Skip to content

Bump the uv group across 1 directory with 11 updates#35

Merged
DamianS21 merged 1 commit intomainfrom
dependabot/uv/uv-1c9420bfd5
Mar 16, 2026
Merged

Bump the uv group across 1 directory with 11 updates#35
DamianS21 merged 1 commit intomainfrom
dependabot/uv/uv-1c9420bfd5

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 16, 2026

Bumps the uv group with 10 updates in the / directory:

Package From To
authlib 1.6.0 1.6.9
brotli 1.1.0 1.2.0
cryptography 45.0.4 46.0.5
filelock 3.12.4 3.20.3
h2 4.2.0 4.3.0
marshmallow 4.0.0 4.1.2
pip 25.1.1 26.0
pymdown-extensions 10.16 10.16.1
urllib3 2.5.0 2.6.3
wheel 0.45.1 0.46.2

Updates authlib from 1.6.0 to 1.6.9

Release notes

Sourced from authlib's releases.

v1.6.9

Full Changelog: authlib/authlib@v1.6.8...v1.6.9

Changes in jose module

  • Not using header's jwk automatically
  • Add ES256K into default jwt algorithms
  • Remove deprecated algorithm from default registry
  • Generate random cek when cek length doesn't match

v1.6.8

Full Changelog: authlib/authlib@v1.6.7...v1.6.8

  • Add EdDSA to default jwt instance.

v1.6.7

Full Changelog: authlib/authlib@v1.6.6...v1.6.7

Set supported algorithms for the default jwt instance.

v1.6.6

What's Changed

New Contributors

Full Changelog: authlib/authlib@v1.6.5...v1.6.6

v1.6.5

What's Changed

New Contributors

Full Changelog: authlib/authlib@v1.6.4...v1.6.5

v1.6.4

What's Changed

... (truncated)

Changelog

Sourced from authlib's changelog.

Changelog

.. meta:: :description: The full list of changes between each Authlib release.

Here you can see the full list of changes between each Authlib release.

Version 1.7.0

Unreleased

  • Add support for OpenID Connect RP-Initiated Logout 1.0 <https://openid.net/specs/openid-connect-rpinitiated-1_0.html>_. See :ref:specs/rpinitiated for details. :issue:500
  • Per RFC 6749 Section 3.3, the scope parameter is now optional at both authorization and token endpoints. client.get_allowed_scope() is called to determine the default scope when omitted. :issue:845
  • Stop support for Python 3.9, start support Python 3.14. :pr:850
  • Allow AuthorizationServerMetadata.validate() to compose with RFC extension classes.
  • Fix expires_at=0 being incorrectly treated as None. :issue:530
  • Allow ResourceProtector decorator to be used without parentheses. :issue:604
  • Implement RFC9700 PKCE downgrade countermeasure.
  • Set User-Agent header when fetching server metadata and JWKs. :issue:704
  • RFC7523 accepts the issuer URL as a valid audience. :issue:730

Upgrade Guide: :ref:joserfc_upgrade.

Version 1.6.6

Released on Dec 12, 2025

  • get_jwt_config takes a client parameter, :pr:844.
  • Fix incorrect signature when Content-Type is x-www-form-urlencoded for OAuth 1.0 Client, :pr:778.
  • Use expires_in in OAuth2Token when expires_at is unparsable, :pr:842.
  • Always track state in session for OAuth client integrations.

Version 1.6.5

Released on Oct 2, 2025

  • RFC7591 generate_client_info and generate_client_secret take a request parameter.
  • Add size limitation when decode JWS/JWE to prevent DoS.
  • Add size limitation for DEF JWE zip algorithm.

Version 1.6.4

... (truncated)

Commits
  • 9266eaa chore: release 1.6.9
  • b9bb2b2 fix(oidc): fail close at validating c_hash and at_hash
  • 1b0a1d9 fix(jose): generate random cek when cek length doesn't match
  • 5be3c51 fix(jose): add ES256K into default jwt algorithms
  • 48b345f fix(jose): remove deprecated algorithm from default registry
  • a5d4b2d fix(jose): do not use header's jwk automatically
  • a769f34 chore: release 1.6.8
  • 84f3fa2 fix: add EdDSA to default jwt algorithms
  • 38e872a chore: release 1.6.7
  • b87c32e fix: remove "none" algorithm from default jwt instance
  • Additional commits viewable in compare view

Updates brotli from 1.1.0 to 1.2.0

Release notes

Sourced from brotli's releases.

v1.2.0

SECURITY

  • python: added Decompressor::can_accept_more_data method and optional output_buffer_limit argument Decompressor::process; that allows mitigation of unexpectedly large output; reported by Charles Chan (https://github.com/charleswhchan)

Added

  • decoder / encoder: added static initialization to reduce binary size
  • python: allow limiting decoder output (see SECURITY section)
  • CLI: brcat alias; allow decoding concatenated brotli streams
  • kt: pure Kotlin decoder
  • cgo: support "raw" dictionaries
  • build: Bazel modules

Removed

  • java: dropped finalize() for native entities

Fixed

  • java: in compress pass correct length to native encoder

Improved

  • build: install man pages
  • build: updated / fixed / refined Bazel buildfiles
  • encoder: faster encoding
  • cgo: link via pkg-config
  • python: modernize extension / allow multi-phase module initialization

Changed

  • decoder / encoder: static tables use "small" model (allows 2GiB+ binaries)

v1.2.0 RC2

What's Changed (compared to RC1)

v1.2.0 RC1

IMPORTANT: though this is a pre-release for v1.2.0, it is expected that some changes will be added before release; most notably concerning build files: patches applied by Alpine, Debian, Conan, VCPKG will be partially/fully integrated.

SECURITY

  • python: added Decompressor::can_accept_more_data method and optional output_buffer_limit argument Decompressor::process; that allows mitigation of unexpectedly large output; reported by Charles Chan (https://github.com/charleswhchan)

Added

  • decoder / encoder: added static initialization to reduce binary size
  • python: allow limiting decoder output (see SECURITY section)

... (truncated)

Changelog

Sourced from brotli's changelog.

[1.2.0] - 2025-10-27

SECURITY

  • python: added Decompressor::can_accept_more_data method and optional output_buffer_limit argument Decompressor::process; that allows mitigation of unexpectedly large output; reported by Charles Chan (https://github.com/charleswhchan)

Added

  • decoder / encoder: added static initialization to reduce binary size
  • python: allow limiting decoder output (see SECURITY section)
  • CLI: brcat alias; allow decoding concatenated brotli streams
  • kt: pure Kotlin decoder
  • cgo: support "raw" dictionaries
  • build: Bazel modules

Removed

  • java: dropped finalize() for native entities

Fixed

  • java: in compress pass correct length to native encoder

Improved

  • build: install man pages
  • build: updated / fixed / refined Bazel buildfiles
  • encoder: faster encoding
  • cgo: link via pkg-config
  • python: modernize extension / allow multi-phase module initialization

Changed

  • decoder / encoder: static tables use "small" model (allows 2GiB+ binaries)
Commits

Updates cryptography from 45.0.4 to 46.0.5

Changelog

Sourced from cryptography's changelog.

46.0.5 - 2026-02-10


* An attacker could create a malicious public key that reveals portions of your
  private key when using certain uncommon elliptic curves (binary curves).
  This version now includes additional security checks to prevent this attack.
  This issue only affects binary elliptic curves, which are rarely used in
  real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
  Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
  **CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
  removed in the next release.

.. v46-0-4:


46.0.4 - 2026-01-27

  • Dropped support for win_arm64 wheels_.
  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

.. _v46-0-3:

46.0.3 - 2025-10-15


* Fixed compilation when using LibreSSL 4.2.0.

.. _v46-0-2:


46.0.2 - 2025-09-30

  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.4.

.. _v46-0-1:

46.0.1 - 2025-09-16


* Fixed an issue where users installing via ``pip`` on Python 3.14 development
  versions would not properly install a dependency.
* Fixed an issue building the free-threaded macOS 3.14 wheels.

.. _v46-0-0:


46.0.0 - 2025-09-16

  • BACKWARDS INCOMPATIBLE: Support for Python 3.7 has been removed.

... (truncated)

Commits

Updates filelock from 3.12.4 to 3.20.3

Release notes

Sourced from filelock's releases.

3.20.3

What's Changed

Full Changelog: tox-dev/filelock@3.20.2...3.20.3

3.20.2

What's Changed

New Contributors

Full Changelog: tox-dev/filelock@3.20.1...3.20.2

3.20.1

What's Changed

Full Changelog: tox-dev/filelock@3.20.0...3.20.1

3.20.0

What's Changed

New Contributors

Full Changelog: tox-dev/filelock@3.19.1...3.20.0

3.19.1

What's Changed

... (truncated)

Changelog

Sourced from filelock's changelog.

########### Changelog ###########

3.25.2 (2026-03-11)

  • 🐛 fix(unix): suppress EIO on close in Docker bind mounts :pr:513

3.25.1 (2026-03-09)

  • [pre-commit.ci] pre-commit autoupdate :pr:510 - by :user:pre-commit-ci[bot]
  • 🐛 fix(win): restore best-effort lock file cleanup on release :pr:511
  • [pre-commit.ci] pre-commit autoupdate :pr:508 - by :user:pre-commit-ci[bot]
  • 📝 docs(logo): add branded project logo :pr:507

3.25.0 (2026-03-01)

  • ✨ feat(async): add AsyncReadWriteLock :pr:506
  • Standardize .github files to .yaml suffix
  • build(deps): bump actions/download-artifact from 7 to 8 :pr:503 - by :user:dependabot[bot]
  • build(deps): bump actions/upload-artifact from 6 to 7 :pr:502 - by :user:dependabot[bot]
  • Move SECURITY.md to .github/SECURITY.md
  • Add security policy
  • Add permissions to check workflow :pr:500
  • [pre-commit.ci] pre-commit autoupdate :pr:499 - by :user:pre-commit-ci[bot]

3.24.3 (2026-02-19)

  • 🐛 fix(unix): handle ENOENT race on FUSE/NFS during acquire :pr:495
  • 🐛 fix(ci): add trailing blank line after changelog entries :pr:492

3.24.2 (2026-02-16)

  • 🐛 fix(rw): close sqlite3 cursors and skip SoftFileLock Windows race :pr:491
  • 🐛 fix(test): resolve flaky write non-starvation test :pr:490
  • 📝 docs: restructure using Diataxis framework :pr:489

3.24.1 (2026-02-15)

... (truncated)

Commits

Updates h2 from 4.2.0 to 4.3.0

Changelog

Sourced from h2's changelog.

4.3.0 (2025-08-23)

API Changes (Backward Incompatible)

  • Reject header names and values containing illegal characters, based on RFC 9113, section 8.2.1. The main Python API is compatible, but some previously valid requests/response headers might now be blocked. Use the validate_inbound_headers config option if needed. Thanks to Sebastiano Sartor (sebsrt) for the report.
  • Convert emitted events into Python dataclass, which introduces new constructors with required arguments. Instantiating these events without arguments, as previously commonly used API pattern, will no longer work.

API Changes (Backward Compatible)

  • h2 events now have tighter type bounds, e.g. stream_id is guaranteed to not be None for most events now. This simplifies downstream type checking.
  • Various typing-related improvements.

Bugfixes

  • Fix error value when opening a new stream on too many open streams.
Commits
  • 1aae569 v4.3.0
  • 9e4bbed merge surrounding whitespace and uppercase validators into illegal character ...
  • 035e989 be stricter about which characters to accept for headers
  • 883ed37 reject header names and values containing unpermitted characters \r, \n, ...
  • 0583911 lint: fix TC006
  • bbd3d90 fix(packaging): bump twine to pass meta check wildcard bugs
  • ea3140f cleanup
  • 9ce83ff exclude RDT from sdist
  • 492d3db Update .readthedocs.yaml
  • 243461d Create RTD config
  • Additional commits viewable in compare view

Updates marshmallow from 4.0.0 to 4.1.2

Changelog

Sourced from marshmallow's changelog.

4.1.2 (2025-12-19)

Bug fixes:

  • :cve:2025-68480: Merge error store messages without rebuilding collections. Thanks 카푸치노 for reporting and :user:deckar01 for the fix.

4.1.1 (2025-11-05)

Bug fixes:

  • Ensure URL validator is case-insensitive when using custom schemes (:pr:2874). Thanks :user:T90REAL for the PR.

4.1.0 (2025-11-01)

Other changes:

  • Add __len__ implementation to missing so that it can be used with validate.Length <marshmallow.validate.Length> (:pr:2861). Thanks :user:agentgodzilla for the PR.
  • Drop support for Python 3.9 (:pr:2363).
  • Test against Python 3.14 (:pr:2864).

4.0.1 (2025-08-28)

Bug fixes:

  • Fix wildcard import of from marshmallow import * (:pr:2823). Thanks :user:Florian-Laport for the PR.
Commits
  • 692e79d Merge pull request #2876 from marshmallow-code/delint
  • 045c5f6 [pre-commit.ci] auto fixes from pre-commit.com hooks
  • 94c4d98 Delint
  • d24a0c9 Merge commit from fork
  • 1682640 Bump version and update changelog
  • 36f8787 Only deep copy error message collections
  • 70141f4 Add test coverage for error message modification
  • 218d98a Merge error store messages without rebuilding collections
  • 80f1110 Bump version and update changelog
  • 10fe10b Merge pull request #2874 from T90REAL/fix_case_sensitivity
  • Additional commits viewable in compare view

Updates pip from 25.1.1 to 26.0

Changelog

Sourced from pip's changelog.

26.0 (2026-01-30)

Deprecations and Removals

  • Remove support for non-bare project names in egg fragments. Affected users should use the Direct URL requirement syntax <https://packaging.python.org/en/latest/specifications/version-specifiers/#direct-references>. ([#13157](https://github.com/pypa/pip/issues/13157) <https://github.com/pypa/pip/issues/13157>)

Features

  • Display pip's command-line help in colour, if possible. ([#12134](https://github.com/pypa/pip/issues/12134) <https://github.com/pypa/pip/issues/12134>_)

  • Support installing dependencies declared with inline script metadata (:pep:723) with --requirements-from-script. ([#12891](https://github.com/pypa/pip/issues/12891) <https://github.com/pypa/pip/issues/12891>_)

  • Add --all-releases and --only-final options to control pre-release and final release selection during package installation. ([#13221](https://github.com/pypa/pip/issues/13221) <https://github.com/pypa/pip/issues/13221>_)

  • Add --uploaded-prior-to option to only consider packages uploaded prior to a given datetime when the upload-time field is available from a remote index. ([#13625](https://github.com/pypa/pip/issues/13625) <https://github.com/pypa/pip/issues/13625>_)

  • Add --use-feature inprocess-build-deps to request that build dependencies are installed within the same pip install process. This new mechanism is faster, supports --no-clean and --no-cache-dir reliably, and supports prompting for authentication.

    Enabling this feature will also enable --use-feature build-constraints. This feature will become the default in a future pip version. ([#9081](https://github.com/pypa/pip/issues/9081) <https://github.com/pypa/pip/issues/9081>_)

  • pip cache purge and pip cache remove now clean up empty directories and legacy files left by older pip versions. ([#9058](https://github.com/pypa/pip/issues/9058) <https://github.com/pypa/pip/issues/9058>_)

Bug Fixes

  • Fix selecting pre-release versions when only pre-releases match. For example, package>1.0 with versions 1.0, 2.0rc1 now installs 2.0rc1 instead of failing. ([#13746](https://github.com/pypa/pip/issues/13746) <https://github.com/pypa/pip/issues/13746>_)
  • Revisions in version control URLs now must be percent-encoded. For example, use git+https://example.com/repo.git@issue%231 to specify the branch issue#1. If you previously used a branch name containing a % character in a version control URL, you now need to replace it with %25 to ensure correct percent-encoding. ([#13407](https://github.com/pypa/pip/issues/13407) <https://github.com/pypa/pip/issues/13407>_)
  • Preserve original casing when a path is displayed. ([#6823](https://github.com/pypa/pip/issues/6823) <https://github.com/pypa/pip/issues/6823>_)
  • Fix bash completion when the $IFS variable has been modified from its default. ([#13555](https://github.com/pypa/pip/issues/13555) <https://github.com/pypa/pip/issues/13555>_)
  • Precompute Python requirements on each candidate, reducing time of long resolutions. ([#13656](https://github.com/pypa/pip/issues/13656) <https://github.com/pypa/pip/issues/13656>_)
  • Skip redundant work converting version objects to strings when using the importlib.metadata backend. ([#13660](https://github.com/pypa/pip/issues/13660) <https://github.com/pypa/pip/issues/13660>_)
  • Fix pip index versions to honor only-binary/no-binary options. ([#13682](https://github.com/pypa/pip/issues/13682) <https://github.com/pypa/pip/issues/13682>_)
  • Fix fallthrough logic for options, allowing overriding global options with defaults from user config. ([#13703](https://github.com/pypa/pip/issues/13703) <https://github.com/pypa/pip/issues/13703>_)
  • Use a path-segment prefix comparison, not char-by-char. ([#13777](https://github.com/pypa/pip/issues/13777) <https://github.com/pypa/pip/issues/13777>_)

Vendored Libraries

... (truncated)

Commits

Updates pymdown-extensions from 10.16 to 10.16.1

Release notes

Sourced from pymdown-extensions's releases.

10.6.1

10.16.1

  • FIX: Inefficient regular expression pattern for figure caption numbers.
Commits

Updates urllib3 from 2.5.0 to 2.6.3

Release notes

Sourced from urllib3's releases.

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

  • Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)

2.6.1

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

  • Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. (#3731)

2.6.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

  • Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @​Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)
  • Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @​illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)

[!IMPORTANT]

  • If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.

... (truncated)

Changelog

Sourced from urllib3's changelog.

2.6.3 (2026-01-07)

  • Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
  • Started treating Retry-After times greater than 6 hours as 6 hours by default. ([#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743>__)
  • Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. ([#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752>__)

2.6.2 (2025-12-11)

  • Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. ([#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734>__)

2.6.1 (2025-12-08)

  • Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. ([#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731>__)

2.6.0 (2025-12-05)

Security

  • Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
  • Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

  • If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using

... (truncated)

Commits
  • 0248277 Release 2.6.3
  • 8864ac4 Merge commit from fork
  • 70cecb2 Fix Scorecard issues related to vulnerable dev dependencies (#3755)
  • 41f249a Move "v2.0 Migration Guide" to the end of the table of contents (#3747)
  • fd4dffd Patch VerifiedHTTPSConnection for Emscripten (#3752)
  • 13f0bfd Handle massive values in Retry-After when calculating time to sleep for (#3743)
  • 8c480bf Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#3748)
  • 4b40616 Bump actions/cache from 4.3.0 to 5.0.1 (#3750)
  • 82b8479 Bump actions/download-artifact from 6.0.0 to 7.0.0 (#3749)
  • 34284cb Mention experimental features in the security policy (#3746)
  • Additional commits viewable in compare view

Updates virtualenv from 20.31.2 to 16.7.12

Changelog

Sourced from virtualenv's changelog.

v16.7.12 (2020-07-22)

Bugfixes ^^^^^^^^

  • Fix Python 2.7, 3.4 and 3.5 failing - by gaborbernat

v16.7.11 (2020-07-20)

Bugfixes ^^^^^^^^

  • Don't attempt to use setuptools 44+ with Python 3.4 - by hroncok ([#1677](https://github.com/pypa/virtualenv/issues/1677) <https://github.com/pypa/virtualenv/issues/1677>_)
  • Preserve compatibility with Python 3.10 - by hroncok ([#2109](https://github.com/pypa/virtualenv/issues/2109) <https://github.com/pypa/virtualenv/issues/2109>_)
  • Bump embedded pip/setuptools/wheel - by gaborbernat ([#2151](https://github.com/pypa/virtualenv/issues/2151) <https://github.com/pypa/virtualenv/issues/2151>_)

v16.7.10 (2020-02-24)

Bugfixes ^^^^^^^^

  • fix error printing in bailout for Python < 2.7 - by AdamWill and hroncok ([#1651](https://github.com/pypa/virtualenv/issues/1651) <https://github.com/pypa/virtualenv/issues/1651>_)

v16.7.9 (2019-12-15)

Bugfixes ^^^^^^^^

  • upgrade setuptools from 41.6.0 to 42.0.2 ([#1460](https://github.com/pypa/virtualenv/issues/1460) <https://github.com/pypa/virtualenv/issues/1460>_)

v16.7.8 (2019-11-22)

Bugfixes ^^^^^^^^

  • upgrade setuptools from 41.4.0 to 41.6.0 ([#1442](https://github.com/pypa/virtualenv/issues/1442) <https://github.com/pypa/virtualenv/issues/1442>_)

v16.7.7 (2019-10-22)

Bugfixes

... (truncated)

Commits

Updates wheel from 0.45.1 to 0.46.2

Release notes

Sourced from wheel's releases.

0.46.2

  • Restored the bdist_wheel command for compatibility with setuptools older than v70.1
  • Importing wheel.bdist_wheel now emits a FutureWarning instead of a DeprecationWarning
  • Fixed wheel unpack potentially altering the permissions of files outside of the destination tree with maliciously crafted wheels (CVE-2026-24049)

0.46.1

  • Temporarily restored the wheel.macosx_libfile module (#659)

0.46.0

  • Dropped support for Python 3.8
  • Removed the bdist_wheel setuptools command implementation and entry point. The wheel.bdist_wheel module is now just an alias to setuptools.command.bdist_wheel, emitting a deprecation warning on import.
  • Removed vendored packaging in favor of a run-time dependency on it
  • Made the wheel.metadata module private (with a deprecation warning if it's imported
  • Made the wheel.cli package private (no deprecation warning)
  • Fixed an exception when calling the convert command with an empty description field
Changelog

Sourced from wheel's changelog.

Release Notes

UNRELEASED

  • Added the wheel info subcommand to display metadata about wheel files without unpacking them ([#639](https://github.com/pypa/wheel/issues/639) <https://github.com/pypa/wheel/issues/639>_)

0.46.3 (2026-01-22)

  • Fixed ImportError: cannot import name '_setuptools_logging' from 'wheel' when installed alongside an old version of setuptools and running the bdist_wheel command ([#676](https://github.com/pypa/wheel/issues/676) <https://github.com/pypa/wheel/issues/676>_)

0.46.2 (2026-01-22)

  • Restored the bdist_wheel command for compatibility with setuptools older than v70.1
  • Importing wheel.bdist_wheel now emits a FutureWarning instead of a DeprecationWarning
  • Fixed wheel unpack potentially altering the permissions of files outside of the destination tree with maliciously crafted wheels (CVE-2026-24049)

0.46.1 (2025-04-08)

  • Temporarily restored the wheel.macosx_libfile module ([#659](https://github.com/pypa/wheel/issues/659) <https://github.com/pypa/wheel/issues/659>_)

0.46.0 (2025-04-03)

  • Dropped support for Python 3.8
  • Removed the bdist_wheel setuptools command implementation and entry point. The wheel.bdist_wheel module is now just an alias to setuptools.command.bdist_wheel, emitting a deprecation warning on import.
  • Removed vendored packaging in favor of a run-time dependency on it
  • Made the wheel.metadata module private (with a deprecation warning if it's imported
  • Made the wheel.cli package private (no deprecation warning)
  • Fixed an exception when calling the convert command with an empty description field

0.45.1 (2024-11-23)

  • Fixed pure Python wheels converted from eggs and wininst files having the ABI tag in the file name

0.45.0 (2024-11-08)

  • Refactored the convert command to not need setuptools to be installed
  • Don't configure setuptools logging unless running bdist_wheel

... (truncated)

Commits

@dependabot
Bump the uv group across 1 directory with 11 updates
a881cd4 
Bumps the uv group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [authlib](https://github.com/authlib/authlib) | `1.6.0` | `1.6.9` |
| [brotli](https://github.com/google/brotli) | `1.1.0` | `1.2.0` |
| [cryptography](https://github.com/pyca/cryptography) | `45.0.4` | `46.0.5` |
| [filelock](https://github.com/tox-dev/py-filelock) | `3.12.4` | `3.20.3` |
| [h2](https://github.com/python-hyper/h2) | `4.2.0` | `4.3.0` |
| [marshmallow](https://github.com/marshmallow-code/marshmallow) | `4.0.0` | `4.1.2` |
| [pip](https://github.com/pypa/pip) | `25.1.1` | `26.0` |
| [pymdown-extensions](https://github.com/facelessuser/pymdown-extensions) | `10.16` | `10.16.1` |
| [urllib3](https://github.com/urllib3/urllib3) | `2.5.0` | `2.6.3` |
| [wheel](https://github.com/pypa/wheel) | `0.45.1` | `0.46.2` |



Updates `authlib` from 1.6.0 to 1.6.9
- [Release notes](https://github.com/authlib/authlib/releases)
- [Changelog](https://github.com/authlib/authlib/blob/main/docs/changelog.rst)
- [Commits](authlib/authlib@v1.6.0...v1.6.9)

Updates `brotli` from 1.1.0 to 1.2.0
- [Release notes](https://github.com/google/brotli/releases)
- [Changelog](https://github.com/google/brotli/blob/master/CHANGELOG.md)
- [Commits](google/brotli@go/cbrotli/v1.1.0...v1.2.0)

Updates `cryptography` from 45.0.4 to 46.0.5
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@45.0.4...46.0.5)

Updates `filelock` from 3.12.4 to 3.20.3
- [Release notes](https://github.com/tox-dev/py-filelock/releases)
- [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst)
- [Commits](tox-dev/filelock@3.12.4...3.20.3)

Updates `h2` from 4.2.0 to 4.3.0
- [Changelog](https://github.com/python-hyper/h2/blob/master/CHANGELOG.rst)
- [Commits](python-hyper/h2@v4.2.0...v4.3.0)

Updates `marshmallow` from 4.0.0 to 4.1.2
- [Changelog](https://github.com/marshmallow-code/marshmallow/blob/dev/CHANGELOG.rst)
- [Commits](marshmallow-code/marshmallow@4.0.0...4.1.2)

Updates `pip` from 25.1.1 to 26.0
- [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
- [Commits](pypa/pip@25.1.1...26.0)

Updates `pymdown-extensions` from 10.16 to 10.16.1
- [Release notes](https://github.com/facelessuser/pymdown-extensions/releases)
- [Commits](facelessuser/pymdown-extensions@10.16...10.16.1)

Updates `urllib3` from 2.5.0 to 2.6.3
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.5.0...2.6.3)

Updates `virtualenv` from 20.31.2 to 16.7.12
- [Release notes](https://github.com/pypa/virtualenv/releases)
- [Changelog](https://github.com/pypa/virtualenv/blob/16.7.12/docs/changes.rst)
- [Commits](pypa/virtualenv@20.31.2...16.7.12)

Updates `wheel` from 0.45.1 to 0.46.2
- [Release notes](https://github.com/pypa/wheel/releases)
- [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst)
- [Commits](pypa/wheel@0.45.1...0.46.2)

---
updated-dependencies:
- dependency-name: authlib
  dependency-version: 1.6.9
  dependency-type: indirect
  dependency-group: uv
- dependency-name: brotli
  dependency-version: 1.2.0
  dependency-type: indirect
  dependency-group: uv
- dependency-name: cryptography
  dependency-version: 46.0.5
  dependency-type: indirect
  dependency-group: uv
- dependency-name: filelock
  dependency-version: 3.20.3
  dependency-type: indirect
  dependency-group: uv
- dependency-name: h2
  dependency-version: 4.3.0
  dependency-type: indirect
  dependency-group: uv
- dependency-name: marshmallow
  dependency-version: 4.1.2
  dependency-type: indirect
  dependency-group: uv
- dependency-name: pip
  dependency-version: '26.0'
  dependency-type: indirect
  dependency-group: uv
- dependency-name: pymdown-extensions
  dependency-version: 10.16.1
  dependency-type: indirect
  dependency-group: uv
- dependency-name: urllib3
  dependency-version: 2.6.3
  dependency-type: indirect
  dependency-group: uv
- dependency-name: virtualenv
  dependency-version: 16.7.12
  dependency-type: indirect
  dependency-group: uv
- dependency-name: wheel
  dependency-version: 0.46.2
  dependency-type: indirect
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from a team as a code owner March 16, 2026 15:35
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Mar 16, 2026
This was referenced Mar 16, 2026
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@DamianS21 DamianS21 merged commit 542f3e3 into main Mar 16, 2026
3 checks passed
@DamianS21 DamianS21 deleted the dependabot/uv/uv-1c9420bfd5 branch March 16, 2026 15:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DamianS21 DamianS21 DamianS21 approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@DamianS21