build(deps): bump the pip group across 4 directories with 9 updates

[dependabot[bot]]

Bumps the pip group with 9 updates in the /samples/clip-search directory:

Package	From	To
transformers	4.31.0	4.36.0
aiohttp	3.8.5	3.9.0
certifi	2023.5.7	2023.7.22
fonttools	4.41.1	4.43.0
jinja2	3.1.2	3.1.3
pillow	10.0.0	10.0.1
pyarrow	12.0.1	14.0.1
starlette	0.27.0	0.35.1
urllib3	2.0.4	2.0.7

Bumps the pip group with 3 updates in the /samples/faiss_semantic_similarity directory: fonttools, jinja2 and pillow. Bumps the pip group with 2 updates in the /samples/semantic-search-fastapi directory: certifi and urllib3.

Updates transformers from 4.31.0 to 4.36.0

Release notes

Sourced from transformers's releases.

v4.36: Mixtral, Llava/BakLlava, SeamlessM4T v2, AMD ROCm, F.sdpa wide-spread support

New model additions

Mixtral

Mixtral is the new open-source model from Mistral AI announced by the blogpost Mixtral of Experts. The model has been proven to have comparable capabilities to Chat-GPT according to the benchmark results shared on the release blogpost.

The architecture is a sparse Mixture of Experts with Top-2 routing strategy, similar as NllbMoe architecture in transformers. You can use it through AutoModelForCausalLM interface:

>>> import torch
>>> from transformers import AutoModelForCausalLM, AutoTokenizer
>>> model = AutoModelForCausalLM.from_pretrained("mistralai/Mixtral-8x7B", torch_dtype=torch.float16, device_map="auto")
>>> tokenizer = AutoTokenizer.from_pretrained("mistralai/Mistral-8x7B")
>>> prompt = "My favourite condiment is"
>>> model_inputs = tokenizer([prompt], return_tensors="pt").to(device)
>>> model.to(device)
>>> generated_ids = model.generate(**model_inputs, max_new_tokens=100, do_sample=True)
>>> tokenizer.batch_decode(generated_ids)[0]

The model is compatible with existing optimisation tools such Flash Attention 2, bitsandbytes and PEFT library. The checkpoints are release under mistralai organisation on the Hugging Face Hub.

Llava / BakLlava

Llava is an open-source chatbot trained by fine-tuning LlamA/Vicuna on GPT-generated multimodal instruction-following data. It is an auto-regressive language model, based on the transformer architecture. In other words, it is an multi-modal version of LLMs fine-tuned for chat / instructions.

The Llava model was proposed in Improved Baselines with Visual Instruction Tuning by Haotian Liu, Chunyuan Li, Yuheng Li and Yong Jae Lee.

• [Llava] Add Llava to transformers by @​younesbelkada in #27662
• [LLaVa] Some improvements by @​NielsRogge in #27895

The integration also includes BakLlava which is a Llava model trained with Mistral backbone.

The mode is compatible with "image-to-text" pipeline:

from transformers import pipeline
from PIL import Image    
import requests
model_id = "llava-hf/llava-1.5-7b-hf"
</tr></table>

... (truncated)

Commits

• 1466677 Release: v4.36.0
• accccdd [Add Mixtral] Adds support for the Mixtral MoE (#27942)
• 0676d99 [from_pretrained] Make from_pretrained fast again (#27709)
• 9f18cc6 Fix SDPA dispatch & make SDPA CI compatible with torch<2.1.1 (#27940)
• 7ea21f1 [LLaVa] Some improvements (#27895)
• 5e620a9 Fix SeamlessM4Tv2ModelIntegrationTest (#27911)
• e96c1de Skip UnivNetModelTest::test_multi_gpu_data_parallel_forward (#27912)
• 8d8970e [BEiT] Fix test (#27934)
• 235be08 [DETA] fix backbone freeze/unfreeze function (#27843)
• df5c5c6 Fix typo (#27918)
• Additional commits viewable in compare view

Updates aiohttp from 3.8.5 to 3.9.0

Release notes

Sourced from aiohttp's releases.

3.9.0

Features

• Introduced AppKey for static typing support of Application storage. See https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-config

  (#5864)

• Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called. The period can be adjusted with the shutdown_timeout parameter. -- by :user:Dreamsorcerer. See https://docs.aiohttp.org/en/latest/web_advanced.html#graceful-shutdown

  (#7188)

• Added handler_cancellation <https://docs.aiohttp.org/en/stable/web_advanced.html#web-handler-cancellation>_ parameter to cancel web handler on client disconnection. -- by :user:mosquito This (optionally) reintroduces a feature removed in a previous release. Recommended for those looking for an extra level of protection against denial-of-service attacks.

  (#7056)

• Added support for setting response header parameters max_line_size and max_field_size.

  (#2304)

• Added auto_decompress parameter to ClientSession.request to override ClientSession._auto_decompress. -- by :user:Daste745

  (#3751)

• Changed raise_for_status to allow a coroutine.

  (#3892)

• Added client brotli compression support (optional with runtime check).

  (#5219)

• Added client_max_size to BaseRequest.clone() to allow overriding the request body size. -- :user:anesabml.

  (#5704)

• Added a middleware type alias aiohttp.typedefs.Middleware.

  (#5898)

• Exported HTTPMove which can be used to catch any redirection request that has a location -- :user:dreamsorcerer.

  (#6594)

... (truncated)

Changelog

Sourced from aiohttp's changelog.

3.9.0 (2023-11-18)

Features

• Introduced AppKey for static typing support of Application storage. See https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-config

  [#5864](https://github.com/aio-libs/aiohttp/issues/5864) <https://github.com/aio-libs/aiohttp/issues/5864>_

• Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called. The period can be adjusted with the shutdown_timeout parameter. -- by :user:Dreamsorcerer. See https://docs.aiohttp.org/en/latest/web_advanced.html#graceful-shutdown

  [#7188](https://github.com/aio-libs/aiohttp/issues/7188) <https://github.com/aio-libs/aiohttp/issues/7188>_

• Added handler_cancellation <https://docs.aiohttp.org/en/stable/web_advanced.html#web-handler-cancellation>_ parameter to cancel web handler on client disconnection. -- by :user:mosquito This (optionally) reintroduces a feature removed in a previous release. Recommended for those looking for an extra level of protection against denial-of-service attacks.

  [#7056](https://github.com/aio-libs/aiohttp/issues/7056) <https://github.com/aio-libs/aiohttp/issues/7056>_

• Added support for setting response header parameters max_line_size and max_field_size.

  [#2304](https://github.com/aio-libs/aiohttp/issues/2304) <https://github.com/aio-libs/aiohttp/issues/2304>_

• Added auto_decompress parameter to ClientSession.request to override ClientSession._auto_decompress. -- by :user:Daste745

  [#3751](https://github.com/aio-libs/aiohttp/issues/3751) <https://github.com/aio-libs/aiohttp/issues/3751>_

• Changed raise_for_status to allow a coroutine.

  [#3892](https://github.com/aio-libs/aiohttp/issues/3892) <https://github.com/aio-libs/aiohttp/issues/3892>_

• Added client brotli compression support (optional with runtime check).

  [#5219](https://github.com/aio-libs/aiohttp/issues/5219) <https://github.com/aio-libs/aiohttp/issues/5219>_

• Added client_max_size to BaseRequest.clone() to allow overriding the request body size. -- :user:anesabml.

  [#5704](https://github.com/aio-libs/aiohttp/issues/5704) <https://github.com/aio-libs/aiohttp/issues/5704>_

• Added a middleware type alias aiohttp.typedefs.Middleware.

  [#5898](https://github.com/aio-libs/aiohttp/issues/5898) <https://github.com/aio-libs/aiohttp/issues/5898>_

• Exported HTTPMove which can be used to catch any redirection request that has a location -- :user:dreamsorcerer.

... (truncated)

Commits

• 45b2c2c Release v3.9.0 (#7843)
• 5d59d3d Release v3.9.0rc0 (#7840)
• c806814 Release v3.9.0rc0 (#7838)
• e07a1bd Use timestamp instead of datetime to achieve faster cookie expiration… (#7837)
• 53476df Disallow arbitrary sequence types in version (#7835) (#7836)
• 9d712f2 Bump mypy from 1.6.1 to 1.7.0 (#7833)
• 63a805e Bump python-on-whales from 0.66.0 to 0.67.0 (#7832)
• cb94533 Ensure writer is always reset on completion (#7815) (#7826)
• c0f9017 [PR #7821/366ba40f backport][3.9] Only check origin if insecure scheme and th...
• 9d498ca Bump sphinx from 7.1.1 to 7.2.6 (#7606)
• Additional commits viewable in compare view

Updates certifi from 2023.5.7 to 2023.7.22

Commits

• 8fb96ed 2023.07.22
• afe7722 Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)
• 2038739 Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)
• 44df761 Hash pin Actions and enable dependabot (#228)
• See full diff in compare view

Updates fonttools from 4.41.1 to 4.43.0

Release notes

Sourced from fonttools's releases.

4.43.0

• [subset] Set up lxml XMLParser(resolve_entities=False) when parsing OT-SVG documents to prevent XML External Entity (XXE) attacks (9f61271dc): https://codeql.github.com/codeql-query-help/python/py-xxe/
• [varLib.iup] Added workaround for a Cython bug in iup_delta_optimize that was leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas (60126435d, cython/cython#5732).
• [varLib] Added new command-line entry point fonttools varLib.avar to add an avar table to an existing VF from axes mappings in a .designspace file (0a3360e52).
• [instancer] Fixed bug whereby no longer used variation regions were not correctly pruned after VarData optimization (#3268).
• Added support for Python 3.12 (#3283).

4.42.1

• [t1Lib] Fixed several Type 1 issues (#3238, #3240).
• [otBase/packer] Allow sharing tables reached by different offset sizes (#3241, #3236, 457f11c2).
• [varLib/merger] Fix Cursive attachment merging error when all anchors are NULL (#3248, #3247).
• [ttLib] Fixed warning when calling addMultilingualName and ttFont parameter was not passed on to findMultilingualName (#3253).

4.42.0

• [varLib] Use sentinel value 0xFFFF to mark a glyph advance in hmtx/vmtx as non participating, allowing sparse masters to contain glyphs for variation purposes other than {H,V}VAR (#3235).
• [varLib/cff] Treat empty glyphs in non-default masters as missing, thus not participating in CFF2 delta computation, similarly to how varLib already treats them for gvar (#3234).
• Added varLib.avarPlanner script to deduce 'correct' avar v1 axis mappings based on glyph average weights (#3223).

Changelog

Sourced from fonttools's changelog.

4.43.0 (released 2023-09-29)

• [subset] Set up lxml XMLParser(resolve_entities=False) when parsing OT-SVG documents to prevent XML External Entity (XXE) attacks (9f61271dc): https://codeql.github.com/codeql-query-help/python/py-xxe/
• [varLib.iup] Added workaround for a Cython bug in iup_delta_optimize that was leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas (60126435d, cython/cython#5732).
• [varLib] Added new command-line entry point fonttools varLib.avar to add an avar table to an existing VF from axes mappings in a .designspace file (0a3360e52).
• [instancer] Fixed bug whereby no longer used variation regions were not correctly pruned after VarData optimization (#3268).
• Added support for Python 3.12 (#3283).

4.42.1 (released 2023-08-20)

• [t1Lib] Fixed several Type 1 issues (#3238, #3240).
• [otBase/packer] Allow sharing tables reached by different offset sizes (#3241, #3236).
• [varLib/merger] Fix Cursive attachment merging error when all anchors are NULL (#3248, #3247).
• [ttLib] Fixed warning when calling addMultilingualName and ttFont parameter was not passed on to findMultilingualName (#3253).

4.42.0 (released 2023-08-02)

• [varLib] Use sentinel value 0xFFFF to mark a glyph advance in hmtx/vmtx as non participating, allowing sparse masters to contain glyphs for variation purposes other than {H,V}VAR (#3235).
• [varLib/cff] Treat empty glyphs in non-default masters as missing, thus not participating in CFF2 delta computation, similarly to how varLib already treats them for gvar (#3234).
• Added varLib.avarPlanner script to deduce 'correct' avar v1 axis mappings based on glyph average weights (#3223).

Commits

• 145460e Release 4.43.0
• 64f3fd8 Update changelog [skip ci]
• 7aea49e Merge pull request #3283 from hugovk/main
• 4470c44 Bump requirements.txt to support Python 3.12
• 0c87cba Bump scipy for Python 3.12 support
• eda6fa5 Add support for Python 3.12
• 0e033b0 Bump reportlab from 3.6.12 to 3.6.13 in /Doc
• 6012643 [iup] Work around cython bug
• b14268a [iup] Remove copy/pasta
• 0a3360e [varLib.avar] New module to compile avar from .designspace file
• Additional commits viewable in compare view

Updates jinja2 from 3.1.2 to 3.1.3

Release notes

Sourced from jinja2's releases.

3.1.3

This is a fix release for the 3.1.x feature branch.

• Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.
• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-3
• Milestone: https://github.com/pallets/jinja/milestone/15?closed=1

Changelog

Sourced from jinja2's changelog.

Version 3.1.3

Released 2024-01-10

• Fix compiler error when checking if required blocks in parent templates are empty. :pr:1858
• xmlattr filter does not allow keys with spaces. GHSA-h5c8-rqwp-cp95
• Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. :pr:1918

Commits

• d9de4bb release version 3.1.3
• 50124e1 skip test pypi
• 9ea7222 use trusted publishing
• da703f7 use trusted publishing
• bce1746 use trusted publishing
• 7277d80 update pre-commit hooks
• 5c8a105 Make nested-trans-block exceptions nicer (#1918)
• 19a55db Make nested-trans-block exceptions nicer
• 7167953 Merge pull request from GHSA-h5c8-rqwp-cp95
• 7dd3680 xmlattr filter disallows keys with spaces
• Additional commits viewable in compare view

Updates pillow from 10.0.0 to 10.0.1

Release notes

Sourced from pillow's releases.

10.0.1

https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html

Changes

• Updated libwebp to 1.3.2 #7395 [@​radarhere]
• Updated zlib to 1.3 #7344 [@​radarhere]

Changelog

Sourced from pillow's changelog.

10.0.1 (2023-09-15)

• Updated libwebp to 1.3.2 #7395 [radarhere]

• Updated zlib to 1.3 #7344 [radarhere]

Commits

• e34d346 Updated order
• a62f240 10.0.1 version bump
• d50250d Added release notes for 10.0.1
• b4c7d4b Update CHANGES.rst [ci skip]
• 730f746 Updated libwebp to 1.3.2
• b0e2804 Updated zlib to 1.3
• See full diff in compare view

Updates pyarrow from 12.0.1 to 14.0.1

Commits

• ba53748 MINOR: [Release] Update versions for 14.0.1
• 529f376 MINOR: [Release] Update .deb/.rpm changelogs for 14.0.1
• b84bbca MINOR: [Release] Update CHANGELOG.md for 14.0.1
• f141709 GH-38607: [Python] Disable PyExtensionType autoload (#38608)
• 5a37e74 GH-38431: [Python][CI] Update fs.type_name checks for s3fs tests (#38455)
• 2dcee3f MINOR: [Release] Update versions for 14.0.0
• 297428c MINOR: [Release] Update .deb/.rpm changelogs for 14.0.0
• 3e9734f MINOR: [Release] Update CHANGELOG.md for 14.0.0
• 9f90995 GH-38332: [CI][Release] Resolve symlinks in RAT lint (#38337)
• bd61239 GH-35531: [Python] C Data Interface PyCapsule Protocol (#37797)
• Additional commits viewable in compare view

Updates starlette from 0.27.0 to 0.35.1

Release notes

Sourced from starlette's releases.

Version 0.35.1

Fixed

• Stop using the deprecated "method" parameter in FileResponse inside of StaticFiles #2406.
• Make typing-extensions optional again #2409.

---

Full Changelog: https://github.com/encode/starlette/compare/0.35.0...0.35.1

Version 0.35.0

Added

• Add *args to Middleware and improve its type hints #2381.

Fixed

• Use Iterable instead Iterator on iterate_in_threadpool #2362.

Changes

• Handle root_path to keep compatibility with mounted ASGI applications and WSGI #2400.
• Turn scope["client"] to None on TestClient #2377.

---

Full Changelog: https://github.com/encode/starlette/compare/0.34.0...0.35.0

Version 0.34.0

Added

• Use ParamSpec for run_in_threadpool #2375.
• Add UploadFile.__repr__ #2360.

Fixed

• Merge URLs properly on TestClient #2376.
• Take weak ETags in consideration on StaticFiles #2334.

Deprecated

• Deprecate FileResponse(method=...) parameter #2366.

---

Full Changelog: https://github.com/encode/starlette/compare/0.33.0...0.34.0

Version 0.33.0

Added

... (truncated)

Changelog

Sourced from starlette's changelog.

0.35.1

January 11, 2024

Fixed

• Stop using the deprecated "method" parameter in FileResponse inside of StaticFiles #2406.
• Make typing-extensions optional again #2409.

0.35.0

January 11, 2024

Added

• Add *args to Middleware and improve its type hints #2381.

Fixed

• Use Iterable instead Iterator on iterate_in_threadpool #2362.

Changes

• Handle root_path to keep compatibility with mounted ASGI applications and WSGI #2400.
• Turn scope["client"] to None on TestClient #2377.

0.34.0

December 16, 2023

Added

• Use ParamSpec for run_in_threadpool #2375.
• Add UploadFile.__repr__ #2360.

Fixed

• Merge URLs properly on TestClient #2376.
• Take weak ETags in consideration on StaticFiles #2334.

Deprecated

• Deprecate FileResponse(method=...) parameter #2366.

0.33.0

December 1, 2023

Added

... (truncated)

Commits

• c817605 Version 0.35.1 (#2410)
• 6c4ffee Make typing-extensions optional again (#2409)
• 3734e85 ♻️ Do not use the deprecated method parameter in FileResponse inside of `...
• 1081520 Version 0.35.0 (#2404)
• c3c6314 ♻️ Refactor logic to handle root_path to keep compatibility with ASGI and c...
• 8f2307d Bump trio from 0.22.2 to 0.23.2 (#2395)
• d28d491 Bump ruff from 0.1.6 to 0.1.9 (#2396)
• 5f9da0b Bump coverage from 7.3.2 to 7.4.0 (#2397)
• 04684c2 Bump typing-extensions from 4.8.0 to 4.9.0 (#2393)
• 8924759 Bump importlib-metadata from 6.9.0 to 7.0.1 (#2394)
• Additional commits viewable in compare view

Updates urllib3 from 2.0.4 to 2.0.7

Release notes

Sourced from urllib3's releases.

2.0.7

• Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (GHSA-g4mx-q9vg-27p4)

2.0.6

• Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (GHSA-v845-jxx5-vc9f)

2.0.5

• Allowed pyOpenSSL third-party module without any deprecation warning. #3126
• Fixed default blocksize of HTTPConnection classes to match high-level classes. Previously was 8KiB, now 16KiB. #3066

Changelog

Sourced from urllib3's changelog.

2.0.7 (2023-10-17)

• Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.

2.0.6 (2023-10-02)

• Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.

2.0.5 (2023-09-20)

• Allowed pyOpenSSL third-party module without any deprecation warning. ([#3126](https://github.com/urllib3/urllib3/issues/3126) <https://github.com/urllib3/urllib3/issues/3126>__)
• Fixed default blocksize of HTTPConnection classes to match high-level classes. Previously was 8KiB, now 16KiB. ([#3066](https://github.com/urllib3/urllib3/issues/3066) <https://github.com/urllib3/urllib3/issues/3066>__)

Commits

• 56f01e0 Release 2.0.7
• 4e50fbc Merge pull request from GHSA-g4mx-q9vg-27p4
• 80808b0 Fix docs build on Python 3.12 (#3144)
• f28deff Add 1.26.17 to the current changelog
• 262e3e3 Release 2.0.6
• 644124e Merge pull request from GHSA-v845-jxx5-vc9f
• 740380c Bump cryptography from 41.0.3 to 41.0.4 (#3131)
• d9f85a7 Release 2.0.5
• d41f412 Undeprecate pyOpenSSL module (#3127)
• b6c04cb Fix a link to "absolute URI" definition (#3128)
• Additional commits viewable in compare view

Updates fonttools from 4.42.0 to 4.43.0

Release notes

Sourced from fonttools's releases.

4.43.0

• [subset] Set up lxml XMLParser(resolve_entities=False) when parsing OT-SVG documents to prevent XML External Entity (XXE) attacks (9f61271dc): https://codeql.github.com/codeql-query-help/python/py-xxe/
• [varLib.iup] Added workaround for a Cython bug in iup_delta_optimize that was leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas (60126435d, cython/cython#5732).
• [varLib] Added new command-line entry point fonttools varLib.avar to add an avar table to an existing VF from axes mappings in a .designspace file (0a3360e52).
• [instancer] Fixed bug whereby no longer used variation regions were not correctly pruned after VarData optimization (#3268).
• Added support for Python 3.12 (#3283).

4.42.1

• [t1Lib] Fixed several Type 1 issues (#3238, #3240).
• [otBase/packer] Allow sharing tables reached by different offset sizes (#3241, #3236, 457f11c2).
• [varLib/merger] Fix Cursive attachment merging error when all anchors are NULL (#3248, #3247).
• [ttLib] Fixed warning when calling addMultilingualName and ttFont parameter was not passed on to findMultilingualName (#3253).

4.42.0

• [varLib] Use sentinel value 0xFFFF to mark a glyph advance in hmtx/vmtx as non participating, allowing sparse masters to contain glyphs for variation purposes other than {H,V}VAR (#3235).
• [varLib/cff] Treat empty glyphs in non-default masters as missing, thus not participating in CFF2 delta computation, similarly to how varLib already treats them for gvar (#3234).
• Added varLib.avarPlanner script to deduce 'correct' avar v1 axis mappings based on glyph average weights (#3223).

Changelog

Sourced from fonttools's changelog.

4.43.0 (released 2023-09-29)

• [subset] Set up lxml XMLParser(resolve_entities=False) when parsing OT-SVG documents to prevent XML External Entity (XXE) attacks (9f61271dc): https://codeql.github.com/codeql-query-help/python/py-xxe/
• [varLib.iup] Added workaround for a Cython bug in iup_delta_optimize that was leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas (60126435d, cython/cython#5732).
• [varLib] Added new command-line entry point fonttools varLib.avar to add an avar table to an existing VF from axes mappings in a .designspace file (0a3360e52).
• [instancer] Fixed bug whereby no longer used variation regions were not correctly pruned after VarData optimization (#3268).
• Added support for Python 3.12 (#3283).

4.42.1 (released 2023-08-20)

• [t1Lib] Fixed several Type 1 issues (#3238, #3240).
• [otBase/packer] Allow sharing tables reached by different offset sizes (#3241, #3236).
• [varLib/merger] Fix Cursive attachment merging error when all anchors are NULL (#3248, #3247).
• [ttLib] Fixed warning when calling addMultilingualName and ttFont parameter was not passed on to findMultilingualName (#3253).

4.42.0 (released 2023-08-02)

• [varLib] Use sentinel value 0xFFFF to mark a glyph advance in hmtx/vmtx as non participating, allowing sparse masters to contain glyphs for variation purposes other than {H,V}VAR (#3235).
• [varLib/cff] Treat empty glyphs in non-default masters as missing, thus not participating in CFF2 delta computation, similarly to how varLib already treats them for gvar (#3234).
• Added varLib.avarPlanner script to deduce 'correct' avar v1 axis mappings based on glyph average weights (#3223).

Commits

• 145460e Release 4.43.0
• 64f3fd8 Update changelog [skip ci]
• 7aea49e Merge pull request #3283 from hugovk/main
• 4470c44 Bump requirements.txt to support Python 3.12
• 0c87cba Bump scipy for Python 3.12 support
• eda6fa5 Add support for Python 3.12
• 0e033b0 Bump reportlab from 3.6.12 to 3.6.13 in /Doc
• 6012643 [iup] Work around cython bug
• b14268a [iup] Remove copy/pasta
• 0a3360e [varLib.avar] New module to compile avar from .designspace file
• Additional commits viewable in compare view

Updates jinja2 from 3.1.2 to 3.1.3

Release notes

Sourced from jinja2's releases.

3.1.3

This is a fix release for the 3.1.x feature branch.

• Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.
• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-3
• Milestone: https://github.com/pallets/jinja/milestone/15?closed=1

Changelog

Sourced from jinja2's changelog.

Version 3.1.3

Released 2024-01-10

• Fix compiler error when checking if required blocks in parent templates are empty. :pr:1858
• xmlattr filter does not allow keys with spaces. GHSA-h5c8-rqwp-cp95
• Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. :pr:1918

Commits

• d9de4bb release version 3.1.3
• 50124e1 skip test pypi
• 9ea7222 use trusted publishing
• da703f7 use trusted publishing
• bce1746 use trusted publishing
• 7277d80 update pre-commit hooks
• 5c8a105 Make nested-trans-block exceptions nicer (#1918)
• 19a55db Make nested-trans-block exceptions nicer
• 7167953 Merge pull request from GHSA-h5c8-rqwp-cp95
• 7dd3680 xmlattr filter disallows keys with spaces
• Additional commits viewable in compare view

Updates pillow from 10.0.0 to 10.0.1

Release notes

Sourced from pillow's releases.

10.0.1

https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html

Changes

• Updated libwebp to 1.3.2 #7395 [@​radarhere]
• Updated zlib to 1.3 #7344 [@​radarhere]

Changelog

Sourced from pillow's changelog.

10.0.1 (2023-09-15)

• Updated libwebp to 1.3.2 #7395 [radarhere]

• Updated zlib to 1.3 #7344 [radarhere]

Commits

• e34d346 Updated order
• a62f240 10.0.1 version bump
• d50250d Added release notes for 10.0.1
• b4c7d4b Update CHANGES.rst [ci skip]
• 730f746 Updated libwebp to 1.3.2
• b0e2804 Updated zlib to 1.3
• See full diff in compare view

Updates certifi from 2023.5.7 to 2023.7.22

Commits

• 8fb96ed 2023.07.22
• afe7722 Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)
• 2038739 Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)
• 44df761 Hash pin Actions and enable dependabot (#228)
• See full diff in compare view

Updates urllib3 from 1.26.15 to 1.26.18

Release notes

Sourced from urllib3's releases.

2.0.7

• Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (GHSA-g4mx-q9vg-27p4)

2.0.6

• Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (GHSA-v845-jxx5-vc9f)

2.0.5

• Allowed pyOpenSSL third-party module without any deprecation warning. #3126
• Fixed default blocksize of HTTPConnection classes to match high-level classes. Previously was 8KiB, now 16KiB. #3066

Changelog

Sourced from urllib3's changelog.

2.0.7 (2023-10-17)

• Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.

2.0.6 (2023-10-02)

• Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.

2.0.5 (2023-09-20)

• Allowed pyOpenSSL third-party module without any deprecation warning. ([#3126](https://github.com/urllib3/urllib3/issues/3126) <https://github.com/urllib3/urllib3/issues/3126>__)
• Fixed default blocksize of HTTPConnection classes to match high-level classes. Previously was 8KiB, now 16KiB. ([#3066](https://github.com/urllib3/urllib3/issues/3066) <https://github.com/urllib3/urllib3/issues/3066>__)

Commits

• 56f01e0 Release 2.0.7
• 4e50fbc Merge pull request from GHSA-g4mx-q9vg-27p4
• 80808b0 Fix docs build on Python 3.12 (#3144)
• f28deff Add 1.26.17 to the current changelog
• 262e3e3 Release 2.0.6
• 644124e Merge pull request from GHSA-v845-jxx5-vc9f
• 740380c Bump cryptography from 41.0.3 to 41.0.4 (#3131)
• d9f85a7 Release 2.0.5
• d41f412 Undeprecate pyOpenSSL module (
  dependabot[bot] commented 8 months ago

  Superseded by #31.