Bump the python-packages group across 1 directory with 22 updates

[dependabot]

Updates the requirements on apscheduler, celery, cryptography, fastapi, filelock, httpx, logfire, logfire[celery,fastapi,psycopg2,requests], pillow, pip, pydantic, pydantic-settings, redis, ruff, sentry-sdk, setuptools, sqlalchemy, sqlmodel, starlette, uvicorn, coverage and pytest to permit the latest version.
Updates apscheduler to 3.11.2

Release notes

Sourced from apscheduler's releases.

3.11.2

• Fixed an issue where a job using a CronTrigger scheduled in a repeated time interval during DST transitions could cause the scheduler to get stuck in an infinite loop (#1021; PR by @​soulofakuma)

Commits

• 0f70950 Added the release version
• bc404e6 Updated publish actions
• c3aa155 Updated pre-commit modules
• ad6b2dc Added fix for get_next_fire_time not advancing through fold with unfolded pre...
• f4df139 Added the release version
• 25be7b7 Fixed CronTrigger getting stuck on fallback DST transition (#1079)
• 1261386 Updated etcd image repository name
• b1f5636 Fixed shutdown() not raising the correct exception for some schedulers
• See full diff in compare view

Updates celery to 5.6.2

Release notes

Sourced from celery's releases.

v5.6.2

What's Changed

• Fix recursive WorkController instantiation in DjangoWorkerFixup + AttributeError when pool_cls is a string by @​bruunotrindade in celery/celery#10045
• Bugfix: Revoked tasks now immediately update backend status to REVOKED by @​Nusnus in celery/celery#9869
• Prepare for release: v5.6.2 by @​Nusnus in celery/celery#10049

New Contributors

• @​bruunotrindade made their first contribution in celery/celery#10045

Full Changelog: celery/celery@v5.6.1...v5.6.2

Changelog

Sourced from celery's changelog.

5.6.2

:release-date: 2026-01-04 :release-by: Tomer Nosrati

What's Changed

- Fix recursive WorkController instantiation in DjangoWorkerFixup + AttributeError when pool_cls is a string ([#10045](https://github.com/celery/celery/issues/10045))
- Bugfix: Revoked tasks now immediately update backend status to REVOKED ([#9869](https://github.com/celery/celery/issues/9869))
- Prepare for release: v5.6.2 ([#10049](https://github.com/celery/celery/issues/10049))
.. _version-5.6.1:
5.6.1
:release-date: 2025-12-29
:release-by: Tomer Nosrati
What's Changed

• Fix Redis Sentinel ACL authentication support (#10013)
• Fix: Broker heartbeats not sent during graceful shutdown (#9986)
• docs #5410 -- Document confirm_publish broker transport option (#10016)
• close DB pools only in prefork mode (#10020)
• Fix: Avoid unnecessary Django database connection creation during cleanup (#10015)
• reliable prefork detection (#10023)
• better coverage (#10029)
• Docs: clarify result_extended vs periodic task metadata and show headers["periodic_task_name"] example (#10030)
• Stop importing pytest_subtests (#10032)
• Only use exceptiongroup backport for Python < 3.11 (#10033)
• Prepare for release: v5.6.1 (#10037)

.. _version-5.6.0:

5.6.0

:release-date: 2025-11-30 :release-by: Tomer Nosrati

Celery v5.6.0 is now available.

Key Highlights

See :ref:`whatsnew-5.6` for a complete overview or read the main highlights below.
</tr></table> 

... (truncated)

Commits

• 6a43c84 Prepare for release: v5.6.2 (#10049)
• 333a82f Bugfix: Revoked tasks now immediately update backend status to REVOKED (#9869)
• 9d6ab11 Fix recursive WorkController instantiation in DjangoWorkerFixup + AttributeEr...
• 21dbc73 Prepare for release: v5.6.1 (#10037)
• ba20bed Only use exceptiongroup backport for Python < 3.11 (#10033)
• 2167529 Stop importing pytest_subtests
• 0527296 Bump google-cloud-firestore from 2.21.0 to 2.22.0
• 5f8659b Clarify 'result_extended' setting usage in tasks
• f19db70 Bump mypy from 1.19.0 to 1.19.1 (#10028)
• 6da72bd better coverage (#10029)
• Additional commits viewable in compare view

Updates cryptography to 46.0.3

Changelog

Sourced from cryptography's changelog.

46.0.3 - 2025-10-15

* Fixed compilation when using LibreSSL 4.2.0.
.. _v46-0-2:
46.0.2 - 2025-09-30

• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.4.

.. _v46-0-1:

46.0.1 - 2025-09-16

* Fixed an issue where users installing via ``pip`` on Python 3.14 development
  versions would not properly install a dependency.
* Fixed an issue building the free-threaded macOS 3.14 wheels.
.. _v46-0-0:
46.0.0 - 2025-09-16

• BACKWARDS INCOMPATIBLE: Support for Python 3.7 has been removed.
• Support for OpenSSL < 3.0 is deprecated and will be removed in the next release.
• Support for x86_64 macOS (including publishing wheels) is deprecated and will be removed in two releases. We will switch to publishing an arm64 only wheel for macOS.
• Support for 32-bit Windows (including publishing wheels) is deprecated and will be removed in two releases. Users should move to a 64-bit Python installation.
• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.3.
• We now build ppc64le manylinux wheels and publish them to PyPI.
• We now build win_arm64 (Windows on Arm) wheels and publish them to PyPI.
• Added support for free-threaded Python 3.14.
• Removed the deprecated get_attribute_for_oid method on :class:~cryptography.x509.CertificateSigningRequest. Users should use :meth:~cryptography.x509.Attributes.get_attribute_for_oid instead.
• Removed the deprecated CAST5, SEED, IDEA, and Blowfish classes from the cipher module. These are still available in :doc:/hazmat/decrepit/index.
• In X.509, when performing a PSS signature with a SHA-3 hash, it is now encoded with the official NIST SHA3 OID.

.. _v45-0-7:

... (truncated)

Commits

• c0af4dd release 46.0.3 (#13681)
• See full diff in compare view

Updates fastapi to 0.128.0

Release notes

Sourced from fastapi's releases.

0.128.0

Breaking Changes

• ➖ Drop support for pydantic.v1. PR #14609 by @​tiangolo.

Internal

• ✅ Run performance tests only on Pydantic v2. PR #14608 by @​tiangolo.

Commits

• 8322a44 🔖 Release version 0.128.0
• 4b2cfcf 📝 Update release notes
• e300630 ➖ Drop support for pydantic.v1 (#14609)
• 1b3bea8 📝 Update release notes
• 34e8841 ✅ Run performance tests only on Pydantic v2 (#14608)
• cd90c78 🔖 Release version 0.127.1
• 93f4dfd 📝 Update release notes
• 535b5da 🔊 Add a custom FastAPIDeprecationWarning (#14605)
• 6b53786 📝 Update release notes
• d98f4eb 🔧 Update pre-commit to use local Ruff instead of hook (#14604)
• Additional commits viewable in compare view

Updates filelock to 3.20.3

Release notes

Sourced from filelock's releases.

3.20.3

What's Changed

• Fix TOCTOU symlink vulnerability in SoftFileLock by @​gaborbernat in tox-dev/filelock#465

Full Changelog: tox-dev/filelock@3.20.2...3.20.3

Changelog

Sourced from filelock's changelog.

Changelog

v3.12.0 (2023-04-18)

• Make the thread local behavior something the caller can enable/disable via a flag during the lock creation, it's on by default.
• Better error handling on Windows.

v3.11.0 (2023-04-06)

• Make the lock thread local.

v3.10.7 (2023-03-27)

• Use fchmod instead of chmod to work around bug in PyPy via Anaconda.

v3.10.6 (2023-03-25)

• Enhance the robustness of the try/catch block in _soft.py. by :user:jahrules.

v3.10.5 (2023-03-25)

• Add explicit error check as certain UNIX filesystems do not support flock. by :user:jahrules.

v3.10.4 (2023-03-24)

• Update os.open to preserve mode= for certain edge cases. by :user:jahrules.

v3.10.3 (2023-03-23)

• Fix permission issue - by :user:jahrules.

v3.10.2 (2023-03-22)

• Bug fix for using filelock with threaded programs causing undesired file permissions - by :user:jahrules.

v3.10.1 (2023-03-22)

• Handle pickle for :class:filelock.Timeout :pr:203 - by :user:TheMatt2.

v3.10.0 (2023-03-15)

• Add support for explicit file modes for lockfiles :pr:192 - by :user:jahrules.

v3.9.1 (2023-03-14)

• Use time.perf_counter instead of time.monotonic for calculating timeouts.

v3.9.0 (2022-12-28)

... (truncated)

Commits

• 41b42dd Fix TOCTOU symlink vulnerability in SoftFileLock (#465)
• f2e7d40 [pre-commit.ci] pre-commit autoupdate (#464)
• 5088854 Support Unix systems without O_NOFOLLOW (#463)
• 377f622 [pre-commit.ci] pre-commit autoupdate (#460)
• 4724d7f Fix TOCTOU symlink vulnerability in lock file creation (#461)
• cb69414 Bump actions/upload-artifact from 5 to 6 (#459)
• 0769294 Bump actions/download-artifact from 6 to 7 (#458)
• 414193a [pre-commit.ci] pre-commit autoupdate (#457)
• 1456797 [pre-commit.ci] pre-commit autoupdate (#456)
• 8d6bf90 Bump actions/checkout from 5 to 6 (#455)
• Additional commits viewable in compare view

Updates httpx from 0.27.2 to 0.28.1

Release notes

Sourced from httpx's releases.

Version 0.28.1

0.28.1 (6th December, 2024)

• Fix SSL case where verify=False together with client side certificates.

Version 0.28.0

0.28.0 (28th November, 2024)

The 0.28 release includes a limited set of deprecations.

Deprecations:

We are working towards a simplified SSL configuration API.

For users of the standard verify=True or verify=False cases, or verify=<ssl_context> case this should require no changes. The following cases have been deprecated...

• The verify argument as a string argument is now deprecated and will raise warnings.
• The cert argument is now deprecated and will raise warnings.

Our revised SSL documentation covers how to implement the same behaviour with a more constrained API.

The following changes are also included:

• The deprecated proxies argument has now been removed.
• The deprecated app argument has now been removed.
• JSON request bodies use a compact representation. (#3363)
• Review URL percent escape sets, based on WHATWG spec. (#3371, #3373)
• Ensure certifi and httpcore are only imported if required. (#3377)
• Treat socks5h as a valid proxy scheme. (#3178)
• Cleanup Request() method signature in line with client.request() and httpx.request(). (#3378)
• Bugfix: When passing params={}, always strictly update rather than merge with an existing querystring. (#3364)

Changelog

Sourced from httpx's changelog.

0.28.1 (6th December, 2024)

• Fix SSL case where verify=False together with client side certificates.

0.28.0 (28th November, 2024)

Be aware that the default JSON request bodies now use a more compact representation. This is generally considered a prefered style, tho may require updates to test suites.

The 0.28 release includes a limited set of deprecations...

Deprecations:

We are working towards a simplified SSL configuration API.

For users of the standard verify=True or verify=False cases, or verify=<ssl_context> case this should require no changes. The following cases have been deprecated...

• The verify argument as a string argument is now deprecated and will raise warnings.
• The cert argument is now deprecated and will raise warnings.

Our revised SSL documentation covers how to implement the same behaviour with a more constrained API.

The following changes are also included:

• The deprecated proxies argument has now been removed.
• The deprecated app argument has now been removed.
• JSON request bodies use a compact representation. (#3363)
• Review URL percent escape sets, based on WHATWG spec. (#3371, #3373)
• Ensure certifi and httpcore are only imported if required. (#3377)
• Treat socks5h as a valid proxy scheme. (#3178)
• Cleanup Request() method signature in line with client.request() and httpx.request(). (#3378)
• Bugfix: When passing params={}, always strictly update rather than merge with an existing querystring. (#3364)

Commits

• 26d48e0 Version 0.28.1 (#3445)
• 89599a9 Fix verify=False, cert=... case. (#3442)
• 8ecb86f Add test for request params behavior changes (#3364) (#3440)
• 0cb7e5a Bump the python-packages group with 11 updates (#3434)
• 15e21e9 Updating deprecated docstring Client() class (#3426)
• 80960fa Version 0.28.0. (#3419)
• a33c878 Fix extensions type annotation. (#3380)
• ce7e14d Error on verify as str. (#3418)
• 47f4a96 Handle empty zstd responses (#3412)
• 189fc4b Update CHANGELOG.md, fix typo(s) (#3406)
• Additional commits viewable in compare view

Updates logfire to 4.19.0

Release notes

Sourced from logfire's releases.

v4.19.0

• Add DSPy integration to logfire by @​bdsaglam in #1625
• Set log level based on HTTP status code, create issues for handled exceptions in FastAPI when the status code is 5xx by @​alexmojaki in #1628
• Add OTel GenAI semantic convention attributes to LLM instrumentations by @​jimilp7 in #1619
• Minor optimization: move tweaking of ASGI send/receive span level by @​alexmojaki in #1629

Changelog

Sourced from logfire's changelog.

[v4.19.0] (2026-01-16)

• Add DSPy integration to logfire by @​bdsaglam in #1625
• Set log level based on HTTP status code, create issues for handled exceptions in FastAPI when the status code is 5xx by @​alexmojaki in #1628
• Add OTel GenAI semantic convention attributes to LLM instrumentations by @​jimilp7 in #1619
• Minor optimization: move tweaking of ASGI send/receive span level by @​alexmojaki in #1629

[v4.18.0] (2026-01-12)

• Adds aiohttp request body capture. by @​adtyavrdhn in #1595
• Claude SDK instrumentation by @​alexmojaki in #1618

[v4.17.0] (2026-01-07)

• logfire.instrument_surrealdb by @​alexmojaki in #1573
• feat(config): allow custom Views in MetricOptions by @​cyberksh in #1552
• Handle unpicklable configuration in ProcessPoolExecutor patch #1556 by @​pipinstalled in #1567
• Maintain original LLM request context when logging the streaming response by @​yiphei in #1566
• Add note about write_token permission in logfire projects commands by @​Viicos in #1545

[v4.16.0] (2025-12-04)

• Support OpenTelemetry 1.39.0, drop support for earlier versions, stop using the OTel events API/SDK by @​alexmojaki in #1562
• Add new_trace parameter to logfire.instrument by @​njz-cvm in #1499
• Fix JSON serialization error with instrument_google_genai by @​alexmojaki in #1551
• Support kwargs in ProxyLogger emit() by @​qianl15 in #1561

[v4.15.1] (2025-11-20)

• Make logfire.instrumented functions cloudpicklable by @​alexmojaki in #1542

[v4.15.0] (2025-11-19)

• Limit retried exports based on total size, not number by @​alexmojaki in #1527
• More tweaks to retrying exports by @​alexmojaki in #1531

[v4.14.2] (2025-10-24)

• Ensure OTEL_EXPORTER_OTLP_HEADERS doesn't override logfire token by @​alexmojaki in #1500

[v4.14.1] (2025-10-22)

• Skip recording exceptions on NonRecordingSpan by @​alexmojaki in #1497

[v4.14.0] (2025-10-21)

• Support OpenTelemetry 1.38, fix instrument_google_genai and instrument_langchain by @​alexmojaki in #1495

[v4.13.2] (2025-10-13)

... (truncated)

Commits

• ede767f Release v4.19.0 (#1631)
• 7a3e157 Add DSPy integration to logfire (#1625)
• 8daff1b Add Vercel AI SDK integration documentation (#1630)
• ccda603 Minor optimization: move tweaking of ASGI send/receive span level (#1629)
• 2ec0a54 Set log level based on HTTP status code, create issues for handled exceptions...
• 4f4bcbb Add OTel GenAI semantic convention attributes to LLM instrumentations (#1619)
• 1e65974 Release v4.18.0 (#1624)
• e7b89a6 Claude SDK instrumentation (#1618)
• 4074714 chore: upgrade uv in weekly deps test (#1623)
• 5126c16 optimize: default to stable pydantic in dev, keep git build for weekly CI (#1...
• Additional commits viewable in compare view

Updates logfire[celery,fastapi,psycopg2,requests] to 4.19.0

Release notes

Sourced from logfire[celery,fastapi,psycopg2,requests]'s releases.

v4.19.0

• Add DSPy integration to logfire by @​bdsaglam in #1625
• Set log level based on HTTP status code, create issues for handled exceptions in FastAPI when the status code is 5xx by @​alexmojaki in #1628
• Add OTel GenAI semantic convention attributes to LLM instrumentations by @​jimilp7 in #1619
• Minor optimization: move tweaking of ASGI send/receive span level by @​alexmojaki in #1629

Changelog

Sourced from logfire[celery,fastapi,psycopg2,requests]'s changelog.

[v4.19.0] (2026-01-16)

• Add DSPy integration to logfire by @​bdsaglam in #1625
• Set log level based on HTTP status code, create issues for handled exceptions in FastAPI when the status code is 5xx by @​alexmojaki in #1628
• Add OTel GenAI semantic convention attributes to LLM instrumentations by @​jimilp7 in #1619
• Minor optimization: move tweaking of ASGI send/receive span level by @​alexmojaki in #1629

[v4.18.0] (2026-01-12)

• Adds aiohttp request body capture. by @​adtyavrdhn in #1595
• Claude SDK instrumentation by @​alexmojaki in #1618

[v4.17.0] (2026-01-07)

• logfire.instrument_surrealdb by @​alexmojaki in #1573
• feat(config): allow custom Views in MetricOptions by @​cyberksh in #1552
• Handle unpicklable configuration in ProcessPoolExecutor patch #1556 by @​pipinstalled in #1567
• Maintain original LLM request context when logging the streaming response by @​yiphei in #1566
• Add note about write_token permission in logfire projects commands by @​Viicos in #1545

[v4.16.0] (2025-12-04)

• Support OpenTelemetry 1.39.0, drop support for earlier versions, stop using the OTel events API/SDK by @​alexmojaki in #1562
• Add new_trace parameter to logfire.instrument by @​njz-cvm in #1499
• Fix JSON serialization error with instrument_google_genai by @​alexmojaki in #1551
• Support kwargs in ProxyLogger emit() by @​qianl15 in #1561

[v4.15.1] (2025-11-20)

• Make logfire.instrumented functions cloudpicklable by @​alexmojaki in #1542

[v4.15.0] (2025-11-19)

• Limit retried exports based on total size, not number by @​alexmojaki in #1527
• More tweaks to retrying exports by @​alexmojaki in #1531

[v4.14.2] (2025-10-24)

• Ensure OTEL_EXPORTER_OTLP_HEADERS doesn't override logfire token by @​alexmojaki in #1500

[v4.14.1] (2025-10-22)

• Skip recording exceptions on NonRecordingSpan by @​alexmojaki in #1497

[v4.14.0] (2025-10-21)

• Support OpenTelemetry 1.38, fix instrument_google_genai and instrument_langchain by @​alexmojaki in #1495

[v4.13.2] (2025-10-13)

... (truncated)

Commits

• ede767f Release v4.19.0 (#1631)
• 7a3e157 Add DSPy integration to logfire (#1625)
• 8daff1b Add Vercel AI SDK integration documentation (#1630)
• ccda603 Minor optimization: move tweaking of ASGI send/receive span level (#1629)
• 2ec0a54 Set log level based on HTTP status code, create issues for handled exceptions...
• 4f4bcbb Add OTel GenAI semantic convention attributes to LLM instrumentations (#1619)
• 1e65974 Release v4.18.0 (#1624)
• e7b89a6 Claude SDK instrumentation (#1618)
• 4074714 chore: upgrade uv in weekly deps test (#1623)
• 5126c16 optimize: default to stable pydantic in dev, keep git build for weekly CI (#1...
• Additional commits viewable in compare view

Updates pillow to 12.1.0

Release notes

Sourced from pillow's releases.

12.1.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.0.html

Deprecations

• Deprecate getdata(), in favour of new get_flattened_data() #9292 [@​radarhere]

Documentation

• Specify APNG duration type when opening #9368 [@​radarhere]
• Added release notes for #9350 #9366 [@​radarhere]
• Update ImageMorph documentation #9349 [@​radarhere]
• Docs: update major bump cadence #9334 [@​hugovk]
• Add release notes for #9070 #9320 [@​radarhere]
• Updated Ubuntu version #9306 [@​radarhere]
• Update macOS tested Pillow versions #9265 [@​radarhere]

Dependencies

• Update harfbuzz to 12.3.0 #9355 [@​radarhere]
• Update xz to 5.8.2 #9343 [@​radarhere]
• Updated libjpeg-turbo to 3.1.3 #9333 [@​radarhere]
• Updated zlib-ng to 2.3.2 #9324 [@​radarhere]
• Updated libpng to 1.6.53 #9325 [@​radarhere]
• Update actions/checkout action to v6 #9323 [@renovate[bot]]
• Update dependency mypy to v1.19.0 #9322 [@renovate[bot]]
• Updated libpng to 1.6.51 #9305 [@​radarhere]
• Updated brotli to 1.2.0 #9284 [@​radarhere]
• Update libimagequant to 4.4.1 #9301 [@​radarhere]
• Update zlib-ng to 2.3.1, except on manylinux2014 aarch64 #9312 [@​radarhere]
• Updated harfbuzz to 12.2.0 #9289 [@​radarhere]
• Update github-actions #9277 [@renovate[bot]]

Testing

• Replace pre-commit with prek #9360 [@​hugovk]
• Test PyQt6 on Python 3.14 on Windows #9353 [@​radarhere]
• Test 32-bit Windows on Windows Server 2022 #9345 [@​radarhere]
• Correct variable type #9335 [@​radarhere]
• Fix ResourceWarnings in selftest.py #9332 [@​hugovk]
• Fix testing good P mode BMP images #9319 [@​radarhere]
• Test Python 3.15 pre-release #9331 [@​hugovk]
• Test ImageFont.ImageFont, in case freetype2 is not supported #9287 [@​radarhere]
• Add Fedora 43 #9290 [@​radarhere]
• Remove Fedora 41 #9260 [@​radarhere]

Type hints

• Add ImageFile context manager #9367 [@​radarhere]
• Assert fp is not None #8617 [@​radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

Changelog (Pillow)

11.1.0 and newer

See GitHub Releases:

• https://github.com/python-pillow/Pillow/releases

11.0.0 (2024-10-15)

• Update licence to MIT-CMU #8460 [hugovk]

• Conditionally define ImageCms type hint to avoid requiring core #8197 [radarhere]

• Support writing LONG8 offsets in AppendingTiffWriter #8417 [radarhere]

• Use ImageFile.MAXBLOCK when saving TIFF images #8461 [radarhere]

• Do not close provided file handles with libtiff when saving #8458 [radarhere]

• Support ImageFilter.BuiltinFilter for I;16* images #8438 [radarhere]

• Use ImagingCore.ptr instead of ImagingCore.id #8341 [homm, radarhere, hugovk]

• Updated EPS mode when opening images without transparency #8281 [Yay295, radarhere]

• Use transparency when combining P frames from APNGs #8443 [radarhere]

• Support all resampling filters when resizing I;16* images #8422 [radarhere]

• Free memory on early return #8413 [radarhere]

• Cast int before potentially exceeding INT_MAX #8402 [radarhere]

... (truncated)

Commits

• 46f45f6 12.1.0 version bump
• c9ac097 Simplify band splitting (#9291)
• 3baedf2 Deprecate getdata(), in favour of new get_flattened_data() (#9292)
• b51a036 Specify APNG duration type when opening (#9368)
• 8d08e31 Add release notes for #9348 (#9369)
• 432707e Added release notes for #9348
• 2d58910 Specify APNG duration type when opening
• 8dee8dd Add ImageFile context manager (#9367)
• b2d9bc3 Support saving APNG float durations (#9365)
• f130c10 Allow 1 mode images in MorphOp (#9348)
• Additional commits viewable in compare view

Updates pip to 25.3

Changelog

Sourced from pip's changelog.

25.3 (2025-10-24)

Deprecations and Removals

• Remove support for the legacy setup.py develop editable method in setuptools editable installs; setuptools >= 64 is now required. ([#11457](https://github.com/pypa/pip/issues/11457) <https://github.com/pypa/pip/issues/11457>_)

• Remove the deprecated --global-option and --build-option. --config-setting is now the only way to pass options to the build backend. ([#11859](https://github.com/pypa/pip/issues/11859) <https://github.com/pypa/pip/issues/11859>_)

• Deprecate the PIP_CONSTRAINT environment variable for specifying build constraints.

  Use the --build-constraint option or the PIP_BUILD_CONSTRAINT environment variable instead. When build constraints are used, PIP_CONSTRAINT no longer affects isolated build environments. To enable this behavior without specifying any build constraints, use --use-feature=build-constraint. ([#13534](https://github.com/pypa/pip/issues/13534) <https://github.com/pypa/pip/issues/13534>_)

• Remove support for non-standard legacy wheel filenames. ([#13581](https://github.com/pypa/pip/issues/13581) <https://github.com/pypa/pip/issues/13581>_)

• Remove support for the deprecated setup.py bdist_wheel mechanism. Consequently, --use-pep517 is now always on, and --no-use-pep517 has been removed. ([#6334](https://github.com/pypa/pip/issues/6334) <https://github.com/pypa/pip/issues/6334>_)

Features

• When :pep:658 metadata is available, full distribution files are no longer downloaded when using pip lock or pip install --dry-run. ([#12603](https://github.com/pypa/pip/issues/12603) <https://github.com/pypa/pip/issues/12603>_)
• Add support for installing an editable requirement written as a Direct URL (PackageName @ URL). ([#13495](https://github.com/pypa/pip/issues/13495) <https://github.com/pypa/pip/issues/13495>_)
• Add support for build constraints via the --build-constraint option. This allows constraining the versions of packages used during the build process (e.g., setuptools) without affecting the final installation. ([#13534](https://github.com/pypa/pip/issues/13534) <https://github.com/pypa/pip/issues/13534>_)
• On ResolutionImpossible errors, include a note about causes with no candidates. ([#13588](https://github.com/pypa/pip/issues/13588) <https://github.com/pypa/pip/issues/13588>_)
• Building pip itself from source now uses flit-core instead of setuptools. This does not affect how pip installs or builds packages you use. ([#13473](https://github.com/pypa/pip/issues/13473) <https://github.com/pypa/pip/issues/13473>_)

Bug Fixes

• Handle malformed Version metadata entries and show a sensible error message instead of crashing. ([#13443](https://github.com/pypa/pip/issues/13443) <https://github.com/pypa/pip/issues/13443>_)
• Permit spaces between a filepath and extras in an install requirement. ([#13523](https://github.com/pypa/pip/issues/13523) <https://github.com/pypa/pip/issues/13523>_)
• Ensure the self-check files in the cache have the same permissions as the rest of the cache. ([#13528](https://github.com/pypa/pip/issues/13528) <https://github.com/pypa/pip/issues/13528>_)
• Avoid concurrency issues and improve performance when caching locally built wheels, especially when the temporary build directory is on a different filesystem than the cache. The wheel directory passed to the build backend is now a temporary subdirectory inside the cache directory. ([#13540](https://github.com/pypa/pip/issues/13540) <https://github.com/pypa/pip/issues/13540>_)
• Include relevant user-supplied constraints in logs when reporting dependency conflicts. ([#13545](https://github.com/pypa/pip/issues/13545) <https://github.com/pypa/pip/issues/13545>_)
• Fix a regression in configuration parsing that was turning a single value into a list and thus leading to a validation error. ([#13548](https://github.com/pypa/pip/issues/13548) <https://github.com/pypa/pip/issues/13548>_)
• For Python versions that do not support :pep:706, pip will now raise an installation error for a source distribution when it includes a symlink that points outside the source distribution archive. ([#13550](https://github.com/pypa/pip/issues/13550) <https://github.com/pypa/pip/issues/13550>_)
• Prevent --user installs if site.ENABLE_USER_SITE is set to False. ([#8794](https://github.com/pypa/pip/issues/8794) <https://github.com/pypa/pip/issues/8794>_)

... (truncated)

Commits

• a520693 Bump for release
• 0f2973e Fix up authors by adding entry to .mailmap
• 87828dc Update AUTHORS.txt
• ce6a38c Merge pull request