deps(deps): bump the python-minor-patch group with 33 updates

[dependabot]

Bumps the python-minor-patch group with 33 updates:

Package	From	To
eth-abi	5.1.0	5.2.0
bitstring	4.3.1	4.4.0
click	8.3.1	8.4.1
cookiecutter	2.6.0	2.7.1
flask	3.1.2	3.1.3
humanize	4.14.0	4.15.0
jsonschema	4.25.1	4.26.0
mistune	3.2.1	3.3.1
numpy	2.3.5	2.4.6
psutil	7.1.3	7.2.2
pyasn1	0.6.1	0.6.3
pygments	2.19.2	2.20.0
pynacl	1.6.1	1.6.2
requests	2.32.5	2.34.2
tabulate	0.9.0	0.10.0
ujson	5.11.0	5.13.0
werkzeug	3.1.4	3.1.8
zope-interface	8.1.1	8.5
furo	2025.9.25	2025.12.19
pip-licenses	5.5.0	5.5.5
sphinx-autodoc-typehints	3.5.2	3.6.1
pytest	9.0.2	9.1.1
pytest-cov	7.0.0	7.1.0
tox	4.32.0	4.55.1
ruff	0.14.9	0.15.18
bandit	1.9.2	1.9.4
build	1.3.0	1.5.0
wheel	0.45.1	0.47.0
pyinstaller	6.17.0	6.21.0
myst-parser	4.0.1	5.1.0
sphinx-autoapi	3.6.1	3.8.0
sphinx-design	0.6.1	0.7.0
linkify-it-py	2.0.3	2.1.0

Updates eth-abi from 5.1.0 to 5.2.0

Changelog

Sourced from eth-abi's changelog.

eth-abi v5.2.0 (2025-01-14)

Features

- Merge template, adding ``py313`` support, replace ``bumpversion`` with ``bump-my-version``, raise required ``hypothesis`` versions. (`[#241](https://github.com/ethereum/eth-abi/issues/241) <https://github.com/ethereum/eth-abi/issues/241>`__)
Internal Changes - for eth-abi Contributors

• Merge template, fixing docs CI and other various updates ([#236](https://github.com/ethereum/eth-abi/issues/236) <https://github.com/ethereum/eth-abi/issues/236>__)

Commits

• bbf60c2 Bump version: 5.1.0 → 5.2.0
• 05414f6 Compile release notes for v5.2.0
• c6be9de Merge pull request #241 from pacrob/upgrade-template
• b74f580 new hypothesis pins and fix things it breaks
• 8d66e07 merge template and fill vars
• 4be68af Put python3.8 support back in:
• c6a24e4 Update version update note
• 8388742 correct use of file
• 1280617 run mypy local
• 6a927ac drop py38, add py13, add 2024 to license
• Additional commits viewable in compare view

Updates bitstring from 4.3.1 to 4.4.0

Changelog

Sourced from bitstring's changelog.

March 2026: version 4.4.0

This version adds a new optional Rust-based backend. This is turned off by default so shouldn't affect users. The new backend uses the tibs library, which is by the same author as bitstring and should allow some nice optimisations as the whole stack can work together.

For now the Rust backend is about the same speed as the C backend (which uses bitarray) so there are no real advantages to use it yet. If you do want to try it then you'll need to set the BITSTRING_USE_RUST_CORE environment variable.

BITSTRING_USE_RUST_CORE=1 python your_script.py

You can check which backend is being used using bitstring.options.using_rust_core which should be False unless you've enabled it as detailed above.

The plan is to remove the C backend in version 5, which will allow lots of code simplifications and further performance improvements.

The tibs dependency is a bit experimental and difficult to test on every possible platform. If you experience any issues with installation then please file a bug report.

The only other change is explicit support for Python 3.14.

Commits

• 68853eb Removing the release candidate tag.
• 8489c9c Advert for tibs :)
• 0ca2f82 Docs for using_rust_core
• d2fe9cf Tagging a release candidate.
• 6a415a4 Reinstating previously failing test.
• 2873c3a Changing BitStore.find to return int | None instead of using -1.
• bf76db5 Making using_rust_core a property.
• 6703ab4 Reverting last change.
• 01213a3 Moving _imul to BitArray instead of Bits
• 73382e9 Renaming internal methods to be closer to the Tibs naming.
• Additional commits viewable in compare view

Updates click from 8.3.1 to 8.4.1

Release notes

Sourced from click's releases.

8.4.1

This is the Click 8.4.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.4.1/ Changes: https://click.palletsprojects.com/page/changes/#version-8-4-1 Milestone: https://github.com/pallets/click/milestone/32?closed=1

• get_parameter_source() is available during eager callbacks and type conversion again. #3458 #3484
• Zsh completion scripts parse correctly on Windows. #3277 # 3466
• Shell completion of Choice Enum values produces a valid completion result. #3015
• Fix empty byte-string handling in echo. #3487
• Fix closed file error with echo_via_pager. #3449

8.4.0

This is the Click 8.4.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecation, or introduce potentially breaking changes.

We encourage everyone to upgrade. You can read more about our Version Support Policy on our website.

PyPI: https://pypi.org/project/click/8.4.0/ Changes: https://click.palletsprojects.com/page/changes/#version-8-4-0 Milestone https://github.com/pallets/click/milestone/30

• ParamType typing improvements. #3371

  • :class:ParamType is now a generic abstract base class, parameterized by its converted value type.
  • :meth:~ParamType.convert return types are narrowed on all concrete types (str for :class:STRING, int for :class:INT, etc.).
  • :meth:~ParamType.to_info_dict returns specific :class:~typing.TypedDict subclasses instead of dict[str, Any].
  • :class:CompositeParamType and the number-range base are now generic with abstract methods.

• Refactor convert_type to extract type inference into a private _guess_type helper, and add :func:typing.overload signatures. #3372

• Parameter typing improvements. #2805

  • :class:Parameter is now an abstract base class, making explicit that it cannot be instantiated directly.
  • :attr:Parameter.name is now str instead of str | None. When expose_value=False, the name is set to "" instead of None.
  • The ctx parameter of :meth:Parameter.get_error_hint is now typed as Context | None, matching the runtime behavior.

• Split string values from default_map for parameters with nargs > 1 or :class:Tuple type, matching environment variable behavior.

... (truncated)

Changelog

Sourced from click's changelog.

Version 8.4.1

Released 2026-05-21

• get_parameter_source() is available during eager callbacks and type conversion again. {issue}3458 {pr}3484
• Zsh completion scripts parse correctly on Windows. {issue}3277 {pr}3466
• Shell completion of Enum values used as Choice options produces a valid completion result. {issue}3015 {pr}3471
• Fix empty byte-string handling in echo. {issue}3487 {pr}3493
• Fix closed file error with echo_via_pager. {issue}3449 {pr}3482
• Fix open_url on Windows when the file path contains spaces. {issue}2994 {pr}3478

Version 8.4.0

Released 2026-05-17

• {class}ParamType typing improvements. {pr}3371

  • {class}ParamType is now a generic abstract base class, parameterized by its converted value type.
  • {meth}~ParamType.convert return types are narrowed on all concrete types (str for {class}STRING, int for {class}INT, etc.).
  • {meth}~ParamType.to_info_dict returns specific {class}~typing.TypedDict subclasses instead of dict[str, Any].
  • {class}CompositeParamType and the number-range base are now generic with abstract methods.

• Refactor convert_type to extract type inference into a private _guess_type helper, and add {func}typing.overload signatures. {pr}3372

• {class}Parameter typing improvements. {pr}2805

  • {class}Parameter is now an abstract base class, making explicit that it cannot be instantiated directly.
  • {attr}Parameter.name is now str instead of str | None. When expose_value=False, the name is set to "" instead of None.
  • The ctx parameter of {meth}Parameter.get_error_hint is now typed as Context | None, matching the runtime behavior.

• Split string values from default_map for parameters with nargs > 1 or {class}Tuple type, matching environment variable behavior. {issue}2745 {pr}3364

• Auto-detect type=UNPROCESSED for flag_value of non-basic types

... (truncated)

Commits

• 6eeb50e release version 8.4.1
• 67921d5 change log and doc fixes (#3495)
• 9c41f46 Fix changelog and version admonitions
• 6cb3477 fix skip condition
• 5ee8e31 fix I/O operation on closed file error with CliRunner and echo_via_pager (#3482)
• becbde5 pager doesn't close std streams
• a5f5aa6 Handle empty bytes in echo (#3493)
• 4d3db84 handle empty bytes in echo
• d42f15b Fix get_parameter_source() during type conversion and eager callbacks (#3484)
• 0baa8db Document ctx.params bypass with test and doc
• Additional commits viewable in compare view

Updates cookiecutter from 2.6.0 to 2.7.1

Release notes

Sourced from cookiecutter's releases.

Cookiecutter 2.7.1: The One Where It Knows Its Own Name

You know that thing where you release an album, it's on the shelves, people are buying it, and then someone points out the spine says it's your previous album? That's what happened with Cookiecutter 2.7.0. We put out the long-awaited release with 27 improvements and 17 contributors, and cookiecutter -V proudly announced: 2.6.0.

$ cookiecutter -V
Cookiecutter 2.6.0
$ # narrator voice: it was not 2.6.0

Go on, run this and see for yourself that the 2.7.1 release knows its own version number now:

uv tool upgrade cookiecutter

What's fixed

cookiecutter -V now reports the real version. Rather than patch VERSION.txt, this release removes it entirely. The version is now read from package metadata at runtime, so pyproject.toml is the single source of truth and there's nothing left to drift. Thanks @​bollwyvl for the bug report PR and for suggesting the importlib.metadata approach, and thanks @​tranzystorekk for filing #2195!

What's better

CI runs each Python version as its own job. Tests for 3.10 through 3.14 used to run sequentially inside a single job per OS, which pushed Windows past 30 minutes. Each version now runs in parallel with a 15-minute timeout. Windows tests focus on the boundary versions (3.10 and 3.14) since intermediate versions add little signal beyond Ubuntu and macOS.

Contributors

@​audreyfeldroy (Audrey M. Roy Greenfeld) and @​pydanny (Daniel Roy Greenfeld) built this release, with help from Claude roleplaying as David Bowie.

Thanks to @​bollwyvl (Nicholas Bollweg) for the version fix PR and the importlib.metadata suggestion, and @​tranzystorekk for reporting the version mismatch.

2.7.0

Cookiecutter 2.7.0 is tested on Python 3.10 through 3.14, ships with a security policy documenting the trust model for template hook scripts, and publishes to PyPI with cryptographic provenance so you can verify every release. Seventeen contributors from the community helped build it.

uv tool upgrade cookiecutter

What's new

A security policy that explains what you're trusting. Cookiecutter templates can run arbitrary code through hook scripts, and that's by design. The new SECURITY.md lays out the trust model: what Cookiecutter sandboxes (nothing), what's in scope for vulnerability reports, and how to report them privately through GitHub. If you maintain templates or run unfamiliar ones, this is worth reading.

Python 3.10 through 3.14. Full test coverage across five Python versions. If you're on 3.7, 3.8, or 3.9, this is the release where you'll want to upgrade.

Pretty-printed JSON in templates. The jsonify Jinja2 extension takes an indent argument, so you can generate formatted JSON in your templates instead of single-line blobs. Thanks @​pabloxio! (#2050)

Boolean variables from the command line. Pass use_docker=y via --no-input and it arrives as a proper boolean in your template context. Thanks @​tylermilner! (#2029)

Structured bug reports. The GitHub issue form collects environment details upfront, so maintainers can reproduce your issue faster.

Tutorial videos and slides. Conference talk recordings and slide decks linked from the docs. Thanks @​datasharp! (#2137)

... (truncated)

Commits

• 083dd3c Release 2.7.1
• 59e7eb1 Ground the runtime version in package metadata instead of a hand-maintained file
• 730d2eb Run each Python version as its own CI job instead of sequentially
• db674d8 Reflect that PyPI publishing runs automatically on tag push
• 718f685 Release 2.7.0
• 14da090 Let contributors focus on what interests them, not a milestone plan
• a4a7e99 Give release managers a safe, documented path from version bump to PyPI
• cf3bd2f Drop the Release Drafter integration
• 0ff1fa8 Tell template creators what Cookiecutter actually gives them
• 154d946 Modernize the README around uv and a leaner project page
• Additional commits viewable in compare view

Updates flask from 3.1.2 to 3.1.3

Release notes

Sourced from flask's releases.

3.1.3

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

• The session is marked as accessed for operations that only access the keys but not the values, such as in and len. GHSA-68rp-wp8r-4726

Changelog

Sourced from flask's changelog.

Version 3.1.3

Released 2026-02-18

• The session is marked as accessed for operations that only access the keys but not the values, such as in and len. :ghsa:68rp-wp8r-4726

Commits

• 22d9247 release version 3.1.3
• 089cb86 Merge commit from fork
• c17f379 request context tracks session access
• 27be933 start version 3.1.3
• 4e652d3 Abort if the instance folder cannot be created (#5903)
• 3d03098 Abort if the instance folder cannot be created
• 407eb76 document using gevent for async (#5900)
• ac5664d document using gevent for async
• 4f79d5b Increase required flit_core version to 3.11 (#5865)
• fe3b215 Increase required flit_core version to 3.11
• Additional commits viewable in compare view

Updates humanize from 4.14.0 to 4.15.0

Release notes

Sourced from humanize's releases.

4.15.0

Added

• Add locale support for decimal separator in intword (#287) @​hugovk
• Add support for Python 3.15 (#275) @​hugovk

Changed

• Replace pre-commit with prek (#276) @​hugovk

Fixed

• naturaldelta: round the value to nearest unit that makes sense (#272) @​dangillet
• Fix plural form for intword and improve performance (#273) @​dangillet
• Replace Exception with more specific FileNotFoundError (#286) @​hugovk

Commits

• 2ddb590 Replace Exception with more specific FileNotFoundError (#286)
• e87f2e2 Add locale support for decimal separator in intword (#287)
• 7175184 Add locale support for decimal separator in intword
• 2526999 Update config (#285)
• ba532d9 Replace Exception with more specific FileNotFoundError
• bdc49ea Don't ignore UP038, it's been removed from Ruff
• 86f116b Add seven-day cooldown to Renovate
• e3f7116 No need for setup-python with prek-action
• 3dca143 naturaldelta: round the value to nearest unit that makes sense (#272)
• bac6f26 Apply suggestion from @​hugovk
• Additional commits viewable in compare view

Updates jsonschema from 4.25.1 to 4.26.0

Release notes

Sourced from jsonschema's releases.

v4.26.0

What's Changed

• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in python-jsonschema/jsonschema#1400
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in python-jsonschema/jsonschema#1405
• Bump astral-sh/setup-uv from 6.5.0 to 6.6.0 by @​dependabot[bot] in python-jsonschema/jsonschema#1406
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in python-jsonschema/jsonschema#1407
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in python-jsonschema/jsonschema#1413
• Bump astral-sh/setup-uv from 6.6.0 to 6.6.1 by @​dependabot[bot] in python-jsonschema/jsonschema#1412
• Bump pypa/gh-action-pypi-publish from 1.12.4 to 1.13.0 by @​dependabot[bot] in python-jsonschema/jsonschema#1410
• Bump softprops/action-gh-release from 2.3.2 to 2.3.3 by @​dependabot[bot] in python-jsonschema/jsonschema#1409
• Bump actions/setup-python from 5 to 6 by @​dependabot[bot] in python-jsonschema/jsonschema#1411
• validators: avoid urllib.request at import-time by @​gudnimg in python-jsonschema/jsonschema#1416
• Bump astral-sh/setup-uv from 6.6.1 to 6.8.0 by @​dependabot[bot] in python-jsonschema/jsonschema#1417
• Bump softprops/action-gh-release from 2.3.3 to 2.3.4 by @​dependabot[bot] in python-jsonschema/jsonschema#1418
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in python-jsonschema/jsonschema#1415
• Bump softprops/action-gh-release from 2.3.4 to 2.4.1 by @​dependabot[bot] in python-jsonschema/jsonschema#1419
• Bump github/codeql-action from 3 to 4 by @​dependabot[bot] in python-jsonschema/jsonschema#1420
• Bump astral-sh/setup-uv from 6.8.0 to 7.1.0 by @​dependabot[bot] in python-jsonschema/jsonschema#1421
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in python-jsonschema/jsonschema#1424
• Bump astral-sh/setup-uv from 7.1.0 to 7.1.1 by @​dependabot[bot] in python-jsonschema/jsonschema#1423
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in python-jsonschema/jsonschema#1425
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in python-jsonschema/jsonschema#1429
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in python-jsonschema/jsonschema#1431
• Bump softprops/action-gh-release from 2.4.1 to 2.4.2 by @​dependabot[bot] in python-jsonschema/jsonschema#1432
• Bump astral-sh/setup-uv from 7.1.1 to 7.1.2 by @​dependabot[bot] in python-jsonschema/jsonschema#1430
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in python-jsonschema/jsonschema#1434
• Bump astral-sh/setup-uv from 7.1.2 to 7.1.4 by @​dependabot[bot] in python-jsonschema/jsonschema#1435
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in python-jsonschema/jsonschema#1436
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in python-jsonschema/jsonschema#1437
• Bump softprops/action-gh-release from 2.4.2 to 2.5.0 by @​dependabot[bot] in python-jsonschema/jsonschema#1438
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in python-jsonschema/jsonschema#1439
• Document uuid format by @​sim642 in python-jsonschema/jsonschema#1440
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in python-jsonschema/jsonschema#1441
• Bump astral-sh/setup-uv from 7.1.4 to 7.1.6 by @​dependabot[bot] in python-jsonschema/jsonschema#1442
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in python-jsonschema/jsonschema#1443

New Contributors

• @​gudnimg made their first contribution in python-jsonschema/jsonschema#1416
• @​sim642 made their first contribution in python-jsonschema/jsonschema#1440

Full Changelog: python-jsonschema/jsonschema@v4.25.1...v4.26.0

Changelog

Sourced from jsonschema's changelog.

v4.26.0

• Decrease import time by delaying importing of urllib.request (#1416).

Commits

• a727743 Add a changelog entry for 4.26.
• 6d28c13 Update the lockfile.
• 739499e Update pre-commit hooks.
• cb2d779 Merge pull request #1443 from python-jsonschema/pre-commit-ci-update-config
• e6bbbb7 [pre-commit.ci] pre-commit autoupdate
• d56037a Merge pull request #1442 from python-jsonschema/dependabot/github_actions/ast...
• e54ce13 Bump astral-sh/setup-uv from 7.1.4 to 7.1.6
• 1f7c9fb Partially update docs requirements.
• 241aec9 Merge pull request #1441 from python-jsonschema/pre-commit-ci-update-config
• 2818efb Apache-2.0 -> nongpl
• Additional commits viewable in compare view

Updates mistune from 3.2.1 to 3.3.1

Release notes

Sourced from mistune's releases.

v3.3.1

   🐞 Bug Fixes

• abbr: Update process_text method in abrr, adding parse_emphasis parameter  -  by @​lepture (ae850)
• directive: Use correct file path for include directive  -  by @​lepture (18c21)

    View changes on GitHub

v3.3.0

   🐞 Bug Fixes

• Resolve O(n^2) DoS in parse_link_text (CWE-400)  -  by bhanugoudm041 (b6b49)
• Resolve O(n^2) DoS in parse_link_text (CWE-400)-Type handling/testing done  -  by bhanugoudm041 (b3af8)
• block: Avoid quadratic ref link scans  -  by @​lepture (2b04d)
• cli: Add entrypoint and utf-8 output  -  by @​lepture (2f244)
• directives: Constrain include targets  -  by @​lepture (1bef3)
• formatting: Avoid quadratic marker scans  -  by @​lepture (96d0f)
• image: Validate figure width option  -  by @​lepture (e3e51)
• inline: Avoid bracket parsing DoS  -  by @​lepture (25f25)
• math: Reject currency patterns and cross-line matches in inline math  -  by @​geopanther (566e1)
• math: Support display and backtick math  -  by @​lepture (1141e)
• renderer: Render plugin list and table nodes  -  by @​lepture (614b0)
• renderer: Block encoded unsafe URL schemes  -  by @​lepture (c7101)
• toc: Avoid generated id collisions  -  by @​lepture (c4093)

   🏎 Performance

• Improve performance  -  by @​lepture (bf95c)

    View changes on GitHub

Changelog

Sourced from mistune's changelog.

Version 3.3.1

Released on Jun 22, 2026

• Fix abbr plugin compatibility with escaped inline text.
• Normalize included Markdown line endings before parsing directives.

Version 3.3.0

Released on Jun 21, 2026

• Improve CommonMark compatibility and parser performance.
• Add command line entrypoint with UTF-8 output.
• Support display and backtick math.
• Render plugin list and table nodes in Markdown renderer.
• Escape leading block markers in Markdown renderer.
• Fix RST renderer for block quotes nested in lists.
• Avoid generated heading ID collisions in TOC.
• Harden URL, image, figure, and include directive handling.
• Fix quadratic scans in inline links, reference links, and formatting markers.
• Fix math escaping, currency pattern matching, and cross-line matching.

Commits

• 36de47c chore: release 3.3.1
• 18c21d7 fix(directive): use correct file path for include directive
• ae850f5 fix(abbr): update process_text method in abrr, adding parse_emphasis parameter
• 15c3b79 chore: release 3.3.0
• bdc01ad tests: increase run time on pypy
• 7cf1814 tests: increase run time for pypy
• 6dfdc3d tests: add more tests
• 17c50f6 chore: fix mypy issues
• 63abe4b chore: use ruff check and format
• e6c1b18 chore: resolve mypy issues
• Additional commits viewable in compare view

Updates numpy from 2.3.5 to 2.4.6

Release notes

Sourced from numpy's releases.

v2.4.6 (May 18, 2026)

NumPy 2.4.6 Release Notes

NumPy 2.4.6 is a quick release that fixes a regression discovered in the 2.4.5 release.

This release supports Python versions 3.11-3.14

Contributors

A total of 4 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

• !EarlMilktea
• Charles Harris
• Sebastian Berg
• Warren Weckesser

Pull requests merged

A total of 4 pull requests were merged for this release.

• #31444: MAINT: Prepare 2.4.x for further development
• #31453: BUG: Fix regression in arr.conj()
• #31459: BUG: np.linalg.svd(..., hermitian=True) returns non-unitary...
• #31460: BUG: Don't call INCREF/DECREF on descr in NpyStringAcquireAllocator...

v2.4.5 (May 15, 2026)

NumPy 2.4.5 Release Notes

NumPy 2.4.5 is a patch release that fixes bugs discovered after the 2.4.4 release, has some typing improvements, and maintains infrastructure.

This release supports Python versions 3.11-3.14

Contributors

A total of 17 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

• Aleksei Nikiforov
• Anarion Zuo +
• Ankit Ahlawat
• Breno Favaretto +
• Charles Harris
• Igor Krivenko +
• Ijtihed Kilani +
• Joren Hammudoglu
• Maarten Baert +

... (truncated)

Changelog

Sourced from numpy's changelog.

This is a walkthrough of the NumPy 2.4.0 release on Linux, which will be the first feature release using the numpy/numpy-release <https://github.com/numpy/numpy-release>__ repository.

The commands can be copied into the command line, but be sure to replace 2.4.0 with the correct version. This should be read together with the :ref:general release guide <prepare_release>.

Facility preparation

Before beginning to make a release, use the requirements/*_requirements.txt files to ensure that you have the needed software. Most software can be installed with pip, but some will require apt-get, dnf, or whatever your system uses for software. You will also need a GitHub personal access token (PAT) to push the documentation. There are a few ways to streamline things:

• Git can be set up to use a keyring to store your GitHub personal access token. Search online for the details.

Prior to release

Add/drop Python versions

When adding or dropping Python versions, multiple config and CI files need to be edited in addition to changing the minimum version in pyproject.toml. Make these changes in an ordinary PR against main and backport if necessary. We currently release wheels for new Python versions after the first Python RC once manylinux and cibuildwheel support that new Python version.

Backport pull requests

Changes that have been marked for this release must be backported to the maintenance/2.4.x branch.

Update 2.4.0 milestones

Look at the issues/prs with 2.4.0 milestones and either push them off to a later version, or maybe remove the milestone. You may need to add a milestone.

Check the numpy-release repo

... (truncated)

Commits

• b832a09 Merge pull request #31462 from charris/prepare-2.4.6
• 57cc147 REL: Prepare for the NumPy 2.4.6 release
• 0c72b0b Merge pull request #31459 from charris/backport-31347
• 9778d26 BUG: core: Don't call INCREF/DECREF on descr in NpyStringAcquireAllocator. (#...
• e0e3876 BUG: core: Don't call INCREF/DECREF on descr in NpyStringAcquireAllocator. (#...
• d1bffeb BUG: np.linalg.svd(..., hermitian=True) returns non-unitary vh (#31347)
• 8d8d7e5 Merge pull request #31453 from seberg/issue-31452
• bddaab7 BUG: Fix regression in arr.conj()
• 37a1ecc Merge pull request #31444 from charris/begin-2.4.6
• 3c0e043 MAINT: Prepare 2.4.x for further development
• Additional commits viewable in compare view

Updates psutil from 7.1.3 to 7.2.2

Changelog

Sourced from psutil's changelog.

7.2.2 — 2026-01-28 ^^^^^^^^^^^^^^^^^^

Enhancements

• :gh:2705: [Linux]: :meth:Process.wait now uses pidfd_open() + poll() (no busy loop). Requires Linux >= 5.3 and Python >= 3.9.
• :gh:2705: [macOS], [BSD]: :meth:Process.wait now uses kqueue() (no busy loop).

Bug fixes

• :gh:2701, [macOS]: fix compilation error on macOS < 10.7. (patch by :user:Sergey Fedorov <barracuda156>)
• :gh:2707, [macOS]: fix potential memory leaks in error paths of :meth:Process.memory_full_info and :meth:Process.threads.
• :gh:2708, [macOS]: :meth:Process.cmdline and :meth:Process.environ may fail with OSError: [Errno 0] Undefined error (from sysctl(KERN_PROCARGS2)). They now raise :exc:AccessDenied instead.

7.2.1 — 2025-12-29 ^^^^^^^^^^^^^^^^^^

Bug fixes

• :gh:2699, [FreeBSD], [NetBSD]: :func:heap_info does not detect small allocations (<= 1K). In order to fix that, we now flush internal jemalloc cache before fetching the metrics.

7.2.0 — 2025-12-23 ^^^^^^^^^^^^^^^^^^

Enhancements

• :gh:1275: new :func:heap_info and :func:heap_trim functions, providing direct access to the platform's native C :term:heap allocator (glibc, mimalloc, libmalloc). Useful to create tools to detect memory leaks.
• :gh:2403, [Linux]: publish wheels for Linux musl.
• :gh:2680: unit tests are no longer installed / part of the distribution. They now live under tests/ instead of psutil/tests.

Bug fixes

• :gh:2684, [FreeBSD], [critical]: compilation fails on FreeBSD 14 due to missing include.
• :gh:2691, [Windows]: fix memory leak in :func:net_if_stats due to missing Py_CLEAR.

Compatibility notes

... (truncated)

Commits

• 9eea97d Pre-release
• 938ac64 Rm sphinxcontrib.googleanalytics; override layout.html
• 9dcbb7e Add sphinxcontrib-googleanalytics to requirements.txt
• 76eaf9a Try to add google analytics to doc
• de1cafa Update doc mentioning Process.wait() internal details
• bb30943 Refact can_use_pidfd_open() and can_use_kqueue()
• a571717 #2708, macos / cmdline / environ; raise AD instead of OSError(0) (#2709)
• 8b98c3e Pre-release
• 700b7e6 [macOS] fix potential leaks in error paths (#2707)
• 7cc7923 Windows / cmdline(): be more defensive in free()ing in case of error
• Additional commits viewable in compare view

Updates pyasn1 from 0.6.1 to 0.6.3

Release notes

Sourced from pyasn1's releases.

Release 0.6.3

It's a minor release.

• Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (CVE-2026-30922).
• Fixed OverflowError from oversized BER length field.
• Fixed DeprecationWarning stacklevel for deprecated attributes.
• Fixed asDateTime incorrect fractional seconds parsing.

All changes are noted in the CHANGELOG.

Release 0.6.2

It's a minor release.

• Fixed continuation octet limits in OID/RELATIVE-OID decoder (CVE-2026-23490).
• Added support for Python 3.14.
• Added SECURITY.md policy.
• Migrated to pyproject.toml packaging.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.3, released 16-03-2026

• CVE-2026-30922 (GHSA-jr27-m4p2-rc6r): Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (thanks for reporting, romanticpragmatism)
• Fixed OverflowError from oversized BER length field [issue #54](pyasn1/pyasn1#54) [pr #100](pyasn1/pyasn1#100)
• Fix...

  Description has been truncated

[dependabot]

Labels

The following labels could not be found: python. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.