources to FEA format (#3164).

4.40.0

• Published native binary wheels to PyPI for all the python minor versions and platform and architectures currently supported that would benefit from this. They will include precompiled Cython-accelerated modules (e.g. cu2qu) without requiring to compile them from source. The pure-python wheel and source distribution will continue to be published as always (pip will automatically chose them when no binary wheel is available for the given platform, e.g. pypy). Use pip install --no-binary=fonttools fonttools to expliclity request pip to install from the pure-python source.
• [designspaceLib|varLib] Add initial support for specifying axis mappings and build avar2 table from those (#3123).
• [feaLib] Support variable ligature caret position (#3130).
• [varLib|glyf] Added option to --drop-implied-oncurves; test for impliable oncurve points either before or after rounding (#3146, #3147, #3155, #3156).
• [TTGlyphPointPen] Don't error with empty contours, simply ignore them (#3145).
• [sfnt] Fixed str vs bytes remnant of py3 transition in code dealing with de/compiling WOFF metadata (#3129).
• [instancer-solver] Fixed bug when moving default instance with sparse masters (#3139, #3140).
• [feaLib] Simplify variable scalars that don’t vary (#3132).
• [pens] Added filter pen that explicitly emits closing line when lastPt != movePt (#3100).
• [varStore] Improve optimize algorithm and better document the algorithm (#3124, #3127).
  Added quantization option (#3126).
• Added CI workflow config file for building native binary wheels (#3121).
• [fontBuilder] Added glyphDataFormat=0 option; raise error when glyphs contain cubic outlines but glyphDataFormat was not explicitly set to 1 (#3113, #3119).

... (truncated)

Changelog

Sourced from fonttools's changelog.

4.43.0 (released 2023-09-29)

• [subset] Set up lxml XMLParser(resolve_entities=False) when parsing OT-SVG documents to prevent XML External Entity (XXE) attacks (9f61271dc): https://codeql.github.com/codeql-query-help/python/py-xxe/
• [varLib.iup] Added workaround for a Cython bug in iup_delta_optimize that was leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas (60126435d, cython/cython#5732).
• [varLib] Added new command-line entry point fonttools varLib.avar to add an avar table to an existing VF from axes mappings in a .designspace file (0a3360e52).
• [instancer] Fixed bug whereby no longer used variation regions were not correctly pruned after VarData optimization (#3268).
• Added support for Python 3.12 (#3283).

4.42.1 (released 2023-08-20)

• [t1Lib] Fixed several Type 1 issues (#3238, #3240).
• [otBase/packer] Allow sharing tables reached by different offset sizes (#3241, #3236).
• [varLib/merger] Fix Cursive attachment merging error when all anchors are NULL (#3248, #3247).
• [ttLib] Fixed warning when calling addMultilingualName and ttFont parameter was not passed on to findMultilingualName (#3253).

4.42.0 (released 2023-08-02)

• [varLib] Use sentinel value 0xFFFF to mark a glyph advance in hmtx/vmtx as non participating, allowing sparse masters to contain glyphs for variation purposes other than {H,V}VAR (#3235).
• [varLib/cff] Treat empty glyphs in non-default masters as missing, thus not participating in CFF2 delta computation, similarly to how varLib already treats them for gvar (#3234).
• Added varLib.avarPlanner script to deduce 'correct' avar v1 axis mappings based on glyph average weights (#3223).

4.41.1 (released 2023-07-21)

• [subset] Fixed perf regression in v4.41.0 by making NameRecordVisitor only visit tables that do contain nameID references (#3213, #3214).
• [varLib.instancer] Support instancing fonts containing null ConditionSet offsets in FeatureVariationRecords (#3211, #3212).
• [statisticsPen] Report font glyph-average weight/width and font-wide slant.
• [fontBuilder] Fixed head.created date incorrectly set to 0 instead of the current timestamp, regression introduced in v4.40.0 (#3210).
• [varLib.merger] Support sparse CursivePos masters (#3209).

4.41.0 (released 2023-07-12)

... (truncated)

Commits

• 145460e Release 4.43.0
• 64f3fd8 Update changelog [skip ci]
• 7aea49e Merge pull request #3283 from hugovk/main
• 4470c44 Bump requirements.txt to support Python 3.12
• 0c87cba Bump scipy for Python 3.12 support
• eda6fa5 Add support for Python 3.12
• 0e033b0 Bump reportlab from 3.6.12 to 3.6.13 in /Doc
• 6012643 [iup] Work around cython bug
• b14268a [iup] Remove copy/pasta
• 0a3360e [varLib.avar] New module to compile avar from .designspace file
• Additional commits viewable in compare view

Updates jinja2 from 3.0.1 to 3.1.3

Release notes

Sourced from jinja2's releases.

3.1.3

This is a fix release for the 3.1.x feature branch.

• Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.
• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-3
• Milestone: https://github.com/pallets/jinja/milestone/15?closed=1

3.1.2

This is a fix release for the 3.1.0 feature release.

• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-2
• Milestone: https://github.com/pallets/jinja/milestone/13?closed=1

3.1.1

• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-1
• Milestone: https://github.com/pallets/jinja/milestone/12?closed=1

3.1.0

This is a feature release, which includes new features and removes previously deprecated features. The 3.1.x branch is now the supported bugfix branch, the 3.0.x branch has become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. We also encourage upgrading to MarkupSafe 2.1.1, the latest version at this time.

• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-0
• Milestone: https://github.com/pallets/jinja/milestone/8?closed=1
• MarkupSafe changes: https://markupsafe.palletsprojects.com/en/2.1.x/changes/#version-2-1-1

3.0.3

• Changes: https://jinja.palletsprojects.com/en/3.0.x/changes/#version-3-0-3

3.0.2

• Changes: https://jinja.palletsprojects.com/en/3.0.x/changes/#version-3-0-2

Changelog

Sourced from jinja2's changelog.

Version 3.1.3

Released 2024-01-10

• Fix compiler error when checking if required blocks in parent templates are empty. :pr:1858
• xmlattr filter does not allow keys with spaces. GHSA-h5c8-rqwp-cp95
• Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. :pr:1918

Version 3.1.2

Released 2022-04-28

• Add parameters to Environment.overlay to match __init__. :issue:1645
• Handle race condition in FileSystemBytecodeCache. :issue:1654

Version 3.1.1

Released 2022-03-25

• The template filename on Windows uses the primary path separator. :issue:1637

Version 3.1.0

Released 2022-03-24

• Drop support for Python 3.6. :pr:1534

• Remove previously deprecated code. :pr:1544

  • WithExtension and AutoEscapeExtension are built-in now.
  • contextfilter and contextfunction are replaced by pass_context. evalcontextfilter and evalcontextfunction are replaced by pass_eval_context. environmentfilter and environmentfunction are replaced by pass_environment.
  • Markup and escape should be imported from MarkupSafe.
  • Compiled templates from very old Jinja versions may need to be recompiled.
  • Legacy resolve mode for Context subclasses is no longer supported. Override resolve_or_missing instead of

... (truncated)

Commits

• d9de4bb release version 3.1.3
• 50124e1 skip test pypi
• 9ea7222 use trusted publishing
• da703f7 use trusted publishing
• bce1746 use trusted publishing
• 7277d80 update pre-commit hooks
• 5c8a105 Make nested-trans-block exceptions nicer (#1918)
• 19a55db Make nested-trans-block exceptions nicer
• 7167953 Merge pull request from GHSA-h5c8-rqwp-cp95
• 7dd3680 xmlattr filter disallows keys with spaces
• Additional commits viewable in compare view

Updates pillow from 9.3.0 to 10.3.0

Release notes

Sourced from pillow's releases.

10.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html

Changes

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [@​hugovk]
• Use functools.lru_cache for hopper() #7912 [@​hugovk]
• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [@​radarhere]
• Improve speed of loading QOI images #7925 [@​radarhere]
• Added RGB to I;16N conversion #7920 [@​radarhere]
• Add --report argument to main.py to omit supported formats #7818 [@​nulano]
• Added RGB to I;16, I;16L and I;16B conversion #7918 [@​radarhere]
• Fix editable installation with custom build backend and configuration options #7658 [@​nulano]
• Fix putdata() for I;16N on big-endian #7209 [@​Yay295]
• Determine MPO size from markers, not EXIF data #7884 [@​radarhere]
• Improved conversion from RGB to RGBa, LA and La #7888 [@​radarhere]
• Support FITS images with GZIP_1 compression #7894 [@​radarhere]
• Use I;16 mode for 9-bit JPEG 2000 images #7900 [@​scaramallion]
• Raise ValueError if kmeans is negative #7891 [@​radarhere]
• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [@​radarhere]
• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [@​radarhere]
• Added reading of JPEG2000 palettes #7870 [@​radarhere]
• Added alpha_quality argument when saving WebP images #7872 [@​radarhere]
• Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions #7881 [@​radarhere]
• Removed Python and NumPy pinning on Cygwin #7880 [@​radarhere]
• Update UnidentifiedImageError and version imports #7644 [@​radarhere]
• Stop reading EPS image at EOF marker #7753 [@​radarhere]
• PSD layer co-ordinates may be negative #7706 [@​radarhere]
• Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer #7791 [@​radarhere]
• When saving GIF frame that restores to background color, do not fill identical pixels #7788 [@​radarhere]
• Fixed reading PNG iCCP compression method #7823 [@​radarhere]
• Allow writing IFDRational to UNDEFINED tag #7840 [@​radarhere]
• Fix logged tag name when loading Exif data #7842 [@​radarhere]
• Use maximum frame size in IHDR chunk when saving APNG images #7821 [@​radarhere]
• Prevent opening P TGA images without a palette #7797 [@​radarhere]
• Use palette when loading ICO images #7798 [@​radarhere]
• Use consistent arguments for load_read and load_seek #7713 [@​radarhere]
• Turn off nullability warnings for macOS SDK #7827 [@​radarhere]
• Fix shift-sign issue in Convert.c #7838 [@​r-barnes]
• winbuild: Refactor dependency versions into constants #7843 [@​hugovk]
• Build macOS arm64 wheels natively #7852 [@​radarhere]
• Fixed typo #7855 [@​radarhere]
• Open 16-bit grayscale PNGs as I;16 #7849 [@​radarhere]
• Handle truncated chunks at the end of PNG images #7709 [@​lajiyuan]
• Match mask size to pasted image size in GifImagePlugin #7779 [@​radarhere]
• Changed SupportsGetMesh protocol to be public #7841 [@​radarhere]
• Release GIL while calling WebPAnimDecoderGetNext #7782 [@​evanmiller]
• Fixed reading FLI/FLC images with a prefix chunk #7804 [@​twolife]
• Updated package name for Tidelift #7810 [@​radarhere]
• Removed unused code #7744 [@​radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

10.3.0 (2024-04-01)

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [radarhere, hugovk]

• Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() #7927 [radarhere, hugovk]

• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [radarhere]

• Add --report argument to __main__.py to omit supported formats #7818 [nulano, radarhere, hugovk]

• Added RGB to I;16, I;16L, I;16B and I;16N conversion #7918, #7920 [radarhere]

• Fix editable installation with custom build backend and configuration options #7658 [nulano, radarhere]

• Fix putdata() for I;16N on big-endian #7209 [Yay295, hugovk, radarhere]

• Determine MPO size from markers, not EXIF data #7884 [radarhere]

• Improved conversion from RGB to RGBa, LA and La #7888 [radarhere]

• Support FITS images with GZIP_1 compression #7894 [radarhere]

• Use I;16 mode for 9-bit JPEG 2000 images #7900 [scaramallion, radarhere]

• Raise ValueError if kmeans is negative #7891 [radarhere]

• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [radarhere]

• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [radarhere]

• Added reading of JPEG2000 palettes #7870 [radarhere]

• Added alpha_quality argument when saving WebP images #7872 [radarhere]

... (truncated)

Commits

• 5c89d88 10.3.0 version bump
• 63cbfcf Update CHANGES.rst [ci skip]
• 2776126 Merge pull request #7928 from python-pillow/lcms
• aeb51cb Merge branch 'main' into lcms
• 5beb0b6 Update CHANGES.rst [ci skip]
• cac6ffa Merge pull request #7927 from python-pillow/imagemath
• f5eeeac Name as 'options' in lambda_eval and unsafe_eval, but '_dict' in deprecated eval
• facf3af Added release notes
• 2a93aba Use strncpy to avoid buffer overflow
• a670597 Update CHANGES.rst [ci skip]
• Additional commits viewable in compare view

Updates requests from 2.28.1 to 2.31.0

Release notes

Sourced from requests's releases.

v2.31.0

2.31.0 (2023-05-22)

Security

• Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.

  When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.

  In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.

  Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.

  Full details can be read in our Github Security Advisory and CVE-2023-32681.

v2.30.0

2.30.0 (2023-05-03)

Dependencies

• ⚠️ Added support for urllib3 2.0. ⚠️

  This may contain minor breaking changes so we advise careful testing and reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html prior to upgrading.

  Users who wish to stay on urllib3 1.x can pin to urllib3<2.

v2.29.0

2.29.0 (2023-04-26)

Improvements

• Requests now defers chunked requests to the urllib3 implementation to improve standardization. (#6226)
• Requests relaxes header component requirements to support bytes/str subclasses. (#6356)

... (truncated)

Changelog

Sourced from requests's changelog.

2.31.0 (2023-05-22)

Security

• Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.

  When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.

  In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.

  Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.

  Full details can be read in our Github Security Advisory and CVE-2023-32681.

2.30.0 (2023-05-03)

Dependencies

• ⚠️ Added support for urllib3 2.0. ⚠️

  This may contain minor breaking changes so we advise careful testing and reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html prior to upgrading.

  Users who wish to stay on urllib3 1.x can pin to urllib3<2.

2.29.0 (2023-04-26)

Improvements

• Requests now defers chunked requests to the urllib3 implementation to improve standardization. (#6226)
• Requests relaxes header component requirements to support bytes/str subclasses. (#6356)

2.28.2 (2023-01-12)

... (truncated)

Commits

• 147c851 v2.31.0
• 74ea7cf Merge pull request from GHSA-j8r2-6x86-q33q
• 3022253 test on pypy 3.8 and pypy 3.9 on windows and macos (#6424)
• b639e66 test on py3.12 (#6448)
• d3d5044 Fixed a small typo (#6452)
• 2ad18e0 v2.30.0
• f2629e9 Remove strict parameter (#6434)
• 87d63de v2.29.0
• 51716c4 enable the warnings plugin (#6416)
• a7da1ab try on ubuntu 22.04 (#6418)
• Additional commits viewable in compare view

Updates tornado from 6.1 to 6.3.3

Changelog

Sourced from tornado's changelog.

Release notes

.. toctree:: :maxdepth: 2

releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1 releases/v3.2.0 releases/v3.1.1 releases/v3.1.0 releases/v3.0.2 releases/v3.0.1 releases/v3.0.0 releases/v2.4.1 releases/v2.4.0 releases/v2.3.0 releases/v2.2.1

... (truncated)

Commits

• e4d6984 Merge pull request #3307 from bdarnell/branch6.3
• 6a9e6fb ci: Don't test py312 in branch6.3
• 5c8a9a4 Set version to 6.3.3
• 7dfe8b5 httpserver_test: Add ExpectLog to fix CI
• 217295b http1connection: Make content-length parsing more strict
• e3aa6c5 Merge pull request #3267 from bdarnell/branch6.3
• 34f5c1c Version 6.3.2
• 32ad07c web: Fix an open redirect in StaticFileHandler
• e0fa53e Merge pull request #3257 from bdarnell/build-workflow-wstest-warning
• f5a1d5c ci: Only run pypi actions from the main repo
• Additional commits viewable in compare view

Updates urllib3 from 1.26.10 to 1.26.18

Release notes

Sourced from urllib3's releases.

1.26.18

• Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (GHSA-g4mx-q9vg-27p4)

1.26.17

• Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (GHSA-v845-jxx5-vc9f)

1.26.16

• Fixed thread-safety issue where accessing a PoolManager with many distinct origins would cause connection pools to be closed while requests are in progress (#2954)

1.26.15

• Fix socket timeout value when HTTPConnection is reused (urllib3/urllib3#2645)
• Remove "!" character from the unreserved characters in IPv6 Zone ID parsing (urllib3/urllib3#2899)
• Fix IDNA handling of 'x80' byte (urllib3/urllib3#2901)

1.26.14

• Fixed parsing of port 0 (zero) returning None, instead of 0 (#2850)
• Removed deprecated HTTPResponse.getheaders() calls in urllib3.contrib module.

1.26.13

• Deprecated the HTTPResponse.getheaders() and HTTPResponse.getheader() methods.
• Fixed an issue where parsing a URL with leading zeroes in the port would be rejected even when the port number after removing the zeroes was valid.
• Fixed a deprecation warning when using cryptography v39.0.0.
• Removed the <4 in the Requires-Python packaging metadata field.

1.26.12

• Deprecated the urllib3[secure] extra and the urllib3.contrib.pyopenssl module. Both will be removed in v2.x. See this GitHub issue for justification and info on how to migrate.

1.26.11

If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors.

⚠️ urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Fixed an issue where reading more than 2 GiB in a call to HTTPResponse.read would raise an OverflowError on Python 3.9 and earlier.

Changelog

Sourced from urllib3's changelog.

1.26.18 (2023-10-17)

• Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.

1.26.17 (2023-10-02)

• Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. ([#3139](https://github.com/urllib3/urllib3/issues/3139) <https://github.com/urllib3/urllib3/pull/3139>_)

1.26.16 (2023-05-23)

• Fixed thread-safety issue where accessing a PoolManager with many distinct origins would cause connection pools to be closed while requests are in progress ([#2954](https://github.com/urllib3/urllib3/issues/2954) <https://github.com/urllib3/urllib3/pull/2954>_)

1.26.15 (2023-03-10)

• Fix socket timeout value when HTTPConnection is reused ([#2645](https://github.com/urllib3/urllib3/issues/2645) <https://github.com/urllib3/urllib3/issues/2645>__)
• Remove "!" character from the unreserved characters in IPv6 Zone ID parsing ([#2899](https://github.com/urllib3/urllib3/issues/2899) <https://github.com/urllib3/urllib3/issues/2899>__)
• Fix IDNA handling of '\x80' byte ([#2901](https://github.com/urllib3/urllib3/issues/2901) <https://github.com/urllib3/urllib3/issues/2901>__)

1.26.14 (2023-01-11)

• Fixed parsing of port 0 (zero) returning None, instead of 0. ([#2850](https://github.com/urllib3/urllib3/issues/2850) <https://github.com/urllib3/urllib3/issues/2850>__)
• Removed deprecated getheaders() calls in contrib module. Fixed the type hint of PoolKey.key_retries by adding bool to the union. ([#2865](https://github.com/urllib3/urllib3/issues/2865) <https://github.com/urllib3/urllib3/issues/2865>__)

1.26.13 (2022-11-23)

• Deprecated the HTTPResponse.getheaders() and HTTPResponse.getheader() methods.
• Fixed an issue where parsing a URL with leading zeroes in the port would be rejected even when the port number after removing the zeroes was valid.
• Fixed a deprecation warning when using cryptography v39.0.0.
• Removed the <4 in the Requires-Python packaging metadata field.

1.26.12 (2022-08-22)

• Deprecated the urllib3[secure] extra and the urllib3.contrib.pyopenssl module. Both will be removed in v2.x. See this GitHub issue <https://github.com/urllib3/urllib3/issues/2680>_ for justification and info on how to migrate.

1.26.11 (2022-07-25)

• Fixed an issue where reading more than 2 GiB in a call to HTTPResponse.read would

... (truncated)

Commits

• 9c2c230 Release 1.26.18 (#3159)
• b594c5c Merge pull request from GHSA-g4mx-q9vg-27p4
• 944f0eb [1.26] Use vendored six in urllib3.contrib.securetransport
• c9016bf Release 1.26.17
• 0122035 Backport GHSA-v845-jxx5-vc9f (#3139)
• e63989f Fix installing brotli extra on Python 2.7
• 2e7a24d [1.26] Configure OS for RTD to fix building docs
• 57181d6 [1.26] Improve error message when calling urllib3.request() (#3058)
• 3c01480 [1.26] Run coverage even with failed jobs
• d94029b Release 1.26.16
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #63.