Bump the python-minor group across 1 directory with 21 updates

[dependabot]

Warning

Dependabot will stop supporting python v3.9!

Please upgrade to one of the following versions: v3.9, v3.10, v3.11, v3.12, v3.13, or v3.14.

Updates the requirements on rich, ruff, pyright, build, pydantic, certifi, cryptography, cyclonedx-python-lib, distlib, docutils, idna, lxml, nh3, packaging, pydantic-core, python-discovery, sqlalchemy, tzdata, virtualenv, wcwidth and psutil to permit the latest version.
Updates rich from 13.9.4 to 15.0.0

Release notes

Sourced from rich's releases.

The So Long 3.8 Release

A few fixes. The major version bump is to honor the passing of 3.8 support which reached its EOL in October 7, 2024

[15.0.0] - 2026-04-12

Changed

• Breaking change: Dropped support for Python3.8

Fixed

• Fixed empty print ignoring the end parameter Textualize/rich#4075
• Fixed Text.from_ansi removing newlines Textualize/rich#4076
• Fixed FileProxy.isatty not proxying Textualize/rich#4077
• Fixed inline code in Markdown tables cells Textualize/rich#4079

The Faster Startup Release

No new features in this release, but there should be improved startup time for Rich apps, and potentially improved runtime if you have a lot of links.

[14.3.4] - 2026-04-11

Changed

• Improved import time with lazy loading Textualize/rich#4070
• Changed link id generation to avoid random number generation at runtime Textualize/rich#3845

The infinite Release

Fixed a infinite loop in split_graphemes

[14.3.3] - 2026-02-19

Fixed

• Fixed infinite loop with cells.split_graphemes Textualize/rich#4006

The ZWJy release

A fix for cell_len edge cases

[14.3.2] - 2026-02-01

Fixed

• Fixed solo ZWJ crash Textualize/rich#3953
• Fixed control codes reporting width of 1 Textualize/rich#3953

The Nerdy Fix release

Fixed issue with characters outside of unicode range reporting 0 cell size

[14.3.1] - 2026-01-24

... (truncated)

Changelog

Sourced from rich's changelog.

[15.0.0] - 2026-04-12

Changed

• Breaking change: Dropped support for Python3.8

Fixed

• Fixed empty print ignoring the end parameter Textualize/rich#4075
• Fixed Text.from_ansi removing newlines Textualize/rich#4076
• Fixed FileProxy.isatty not proxying Textualize/rich#4077
• Fixed inline code in Markdown tables cells Textualize/rich#4079

[14.3.4] - 2026-04-11

Changed

• Improved import time with lazy loading Textualize/rich#4070
• Changed link id generation to avoid random number generation at runtime Textualize/rich#3845

[14.3.3] - 2026-02-19

Fixed

• Fixed infinite loop with cells.split_graphemes Textualize/rich#4006

[14.3.2] - 2026-02-01

Fixed

• Fixed solo ZWJ crash Textualize/rich#3953
• Fixed control codes reporting width of 1 Textualize/rich#3953

[14.3.1] - 2026-01-24

Fixed

• Fixed characters out of unicode range reporting a cell size if 0 Textualize/rich#3944

[14.3.0] - 2026-01-24

Fixed

• IPython now respects when a Console instance is passed to pretty.install Textualize/rich#3915
• Fixed extraneous blank line on non-interactive disabled Progress Textualize/rich#3905
• Fixed extra padding on first cell in columns Textualize/rich#3935
• Fixed trailing whitespace removed when soft_wrap=True Textualize/rich#3937
• Fixed style new-lines when soft_wrap = True and a print style is set Textualize/rich#3938

Added

... (truncated)

Commits

• 6ac483c correction
• 458a910 Merge pull request #4080 from Textualize/bump1500
• 82e06e0 changelog
• d6556bc bump to 15.0.0
• ffe2edc Merge pull request #4079 from Textualize/inline-table-code
• cf3b5a1 changelog
• 77f0edb remove comments
• 7ef2d05 fix inline code in table cells
• 19c67b9 Merge pull request #4077 from Textualize/isattry
• 494b795 changelog
• Additional commits viewable in compare view

Updates ruff from 0.15.10 to 0.15.16

Release notes

Sourced from ruff's releases.

0.15.16

Release Notes

Released on 2026-06-04.

Preview features

• [flake8-async] Implement yield-in-context-manager-in-async-generator (ASYNC119) (#24644)
• [pylint] Narrow diagnostic range and exclude cases without exception handlers (PLW0717) (#25440)
• [ruff] Treat yield before break from a terminal loop as terminal (RUF075) (#25447)

Bug fixes

• [eradicate] Avoid flagging ruff:ignore comments as code (ERA001) (#25537)
• [eradicate] Fix ERA001/RUF100 conflict when noqa is on commented-out code (#25414)
• [pyflakes] Avoid removing the format call when it would change behavior (F523) (#25320)
• [pylint] Avoid syntax errors in invalid character replacements in f-strings before Python 3.12 (PLE2510, PLE2512, PLE2513, PLE2514, PLE2515) (#25544)
• [pyupgrade] Avoid converting format calls with more kinds of side effects (UP032) (#25484)

Rule changes

• [flake8-pytest-style] Avoid fixes for ambiguous argnames and argvalues combinations (PT006) (#24776)

Performance

• Drop excess capacity from statement suites during parsing (#25368)

Documentation

• [pydocstyle] Improve discoverability of rules enabled for each convention (#24973)
• [ruff] Restore example code for Python versions before 3.15 (RUF017) (#25439)
• Fix typo bin/active → bin/activate in tutorial (#25473)

Other changes

• Shrink additional parser AST collections (#25465)

Contributors

• @​Redslayer112
• @​koriyoshi2041
• @​George-Ogden
• @​TejasAmle
• @​anishgirianish
• @​ntBre
• @​MichaReiser
• @​loganrosen
• @​RafaelJohn9
• @​adityasingh2400

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.16

Released on 2026-06-04.

Preview features

• [flake8-async] Implement yield-in-context-manager-in-async-generator (ASYNC119) (#24644)
• [pylint] Narrow diagnostic range and exclude cases without exception handlers (PLW0717) (#25440)
• [ruff] Treat yield before break from a terminal loop as terminal (RUF075) (#25447)

Bug fixes

• [eradicate] Avoid flagging ruff:ignore comments as code (ERA001) (#25537)
• [eradicate] Fix ERA001/RUF100 conflict when noqa is on commented-out code (#25414)
• [pyflakes] Avoid removing the format call when it would change behavior (F523) (#25320)
• [pylint] Avoid syntax errors in invalid character replacements in f-strings before Python 3.12 (PLE2510, PLE2512, PLE2513, PLE2514, PLE2515) (#25544)
• [pyupgrade] Avoid converting format calls with more kinds of side effects (UP032) (#25484)

Rule changes

• [flake8-pytest-style] Avoid fixes for ambiguous argnames and argvalues combinations (PT006) (#24776)

Performance

• Drop excess capacity from statement suites during parsing (#25368)

Documentation

• [pydocstyle] Improve discoverability of rules enabled for each convention (#24973)
• [ruff] Restore example code for Python versions before 3.15 (RUF017) (#25439)
• Fix typo bin/active → bin/activate in tutorial (#25473)

Other changes

• Shrink additional parser AST collections (#25465)

Contributors

• @​Redslayer112
• @​koriyoshi2041
• @​George-Ogden
• @​TejasAmle
• @​anishgirianish
• @​ntBre
• @​MichaReiser
• @​loganrosen
• @​RafaelJohn9
• @​adityasingh2400

0.15.15

... (truncated)

Commits

• 6c498ab Bump 0.15.16 (#25635)
• e51e132 [flake8-async] Implement yield-in-context-manager-in-async-generator (`AS...
• 7c6dcd9 [ty] Add caching for pattern match narrowing (#25613)
• 27058fc [ty] Compact retained definition and expression identities (#25606)
• bf80d05 Fix CODEOWNERS syntax (#25622)
• 10ccd51 Shrink additional parser AST collections (#25465)
• 0d7135f [ty] Upgrade Salsa (#25545)
• 49493a3 [ty] Show type alias value on hover (#25381)
• 85207d3 [ty] sys.implementation.version is not sys.version_info (#25608)
• a8a0614 [ty] Avoid retaining duplicate function signatures (#25609)
• Additional commits viewable in compare view

Updates pyright from 1.1.408 to 1.1.410

Commits

• 509391a Pyright NPM Package update to 1.1.410 (#361)
• d7508e5 [pyright updated to 1.1.409] Update Version (#359)
• See full diff in compare view

Updates build from 1.4.3 to 1.4.4

Release notes

Sourced from build's releases.

1.4.4

What's Changed

• 🐛 fix(release): generate consistent CHANGELOG heading levels by @​gaborbernat in pypa/build#1032
• docs: move source links by @​henryiii in pypa/build#1034
• revert: drop PEP 660 change by @​henryiii in pypa/build#1039
• fix: ignore installed when running pip by @​henryiii in pypa/build#1040
• fix: revert part of #973 by @​henryiii in pypa/build#1044
• chore: report coverage failure lines by @​henryiii in pypa/build#1046
• tests: fix issue with uv run by @​henryiii in pypa/build#1048
• docs: reorganize testing docs for copy/paste by @​abitrolly in pypa/build#1043
• tests: keep environment from leaking in Python 3.15 by @​henryiii in pypa/build#1049
• docs: fix issue with changelog generation by @​henryiii in pypa/build#1050

Full Changelog: pypa/build@1.4.3...1.4.4

Changelog

Sourced from build's changelog.

#################### 1.5.0 (2026-04-30) ####################

---

Features

---

• Drop Python 3.9 support - by :user:henryiii (:issue:1036)

---

Bugfixes

---

• Make --ignore-installed opt-in from the API via fresh=True - by :user:henryiii (:issue:1056)

---

Miscellaneous

---

• :issue:1033

#################### 1.4.4 (2026-04-22) ####################

---

Bugfixes

---

• Fix release pipeline generating CHANGELOG.rst entries with inconsistent heading levels, which broke sphinx -W and pinned Read the Docs stable at 1.4.0 - by :user:gaborbernat. (:issue:1031)
• Revert :pr:1039 from build 1.4.3, no longer check direct_url (for now) - by :user:henryiii (:issue:1039)
• Add --ignore-installed to pip install command to prevent issues with packages already present in the isolated build environment - by :user:henryiii (:issue:1037) (:issue:1040)
• Partial revert of :pr:973, keeping log messages in one entry, multiple lines. (:issue:1044)

---

Miscellaneous

---

• :issue:1048, :issue:1049

#################### 1.4.3 (2026-04-10) ####################

---

Features

---

... (truncated)

Commits

• 70666a2 chore: prepare for 1.4.4
• 653d865 docs: fix issue with changelog generation (#1050)
• 373b9ee tests: keep environment from leaking in Python 3.15 (#1049)
• e37e2ae docs: reorganize testing docs for copy/paste (#1043)
• e9c194a tests: fix issue with uv run (#1048)
• 03b7d70 chore: report coverage failure lines (#1046)
• 2afa3b5 fix: revert part of #973 (#1044)
• b336f60 pre-commit: bump repositories (#1045)
• 6d8039a fix: ignore installed when running pip (#1040)
• ebf6eba revert: drop PEP 660 change (#1039)
• Additional commits viewable in compare view

Updates pydantic from 2.13.0 to 2.13.4

Release notes

Sourced from pydantic's releases.

v2.13.4 2026-05-06

v2.13.4 (2026-05-06)

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #13129

Full Changelog: pydantic/pydantic@v2.13.3...v2.13.4

v2.13.3 2026-04-20

v2.13.3 (2026-04-20)

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #13096

Full Changelog: pydantic/pydantic@v2.13.2...v2.13.3

v2.13.2 2026-04-17

v2.13.2 (2026-04-17)

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

Full Changelog: pydantic/pydantic@v2.13.1...v2.13.2

v2.13.1 2026-04-15

v2.13.1 (2026-04-15)

What's Changed

Fixes

• Fix ValidationInfo.data missing with model_validate_json() by @​davidhewitt in #13079

Full Changelog: pydantic/pydantic@v2.13.0...v2.13.1

Changelog

Sourced from pydantic's changelog.

v2.13.4 (2026-05-06)

GitHub release

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #13129

v2.13.3 (2026-04-20)

GitHub release

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #13096

v2.13.2 (2026-04-17)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

v2.13.1 (2026-04-15)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.data missing with model_validate_json() by @​davidhewitt in #13079

Commits

• cf67d4b Fix linting
• f0d8a21 Prepare release v2.13.4
• 5e3fe1d Check for pydantic tag pattern in CI
• 7f9edcc Document tagging conventions
• b46a0c9 Adapt pydantic-core linker flags on macOS
• 50629c8 Update to PyPy 7.3.22
• 8522ebb Preserve RootModel core metadata
• a37f3af Adapt MISSING sentinel test to work with unreleased typing_extensions ver...
• 909259a Remove Logfire example in documentation
• 2c4174c Bump libc from 0.2.155 to 0.2.185
• Additional commits viewable in compare view

Updates certifi from 2026.2.25 to 2026.5.20

Commits

• d7ea151 2026.05.20 (#413)
• 5dddfb0 2026.04.22 (#410)
• f99eccd Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#404)
• 918bed0 Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#405)
• 0a49067 Bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 (#403)
• acf6ce8 Bump actions/download-artifact from 8.0.0 to 8.0.1 (#398)
• feb0ed2 Bump actions/download-artifact from 7.0.0 to 8.0.0 (#397)
• d9c11a5 Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#396)
• See full diff in compare view

Updates cryptography from 46.0.7 to 48.0.1

Changelog

Sourced from cryptography's changelog.

48.0.1 - 2026-06-09

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 4.0.1.
.. _v48-0-0:
48.0.0 - 2026-05-04

• BACKWARDS INCOMPATIBLE: Support for Python 3.8 has been removed. cryptography now requires Python 3.9 or later.

• BACKWARDS INCOMPATIBLE: Loading an X.509 CRL whose inner TBSCertList.signature algorithm does not match the outer signatureAlgorithm now raises ValueError. Previously, such CRLs were parsed successfully and only rejected during signature validation.

• Added support for :doc:/hazmat/primitives/asymmetric/mlkem and :doc:/hazmat/primitives/asymmetric/mldsa when using OpenSSL 3.5.0 or later, in addition to the existing AWS-LC and BoringSSL support. This means post-quantum algorithms are now available to users of our wheels.

  • Note: Going forward, we do not guarantee that all functionality in cryptography will be available when building against OpenSSL. See :doc:/statements/state-of-openssl for more information.

.. _v47-0-0:

47.0.0 - 2026-04-24

* Support for Python 3.8 is deprecated and will be removed in the next
  ``cryptography`` release.
* **BACKWARDS INCOMPATIBLE:** Support for binary elliptic curves
  (``SECT*`` classes) has been removed. These curves are rarely used and
  have additional security considerations that make them undesirable.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.x has been removed.
  OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC
  continue to be supported.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 4.1.
* **BACKWARDS INCOMPATIBLE:** Loading keys with unsupported algorithms or
  keys with unsupported explicit curve encodings now raises
  :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of
  ``ValueError``. This change affects
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`,
  and :meth:`~cryptography.x509.Certificate.public_key` when called on
  certificates with unsupported public key algorithms.
</tr></table> 

... (truncated)

Commits

• de987ce 48.0.1 version bump and changelog (#14996)
• 8e03e30 bump for 48.0.0 release (#14796)
• 295e0d2 Add AGENTS.md with CLAUDE.md symlink (#14794)
• 104a2de Bump BoringSSL, OpenSSL, AWS-LC in CI (#14793)
• 67ec1e5 call check_length early on AesSiv::encrypt (#14792)
• b2da57a changelog for mldsa/mlkem for openssl (#14791)
• 3cf44ad ML-KEM OpenSSL support (#14781)
• 2e31639 ML-DSA OpenSSL support (#14773)
• 5affe5a fix rust nightly clippy (#14790)
• 2e73ca4 bump rust-openssl dep and update EcPoint::mul_generator to mul_generator2 (#1...
• Additional commits viewable in compare view

Updates cyclonedx-python-lib from 11.7.0 to 11.9.0

Release notes

Sourced from cyclonedx-python-lib's releases.

v11.9.0 (2026-06-08)

Features

• Add support for license expression details (#908, b502381)

---

What's Changed

• chore(deps): bump snok/install-poetry from 1.4.1 to 1.4.2 by @​dependabot[bot] in CycloneDX/cyclonedx-python-lib#990
• chore(deps): update m2r2 requirement from >=0.3.2 to >=0.3.4 by @​dependabot[bot] in CycloneDX/cyclonedx-python-lib#970
• feat: add support for license expression details by @​Churro in CycloneDX/cyclonedx-python-lib#908

Full Changelog: CycloneDX/cyclonedx-python-lib@v11.8.0...v11.9.0

v11.8.0 (2026-06-04)

Documentation

• Update CDX summary (#951, 752b162)

Features

• Add support CycloneDX 1.7.1 & 1.6.2 & 1.5.1 (#985, 303889b)

• Pull SPDX license IDs v1.1-3.28.0 (#986, 42ff044)

---

What's Changed

• chore: extract glob for pyupgrade to separate script for cross-platform compatibility by @​peschuster in CycloneDX/cyclonedx-python-lib#950
• docs: update CDX summary by @​jkowalleck in CycloneDX/cyclonedx-python-lib#951
• chore: fix test coverage reporting by @​jkowalleck in CycloneDX/cyclonedx-python-lib#956
• chore(deps-dev): update tomli requirement from 2.3.0 to 2.4.1 by @​dependabot[bot] in CycloneDX/cyclonedx-python-lib#954
• chore(release): use own GH app for releasing by @​jkowalleck in CycloneDX/cyclonedx-python-lib#958
• chore(ci): pin GitHub Actions to immutable SHAs while preserving tag tracking by @​Copilot in CycloneDX/cyclonedx-python-lib#961
• chore: add zizmor workflow to harden GitHub Actions security by @​Copilot in CycloneDX/cyclonedx-python-lib#968
• Update PULL_REQUEST_TEMPLATE.md by @​jkowalleck in CycloneDX/cyclonedx-python-lib#974
• chore: Update CONTRIBUTING.md by @​jkowalleck in CycloneDX/cyclonedx-python-lib#975
• chore(ci): comments for pinned actions by @​jkowalleck in CycloneDX/cyclonedx-python-lib#984
• feat: add support CycloneDX 1.7.1 & 1.6.2 & 1.5.1 by @​jkowalleck in CycloneDX/cyclonedx-python-lib#985
• chore(deps): bump actions/create-github-app-token from 3.1.1 to 3.2.0 by @​dependabot[bot] in CycloneDX/cyclonedx-python-lib#982
• chore(deps): bump actions/download-artifact from 7.0.0 to 8.0.1 by @​dependabot[bot] in CycloneDX/cyclonedx-python-lib#964
• chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.1 by @​dependabot[bot] in CycloneDX/cyclonedx-python-lib#963
• feat: pull SPDX license IDs v1.1-3.28.0 by @​jkowalleck in CycloneDX/cyclonedx-python-lib#986

Full Changelog: CycloneDX/cyclonedx-python-lib@v11.7.0...v11.8.0

... (truncated)

Changelog

Sourced from cyclonedx-python-lib's changelog.

v11.9.0 (2026-06-08)

Features

• Add support for license expression details (#908, b502381)

v11.8.0 (2026-06-04)

Documentation

• Update CDX summary (#951, 752b162)

Features

• Add support CycloneDX 1.7.1 & 1.6.2 & 1.5.1 (#985, 303889b)

• Pull SPDX license IDs v1.1-3.28.0 (#986, 42ff044)

Commits

• 150777e chore(release): 11.9.0
• b502381 feat: add support for license expression details (#908)
• 2ce770f chore(deps): update m2r2 requirement from >=0.3.2 to >=0.3.4 (#970)
• 5854695 chore(deps): bump snok/install-poetry from 1.4.1 to 1.4.2 (#990)
• e537812 chore(release): 11.8.0
• 42ff044 feat: pull SPDX license IDs v1.1-3.28.0 (#986)
• 590402a chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.1 (#963)
• 051abce chore(deps): bump actions/download-artifact from 7.0.0 to 8.0.1 (#964)
• bc961ef chore(deps): bump actions/create-github-app-token from 3.1.1 to 3.2.0 (#982)
• 303889b feat: add support CycloneDX 1.7.1 & 1.6.2 & 1.5.1 (#985)
• Additional commits viewable in compare view

Updates distlib from 0.4.0 to 0.4.2

Changelog

Sourced from distlib's changelog.

0.4.2

Released: 2026-06-08


locators


Fix URL percent-encoding using space-padding instead of zero-padding. Thanks to
Kadir Can Ozden for the patch.


Harden decompression against malicious input. Thanks to tonghuaroot for the patch,
which was adapted slightly.




manifest

Use os.lstat in findall to correctly detect symlinked directories. Thanks to
Kadir Can Ozden for the patch.



metadata

Improve logic to incorporate newer metadata versions.



resources

Ensure that constructed resource paths don't escape the package. Thanks to
tonghuaroot for the patch.



util


Fix #255: Update cache_from_source() for Python 3.15. Thanks to Victor Stinner
for the patch.


Check during unarchiving that the destination directory isn't escaped via symlinks.
Thanks to tonghuaroot for the patch.


Improved performance of normalize_name using dual replace. Thanks to
Hugo van Kemenade for the patch.




wheel


Add checks that installed files don't escape the installation directory. Thanks to
tonghuaroot for the patch.


Add checks when mounting extensions to ensure path containment. Thanks to
tonghuaroot for the patch.




0.4.1

... (truncated)

Commits

• 8183ea6 Update change log.
• 55ca016 Changes for 0.4.2.
• 7e282ab Update metadata logic to incorporate newer versions.
• fa4ea50 Remove non-portable portion of test.
• e06a1d5 Further refine tests.
• ccd2bb0 Update unit tests.
• ab58056 Formatting tidy-up.
• 4d4c926 Add checks when mounting extensions to ensure path containment.
• 9efc6fd Check during unarchiving that the destination directory isn't escaped via sym...
• 63fd4f1 Ensure that constructed resource paths don't escape the package.
• Additional commits viewable in compare view

Updates docutils from 0.22.4 to 0.23

Commits

• See full diff in compare view

Updates idna from 3.11 to 3.18

Changelog

Sourced from idna's changelog.

3.18 (2026-06-02)

• When decoding a domain, add a display argument that will pass through invalid labels rather than raising an exception.

3.17 (2026-05-28)

• Substantial 75% reduction in memory usage through new data structures and some optimization in processing speed.
• Added a general 1024-character input length cap to the public validation, conversion, and codec entry points. This is well above any legitimate domain or label and guards against pathological inputs.

3.16 (2026-05-22)

• Add a command-line interface (python -m idna, also available as the idna script). Encodes or decodes one or more domains supplied as arguments or on standard input, with options to select A-label or U-label output and control error handling.
• Raise the minimum supported Python version to 3.9
• Various code quality improvements

3.15 (2026-05-12)

• Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.
• Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.
• Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.
• Allow flit_core 4.x in the build backend.
• Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.
• Add Dependabot configuration for GitHub Actions.
• Convert README and HISTORY from reStructuredText to Markdown.
• Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

3.14 (2026-05-10)

• Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass

... (truncated)

Commits

• f39ea90 Release 3.18
• 40f4e40 Pre-release 3.18rc0
• 1a5bf80 Merge pull request #253 from kjd/lenient-decode
• 5bbb26f Merge branch 'master' into lenient-decode
• c532bae Rename decode() lenient= option to display= (issue #248)
• 0b1758b Merge pull request #252 from kjd/release-3.17
• f48619c Release 3.17
• 7421ba8 Pre-release 3.17rc0
• 22ebb73 Merge pull request #251 from kjd/structure-optimizations
• 2a7ac0a Drop redundant parallel-arrays comment from uts46data
• Additional commits viewable in compare view

Updates lxml from 6.0.4 to 6.1.1

Changelog

Sourced from lxml's changelog.

6.1.1 (2026-05-18)

Bugs fixed

• The known link attributes in lxml.html.defs.link_attrs were missing xlink:href, which can be used for URL bypass attacks in embedded SVG/MathML/etc. content. GHSA-4jhm-jv67-739f

• The Linux wheels use a patched libxslt 1.1.43, fixing CVE-2025-7424 and CVE-2025-11731.

• The Windows wheels use libxslt 1.1.45, fixing CVE-2025-7424 and CVE-2025-11731.

6.1.0 (2026-04-17)

This release fixes a possible external entity injection (XXE) vulnerability in iterparse() and the ETCompatXMLParser.

Features added

• GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes in lxml.html.defs. This allows lxml_html_clean to pass them through. Patch by oomsveta.

• The default chunk size for reading from file-likes in iterparse() is now configurable with a new chunk_size argument.

Bugs fixed

• LP#2146291: The resolve_entities option was still set to True for iterparse and ETCompatXMLParser, allowing for external entity injection (XXE) when using these parsers without setting this option explicitly. The default was now changed to 'internal' only (as for the normal XML and HTML parsers since lxml 5.0). Issue found by Sihao Qiu as CVE-2026-41066.

Commits

• b4a4c59 Build: Fix build in Py3.8.
• a116dcb Fix typo: type annotions -> type annotations in PEP 560 comments (GH-504)
• 7287a75 Prepare release of 6.1.1.
• 5927a6d Add missing "xlink:href" to the known HTML link attributes.
• 23efeb4 Build: Fix build in Py3.8.
• 2c0563b Build: Add bug patch for libxslt 1.1.43 and apply it during the static librar...
• 8a35fcc Fix doctest in PyPy3.9.
• 43722f4 Update changelog.
• 8747040 Name version of option change in docstring.
• 6c36e6c Fix pypistats URL in download statistics script.
• Additional commits viewable in compare view

Updates nh3 from 0.3.4 to 0.3.5

Release notes

Sourced from nh3's releases.

...

Description has been truncated