Skip to content

build(deps): bump the production-dependencies group across 1 directory with 2 updates #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dependabot wants to merge 1 commit into
base: main
Choose a base branch
from
Open

build(deps): bump the production-dependencies group across 1 directory with 2 updates #9

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Dec 23, 2025
edited
Loading

Bumps the production-dependencies group with 2 updates in the /docs directory: pyparsing and urllib3.

Updates pyparsing from 3.2.5 to 3.3.1

Changelog

Sourced from pyparsing's changelog.

Version 3.3.1 - December, 2025

  • Added license info to metadata, following PEP-639. Thanks to Gedalia Pasternak and Marc Mueller for submitted issue and PR. Fixes #626.

Version 3.3.0 - December, 2025

=========================================================================================== The version 3.3.0 release will begin emitting DeprecationWarnings for pyparsing methods that have been renamed to PEP8-compliant names (introduced in pyparsing 3.0.0, in August, 2021, with legacy names retained as aliases). In preparation, I added in pyparsing 3.2.2 a utility for finding and replacing the legacy method names with the new names. This utility is located at pyparsing/tools/cvt_pep8_names.py. This script will scan all Python files specified on the command line, and if the -u option is selected, will replace all occurrences of the old method names with the new PEP8-compliant names, updating the files in place.

Here is an example that converts all the files in the pyparsing /examples directory:

  python -m pyparsing.tools.cvt_pyparsing_pep8_names -u examples/*.py

The new names are compatible with pyparsing versions 3.0.0 and later.

  • Deprecated indentedBlock, when converted using the cvt_pyparsing_pep8_names utility, will emit UserWarnings that additional code changes will be required. This is because the new IndentedBlock class no longer requires the calling code to supply an indent stack, while adding support for nested indentation levels and grouping.

  • Deprecated locatedExpr, when converted using the cvt_pyparsing_pep8_names utility, will emit UserWarnings that additional code changes may be required. The new Located class removes the extra grouping level of the parsed values. (If the original locatedExpr parser was defined with a results name, then the extra grouping is retained, so that the results name nesting works properly; in this case, no code changes would be required.)

  • Updated all examples and test cases to use PEP8 names (unless the test case is specifically designed to test behavior of a legacy method). Added railroad diagrams for some examples.

  • Added exception handling when calling formatted_message(), so that str(exception) always returns at least something.

  • All unit tests pass with Python 3.14, including 3.14t. This does not necessarily mean that pyparsing is now thread-safe, just that when run in the free-threaded interpreter, there were no errors. None of the unit tests try to do any parsing with multiple threads - they test the basic functionality of the library, under various versions of packrat and left-recursive parsing.

... (truncated)

Commits
  • d73ce7a Update CHANGES file to reflect PR 627
  • 1089724 Mark for 3.3.1 dev/release
  • 421d20a Update license metadata to follow PEP 639
  • e4895d3 Reduced recursive grammar in tiny_parser.py to avoid
  • b6b0111 Blackening before releasing
  • 7fbbcbd Revert transform_string perf penalty in _flatten (introduced in 3.2.0b2)
  • 336647a Update perf scripts to run additional 3.2.x releases
  • 6413afc Prep for 3.3.0 release
  • 9223660 Added copyright line to LICENSE file
  • 92d8368 Remove obsolete comment
  • Additional commits viewable in compare view

Updates urllib3 from 2.5.0 to 2.6.2

Release notes

Sourced from urllib3's releases.

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

  • Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)

2.6.1

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

  • Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. (#3731)

2.6.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

  • Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @​Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)
  • Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @​illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)

[!IMPORTANT]

  • If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.
  • If you use custom decompressors, please make sure to update them to respect the changed API of urllib3.response.ContentDecoder.

Features

  • Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. (#3653)
  • Added host and port information to string representations of HTTPConnection. (#3666)
  • Added support for Python 3.14 free-threading builds explicitly. (#3696)

Removals

  • Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers. Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). (#3622)

... (truncated)

Changelog

Sourced from urllib3's changelog.

2.6.2 (2025-12-11)

  • Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. ([#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734>__)

2.6.1 (2025-12-08)

  • Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. ([#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731>__)

2.6.0 (2025-12-05)

Security

  • Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
  • Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

  • If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.

  • If you use custom decompressors, please make sure to update them to respect the changed API of urllib3.response.ContentDecoder.

Features

  • Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. ([#3653](https://github.com/urllib3/urllib3/issues/3653) <https://github.com/urllib3/urllib3/issues/3653>__)
  • Added host and port information to string representations of HTTPConnection. ([#3666](https://github.com/urllib3/urllib3/issues/3666) <https://github.com/urllib3/urllib3/issues/3666>__)
  • Added support for Python 3.14 free-threading builds explicitly. ([#3696](https://github.com/urllib3/urllib3/issues/3696) <https://github.com/urllib3/urllib3/issues/3696>__)

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
build(deps): bump the production-dependencies group across 1 director…
688669f 
…y with 2 updates

Bumps the production-dependencies group with 2 updates in the /docs directory: [pyparsing](https://github.com/pyparsing/pyparsing) and [urllib3](https://github.com/urllib3/urllib3).


Updates `pyparsing` from 3.2.5 to 3.3.1
- [Release notes](https://github.com/pyparsing/pyparsing/releases)
- [Changelog](https://github.com/pyparsing/pyparsing/blob/master/CHANGES)
- [Commits](pyparsing/pyparsing@3.2.5...3.3.1)

Updates `urllib3` from 2.5.0 to 2.6.2
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.5.0...2.6.2)

---
updated-dependencies:
- dependency-name: pyparsing
  dependency-version: 3.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: urllib3
  dependency-version: 2.6.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Dec 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant