Skip to content

Bump the python-packages group with 8 updates#1

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/python-packages-0f51c301dd
Open

Bump the python-packages group with 8 updates#1
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/python-packages-0f51c301dd

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Copy link
Copy Markdown

Updates the requirements on black, pytest, pylint, streamlit, pandas, requests, beautifulsoup4 and lxml to permit the latest version.
Updates black to 26.3.1

Release notes

Sourced from black's releases.

26.3.1

Stable style

  • Prevent Jupyter notebook magic masking collisions from corrupting cells by using exact-length placeholders for short magics and aborting if a placeholder can no longer be unmasked safely (#5038)

Configuration

  • Always hash cache filename components derived from --python-cell-magics so custom magic names cannot affect cache paths (#5038)

Blackd

  • Disable browser-originated requests by default, add configurable origin allowlisting and request body limits, and bound executor submissions to improve backpressure (#5039)
Changelog

Sourced from black's changelog.

Version 26.3.1

Stable style

  • Prevent Jupyter notebook magic masking collisions from corrupting cells by using exact-length placeholders for short magics and aborting if a placeholder can no longer be unmasked safely (#5038)

Configuration

  • Always hash cache filename components derived from --python-cell-magics so custom magic names cannot affect cache paths (#5038)

Blackd

  • Disable browser-originated requests by default, add configurable origin allowlisting and request body limits, and bound executor submissions to improve backpressure (#5039)

Version 26.3.0

Stable style

  • Don't double-decode input, causing non-UTF-8 files to be corrupted (#4964)
  • Fix crash on standalone comment in lambda default arguments (#4993)
  • Preserve parentheses when # type: ignore comments would be merged with other comments on the same line, preventing AST equivalence failures (#4888)

Preview style

  • Fix bug where if guards in case blocks were incorrectly split when the pattern had a trailing comma (#4884)
  • Fix string_processing crashing on unassigned long string literals with trailing commas (one-item tuples) (#4929)
  • Simplify implementation of the power operator "hugging" logic (#4918)

Packaging

  • Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in frozen environments (#4930)

Performance

  • Introduce winloop for windows as an alternative to uvloop (#4996)
  • Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop() (#4996)
  • Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop installation and creation of either a uvloop/winloop eventloop or default eventloop (#4996)

... (truncated)

Commits

Updates pytest to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

  • #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

  • #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

    Previously this resulted in an internal assertion failure during plugin loading.

    Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

  • #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

  • #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

  • #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

  • #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
  • #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
  • #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
  • #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

  • #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

    -- by aleguy02

Commits

Updates pylint to 4.0.5

Commits
  • 88e1ab7 Bump pylint to 4.0.5, update changelog (#10860)
  • d96d489 [Backport maintenance/4.0.x] Relax isort version constraint to allow isort 8 ...
  • 0b08ccb Fix dynamic color mapping for "fail-on" messages when using multiple reporter...
  • 154dba4 [Backport maintenance/4.0.x] Fix FP for invalid-name with typing.Final on...
  • 7b73bfd Disable unspecified-encoding for py-version above Python 3.15 (#10800)
  • 4cc98be [Backport maintenance/4.0.x] Fix setting options for import order checker (#1...
  • f0d30a2 Sync astroid version with requirements file again
  • 38bdf02 [Backport maintenance/4.0.x] Fix logging-unsupported-format when logging ...
  • f08c33a [Backport maintenance/4.0.x] Properly detect self.fail() as a terminating...
  • e16f942 Bump pylint to 4.0.4, update changelog
  • Additional commits viewable in compare view

Updates streamlit to 1.56.0

Release notes

Sourced from streamlit's releases.

1.56.0

What's Changed

New Features 🎉

Bug Fixes 🐛

Other Changes

... (truncated)

Commits

Updates pandas to 3.0.2

Release notes

Sourced from pandas's releases.

pandas 3.0.2

We are pleased to announce the release of pandas 3.0.2. This is a patch release in the 3.0.x series and includes some regression fixes and bug fixes. We recommend that all users of the 3.0.x series upgrade to this version.

See the full whatsnew for a list of all the changes.

Pandas 3.0 supports Python 3.11 and higher. The release can be installed from PyPI:

python -m pip install --upgrade pandas==3.0.*

Or from conda-forge

conda install -c conda-forge pandas=3.0

Please report any issues with the release on the pandas issue tracker.

Thanks to all the contributors who made this release possible.

Commits
  • ab90747 RLS: 3.0.2 (#64934)
  • 6f27013 Backport PR #64931 on branch 3.0.x (DOC/BLD: temporary disable upload of docs...
  • 48ddc60 Backport PR #64664 on branch 3.0.x (BUG: DataFrame.sum() crashes on empty Dat...
  • 8774488 [backport 3.0.x] PERF: fix slow python loop in validation for ArrowStringArra...
  • 33af6cc Backport PR #64133 on branch 3.0.x (BUG: str.find returns byte offset instead...
  • 4ef49d8 [backport 3.0.x] BUG: fix convert_dtypes dropping values from sliced mixed-dt...
  • 0668f34 [backport 3.0.x] BUG: Fix HDFStore.put with StringDtype columns and compressi...
  • 23f2f44 [backport 3.0.x] BUG: Suppress unnecessary RuntimeWarning in to_datetime with...
  • 83ba804 Backport PR #64886: BUG: Compute Variance of Complex Numbers Correctly (#64892)
  • bb5ca1a Backport PR #64386 on branch 3.0.x (BUG: fix sort_index AssertionError with R...
  • Additional commits viewable in compare view

Updates requests to 2.33.1

Release notes

Sourced from requests's releases.

v2.33.1

2.33.1 (2026-03-30)

Bugfixes

  • Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
  • Fixed Content-Type header parsing for malformed values. (#7309)
  • Improved error consistency for malformed header values. (#7308)

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30

Changelog

Sourced from requests's changelog.

2.33.1 (2026-03-30)

Bugfixes

  • Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
  • Fixed Content-Type header parsing for malformed values. (#7309)
  • Improved error consistency for malformed header values. (#7308)

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.

2.32.5 (2025-08-18)

Bugfixes

  • The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

  • Added support for Python 3.14.

... (truncated)

Commits

Updates beautifulsoup4 to 4.14.3

Updates lxml to 6.1.0

Changelog

Sourced from lxml's changelog.

6.1.0 (2026-04-17)

This release fixes a possible external entity injection (XXE) vulnerability in iterparse() and the ETCompatXMLParser.

Features added

  • GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes in lxml.html.defs. This allows lxml_html_clean to pass them through. Patch by oomsveta.

  • The default chunk size for reading from file-likes in iterparse() is now configurable with a new chunk_size argument.

Bugs fixed

  • LP#2146291: The resolve_entities option was still set to True for iterparse and ETCompatXMLParser, allowing for external entity injection (XXE) when using these parsers without setting this option explicitly. The default was now changed to 'internal' only (as for the normal XML and HTML parsers since lxml 5.0). Issue found by Sihao Qiu as CVE-2026-41066.

6.0.4 (2026-04-12)

Bugs fixed

  • LP#2148019: Spurious MemoryError during namespace cleanup.

6.0.3 (2026-04-09)

Bugs fixed

  • Several out of memory error cases now raise MemoryError that were not handled before.

  • Slicing with large step values (outside of +/- sys.maxsize) could trigger undefined C behaviour.

  • LP#2125399: Some failing tests were fixed or disabled in PyPy.

  • LP#2138421: Memory leak in error cases when setting the public_id or system_url of a document.

... (truncated)

Commits
  • 43722f4 Update changelog.
  • 8747040 Name version of option change in docstring.
  • 6c36e6c Fix pypistats URL in download statistics script.
  • c7d76d6 Change security policy to point to Github security advisories.
  • 378ccf8 Update project income report.
  • 315270b Docs: Reduce TOC depth of package pages and move module contents first.
  • 6dbba7f Docs: Show current year in copyright line.
  • e4385bf Update project income report.
  • 5bed1e1 Validate file hashes in release download script.
  • c13ee10 Prepare release of 6.1.0.
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Updates the requirements on [black](https://github.com/psf/black), [pytest](https://github.com/pytest-dev/pytest), [pylint](https://github.com/pylint-dev/pylint), [streamlit](https://github.com/streamlit/streamlit), [pandas](https://github.com/pandas-dev/pandas), [requests](https://github.com/psf/requests), [beautifulsoup4](https://www.crummy.com/software/BeautifulSoup/bs4/) and [lxml](https://github.com/lxml/lxml) to permit the latest version.

Updates `black` to 26.3.1
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](psf/black@23.7.0...26.3.1)

Updates `pytest` to 9.0.3
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@7.4.0...9.0.3)

Updates `pylint` to 4.0.5
- [Release notes](https://github.com/pylint-dev/pylint/releases)
- [Commits](pylint-dev/pylint@pylint-3.0.0a0...v4.0.5)

Updates `streamlit` to 1.56.0
- [Release notes](https://github.com/streamlit/streamlit/releases)
- [Commits](streamlit/streamlit@1.11.1...1.56.0)

Updates `pandas` to 3.0.2
- [Release notes](https://github.com/pandas-dev/pandas/releases)
- [Commits](pandas-dev/pandas@v1.4.3...v3.0.2)

Updates `requests` to 2.33.1
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.29.0...v2.33.1)

Updates `beautifulsoup4` to 4.14.3

Updates `lxml` to 6.1.0
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-4.9.3...lxml-6.1.0)

---
updated-dependencies:
- dependency-name: black
  dependency-version: 26.3.1
  dependency-type: direct:production
  dependency-group: python-packages
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:production
  dependency-group: python-packages
- dependency-name: pylint
  dependency-version: 4.0.5
  dependency-type: direct:production
  dependency-group: python-packages
- dependency-name: streamlit
  dependency-version: 1.56.0
  dependency-type: direct:production
  dependency-group: python-packages
- dependency-name: pandas
  dependency-version: 3.0.2
  dependency-type: direct:production
  dependency-group: python-packages
- dependency-name: requests
  dependency-version: 2.33.1
  dependency-type: direct:production
  dependency-group: python-packages
- dependency-name: beautifulsoup4
  dependency-version: 4.14.3
  dependency-type: direct:production
  dependency-group: python-packages
- dependency-name: lxml
  dependency-version: 6.1.0
  dependency-type: direct:production
  dependency-group: python-packages
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Apr 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants