fix(deps): update pypi group by renovate[bot] · Pull Request #111 · ChipWolf/BadgeSort

renovate · 2025-12-05T18:07:58Z

This PR contains the following updates:

Package	Change	Age	Confidence
poetry-core	`2.2.1` → `2.3.2`
pytest (changelog)	`9.0.1` → `9.0.2`
pytest-cov (changelog)	`7.0.0` → `7.1.0`
requests (changelog)	`2.32.5` → `2.33.1`
urllib3 (changelog)	`2.5.0` → `2.6.3`

Release Notes

python-poetry/poetry-core (poetry-core)

`v2.3.2`

Compare Source

Changed

Update list of supported licenses (#917).

Fixed

Fix an issue where platform_release could not be parsed on Debian Trixie (#930).
Fix an issue where using project.readme.text in the pyproject.toml file resulted in broken metadata (#914).
Fix an issue where dependency groups were considered equal when their resolved dependencies were equal, even if the groups themselves were not (#919).
Fix an issue where removing a dependency from a group that included another group resulted in other dependencies being added to the included group (#922).
Fix an issue where PEP 735 include-group entries were lost when [tool.poetry.group] also defined include-groups for the same group (#924).
Fix an issue where the union of <value> not in <marker> constraints was wrongly treated as always satisfied (#925).
Fix an issue where a post release with a local version identifier was wrongly allowed by a > version constraint (#921).
Fix an issue where a version with the local version identifier 0 was treated as equal to the corresponding public version (#920).
Fix an issue where a != <version> constraint wrongly disallowed pre releases and post releases of the specified version (#929).
Fix an issue where in and not in constraints were wrongly not allowed by specific compound constraints (#927).
Fix an issue where data entries in generated setup.py files were duplicated (#923).

`v2.3.1`

Compare Source

Changed

Update list of supported licenses (#912).

Fixed

Fix an issue where platform_release could not be parsed on Windows Server (#911).

`v2.3.0`

Compare Source

Added

Add (optional) size and upload_time to Link and Package.files (#905).

Changed

Drop support for Python 3.9 (#897).
Normalize versions (#893).
Remove helper function to create temporary directories (#337).
Improve type hint of Package.files (#904).
Update list of supported licenses (#890,
#895).

Fixed

Fix an issue where unsatisfiable requirements did not raise an error (#891).
Fix an issue where the implicit main group did not exist if it was explicitly declared as not having any dependencies (#892).
Fix an issue where python_full_version markers with pre-release versions were parsed incorrectly (#893).

pytest-dev/pytest (pytest)

`v9.0.2`

Compare Source

pytest 9.0.2 (2025-12-06)

Bug fixes

#13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.
#13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.
#13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0.
Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim.
It will be deprecated in pytest 9.1 and removed in pytest 10.
#13965: Fixed quadratic-time behavior when handling unittest subtests in Python 3.10.

Improved documentation

#4492: The API Reference now contains cross-reference-able documentation of pytest's command-line flags <command-line-flags>.

pytest-dev/pytest-cov (pytest-cov)

`v7.1.0`

Compare Source

Fixed total coverage computation to always be consistent, regardless of reporting settings.
Previously some reports could produce different total counts, and consequently can make --cov-fail-under behave different depending on
reporting options.
See #641 <https://github.com/pytest-dev/pytest-cov/issues/641>_.
Improve handling of ResourceWarning from sqlite3.

The plugin adds warning filter for sqlite3 ResourceWarning unclosed database (since 6.2.0).
It checks if there is already existing plugin for this message by comparing filter regular expression.
When filter is specified on command line the message is escaped and does not match an expected message.
A check for an escaped regular expression is added to handle this case.

With this fix one can suppress ResourceWarning from sqlite3 from command line::

pytest -W "ignore:unclosed database in <sqlite3.Connection object at:ResourceWarning" ...
Various improvements to documentation.
Contributed by Art Pelling in #718 <https://github.com/pytest-dev/pytest-cov/pull/718>_ and
"vivodi" in #738 <https://github.com/pytest-dev/pytest-cov/pull/738>.
Also closed #736 <https://github.com/pytest-dev/pytest-cov/issues/736>.
Fixed some assertions in tests.
Contributed by in Markéta Machová in #722 <https://github.com/pytest-dev/pytest-cov/pull/722>_.
Removed unnecessary coverage configuration copying (meant as a backup because reporting commands had configuration side-effects before coverage 5.0).

psf/requests (requests)

`v2.33.1`

Compare Source

Bugfixes

Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary
files in the tmp directory. (#7305)
Fixed Content-Type header parsing for malformed values. (#7309)
Improved error consistency for malformed header values. (#7308)

`v2.33.0`

Compare Source

Announcements

📣 Requests is adding inline types. If you have a typed code base that
uses Requests, please take a look at #7271. Give it a try, and report
any gaps or feedback you may have in the issue. 📣

Security

CVE-2026-25645 requests.utils.extract_zipped_paths now extracts
contents to a non-deterministic location to prevent malicious file
replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.

Improvements

Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

Fixed an issue where an empty netrc entry could cause
malformed authentication to be applied to Requests on
Python 3.11+. (#7205)

Deprecations

Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

Various typo fixes and doc improvements.

urllib3/urllib3 (urllib3)

`v2.6.3`

Compare Source

==================

Fixed a high-severity security issue where decompression-bomb safeguards of
the streaming API were bypassed when HTTP redirects were followed.
(GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
Started treating Retry-After times greater than 6 hours as 6 hours by
default. (#3743 <https://github.com/urllib3/urllib3/issues/3743>__)
Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten.
(#3752 <https://github.com/urllib3/urllib3/issues/3752>__)

`v2.6.2`

Compare Source

==================

Fixed HTTPResponse.read_chunked() to properly handle leftover data in
the decoder's buffer when reading compressed chunked responses.
(#3734 <https://github.com/urllib3/urllib3/issues/3734>__)

`v2.6.1`

Compare Source

==================

Restore previously removed HTTPResponse.getheaders() and
HTTPResponse.getheader() methods.
(#3731 <https://github.com/urllib3/urllib3/issues/3731>__)

`v2.6.0`

Compare Source

==================

Security

Fixed a security issue where streaming API could improperly handle highly
compressed HTTP content ("decompression bombs") leading to excessive resource
consumption even when a small amount of data was requested. Reading small
chunks of compressed data is safer and much more efficient now.
(GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
Fixed a security issue where an attacker could compose an HTTP response with
virtually unlimited links in the Content-Encoding header, potentially
leading to a denial of service (DoS) attack by exhausting system resources
during decoding. The number of allowed chained encodings is now limited to 5.
(GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

If urllib3 is not installed with the optional urllib3[brotli] extra, but
your environment contains a Brotli/brotlicffi/brotlipy package anyway, make
sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to
benefit from the security fixes and avoid warnings. Prefer using
urllib3[brotli] to install a compatible Brotli package automatically.
If you use custom decompressors, please make sure to update them to
respect the changed API of urllib3.response.ContentDecoder.

Features

Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. (#3653 <https://github.com/urllib3/urllib3/issues/3653>__)
Added host and port information to string representations of HTTPConnection. (#3666 <https://github.com/urllib3/urllib3/issues/3666>__)
Added support for Python 3.14 free-threading builds explicitly. (#3696 <https://github.com/urllib3/urllib3/issues/3696>__)

Removals

Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers.
Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). (#3622 <https://github.com/urllib3/urllib3/issues/3622>__)

Bugfixes

Fixed redirect handling in urllib3.PoolManager when an integer is passed
for the retries parameter. (#3649 <https://github.com/urllib3/urllib3/issues/3649>__)
Fixed HTTPConnectionPool when used in Emscripten with no explicit port. (#3664 <https://github.com/urllib3/urllib3/issues/3664>__)
Fixed handling of SSLKEYLOGFILE with expandable variables. (#3700 <https://github.com/urllib3/urllib3/issues/3700>__)

Misc

Changed the zstd extra to install backports.zstd instead of zstandard on Python 3.13 and before. (#3693 <https://github.com/urllib3/urllib3/issues/3693>__)
Improved the performance of content decoding by optimizing BytesQueueBuffer class. (#3710 <https://github.com/urllib3/urllib3/issues/3710>__)
Allowed building the urllib3 package with newer setuptools-scm v9.x. (#3652 <https://github.com/urllib3/urllib3/issues/3652>__)
Ensured successful urllib3 builds by setting Hatchling requirement to >= 1.27.0. (#3638 <https://github.com/urllib3/urllib3/issues/3638>__)