chore(deps): bump the pip group across 1 directory with 9 updates

[dependabot[bot]]

Bumps the pip group with 9 updates in the / directory:

Package	From	To
scikit-learn	1.2.1	1.5.0
pydantic	2.1.1	2.4.0
black	22.12.0	24.3.0
tqdm	4.64.1	4.66.3
idna	3.4	3.7
pillow	10.2.0	10.3.0
requests	2.31.0	2.32.2
tornado	6.3.3	6.4.1
urllib3	1.26.18	1.26.19

Updates scikit-learn from 1.2.1 to 1.5.0

Release notes

Sourced from scikit-learn's releases.

Scikit-learn 1.5.0

We're happy to announce the 1.5.0 release.

You can read the release highlights under https://scikit-learn.org/stable/auto_examples/release_highlights/plot_release_highlights_1_5_0.html and the long version of the change log under https://scikit-learn.org/stable/whats_new/v1.5.html

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

The conda-forge builds can be installed using:

conda install -c conda-forge scikit-learn

Scikit-learn 1.4.2

We're happy to announce the 1.4.2 release.

This release only includes support for numpy 2.

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

Scikit-learn 1.4.1.post1

We're happy to announce the 1.4.1.post1 release.

You can see the changelog here: https://scikit-learn.org/stable/whats_new/v1.4.html#version-1-4-1-post1

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

The conda-forge builds can be installed using:

conda install -c conda-forge scikit-learn

... (truncated)

Commits

• b51d0c9 trigger whell builder [cd build]
• 919ae9b MAINT Reoder what's new for 1.5 (#29039)
• 0ac28ad DOC Release highlights 1.5 (#29007)
• 729b54d test py3.12 against numpy 2 [cd build]
• 1e50434 set version
• ffbe4ab DOC remove obsolete SVM example (#27108)
• 4647729 DOC Fix time complexity of MLP (#28592)
• 9bd7047 FIX convergence criterion of MeanShift (#28951)
• b79420f FIX add long long for int32/int64 windows compat in NumPy 2.0 (#29029)
• 37f544d DOC replace pandas with Polars in examples/gaussian_process/plot_gpr_co2.py (...
• Additional commits viewable in compare view

Updates pydantic from 2.1.1 to 2.4.0

Release notes

Sourced from pydantic's releases.

v2.4.0 2023-09-25

What's Changed

Packaging

• Update pydantic-core to 2.10.0 by @​samuelcolvin in #7542

New Features

• Add Base64Url types by @​dmontagu in #7286
• Implement optional number to str coercion by @​lig in #7508
• Allow access to field_name and data in all validators if there is data and a field name by @​samuelcolvin in #7542
• Add BaseModel.model_validate_strings and TypeAdapter.validate_strings by @​hramezani in #7552
• Add Pydantic plugins experimental implementation by @​lig @​samuelcolvin and @​Kludex in #6820

Changes

• Do not override model_post_init in subclass with private attrs by @​Viicos in #7302
• Make fields with defaults not required in the serialization schema by default by @​dmontagu in #7275
• Mark Extra as deprecated by @​disrupted in #7299
• Make EncodedStr a dataclass by @​Kludex in #7396
• Move annotated_handlers to be public by @​samuelcolvin in #7569

Performance

• Simplify flattening and inlining of CoreSchema by @​adriangb in #7523
• Remove unused copies in CoreSchema walking by @​adriangb in #7528
• Add caches for collecting definitions and invalid schemas from a CoreSchema by @​adriangb in #7527
• Eagerly resolve discriminated unions and cache cases where we can't by @​adriangb in #7529
• Replace dict.get and dict.setdefault with more verbose versions in CoreSchema building hot paths by @​adriangb in #7536
• Cache invalid CoreSchema discovery by @​adriangb in #7535
• Allow disabling CoreSchema validation for faster startup times by @​adriangb in #7565

Fixes

• Fix config detection for TypedDict from grandparent classes by @​dmontagu in #7272
• Fix hash function generation for frozen models with unusual MRO by @​dmontagu in #7274
• Make strict config overridable in field for Path by @​hramezani in #7281
• Use ser_json_<timedelta|bytes> on default in GenerateJsonSchema by @​Kludex in #7269
• Adding a check that alias is validated as an identifier for Python by @​andree0 in #7319
• Raise an error when computed field overrides field by @​sydney-runkle in #7346
• Fix applying SkipValidation to referenced schemas by @​adriangb in #7381
• Enforce behavior of private attributes having double leading underscore by @​lig in #7265
• Standardize __get_pydantic_core_schema__ signature by @​hramezani in #7415
• Fix generic dataclass fields mutation bug (when using TypeAdapter) by @​sydney-runkle in #7435
• Fix TypeError on model_validator in wrap mode by @​pmmmwh in #7496
• Improve enum error message by @​hramezani in #7506
• Make repr work for instances that failed initialization when handling ValidationErrors by @​dmontagu in #7439
• Fixed a regular expression denial of service issue by limiting whitespaces by @​prodigysml in #7360
• Fix handling of UUID values having UUID.version=None by @​lig in #7566

... (truncated)

Changelog

Sourced from pydantic's changelog.

v2.4.0 (2023-09-22)

GitHub release

What's Changed

Packaging

• Update pydantic-core to 2.10.0 by @​samuelcolvin in #7542

New Features

• Add Base64Url types by @​dmontagu in #7286
• Implement optional number to str coercion by @​lig in #7508
• Allow access to field_name and data in all validators if there is data and a field name by @​samuelcolvin in #7542
• Add BaseModel.model_validate_strings and TypeAdapter.validate_strings by @​hramezani in #7552
• Add Pydantic plugins experimental implementation by @​lig @​samuelcolvin and @​Kludex in #6820

Changes

• Do not override model_post_init in subclass with private attrs by @​Viicos in #7302
• Make fields with defaults not required in the serialization schema by default by @​dmontagu in #7275
• Mark Extra as deprecated by @​disrupted in #7299
• Make EncodedStr a dataclass by @​Kludex in #7396
• Move annotated_handlers to be public by @​samuelcolvin in #7569

Performance

• Simplify flattening and inlining of CoreSchema by @​adriangb in #7523
• Remove unused copies in CoreSchema walking by @​adriangb in #7528
• Add caches for collecting definitions and invalid schemas from a CoreSchema by @​adriangb in #7527
• Eagerly resolve discriminated unions and cache cases where we can't by @​adriangb in #7529
• Replace dict.get and dict.setdefault with more verbose versions in CoreSchema building hot paths by @​adriangb in #7536
• Cache invalid CoreSchema discovery by @​adriangb in #7535
• Allow disabling CoreSchema validation for faster startup times by @​adriangb in #7565

Fixes

• Fix config detection for TypedDict from grandparent classes by @​dmontagu in #7272
• Fix hash function generation for frozen models with unusual MRO by @​dmontagu in #7274
• Make strict config overridable in field for Path by @​hramezani in #7281
• Use ser_json_<timedelta|bytes> on default in GenerateJsonSchema by @​Kludex in #7269
• Adding a check that alias is validated as an identifier for Python by @​andree0 in #7319
• Raise an error when computed field overrides field by @​sydney-runkle in #7346
• Fix applying SkipValidation to referenced schemas by @​adriangb in #7381
• Enforce behavior of private attributes having double leading underscore by @​lig in #7265
• Standardize __get_pydantic_core_schema__ signature by @​hramezani in #7415
• Fix generic dataclass fields mutation bug (when using TypeAdapter) by @​sydney-runkle in #7435
• Fix TypeError on model_validator in wrap mode by @​pmmmwh in #7496
• Improve enum error message by @​hramezani in #7506

... (truncated)

Commits

• 1f59075 fix unintentional drop of character in HISTORY (#7600)
• 7183c3e adding mkdocs_run_deps to docs (#7602)
• cd44ac1 Add missing @​Kludex mention to the HISTORY.md (#7603)
• 6136b9a Prepare release 2.4.0 (#7568)
• 389c074 Revert unecessary regex change from e4393ae (#7599)
• 4279fc5 WIP fixing redirects (#7596)
• 829af25 Improvements to version info message (#7594)
• cc4b8c2 Small improvements to import performance (#7590)
• 0af0cc3 revert plugin performance regression (#7589)
• 0c760c0 improve formatting of generated release notes (#7592)
• Additional commits viewable in compare view

Updates black from 22.12.0 to 24.3.0

Release notes

Sourced from black's releases.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

• Don't move comments along with delimiters, which could cause crashes (#4248)
• Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
• Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

• Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

• Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

• Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

• Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
• Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
• Checking for newline before adding one on docstring that is almost at the line limit (#4185)
• Remove redundant parentheses in case statement if guards (#4214).

Configuration

... (truncated)

Changelog

Sourced from black's changelog.

24.3.0

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

This release also fixes a bug in Black's AST safety check that allowed Black to make incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

• Don't move comments along with delimiters, which could cause crashes (#4248)
• Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270)
• Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273)

Performance

• Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278)

Documentation

• Note what happens when --check is used with --quiet (#4236)

24.2.0

Stable style

• Fixed a bug where comments where mistakenly removed along with redundant parentheses (#4218)

Preview style

• Move the hug_parens_with_braces_and_square_brackets feature to the unstable style due to an outstanding crash and proposed formatting tweaks (#4198)
• Fixed a bug where base expressions caused inconsistent formatting of ** in tenary expression (#4154)
• Checking for newline before adding one on docstring that is almost at the line limit (#4185)
• Remove redundant parentheses in case statement if guards (#4214).

... (truncated)

Commits

• 552baf8 Prepare release 24.3.0 (#4279)
• f000936 Fix catastrophic performance in lines_with_leading_tabs_expanded() (#4278)
• 7b5a657 Fix --line-ranges behavior when ranges are at EOF (#4273)
• 1abcffc Use regex where we ignore case on windows (#4252)
• 719e674 Fix 4227: Improve documentation for --quiet --check (#4236)
• e5510af update plugin url for Thonny (#4259)
• 6af7d11 Fix AST safety check false negative (#4270)
• f03ee11 Ensure blib2to3.pygram is initialized before use (#4224)
• e4bfedb fix: Don't move comments while splitting delimiters (#4248)
• d0287e1 Make trailing comma logic more concise (#4202)
• Additional commits viewable in compare view

Updates tqdm from 4.64.1 to 4.66.3

Release notes

Sourced from tqdm's releases.

tqdm v4.66.3 stable

• cli: eval safety (fixes CVE-2024-34062, GHSA-g7vv-2v7x-gj9p)

tqdm v4.66.2 stable

• pandas: add DataFrame.progress_map (#1549)
• notebook: fix HTML padding (#1506)
• keras: fix resuming training when verbose>=2 (#1508)
• fix format_num negative fractions missing leading zero (#1548)
• fix Python 3.12 DeprecationWarning on import (#1519)
• linting: use f-strings (#1549)
• update tests (#1549)
  • fix pandas warnings
  • fix asv (airspeed-velocity/asv#1323)
  • fix macos notebook docstring indentation
• CI: bump actions (#1549)

tqdm v4.66.1 stable

• fix utils.envwrap types (#1493 <- #1491, #1320 <- #966, #1319)
  • e.g. cloudwatch & kubernetes workaround: export TQDM_POSITION=-1
• drop mentions of unsupported Python versions

tqdm v4.66.0 stable

• environment variables to override defaults (TQDM_*) (#1491 <- #1061, #950 <- #614, #1318, #619, #612, #370)
  • e.g. in CI jobs, export TQDM_MININTERVAL=5 to avoid log spam
  • add tests & docs for tqdm.utils.envwrap
• fix & update CLI completion
• fix & update API docs
• minor code tidy: replace os.path => pathlib.Path
• fix docs image hosting
• release with CI bot account again (cli/cli#6680)

tqdm v4.65.2 stable

• exclude examples from distributed wheel (#1492)

tqdm v4.65.1 stable

• migrate setup.{cfg,py} => pyproject.toml (#1490)
  • fix asv benchmarks
  • update docs
• fix snap build (#1490)
• fix & update tests (#1490)
  • fix flaky notebook tests
  • bump pre-commit
  • bump workflow actions

tqdm v4.65.0 stable

• add Python 3.11 and drop Python 3.6 support (#1439, #1419, #502 <- #720, #620)
• misc code & docs tidy
• fix & update CI workflows & tests

Commits

• 4e613f8 Merge pull request from GHSA-g7vv-2v7x-gj9p
• b53348c cli: eval safety
• cc372d0 bump version, merge pull request #1549 from tqdm/devel
• e9f0c05 use PyPI trusted publishing
• 7323d5b slight makefile clean
• 5306125 tests: bump pre-commit
• 4a6fd4f fix datetime.utcfromtimestamp py3.12 warning (#1519)
• 6f13759 tests: fix macos notebook indentation
• 3abcd2a tests: fix asv
• a4d15c8 tests: fix pandas warnings
• Additional commits viewable in compare view

Updates idna from 3.4 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: https://github.com/kjd/idna/compare/v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

3.6 (2023-11-25) ++++++++++++++++

• Fix regression to include tests in source distribution.

3.5 (2023-11-24) ++++++++++++++++

• Update to Unicode 15.1.0
• String codec name is now "idna2008" as overriding the system codec "idna" was not working.
• Fix typing error for codec encoding
• "setup.cfg" has been added for this release due to some downstream lack of adherence to PEP 517. Should be removed in a future release so please prepare accordingly.
• Removed reliance on a symlink for the "idna-data" tool to comport with PEP 517 and the Python Packaging User Guide for sdist archives.
• Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions to this release.

Commits

• 1d365e1 Release v3.7
• c1b3154 Merge pull request #172 from kjd/optimize-contextj
• 0394ec7 Merge branch 'master' into optimize-contextj
• cd58a23 Merge pull request #152 from elliotwutingfeng/dev
• 5beb28b More efficient resolution of joiner contexts
• 1b12148 Update ossf/scorecard-action to v2.3.1
• d516b87 Update Github actions/checkout to v4
• c095c75 Merge branch 'master' into dev
• 60a0a4c Fix typo in GitHub Actions workflow key
• 5918a0e Merge branch 'master' into dev
• Additional commits viewable in compare view

Updates pillow from 10.2.0 to 10.3.0

Release notes

Sourced from pillow's releases.

10.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html

Changes

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [@​hugovk]
• Use functools.lru_cache for hopper() #7912 [@​hugovk]
• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [@​radarhere]
• Improve speed of loading QOI images #7925 [@​radarhere]
• Added RGB to I;16N conversion #7920 [@​radarhere]
• Add --report argument to main.py to omit supported formats #7818 [@​nulano]
• Added RGB to I;16, I;16L and I;16B conversion #7918 [@​radarhere]
• Fix editable installation with custom build backend and configuration options #7658 [@​nulano]
• Fix putdata() for I;16N on big-endian #7209 [@​Yay295]
• Determine MPO size from markers, not EXIF data #7884 [@​radarhere]
• Improved conversion from RGB to RGBa, LA and La #7888 [@​radarhere]
• Support FITS images with GZIP_1 compression #7894 [@​radarhere]
• Use I;16 mode for 9-bit JPEG 2000 images #7900 [@​scaramallion]
• Raise ValueError if kmeans is negative #7891 [@​radarhere]
• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [@​radarhere]
• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [@​radarhere]
• Added reading of JPEG2000 palettes #7870 [@​radarhere]
• Added alpha_quality argument when saving WebP images #7872 [@​radarhere]
• Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions #7881 [@​radarhere]
• Removed Python and NumPy pinning on Cygwin #7880 [@​radarhere]
• Update UnidentifiedImageError and version imports #7644 [@​radarhere]
• Stop reading EPS image at EOF marker #7753 [@​radarhere]
• PSD layer co-ordinates may be negative #7706 [@​radarhere]
• Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer #7791 [@​radarhere]
• When saving GIF frame that restores to background color, do not fill identical pixels #7788 [@​radarhere]
• Fixed reading PNG iCCP compression method #7823 [@​radarhere]
• Allow writing IFDRational to UNDEFINED tag #7840 [@​radarhere]
• Fix logged tag name when loading Exif data #7842 [@​radarhere]
• Use maximum frame size in IHDR chunk when saving APNG images #7821 [@​radarhere]
• Prevent opening P TGA images without a palette #7797 [@​radarhere]
• Use palette when loading ICO images #7798 [@​radarhere]
• Use consistent arguments for load_read and load_seek #7713 [@​radarhere]
• Turn off nullability warnings for macOS SDK #7827 [@​radarhere]
• Fix shift-sign issue in Convert.c #7838 [@​r-barnes]
• winbuild: Refactor dependency versions into constants #7843 [@​hugovk]
• Build macOS arm64 wheels natively #7852 [@​radarhere]
• Fixed typo #7855 [@​radarhere]
• Open 16-bit grayscale PNGs as I;16 #7849 [@​radarhere]
• Handle truncated chunks at the end of PNG images #7709 [@​lajiyuan]
• Match mask size to pasted image size in GifImagePlugin #7779 [@​radarhere]
• Changed SupportsGetMesh protocol to be public #7841 [@​radarhere]
• Release GIL while calling WebPAnimDecoderGetNext #7782 [@​evanmiller]
• Fixed reading FLI/FLC images with a prefix chunk #7804 [@​twolife]
• Updated package name for Tidelift #7810 [@​radarhere]
• Removed unused code #7744 [@​radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

10.3.0 (2024-04-01)

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [radarhere, hugovk]

• Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() #7927 [radarhere, hugovk]

• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [radarhere]

• Add --report argument to __main__.py to omit supported formats #7818 [nulano, radarhere, hugovk]

• Added RGB to I;16, I;16L, I;16B and I;16N conversion #7918, #7920 [radarhere]

• Fix editable installation with custom build backend and configuration options #7658 [nulano, radarhere]

• Fix putdata() for I;16N on big-endian #7209 [Yay295, hugovk, radarhere]

• Determine MPO size from markers, not EXIF data #7884 [radarhere]

• Improved conversion from RGB to RGBa, LA and La #7888 [radarhere]

• Support FITS images with GZIP_1 compression #7894 [radarhere]

• Use I;16 mode for 9-bit JPEG 2000 images #7900 [scaramallion, radarhere]

• Raise ValueError if kmeans is negative #7891 [radarhere]

• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [radarhere]

• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [radarhere]

• Added reading of JPEG2000 palettes #7870 [radarhere]

• Added alpha_quality argument when saving WebP images #7872 [radarhere]

... (truncated)

Commits

• 5c89d88 10.3.0 version bump
• 63cbfcf Update CHANGES.rst [ci skip]
• 2776126 Merge pull request #7928 from python-pillow/lcms
• aeb51cb Merge branch 'main' into lcms
• 5beb0b6 Update CHANGES.rst [ci skip]
• cac6ffa Merge pull request #7927 from python-pillow/imagemath
• f5eeeac Name as 'options' in lambda_eval and unsafe_eval, but '_dict' in deprecated eval
• facf3af Added release notes
• 2a93aba Use strncpy to avoid buffer overflow
• a670597 Update CHANGES.rst [ci skip]
• Additional commits viewable in compare view

Updates requests from 2.31.0 to 2.32.2

Release notes

Sourced from requests's releases.

v2.32.2

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

🐍 PYCON US 2024 EDITION 🐍

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

... (truncated)

Changelog

Sourced from requests's changelog.

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations

... (truncated)

Commits

• 88dce9d v2.32.2
• c98e4d1 Merge pull request #6710 from nateprewitt/api_rename
• 92075b3 Add deprecation warning
• aa1461b Move _get_connection to get_connection_with_tls_context
• 970e8ce v2.32.1
• d6ebc4a v2.32.0
• 9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
• 0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
• 555b870 Allow character detection dependencies to be optional in post-packaging steps