Bump the production-dependencies group across 1 directory with 10 updates #1978

Merged: nishtha-kalra merged 1 commit into main from dependabot/pip/production-dependencies-12550fdbee on May 15, 2026

@dependabot dependabot Bot commented on behalf of github May 14, 2026

Bumps the production-dependencies group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| backrefs | 6.2 | 7.0 |
| certifi | 2026.2.25 | 2026.4.22 |
| idna | 3.11 | 3.13 |
| pathspec | 1.0.4 | 1.1.1 |
| urllib3 | 2.6.3 | 2.7.0 |
| build | 1.4.3 | 1.5.0 |
| python-discovery | 1.2.2 | 1.3.0 |
| virtualenv | 21.2.4 | 21.3.1 |
| wheel | 0.46.3 | 0.47.0 |
| pip | 26.1 | 26.1.1 |

Updates backrefs from 6.2 to 7.0

Release notes

Sourced from backrefs's releases.

7.0

  • BREAK: Remove deprecated \e and \h support.
  • NEW: Drop Python 3.9 support.
  • NEW: Lazy load Unicode tables as required.
  • FIX: Fix bad name for value for Joining Group, which was previously non_joining, but should have been no_joining_group.
  • FIX: Update Unicode script to handle unexpected changes in alias of non-explicit value names.
Commits

Updates certifi from 2026.2.25 to 2026.4.22

Commits
  • 5dddfb0 2026.04.22 (#410)
  • f99eccd Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#404)
  • 918bed0 Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#405)
  • 0a49067 Bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 (#403)
  • acf6ce8 Bump actions/download-artifact from 8.0.0 to 8.0.1 (#398)
  • feb0ed2 Bump actions/download-artifact from 7.0.0 to 8.0.0 (#397)
  • d9c11a5 Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#396)
  • See full diff in compare view

Updates idna from 3.11 to 3.13

Changelog

Sourced from idna's changelog.

3.13 (2026-04-22)

  • Correct classification error for codepoint U+A7F1

3.12 (2026-04-21)

  • Update to Unicode 17.0.0.
  • Issue a deprecation warning for the transitional argument.
  • Added lazy-loading to provide some performance improvements.
  • Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

Commits
  • 89cdfd2 Release v3.13
  • 1eb0686 Pre-release 3.13
  • 5f20d1e Merge pull request #220 from kjd/unicode-next
  • 4ea8425 Regenerate idnadata.py with correct NFKC_CF data
  • fd47341 Use NFKC_CF from Unicode data files instead of Python's unicodedata module
  • a5304a4 Merge pull request #219 from kjd/release-3.12
  • d80d6f9 Release v3.12
  • 1bb44dd Merge pull request #218 from kjd/release-candidate-3.12rc0
  • 909c49d Release candidate for 3.12
  • c5459a1 Merge pull request #217 from kjd/housekeeping-2
  • Additional commits viewable in compare view

Updates pathspec from 1.0.4 to 1.1.1

Release notes

Sourced from pathspec's releases.

v1.1.1

Release v1.1.1. See CHANGES.rst.

v1.1.0

Release v1.1.0. See CHANGES.rst.

Changelog

Sourced from pathspec's changelog.

1.1.1 (2026-04-26)

Improvements:

  • Improved type checking with mypy and pyright.

Bug fixes:

  • Fixed typing on PathSpec[TPattern] to PathSpec[TPattern_co].
  • Added missing variant type-hint type[Pattern] to PathSpec.from_lines() parameter pattern_factory.
  • Fixed possible type error when using + and += operators on PathSpec.

1.1.0 (2026-04-22)

New features:

  • Issue [#108](https://github.com/cpburnz/python-pathspec/issues/108): Specialize pattern type for PathSpec as PathSpec[TPattern] for better debugging of PathSpec().patterns.

Bug fixes:

  • Issue [#93](https://github.com/cpburnz/python-pathspec/issues/93): Git discards invalid range notation. GitIgnoreSpecPattern now discards patterns with invalid range notation like Git.
  • Pull [#106](https://github.com/cpburnz/python-pathspec/issues/106): Fix escape() not escaping backslash characters.

Improvements:

  • Pull [#110](https://github.com/cpburnz/python-pathspec/issues/110): Nicer debug print outs (and str for regex pattern).

Commits

Updates urllib3 from 2.6.3 to 2.7.0

Release notes

Sourced from urllib3's releases.

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

  • Decompression-bomb safeguards of the streaming API were bypassed:

    1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially. (Reported by @Cycloctane)
    2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli library. (Reported by @kimkou2024)

    See GHSA-mf9v-mfxr-j63j for details.

  • HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by @christos-spearbit)

Deprecations and Removals

  • Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (urllib3/urllib3#3763)
  • Removed support for end-of-life Python 3.9. (urllib3/urllib3#3720)
  • Removed support for end-of-life PyPy3.10. (urllib3/urllib3#4979)
  • Bumped the minimum supported pyOpenSSL version to 19.0.0. (urllib3/urllib3#3777)

Bugfixes

  • Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. (urllib3/urllib3#3636)
  • Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True. (urllib3/urllib3#4967)
  • Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle amt=0. (urllib3/urllib3#3793)
  • Updated _TYPE_BODY type alias to include missing Iterable[str], matching the documented and runtime behavior of chunked request bodies. (urllib3/urllib3#3798)
  • Fixed LocationParseError when paths resembling schemeless URIs were passed to HTTPConnectionPool.urlopen(). (urllib3/urllib3#3352)
  • Fixed BaseHTTPResponse.readinto() type annotation to accept memoryview in addition to bytearray, matching the io.RawIOBase.readinto contract and enabling use with io.BufferedReader without type errors. (urllib3/urllib3#3764)
Changelog

Sourced from urllib3's changelog.

2.7.0 (2026-05-07)

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

  • Decompression-bomb safeguards of the streaming API were bypassed:

    1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially.
    2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official [Brotli](https://pypi.org/project/brotli/) library.

    See [GHSA-mf9v-mfxr-j63j](https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j) for details.

  • HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. ([GHSA-qccp-gfcp-xxvc](https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc))

Deprecations and Removals

  • Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. ([#3763](https://github.com/urllib3/urllib3/issues/3763))
  • Removed support for end-of-life Python 3.9. ([#3720](https://github.com/urllib3/urllib3/issues/3720))
  • Removed support for end-of-life PyPy3.10. ([#4979](https://github.com/urllib3/urllib3/issues/4979))
  • Bumped the minimum supported pyOpenSSL version to 19.0.0. ([#3777](https://github.com/urllib3/urllib3/issues/3777))

Bugfixes

  • Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. ([#3636](https://github.com/urllib3/urllib3/issues/3636))
  • Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True.

... (truncated)

Commits

Updates build from 1.4.3 to 1.5.0

Release notes

Sourced from build's releases.

1.5.0

What's Changed

Full Changelog: pypa/build@1.4.4...1.5.0

1.4.4

What's Changed

Full Changelog: pypa/build@1.4.3...1.4.4

Changelog

Sourced from build's changelog.

1.5.0 (2026-04-30)

Features

  • Drop Python 3.9 support - by @henryiii (#1036)

Bugfixes

  • Make --ignore-installed opt-in from the API via fresh=True - by @henryiii (#1056)

Miscellaneous

  • #1033

1.4.4 (2026-04-22)

Bugfixes

  • Fix release pipeline generating CHANGELOG.rst entries with inconsistent heading levels, which broke sphinx -W and pinned Read the Docs stable at 1.4.0 - by @gaborbernat. (#1031)
  • Revert PR #1039 from build 1.4.3, no longer check direct_url (for now) - by @henryiii (#1039)
  • Add --ignore-installed to pip install command to prevent issues with packages already present in the isolated build environment - by @henryiii (#1037) (#1040)
  • Partial revert of PR #973, keeping log messages in one entry, multiple lines. (#1044)

Miscellaneous

  • #1048, #1049

1.4.3 (2026-04-10)

Features

... (truncated)

Commits

Updates python-discovery from 1.2.2 to 1.3.0

Release notes

Sourced from python-discovery's releases.

1.3.0

What's Changed

Full Changelog: tox-dev/python-discovery@1.2.2...1.3.0

Changelog

Sourced from python-discovery's changelog.

Features - 1.3.0

  • Add python_discovery.iter_interpreters for enumerating every discovered interpreter, with PATH and UV-install support for non-CPython implementations listed in python_discovery.KNOWN_IMPLEMENTATIONS (#71)

v1.2.2 (2026-04-06)


Commits
  • 00052bd ✨ feat(discovery): add iter_interpreters for enumeration (#71)
  • 791d139 build(deps): bump astral-sh/setup-uv from 8.0.0 to 8.1.0 (#68)
  • 77273ad [pre-commit.ci] pre-commit autoupdate (#70)
  • 6b5d73b [pre-commit.ci] pre-commit autoupdate (#69)
  • 0868856 [pre-commit.ci] pre-commit autoupdate (#67)
  • eb2aa7a build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#66)
  • 5b19eea [pre-commit.ci] pre-commit autoupdate (#64)
  • 3aa7d33 build(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 (#63)
  • See full diff in compare view

Updates virtualenv from 21.2.4 to 21.3.1

Release notes

Sourced from virtualenv's releases.

21.3.1

What's Changed

Full Changelog: pypa/virtualenv@21.3.0...21.3.1

21.3.0

What's Changed

New Contributors

Full Changelog: pypa/virtualenv@21.2.4...21.3.0

Changelog

Sourced from virtualenv's changelog.

Bugfixes - 21.3.1

  • Upgrade embedded wheels:

    • pip to 26.1.1 from 26.1 (#3138)

v21.3.0 (2026-04-27)

Features - 21.3.0

  • Re-introduce xonsh shell activator (activate.xsh) previously removed in 20.7.0, and make the plugin loader prefer virtualenv's built-in entry points so a third-party package cannot override them by registering a duplicate name. (#3003)

Bugfixes - 21.3.0

  • Upgrade embedded wheels:

    • pip to 26.1 (#3132)

v21.2.4 (2026-04-14)


Commits
  • 12ab495 release 21.3.1
  • 22eadc4 [pre-commit.ci] pre-commit autoupdate (#3137)
  • 6651daf 🐛 fix(seed): bump embedded pip to 26.1.1 (#3138)
  • 936a36a 👷 ci: retry transient apt failures on Linux (#3139)
  • cb5a7d1 [pre-commit.ci] pre-commit autoupdate (#3133)
  • e917cc2 release 21.3.0
  • 21152f1 Upgrade embedded pip/setuptools/wheel (#3132)
  • 096bdcd chore(deps): bump astral-sh/setup-uv from 8.0.0 to 8.1.0 (#3131)
  • 01610dc docs: Add usage instruction for Xonsh activation (#3130)
  • fb6ec7c 🐛 fix(test): prevent PowerShell activation test from crashing xdist workers o...
  • Additional commits viewable in compare view

Updates wheel from 0.46.3 to 0.47.0

Release notes

Sourced from wheel's releases.

0.47.0

  • Added the wheel info subcommand to display metadata about wheel files without unpacking them (#639)
  • Fixed WheelFile raising Missing RECORD file when the wheel filename contains uppercase characters (e.g. Django-3.2.5.whl) but the .dist-info directory inside uses normalized lowercase naming (#411)
Changelog

Sourced from wheel's changelog.

Release Notes

0.47.0 (2026-04-22)

  • Added the wheel info subcommand to display metadata about wheel files without unpacking them ([#639](https://github.com/pypa/wheel/issues/639))
  • Fixed WheelFile raising Missing RECORD file when the wheel filename contains uppercase characters (e.g. Django-3.2.5.whl) but the .dist-info directory inside uses normalized lowercase naming ([#411](https://github.com/pypa/wheel/issues/411))

0.46.3 (2026-01-22)

  • Fixed ImportError: cannot import name '_setuptools_logging' from 'wheel' when installed alongside an old version of setuptools and running the bdist_wheel command ([#676](https://github.com/pypa/wheel/issues/676))

0.46.2 (2026-01-22)

  • Restored the bdist_wheel command for compatibility with setuptools older than v70.1
  • Importing wheel.bdist_wheel now emits a FutureWarning instead of a DeprecationWarning
  • Fixed wheel unpack potentially altering the permissions of files outside of the destination tree with maliciously crafted wheels (CVE-2026-24049)

0.46.1 (2025-04-08)

  • Temporarily restored the wheel.macosx_libfile module ([#659](https://github.com/pypa/wheel/issues/659))

0.46.0 (2025-04-03)

  • Dropped support for Python 3.8
  • Removed the bdist_wheel setuptools command implementation and entry point. The wheel.bdist_wheel module is now just an alias to setuptools.command.bdist_wheel, emitting a deprecation warning on import.
  • Removed vendored packaging in favor of a run-time dependency on it
  • Made the wheel.metadata module private (with a deprecation warning if it's imported)
  • Made the wheel.cli package private (no deprecation warning)
  • Fixed an exception when calling the convert command with an empty description field

0.45.1 (2024-11-23)

  • Fixed pure Python wheels converted from eggs and wininst files having the ABI tag in the file name

... (truncated)

Commits
  • efd83a7 Created a new release
  • bb69216 Reordered the changelog entries
  • d5a1763 fix(wheelfile): resolve .dist-info path case-insensitively when reading wheel...
  • 5718957 [pre-commit.ci] pre-commit autoupdate (#685)
  • 6258068 chore: log_level is better than log_cli_level (#684)
  • 2975deb Require tox >= 4.22
  • 47674ba chore: add check-sdist to checks (#681)
  • 56223f6 __package____spec__.parent (#679)
  • 0ce509e Added the wheel info subcommand (#669)
  • 39039c0 Improved the index page
  • Additional commits viewable in compare view

Updates pip from 26.1 to 26.1.1

Changelog

Sourced from pip's changelog.

26.1.1 (2026-05-04)

Bug Fixes

  • Fix issue where uninstallation left behind empty directories. Revert the removal of the adjacent __pycache__ directory when a .py file is removed. ([#13973](https://github.com/pypa/pip/issues/13973))
Commits
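
The urllib3 2.7.0 notes quoted in the comment above say the streaming API's decompression-bomb safeguards were bypassed on a second read(amt=N) call and on drain_conn() after a partial read. The example below is added here and is not code from this pull request or from urllib3; it shows the invariant those fixes protect, using only the standard-library zlib module. BoundedInflater, its methods, demo() and the BOMB sample are hypothetical names constructed for this illustration.

```python
import zlib

# Constructed sample: 8 MiB of zero bytes deflates to a few KiB.
BOMB = zlib.compress(b"\0" * (8 * 1024 * 1024), 9)


class BoundedInflater:
    """Streaming zlib reader with a per-call cap on decompressed output.

    Hypothetical helper for illustration; not urllib3's implementation.
    """

    def __init__(self, compressed_chunks, max_total=None):
        self._chunks = iter(compressed_chunks)
        self._z = zlib.decompressobj()
        self._pending = b""          # compressed input not consumed yet
        self._max_total = max_total  # optional cap on total decompressed bytes
        self.total_out = 0
        self.peak_out = 0            # largest single decompress() result

    def _inflate(self, limit):
        """Return at most `limit` decompressed bytes; b"" at end of stream."""
        if limit <= 0:
            # zlib treats max_length=0 as "no limit", so never pass it through.
            raise ValueError("limit must be positive")
        while not self._z.eof:
            data = self._pending or next(self._chunks, b"")
            out = self._z.decompress(data, limit)
            # Input that did not fit under `limit` stays compressed for later.
            self._pending = self._z.unconsumed_tail
            if out:
                self.total_out += len(out)
                self.peak_out = max(self.peak_out, len(out))
                if self._max_total is not None and self.total_out > self._max_total:
                    raise ValueError("decompressed size exceeds max_total")
                return out
            if not data:
                break                # truncated input, nothing left to emit
        return b""

    def read(self, amt):
        # The cap applies to every call, including the second and later ones.
        return self._inflate(amt)

    def drain(self, step=64 * 1024):
        # Discard the remainder in bounded steps rather than inflating it at once.
        discarded = 0
        while True:
            out = self._inflate(step)
            if not out:
                return discarded
            discarded += len(out)


def demo():
    chunks = [BOMB[i:i + 1024] for i in range(0, len(BOMB), 1024)]
    reader = BoundedInflater(chunks)
    first, second = reader.read(4096), reader.read(4096)
    discarded = reader.drain()
    return len(first), len(second), discarded, reader.peak_out
```

With max_total set, the reader raises once the running total passes the budget, overshooting by at most one bounded step.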

@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code) on May 14, 2026
@nishtha-kalra
Contributor

@dependabot rebase

…ates

Bumps the production-dependencies group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [backrefs](https://github.com/facelessuser/backrefs) | `6.2` | `7.0` |
| [certifi](https://github.com/certifi/python-certifi) | `2026.2.25` | `2026.4.22` |
| [idna](https://github.com/kjd/idna) | `3.11` | `3.13` |
| [pathspec](https://github.com/cpburnz/python-pathspec) | `1.0.4` | `1.1.1` |
| [urllib3](https://github.com/urllib3/urllib3) | `2.6.3` | `2.7.0` |
| [build](https://github.com/pypa/build) | `1.4.3` | `1.5.0` |
| [python-discovery](https://github.com/tox-dev/python-discovery) | `1.2.2` | `1.3.0` |
| [virtualenv](https://github.com/pypa/virtualenv) | `21.2.4` | `21.3.1` |
| [wheel](https://github.com/pypa/wheel) | `0.46.3` | `0.47.0` |
| [pip](https://github.com/pypa/pip) | `26.1` | `26.1.1` |



Updates `backrefs` from 6.2 to 7.0
- [Release notes](https://github.com/facelessuser/backrefs/releases)
- [Commits](facelessuser/backrefs@6.2...7.0)

Updates `certifi` from 2026.2.25 to 2026.4.22
- [Commits](certifi/python-certifi@2026.02.25...2026.04.22)

Updates `idna` from 3.11 to 3.13
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.11...v3.13)

Updates `pathspec` from 1.0.4 to 1.1.1
- [Release notes](https://github.com/cpburnz/python-pathspec/releases)
- [Changelog](https://github.com/cpburnz/python-pathspec/blob/master/CHANGES.rst)
- [Commits](cpburnz/python-pathspec@v1.0.4...v1.1.1)

Updates `urllib3` from 2.6.3 to 2.7.0
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)

Updates `build` from 1.4.3 to 1.5.0
- [Release notes](https://github.com/pypa/build/releases)
- [Changelog](https://github.com/pypa/build/blob/main/CHANGELOG.rst)
- [Commits](pypa/build@1.4.3...1.5.0)

Updates `python-discovery` from 1.2.2 to 1.3.0
- [Release notes](https://github.com/tox-dev/python-discovery/releases)
- [Changelog](https://github.com/tox-dev/python-discovery/blob/main/docs/changelog.rst)
- [Commits](tox-dev/python-discovery@1.2.2...1.3.0)

Updates `virtualenv` from 21.2.4 to 21.3.1
- [Release notes](https://github.com/pypa/virtualenv/releases)
- [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst)
- [Commits](pypa/virtualenv@21.2.4...21.3.1)

Updates `wheel` from 0.46.3 to 0.47.0
- [Release notes](https://github.com/pypa/wheel/releases)
- [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst)
- [Commits](pypa/wheel@0.46.3...0.47.0)

Updates `pip` from 26.1 to 26.1.1
- [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
- [Commits](pypa/pip@26.1...26.1.1)

---
updated-dependencies:
- dependency-name: backrefs
  dependency-version: '7.0'
  dependency-type: indirect
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: build
  dependency-version: 1.5.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: certifi
  dependency-version: 2026.4.22
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: idna
  dependency-version: '3.13'
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: pathspec
  dependency-version: 1.1.1
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: pip
  dependency-version: 26.1.1
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: python-discovery
  dependency-version: 1.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: virtualenv
  dependency-version: 21.3.1
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: wheel
  dependency-version: 0.47.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/production-dependencies-12550fdbee branch from 542fbfe to 15bdce8 Compare May 15, 2026 13:55
@nishtha-kalra nishtha-kalra merged commit 087638b into main May 15, 2026
1 check passed
@nishtha-kalra nishtha-kalra deleted the dependabot/pip/production-dependencies-12550fdbee branch May 15, 2026 14:05