Bump the dependabot group with 6 updates #357

Merged: jmichelp merged 1 commit into main from dependabot/pip/dependabot-f71b4b7018 on Apr 29, 2026


@dependabot dependabot Bot commented on behalf of github Apr 29, 2026

Bumps the dependabot group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| certifi | 2026.2.25 | 2026.4.22 |
| idna | 3.12 | 3.13 |
| packaging | 26.1 | 26.2 |
| wheel | 0.46.2 | 0.47.0 |
| xxhash | 3.6.0 | 3.7.0 |
| pip | 26.0 | 26.1 |

Updates certifi from 2026.2.25 to 2026.4.22

Commits
  • 5dddfb0 2026.04.22 (#410)
  • f99eccd Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#404)
  • 918bed0 Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#405)
  • 0a49067 Bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 (#403)
  • acf6ce8 Bump actions/download-artifact from 8.0.0 to 8.0.1 (#398)
  • feb0ed2 Bump actions/download-artifact from 7.0.0 to 8.0.0 (#397)
  • d9c11a5 Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#396)
  • See full diff in compare view

Updates idna from 3.12 to 3.13

Changelog

Sourced from idna's changelog.

3.13 (2026-04-22)

  • Correct classification error for codepoint U+A7F1
Commits
  • 89cdfd2 Release v3.13
  • 1eb0686 Pre-release 3.13
  • 5f20d1e Merge pull request #220 from kjd/unicode-next
  • 4ea8425 Regenerate idnadata.py with correct NFKC_CF data
  • fd47341 Use NFKC_CF from Unicode data files instead of Python's unicodedata module
  • a5304a4 Merge pull request #219 from kjd/release-3.12
  • See full diff in compare view

Updates packaging from 26.1 to 26.2

Release notes

Sourced from packaging's releases.

26.2

What's Changed

Fixes:

Documentation:

Internal:

New Contributors

Full Changelog: pypa/packaging@26.1...26.2

Changelog

Sourced from packaging's changelog.

26.2 - 2026-04-24


Fixes:
  • Fix incorrect sysconfig var name for pyemscripten in (:pull:1160)
  • Make Version, Specifier, SpecifierSet, Tag, Marker, and Requirement pickle-safe
    and backward-compatible with pickles created in 25.0-26.1 (including references to the removed
    packaging._structures module) (:pull:1163, :pull:1168, :pull:1170, :pull:1171)
  • Re-export ExceptionGroup in metadata for now in (:pull:1164)

Documentation:

  • Add errors section and fix missing details in (:pull:1159)
  • Document our property-based test suite in (:pull:1167)
  • Fix a DirectUrl typo in (:pull:1167)
  • Add example of is_unsatisfiable in (:pull:1166)

Internal:

  • Enable the auditor persona on zizmor in (:pull:1158)
  • Test new pickle guarantees in (:pull:1174)
  • Use new native ReadTheDocs uv integration in (:pull:1175)
Commits

Updates wheel from 0.46.2 to 0.47.0

Release notes

Sourced from wheel's releases.

0.47.0

  • Added the wheel info subcommand to display metadata about wheel files without unpacking them (#639)
  • Fixed WheelFile raising Missing RECORD file when the wheel filename contains uppercase characters (e.g. Django-3.2.5.whl) but the .dist-info directory inside uses normalized lowercase naming (#411)

0.46.3

  • Fixed ImportError: cannot import name '_setuptools_logging' from 'wheel' when installed alongside an old version of setuptools and running the bdist_wheel command (#676)
Changelog

Sourced from wheel's changelog.

Release Notes

0.47.0 (2026-04-22)

  • Added the wheel info subcommand to display metadata about wheel files without unpacking them ([#639](https://github.com/pypa/wheel/issues/639))
  • Fixed WheelFile raising Missing RECORD file when the wheel filename contains uppercase characters (e.g. Django-3.2.5.whl) but the .dist-info directory inside uses normalized lowercase naming ([#411](https://github.com/pypa/wheel/issues/411))

0.46.3 (2026-01-22)

  • Fixed ImportError: cannot import name '_setuptools_logging' from 'wheel' when installed alongside an old version of setuptools and running the bdist_wheel command ([#676](https://github.com/pypa/wheel/issues/676))

0.46.2 (2026-01-22)

  • Restored the bdist_wheel command for compatibility with setuptools older than v70.1
  • Importing wheel.bdist_wheel now emits a FutureWarning instead of a DeprecationWarning
  • Fixed wheel unpack potentially altering the permissions of files outside of the destination tree with maliciously crafted wheels (CVE-2026-24049)

0.46.1 (2025-04-08)

  • Temporarily restored the wheel.macosx_libfile module ([#659](https://github.com/pypa/wheel/issues/659))

0.46.0 (2025-04-03)

  • Dropped support for Python 3.8
  • Removed the bdist_wheel setuptools command implementation and entry point. The wheel.bdist_wheel module is now just an alias to setuptools.command.bdist_wheel, emitting a deprecation warning on import.
  • Removed vendored packaging in favor of a run-time dependency on it
  • Made the wheel.metadata module private (with a deprecation warning if it's imported)
  • Made the wheel.cli package private (no deprecation warning)
  • Fixed an exception when calling the convert command with an empty description field

0.45.1 (2024-11-23)

  • Fixed pure Python wheels converted from eggs and wininst files having the ABI tag in the file name

... (truncated)

Commits
  • efd83a7 Created a new release
  • bb69216 Reordered the changelog entries
  • d5a1763 fix(wheelfile): resolve .dist-info path case-insensitively when reading wheel...
  • 5718957 [pre-commit.ci] pre-commit autoupdate (#685)
  • 6258068 chore: log_level is better than log_cli_level (#684)
  • 2975deb Require tox >= 4.22
  • 47674ba chore: add check-sdist to checks (#681)
  • 56223f6 __package____spec__.parent (#679)
  • 0ce509e Added the wheel info subcommand (#669)
  • 39039c0 Improved the index page
  • Additional commits viewable in compare view

Updates xxhash from 3.6.0 to 3.7.0

Release notes

Sourced from xxhash's releases.

v3.7.0

  • Drop support for Python 3.7
  • Build armv7l manylinux/musllinux wheels
  • Build riscv64 manylinux/musllinux wheels
  • Build android and ios wheels

Full list of changes: ifduyue/python-xxhash@v3.6.0...v3.7.0

Changelog

Sourced from xxhash's changelog.

v3.7.0 2025-04-25


- Drop support for Python 3.7
- Build armv7l manylinux/musllinux wheels
- Build riscv64 manylinux/musllinux wheels
- Build android and ios wheels
Commits
  • 404589e Prepare 3.7.0
  • d3cd664 Bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0
  • 0d7d943 Bump pypa/cibuildwheel from 3.4.0 to 3.4.1
  • c4b8775 Bump actions/download-artifact from 7 to 8
  • 1ae3e5b Bump actions/upload-artifact from 6 to 7
  • 8faaa34 Bump pypa/cibuildwheel from 3.3.1 to 3.4.0
  • 4ba9b0c Bump docker/setup-qemu-action from 3 to 4
  • 43bb203 Bump actions/download-artifact from 6 to 7
  • a7a3bd2 Bump actions/upload-artifact from 5 to 6
  • c35bf01 Bump pypa/cibuildwheel from 3.3.0 to 3.3.1
  • Additional commits viewable in compare view

Updates pip from 26.0 to 26.1

Changelog

Sourced from pip's changelog.

26.1 (2026-04-26)

Deprecations and Removals

  • Drop support for Python 3.9. ([#13795](https://github.com/pypa/pip/issues/13795))

Features

  • Add experimental support to read requirements from standardized pylock.toml files (-r pylock.toml). ([#13876](https://github.com/pypa/pip/issues/13876))
  • Allow --uploaded-prior-to to accept a duration in days (e.g., P3D for 3 days ago). ([#13674](https://github.com/pypa/pip/issues/13674))

Enhancements

  • Speed up dependency resolution when there are complex conflicts. ([#13859](https://github.com/pypa/pip/issues/13859))
  • Reduce memory usage when resolving large dependency trees. ([#13843](https://github.com/pypa/pip/issues/13843))
  • Emit a deprecation warning when pip imports an unexpected module after installation of a distribution has started. ([#13912](https://github.com/pypa/pip/issues/13912))
  • Allow URL constraints to apply to requirements with extras. ([#12018](https://github.com/pypa/pip/issues/12018))
  • Allow unpinned requirements to use hashes from constraints. Constraints like {name}=={version} --hash=... feeds into hash verification for a corresponding requirement. ([#9243](https://github.com/pypa/pip/issues/9243))
  • Improve conflict reports that involve direct URLs. ([#13932](https://github.com/pypa/pip/issues/13932))
  • Show all errors instead of first error for faulty dependency_groups definitions. ([#13917](https://github.com/pypa/pip/issues/13917))

Bug Fixes

  • Fix recovery hint for missing RECORD file to use --ignore-installed instead of --force-reinstall. ([#12645](https://github.com/pypa/pip/issues/12645))
  • Fix misleading error message when a constraint file cannot be opened. ([#13226](https://github.com/pypa/pip/issues/13226))
  • Show the filename rather than the full URL when downloading files from non-PyPI indexes in non-verbose mode. ([#13494](https://github.com/pypa/pip/issues/13494))
  • Remove the adjacent __pycache__ directory when a .py file is removed. ([#13725](https://github.com/pypa/pip/issues/13725))
  • Force UTF-8 encoding for PEP 723 metadata. ([#13861](https://github.com/pypa/pip/issues/13861))
  • Minor performance improvement when filtering candidates during resolution. ([#13916](https://github.com/pypa/pip/issues/13916))
  • Fix a hang on Windows when stdout is closed during verbose output. ([#13927](https://github.com/pypa/pip/issues/13927))
  • Common path prefixes are determined by path segment, not character by character. ([#13847](https://github.com/pypa/pip/issues/13847))
  • Fix installing .tar.gz source distributions that look like a zip file. ([#13867](https://github.com/pypa/pip/issues/13867))

Vendored Libraries

  • Upgrade certifi to 2026.2.25
  • Upgrade packaging to 26.2
  • Upgrade requests to 2.33.1
  • Upgrade tomli to 2.3.1
  • Upgrade urllib3 to 2.6.3

... (truncated)

Commits
  • 90b2b3e Bump for release
  • 193f289 Update AUTHORS.txt
  • 63c3709 Merge pull request #13876 from sbidoul/install-from-pylock-reqs-sbi
  • e5fe702 Merge pull request #13949 from pypa/revert-13888-resolver-editable-links
  • 122a14a Revert "Allow editable installs to satisfy direct-URL dependencies (#13888)"
  • c335252 -r pylock.toml: add pip-wheel -r pylock.toml test
  • ba2fc12 -r pylock.toml: proper error with remote pylock.toml containing directory ent...
  • 747c4ae Merge pull request #13948 from ichard26/reword-news
  • 3517841 -r pylock: refine filename pylock-ness test
  • 2f7ad8c -r pylock.toml: fix crash with pip wheel and pip lock
  • Additional commits viewable in compare view


Bumps the dependabot group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [certifi](https://github.com/certifi/python-certifi) | `2026.2.25` | `2026.4.22` |
| [idna](https://github.com/kjd/idna) | `3.12` | `3.13` |
| [packaging](https://github.com/pypa/packaging) | `26.1` | `26.2` |
| [wheel](https://github.com/pypa/wheel) | `0.46.2` | `0.47.0` |
| [xxhash](https://github.com/ifduyue/python-xxhash) | `3.6.0` | `3.7.0` |
| [pip](https://github.com/pypa/pip) | `26.0` | `26.1` |


Updates `certifi` from 2026.2.25 to 2026.4.22
- [Commits](certifi/python-certifi@2026.02.25...2026.04.22)

Updates `idna` from 3.12 to 3.13
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst)
- [Commits](kjd/idna@v3.12...v3.13)

Updates `packaging` from 26.1 to 26.2
- [Release notes](https://github.com/pypa/packaging/releases)
- [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst)
- [Commits](pypa/packaging@26.1...26.2)

Updates `wheel` from 0.46.2 to 0.47.0
- [Release notes](https://github.com/pypa/wheel/releases)
- [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst)
- [Commits](pypa/wheel@0.46.2...0.47.0)

Updates `xxhash` from 3.6.0 to 3.7.0
- [Release notes](https://github.com/ifduyue/python-xxhash/releases)
- [Changelog](https://github.com/ifduyue/python-xxhash/blob/master/CHANGELOG.rst)
- [Commits](ifduyue/python-xxhash@v3.6.0...v3.7.0)

Updates `pip` from 26.0 to 26.1
- [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
- [Commits](pypa/pip@26.0...26.1)

---
updated-dependencies:
- dependency-name: certifi
  dependency-version: 2026.4.22
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependabot
- dependency-name: idna
  dependency-version: '3.13'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependabot
- dependency-name: packaging
  dependency-version: '26.2'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependabot
- dependency-name: wheel
  dependency-version: 0.47.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependabot
- dependency-name: xxhash
  dependency-version: 3.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependabot
- dependency-name: pip
  dependency-version: '26.1'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependabot
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and python labels Apr 29, 2026
@jmichelp jmichelp enabled auto-merge April 29, 2026 07:38
@coveralls

Coverage Report for CI Build 25096709661

Coverage remained the same at 88.617%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 3470
Covered Lines: 3075
Line Coverage: 88.62%
Coverage Strength: 0.89 hits per line

💛 - Coveralls

@jmichelp jmichelp added this pull request to the merge queue Apr 29, 2026
Merged via the queue into main with commit 060a998 Apr 29, 2026
35 checks passed
@dependabot dependabot Bot deleted the dependabot/pip/dependabot-f71b4b7018 branch April 29, 2026 08:11