
Bump scrapy from 2.13.3 to 2.13.4#231

Merged
k-nut merged 1 commit into main from dependabot/uv/scrapy-2.13.4
Nov 26, 2025

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github Nov 24, 2025

Bumps scrapy from 2.13.3 to 2.13.4.

Release notes

Sourced from scrapy's releases.

2.13.4

Fix for the CVE-2025-6176 security issue: improved protection against decompression bombs in HttpCompressionMiddleware for responses compressed using the br and deflate methods. Requires brotli >= 1.2.0.

Full changelog

Changelog

Sourced from scrapy's changelog.

Scrapy 2.13.4 (2025-11-17)

Security bug fixes

-   Improved protection against decompression bombs in
    :class:`~scrapy.downloadermiddlewares.httpcompression.HttpCompressionMiddleware`
    for responses compressed using the ``br`` and ``deflate`` methods: if a
    single compressed chunk would be larger than the response size limit (see
    :setting:`DOWNLOAD_MAXSIZE`) when decompressed, decompression is no longer
    carried out. This is especially important for the ``br`` (Brotli) method
    that can provide a very high compression ratio. Please, see the
    `CVE-2025-6176`_ and `GHSA-2qfp-q593-8484`_ security advisories for more
    information.
    (:issue:`7134`)

.. _CVE-2025-6176: https://nvd.nist.gov/vuln/detail/CVE-2025-6176
.. _GHSA-2qfp-q593-8484: https://github.com/advisories/GHSA-2qfp-q593-8484

Modified requirements

-   The minimum supported version of the optional ``brotli`` package is now
    1.2.0. (:issue:`7134`)

-   The ``brotlicffi`` and ``brotlipy`` packages can no longer be used to
    decompress Brotli-compressed responses. Please install the ``brotli``
    package instead. (:issue:`7134`)

Other changes

-   Restricted the maximum supported Twisted version to ``25.5.0``, as Scrapy
    currently uses some private APIs changed in later Twisted versions.
    (:issue:`7142`)

-   Stopped setting the ``COVERAGE_CORE`` environment variable in tests; it
    didn't have an effect but caused the ``coverage`` module to produce a
    warning or an error.
    (:issue:`7137`)

-   Removed the documentation build dependency on the deprecated
    ``sphinx-hoverxref`` module.
    (:issue:`6786`, :issue:`6922`)


Commits
  • 2f62ab5 Bump version: 2.13.3 → 2.13.4
  • 31a9c03 Release notes for 2.13.4. (#7144)
  • c44b8df Cherry-pick: Mitigate brotli and deflate decompression bombs DoS (#7134)
  • d091256 Remove the deprecated sphinx-hoverxref (#6922)
  • c83ca70 Don't force the unavailable sysmon coverage core. (#7137)
  • 85e4e6c Pin Twisted to <= 25.5.0 due to internal API changes.
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
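
The mitigation the changelog above describes (stop decompressing as soon as a chunk would exceed the response size limit, rather than inflating the whole body and measuring it afterwards) as an added, stand-alone illustration. This is not Scrapy's code and not the patch in this bump: it shows only the ``deflate`` path using the standard library's ``zlib``, assumes the body is zlib-wrapped (HTTP ``deflate`` bodies are sometimes raw deflate, which this example does not handle), and uses ``MAX_BODY_BYTES`` as an assumed stand-in for ``DOWNLOAD_MAXSIZE``. The Brotli path, which needs the third-party ``brotli`` package, is not shown. The sample bodies are constructed inside the block.

```python
"""Bounded deflate decompression: refuse a body before it gets big.

Added example, not Scrapy's own implementation. It demonstrates the
principle behind the 2.13.4 fix: drive the decompressor in bounded pieces
and abandon the body the moment the output budget is crossed, so a
highly compressible "bomb" never costs more than the limit in memory.
"""
import zlib

# Assumed response size limit for this example (stand-in for DOWNLOAD_MAXSIZE).
MAX_BODY_BYTES = 1_000_000
# Upper bound on bytes materialised by a single decompress() call.
CHUNK = 64 * 1024


class DecompressionBombError(ValueError):
    """Decompressed output would exceed the configured size limit."""


def decompress_deflate_bounded(data: bytes, max_size: int = MAX_BODY_BYTES) -> bytes:
    """Decompress a zlib-wrapped deflate body, never holding more than
    max_size + 1 decompressed bytes at any point.

    zlib.decompressobj().decompress(max_length=...) caps the output of each
    call and parks unprocessed input in .unconsumed_tail, so the stream is
    pulled through in bounded steps instead of being inflated in full.
    """
    decomp = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not decomp.eof:
        # Ask for at most one byte beyond the remaining budget: that single
        # extra byte is proof the body is oversized, at negligible cost.
        budget = max_size - len(out) + 1
        piece = decomp.decompress(pending, max_length=min(budget, CHUNK))
        out += piece
        if len(out) > max_size:
            raise DecompressionBombError(
                f"decompressed body exceeds the {max_size}-byte limit; "
                "refusing to inflate further"
            )
        pending = decomp.unconsumed_tail
        if not piece and not pending:
            # No output, no input left, stream not finished: truncated body.
            raise ValueError("incomplete deflate stream")
    return bytes(out)


def check_body(data: bytes, max_size: int = MAX_BODY_BYTES) -> str:
    """Classify a compressed body the way a download middleware must:
    'ok', 'too-large' (oversized or a decompression bomb) or 'invalid'."""
    try:
        decompress_deflate_bounded(data, max_size)
    except DecompressionBombError:
        return "too-large"
    except (ValueError, zlib.error):
        return "invalid"
    return "ok"


# Constructed samples (not taken from any real response).
# 16 MiB of zeros shrinks to roughly 16 KiB at level 9, a ~1000:1 ratio in
# the range the changelog warns about for Brotli.
SAMPLE_BOMB = zlib.compress(b"\0" * (16 * 1024 * 1024), 9)
SAMPLE_PAGE_PLAINTEXT = b"<html><body>hello</body></html>" * 200
SAMPLE_PAGE = zlib.compress(SAMPLE_PAGE_PLAINTEXT)

if __name__ == "__main__":
    print(f"bomb: {len(SAMPLE_BOMB)} compressed bytes -> {check_body(SAMPLE_BOMB)}")
    print(f"page: {len(SAMPLE_PAGE)} compressed bytes -> {check_body(SAMPLE_PAGE)}")
```

The limit is inclusive: a body of exactly ``max_size`` bytes is accepted, one byte more is rejected before the rest of the stream is touched. Note also, from the "Modified requirements" above, that the Brotli side of the fix only takes effect with ``brotli >= 1.2.0`` installed and no longer works through ``brotlicffi`` or ``brotlipy``, so bumping ``scrapy`` alone does not complete the upgrade for ``br`` responses.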

Bumps [scrapy](https://github.com/scrapy/scrapy) from 2.13.3 to 2.13.4.
- [Release notes](https://github.com/scrapy/scrapy/releases)
- [Changelog](https://github.com/scrapy/scrapy/blob/master/docs/news.rst)
- [Commits](scrapy/scrapy@2.13.3...2.13.4)

---
updated-dependencies:
- dependency-name: scrapy
  dependency-version: 2.13.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Nov 24, 2025
@k-nut k-nut merged commit cff30cf into main Nov 26, 2025
2 checks passed
@dependabot dependabot Bot deleted the dependabot/uv/scrapy-2.13.4 branch November 26, 2025 07:00
k-nut pushed a commit to tifa365/jedeschule-scraper that referenced this pull request Apr 20, 2026
Bumps [scrapy](https://github.com/scrapy/scrapy) from 2.13.3 to 2.13.4.
- [Release notes](https://github.com/scrapy/scrapy/releases)
- [Changelog](https://github.com/scrapy/scrapy/blob/master/docs/news.rst)
- [Commits](scrapy/scrapy@2.13.3...2.13.4)

---
updated-dependencies:
- dependency-name: scrapy
  dependency-version: 2.13.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
