build(deps): bump the pip group across 2 directories with 6 updates

[dependabot]

Bumps the pip group with 3 updates in the / directory: scikit-learn, prefect and black.
Bumps the pip group with 4 updates in the /lessons/05-model-deployment directory: scikit-learn, gunicorn, mlflow and requests.

Updates scikit-learn from 1.0.2 to 1.5.0

Release notes

Sourced from scikit-learn's releases.

Scikit-learn 1.5.0

We're happy to announce the 1.5.0 release.

You can read the release highlights under https://scikit-learn.org/stable/auto_examples/release_highlights/plot_release_highlights_1_5_0.html and the long version of the change log under https://scikit-learn.org/stable/whats_new/v1.5.html

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

The conda-forge builds can be installed using:

conda install -c conda-forge scikit-learn

Scikit-learn 1.4.2

We're happy to announce the 1.4.2 release.

This release only includes support for numpy 2.

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

Scikit-learn 1.4.1.post1

We're happy to announce the 1.4.1.post1 release.

You can see the changelog here: https://scikit-learn.org/stable/whats_new/v1.4.html#version-1-4-1-post1

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

The conda-forge builds can be installed using:

conda install -c conda-forge scikit-learn

... (truncated)

Commits

• b51d0c9 trigger whell builder [cd build]
• 919ae9b MAINT Reoder what's new for 1.5 (#29039)
• 0ac28ad DOC Release highlights 1.5 (#29007)
• 729b54d test py3.12 against numpy 2 [cd build]
• 1e50434 set version
• ffbe4ab DOC remove obsolete SVM example (#27108)
• 4647729 DOC Fix time complexity of MLP (#28592)
• 9bd7047 FIX convergence criterion of MeanShift (#28951)
• b79420f FIX add long long for int32/int64 windows compat in NumPy 2.0 (#29029)
• 37f544d DOC replace pandas with Polars in examples/gaussian_process/plot_gpr_co2.py (...
• Additional commits viewable in compare view

Updates prefect from 2.7.9 to 2.16.5

Release notes

Sourced from prefect's releases.

2.20.16: Back to the 2.x Future

What's Changed

Bug Fixes 🐞

• backport retry delay type fix by @​zzstoatzz in PrefectHQ/prefect#16377
• Backport: deleting flows in python client prefect 2.0 by @​paulusaptus in PrefectHQ/prefect#16311
• Backport: Prevent workers from running flow runs scheduled for in process retry by @​desertaxle in PrefectHQ/prefect#16453

Integrations & Dependencies 🤝

• backport #16149 by @​zzstoatzz in PrefectHQ/prefect#16317
• Update typer requirement from !=0.12.2,=0.12.0,!=0.12.2,<0.16.0 by @​dependabot in PrefectHQ/prefect#16207

Full Changelog: PrefectHQ/prefect@2.20.15...2.20.16

Changelog

Sourced from prefect's changelog.

Release 2.16.5

Multi-select deletion of flow runs

It is now easier to bulk select and delete flow runs through the UI. Listings of filterable and selectable flow runs (e.g. on the flow runs, flow, and deployment pages) now include a top-level checkbox for (de)selecting all currently filtered flow runs for bulk deletion.

See the following pull request for implementation details:

• PrefectHQ/prefect#12356
• PrefectHQ/prefect-ui-library#2227
• PrefectHQ/prefect#12285

Visualize state changes and artifacts in the UI

Additionally, the flow run graph UI enhancements for visualizing state changes and artifacts added in 2.16.4 are now enabled by default. See the release notes in 2.16.14 for more details!

Enhancements

• Keep artifacts file in prefect-client — PrefectHQ/prefect#12316
• remove feature flagging around enhanced-deployment-experiment — PrefectHQ/prefect#12360
• Feature : #11773 UI: Add checkboxes for runs for an individual flow to allow multi-selection/-deletion — PrefectHQ/prefect#12285
• Add a capability to verify ssl certificates in Prefect CLI — PrefectHQ/prefect#11771
• Add prefect task-run command group to CLI — PrefectHQ/prefect#12307
• Correct emit background task state change events — PrefectHQ/prefect#12352
• Update CsrfTokenApi to retry failed requests due to invalid tokens — PrefectHQ/prefect#12373

Fixes

• Refactor logic to set task_key for background tasks — PrefectHQ/prefect#12337
• Correct a memory leak with the outbound task run websockets — PrefectHQ/prefect#12346
• Correctly type hint in flow run state change hooks — PrefectHQ/prefect#12231

Experimental

• Create CsrfToken model and utilities — PrefectHQ/prefect#12289
• Create csrf_token endpoint to generate tokens for clients — PrefectHQ/prefect#12297
• Integrate CsrfMiddleware into API server — PrefectHQ/prefect#12303
• Add CSRF support to client — PrefectHQ/prefect#12314
• Return 422 when CSRF is disabled and delete expired tokens — PrefectHQ/prefect#12342
• Add model_dump definition for Pydantic v2 compatibility layer — PrefectHQ/prefect#12345
• Add experimental model_json_schema definition for Pydantic V2 compatibility - PrefectHQ/prefect#12362
• Implement CSRF support in the UI — PrefectHQ/prefect#12354

Documentation

• Add upstream dependencies guide to docs — PrefectHQ/prefect#12351
• Update documentation on event and metric automation triggers — PrefectHQ/prefect#12366
• Add documentation on compound and sequence automation triggers — PrefectHQ/prefect#12374
• Add CSRF settings to common settings section in docs — PrefectHQ/prefect#12376

Uncategorized

• Pin BuildKit to 0.12.5 to fix issue with test image build — PrefectHQ/prefect#12343
• Backporting the Prefect Cloud composite trigger schemas — PrefectHQ/prefect#12378

Contributors

... (truncated)

Commits

• 6d0ad74 Add release notes for 2.16.5 (#12383)
• 6ef2190 Revert "Enhancement: Base client retry on 500 (#12084)" (#12385)
• 20612b5 CSRF is defaulting to False for now (#12386)
• 7193e1e Add experimental model_json_schema function for Pydantic V2 compatibility (...
• b2df34d Attempt to fix agent/work queue test CI flakes (#12375)
• 6e1886e Feature : #11773 UI: Add checkboxes for runs for an indivdual flow to allow m...
• c962546 Backporting the Prefect Cloud composite trigger schemas (#12378)
• 9e79cdc Add a line about appropriate settings for flow run graph layers. (#12380)
• c2416f0 add a capability to verify ssl certificate in Prefect CLI (#11771)
• 1ea9e0e Update @​prefecthq/prefect-ui-library to version 2.6.46 (#12379)
• Additional commits viewable in compare view

Updates black from 22.12.0 to 24.3.0

Release notes

Sourced from black's releases.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

• Don't move comments along with delimiters, which could cause crashes (#4248)
• Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
• Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

• Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

• Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

• Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

• Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
• Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
• Checking for newline before adding one on docstring that is almost at the line limit (#4185)
• Remove redundant parentheses in case statement if guards (#4214).

Configuration

... (truncated)

Changelog

Sourced from black's changelog.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

• Don't move comments along with delimiters, which could cause crashes (#4248)
• Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
• Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

• Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

• Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

• Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

• Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
• Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
• Checking for newline before adding one on docstring that is almost at the line limit (#4185)
• Remove redundant parentheses in case statement if guards (#4214).

... (truncated)

Commits

• 552baf8 Prepare release 24.3.0 (#4279)
• f000936 Fix catastrophic performance in lines_with_leading_tabs_expanded() (#4278)
• 7b5a657 Fix --line-ranges behavior when ranges are at EOF (#4273)
• 1abcffc Use regex where we ignore case on windows (#4252)
• 719e674 Fix 4227: Improve documentation for --quiet --check (#4236)
• e5510af update plugin url for Thonny (#4259)
• 6af7d11 Fix AST safety check false negative (#4270)
• f03ee11 Ensure blib2to3.pygram is initialized before use (#4224)
• e4bfedb fix: Don't move comments while splitting delimiters (#4248)
• d0287e1 Make trailing comma logic more concise (#4202)
• Additional commits viewable in compare view

Updates scikit-learn from 1.0.2 to 1.5.0

Release notes

Sourced from scikit-learn's releases.

Scikit-learn 1.5.0

We're happy to announce the 1.5.0 release.

You can read the release highlights under https://scikit-learn.org/stable/auto_examples/release_highlights/plot_release_highlights_1_5_0.html and the long version of the change log under https://scikit-learn.org/stable/whats_new/v1.5.html

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

The conda-forge builds can be installed using:

conda install -c conda-forge scikit-learn

Scikit-learn 1.4.2

We're happy to announce the 1.4.2 release.

This release only includes support for numpy 2.

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

Scikit-learn 1.4.1.post1

We're happy to announce the 1.4.1.post1 release.

You can see the changelog here: https://scikit-learn.org/stable/whats_new/v1.4.html#version-1-4-1-post1

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

The conda-forge builds can be installed using:

conda install -c conda-forge scikit-learn

... (truncated)

Commits

• b51d0c9 trigger whell builder [cd build]
• 919ae9b MAINT Reoder what's new for 1.5 (#29039)
• 0ac28ad DOC Release highlights 1.5 (#29007)
• 729b54d test py3.12 against numpy 2 [cd build]
• 1e50434 set version
• ffbe4ab DOC remove obsolete SVM example (#27108)
• 4647729 DOC Fix time complexity of MLP (#28592)
• 9bd7047 FIX convergence criterion of MeanShift (#28951)
• b79420f FIX add long long for int32/int64 windows compat in NumPy 2.0 (#29029)
• 37f544d DOC replace pandas with Polars in examples/gaussian_process/plot_gpr_co2.py (...
• Additional commits viewable in compare view

Updates gunicorn from 20.1.0 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

fix CVE-2024-1135

1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
2. Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle .
</tr></table> 

... (truncated)

Commits

• f63d59e bump to 22.0
• 4ac81e0 Merge pull request #3175 from e-kwsm/typo
• 401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
• 0243ec3 fix(deps): exclude eventlet 0.36.0
• 628a0bc chore: fix typos
• 88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
• deae2fc CI: back off the agressive timeout
• f470382 docs: promise 3.12 compat
• 5e30bfa add changelog to project.urls (updated for PEP621)
• 481c3f9 remove setup.cfg - overridden by pyproject.toml
• Additional commits viewable in compare view

Updates mlflow from 2.1.1 to 2.16.0

Release notes

Sourced from mlflow's releases.

MLflow 2.16.0

We are excited to announce the release of MLflow 2.16.0. This release includes many major features and improvements!

Major features:

• LlamaIndex Enhancements🦙 - to provide additional flexibility to the LlamaIndex integration, we now have support for the models-from-code functionality for logging, extended engine-based logging, and broadened support for external vector stores.

• LangGraph Support - We've expanded the LangChain integration to support the agent framework LangGraph. With tracing and support for logging using the models-from-code feature, creating and storing agent applications has never been easier!

• AutoGen Tracing - Full automatic support for tracing multi-turn agent applications built with Microsoft's AutoGen framework is now available in MLflow. Enabling autologging via mlflow.autogen.autolog() will instrument your agents built with AutoGen.

• Plugin support for AI Gateway - You can now define your own provider interfaces that will work with MLflow's AI Gateway (also known as the MLflow Deployments Server). Creating an installable provider definition will allow you to connect the Gateway server to any GenAI service of your choosing.

Features:

• [UI] Add updated deployment usage examples to the MLflow artifact viewer (#13024, @​serena-ruan, @​daniellok-db)
• [Models] Support logging LangGraph applications via the models-from-code feature (#12996, @​B-Step62)
• [Models] Extend automatic authorization pass-through support for Langgraph agents (#13001, @​aravind-segu)
• [Models] Expand the support for LangChain application logging to include UCFunctionToolkit dependencies (#12966, @​aravind-segu)
• [Models] Support saving LlamaIndex engine directly via the models-from-code feature (#12978, @​B-Step62)
• [Models] Support models-from-code within the LlamaIndex flavor (#12944, @​B-Step62)
• [Models] Remove the data structure conversion of input examples to ensure enhanced compatibility with inference signatures (#12782, @​serena-ruan)
• [Models] Add the ability to retrieve the underlying model object from within pyfunc model wrappers (#12814, @​serena-ruan)
• [Models] Add spark vector UDT type support for model signatures (#12758, @​WeichenXu123)
• [Tracing] Add tracing support for AutoGen (#12913, @​B-Step62)
• [Tracing] Reduce the latency overhead for tracing (#12885, @​B-Step62)
• [Tracing] Add Async support for the trace decorator (#12877, @​MPKonst)
• [Deployments] Introduce a plugin provider system to the AI Gateway (Deployments Server) (#12611, @​gabrielfu)
• [Projects] Add support for parameter submission to MLflow Projects run in Databricks (#12854, @​WeichenXu123)
• [Model Registry] Introduce support for Open Source Unity Catalog as a model registry service (#12888, @​artjen)

Bug fixes:

• [Tracking] Reduce the contents of the model-history tag to only essential fields (#12983, @​harshilprajapati96)
• [Models] Fix the behavior of defining the device to utilize when loading transformers models (#12977, @​serena-ruan)
• [Models] Fix evaluate behavior for LlamaIndex (#12976, @​B-Step62)
• [Models] Replace pkg_resources with importlib.metadata due to package deprecation (#12853, @​harupy)
• [Tracking] Fix error handling for OpenAI autolog tracing (#12841, @​B-Step62)
• [Tracking] Fix a condition where a deadlock can occur when connecting to an SFTP artifact store (#12938, @​WeichenXu123)
• [Tracking] Fix an issue where code_paths dependencies were not properly initialized within the system path for LangChain models (#12923, @​harshilprajapati96)
• [Tracking] Fix a type error for metrics value logging (#12876, @​beomsun0829)
• [Tracking] Properly catch NVML errors when collecting GPU metrics (#12903, @​chenmoneygithub)
• [Deployments] Improve Gateway schema support for the OpenAI provider (#12781, @​danilopeixoto)
• [Model Registry] Fix deletion of artifacts when downloading from a non-standard DBFS location during UC model registration (#12821, @​smurching)

Documentation updates:

• [Docs] Add documentation guides for LangGraph support (#13025, @​BenWilson2)
• [Docs] Add additional documentation for models from code feature (#12936, @​BenWilson2)

... (truncated)

Changelog

Sourced from mlflow's changelog.

2.16.0 (2024-08-30)

We are excited to announce the release of MLflow 2.16.0. This release includes many major features and improvements!

Major features:

• LlamaIndex Enhancements🦙 - to provide additional flexibility to the LlamaIndex integration, we now have support for the models-from-code functionality for logging, extended engine-based logging, and broadened support for external vector stores.

• LangGraph Support - We've expanded the LangChain integration to support the agent framework LangGraph. With tracing and support for logging using the models-from-code feature, creating and storing agent applications has never been easier!

• AutoGen Tracing - Full automatic support for tracing multi-turn agent applications built with Microsoft's AutoGen framework is now available in MLflow. Enabling autologging via mlflow.autogen.autolog() will instrument your agents built with AutoGen.

• Plugin support for AI Gateway - You can now define your own provider interfaces that will work with MLflow's AI Gateway (also known as the MLflow Deployments Server). Creating an installable provider definition will allow you to connect the Gateway server to any GenAI service of your choosing.

Features:

• [UI] Add updated deployment usage examples to the MLflow artifact viewer (#13024, @​serena-ruan, @​daniellok-db)
• [Models] Support logging LangGraph applications via the models-from-code feature (#12996, @​B-Step62)
• [Models] Extend automatic authorization pass-through support for Langgraph agents (#13001, @​aravind-segu)
• [Models] Expand the support for LangChain application logging to include UCFunctionToolkit dependencies (#12966, @​aravind-segu)
• [Models] Support saving LlamaIndex engine directly via the models-from-code feature (#12978, @​B-Step62)
• [Models] Support models-from-code within the LlamaIndex flavor (#12944, @​B-Step62)
• [Models] Remove the data structure conversion of input examples to ensure enhanced compatibility with inference signatures (#12782, @​serena-ruan)
• [Models] Add the ability to retrieve the underlying model object from within pyfunc model wrappers (#12814, @​serena-ruan)
• [Models] Add spark vector UDT type support for model signatures (#12758, @​WeichenXu123)
• [Tracing] Add tracing support for AutoGen (#12913, @​B-Step62)
• [Tracing] Reduce the latency overhead for tracing (#12885, @​B-Step62)
• [Tracing] Add Async support for the trace decorator (#12877, @​MPKonst)
• [Deployments] Introduce a plugin provider system to the AI Gateway (Deployments Server) (#12611, @​gabrielfu)
• [Projects] Add support for parameter submission to MLflow Projects run in Databricks (#12854, @​WeichenXu123)
• [Model Registry] Introduce support for Open Source Unity Catalog as a model registry service (#12888, @​artjen)

Bug fixes:

• [Tracking] Reduce the contents of the model-history tag to only essential fields (#12983, @​harshilprajapati96)
• [Models] Fix the behavior of defining the device to utilize when loading transformers models (#12977, @​serena-ruan)
• [Models] Fix evaluate behavior for LlamaIndex (#12976, @​B-Step62)
• [Models] Replace pkg_resources with importlib.metadata due to package deprecation (#12853, @​harupy)
• [Tracking] Fix error handling for OpenAI autolog tracing (#12841, @​B-Step62)
• [Tracking] Fix a condition where a deadlock can occur when connecting to an SFTP artifact store (#12938, @​WeichenXu123)
• [Tracking] Fix an issue where code_paths dependencies were not properly initialized within the system path for LangChain models (#12923, @​harshilprajapati96)
• [Tracking] Fix a type error for metrics value logging (#12876, @​beomsun0829)
• [Tracking] Properly catch NVML errors when collecting GPU metrics (#12903, @​chenmoneygithub)
• [Deployments] Improve Gateway schema support for the OpenAI provider (#12781, @​danilopeixoto)
• [Model Registry] Fix deletion of artifacts when downloading from a non-standard DBFS location during UC model registration (#12821, @​smurching)

Documentation updates:

• [Docs] Add documentation guides for LangGraph support (#13025, @​BenWilson2)
• [Docs] Add additional documentation for models from code feature (#12936, @​BenWilson2)

... (truncated)

Commits

• 07fdad0 Run python3 dev/update_mlflow_versions.py pre-release ... (#13031)
• ebab8ff Run python3 dev/update_requirements.py --requirements-... (#13027)
• bc738eb Run python3 dev/update_ml_package_versions.py (#13026)
• 2042bd0 Run python3 dev/update_pypi_package_index.py (#13028)
• cc949ac MLflow UI Sync (#13024)
• 71570ae Add docs updates for LangGraph support (#13025)
• 9bfa231 Add mlflow.models.Model.get_tags_dict to generate model-history tag (#12...
• 8135ea8 Support saving LangGraph object via model-from-code (#12996)
• 2b33509 Fix data conversion for serving in langchain (#12987)
• 811c0f4 Change uc_function to function (#13019)
• Additional commits viewable in compare view

Updates requests from 2.28.2 to 2.32.2

Release notes

Sourced from requests's releases.

v2.32.2

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

🐍 PYCON US 2024 EDITION 🐍

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

... (truncated)

Changelog

Sourced from requests's changelog.

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations

... (truncated)

Commits

• 88dce9d v2.32.2
• c98e4d1 Merge pull request #6710 from nateprewitt/api_rename
• 92075b3 Add deprecation warning
• aa1461b Move _get_connection to get_connection_with_tls_context
• 970e8ce v2.32.1
• d6ebc4a v2.32.0
• 9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
• 0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
• 555b870 Allow character detection dependencies to be optional in post-packaging steps
• d6dded3 Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.