build(deps): bump twisted from 25.5.0 to 26.4.0

[dependabot]

Bumps twisted from 25.5.0 to 26.4.0.

Release notes

Sourced from twisted's releases.

Twisted 26.4.0 (2026-05-11)

This is the last release with support for Python 3.9.

Security

• twisted.names was fix for Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. Reported and fixed by Tomas Illuminati Balbin CVE-2026-42304 (#12626)

Features

• twisted.internet.ssl.CertificateOptions has a new constructor argument, contextForServerName, which takes a callback that will get invoked when a client sends a server name indication, with the sent servername, and returns a new OpenSSL.SSL.Context that the connection will switch to. (#4887)
• twisted.internet.endpoints.serverFromString now supports the tls endpoint type, which allows you to do twist web --listen=tls:.../certbot-dir/config/live pointed at a certbot live configuration directory and have your certbot certificates automatically discovered and served appropriately. (#9885)
• twisted.internet.reactor now has type annotations and will appear to be an object of an appropriate type, allowing for idiomatic common usages with correct type information. (#9909)
• twisted.conch.ssh.SSHUserAuthServer now supports the security key ssh types "sk-ecdsa-sha2-nistp256@openssh.com" and "sk-ssh-ed25519@openssh.com" and extracting the application property from these new key types. (#12212)

Bugfixes

• twisted.mail.smtp will now return a meaningful Failure when TLS validation fails. (#10210)
• TLS version range constraints passed to twisted.internet.ssl.CertificateOptions are now properly respected rather than excluding the version being passed as the desired constraint. (#10232)
• A potential reference cycle that might cause intermittent memory spikes while using twisted.internet.defer.inlineCallbacks was removed. (#12120)
• Trial no longer emits the error RuntimeWarning: TestResult has no addDuration method when running PyUnit tests. (#12229)
• twisted.python.rebuild.rebuild() now handles changes to sys.modules gracefully. Prior to the change, it could possibly raise a "dictionary changed size during iteration" error if the module list changed. (#12458)
• twisted.internet.protocol.ReconnectingClientFactory: Don't multiply by factor for initial delay, but use initialDelay directly. (#12478)
• twisted.internet.ssl and twisted.protocols.tls no longer mutate the pyOpenSSL context after creating pyOpenSSL connections, maintaining compatibility with an upcoming version of pyOpenSSL and increasing reliability (possibly even fixing a very rare segfault) (#12500)
• twisted.internet.testing.MemoryReactor.callWhenRunning now invokes the callback immediately, if already started. (#12514)
• Twisted now correctly detects EOF on OpenSSL 4. (#12632)

Improved Documentation

• The example code from the documentation describing how to create a custom DNS server was updated to Python3. (#12480)
• Type annotations now use modern PEP 585 built-in generics and PEP 604 union syntax throughout the project. (#12556)

Deprecations and Removals

... (truncated)

Changelog

Sourced from twisted's changelog.

Twisted 26.4.0 (2026-05-11)

This is the last release with support for Python 3.9. No changes since 26.4.0rc2.

Security

• twisted.names was fix for Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. Reported and fixed by Tomas Illuminati Balbin CVE-2026-42304 (#12626)

Features

• twisted.internet.ssl.CertificateOptions has a new constructor argument, contextForServerName, which takes a callback that will get invoked when a client sends a server name indication, with the sent servername, and returns a new OpenSSL.SSL.Context that the connection will switch to. (#4887)
• twisted.internet.endpoints.serverFromString now supports the tls endpoint type, which allows you to do twist web --listen=tls:.../certbot-dir/config/live pointed at a certbot live configuration directory and have your certbot certificates automatically discovered and served appropriately. (#9885)
• twisted.internet.reactor now has type annotations and will appear to be an object of an appropriate type, allowing for idiomatic common usages with correct type information. (#9909)
• twisted.conch.ssh.SSHUserAuthServer now supports the security key ssh types "sk-ecdsa-sha2-nistp256@openssh.com" and "sk-ssh-ed25519@openssh.com" and extracting the application property from these new key types. (#12212)

Bugfixes

• twisted.mail.smtp will now return a meaningful Failure when TLS validation fails. (#10210)
• TLS version range constraints passed to twisted.internet.ssl.CertificateOptions are now properly respected rather than excluding the version being passed as the desired constraint. (#10232)
• A potential reference cycle that might cause intermittent memory spikes while using twisted.internet.defer.inlineCallbacks was removed. (#12120)
• Trial no longer emits the error RuntimeWarning: TestResult has no addDuration method when running PyUnit tests. (#12229)
• twisted.python.rebuild.rebuild() now handles changes to sys.modules gracefully. Prior to the change, it could possibly raise a "dictionary changed size during iteration" error if the module list changed. (#12458)
• twisted.internet.protocol.ReconnectingClientFactory: Don't multiply by factor for initial delay, but use initialDelay directly. (#12478)
• twisted.internet.ssl and twisted.protocols.tls no longer mutate the pyOpenSSL context after creating pyOpenSSL connections, maintaining compatibility with an upcoming version of pyOpenSSL and increasing reliability (possibly even fixing a very rare segfault) (#12500)
• twisted.internet.testing.MemoryReactor.callWhenRunning now invokes the callback immediately, if already started. (#12514)
• Twisted now correctly detects EOF on OpenSSL 4. (#12632)

Improved Documentation

• The example code from the documentation describing how to create a custom DNS server was updated to Python3. (#12480)
• Type annotations now use modern PEP 585 built-in generics and PEP 604 union syntax throughout the project. (#12556)

Deprecations and Removals

... (truncated)

Commits

• 3dc92b7 Update version for final release.
• b69a0c7 Update version.
• b32c661 Fix tag check.
• 819185e Fix mypy.
• 290cbf5 [pre-commit.ci] auto fixes from pre-commit.com hooks
• cb9783c Manual updates for release notes.
• ac504cc Prepare the rellease.
• 2d19612 Merge commit from fork
• 44c11c7 Merge branch 'trunk' into advisory-fix-1
• 9ca319e Update src/twisted/names/newsfragments/12626.bugfix
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: python. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.