build(deps): bump the all-python-deps group with 7 updates

[dependabot]

Bumps the all-python-deps group with 7 updates:

Package	From	To
cachetools	6.2.4	6.2.6
gunicorn	23.0.0	24.1.1
numpy	2.4.0	2.4.2
packaging	25.0	26.0
scipy	1.16.3	1.17.0
urllib3	2.6.2	2.6.3
werkzeug	3.1.4	3.1.5

Updates cachetools from 6.2.4 to 6.2.6

Changelog

Sourced from cachetools's changelog.

v6.2.6 (2026-01-27)

• Improve typedkey performance.

• Minor documentation improvements.

• Minor testing improvements.

• Minor code readability improvements.

v6.2.5 (2026-01-25)

• Improve documentation regarding @cachedmethod with lock parameter.

• Add test cases for cache stampede scenarios.

• Update CI environment.

Commits

• 318ed71 Release v6.2.6.
• 48443ff Fix Cache.popitem test.
• 709819c Fix test method naming.
• 68e4b9c Minor documentation improvements.
• 8ee4015 Minor code readability improvements.
• ea47f99 Improve typedkey performance.
• 7158a30 Release v6.2.5.
• c9e3e26 Fix #379: Improve @​cachedmethod example by using a lock.
• d99c023 Bump copyright year.
• 5a87ee0 Add test cases for cache stampede scenarios.
• Additional commits viewable in compare view

Updates gunicorn from 23.0.0 to 24.1.1

Release notes

Sourced from gunicorn's releases.

24.1.1

Bug Fixes

• Fix forwarded_allow_ips and proxy_allow_ips to remain as strings for backward compatibility with external tools like uvicorn. Network validation now uses strict mode to detect invalid CIDR notation (e.g., 192.168.1.1/24 where host bits are set) (#3458, [PR #3459](benoitc/gunicorn#3459))

---

Full Changelog: benoitc/gunicorn@24.1.0...24.1.1

Gunicorn 24.1.0

New Features

• Official Docker Image: Gunicorn now publishes official Docker images to GitHub Container Registry ([PR #3454](benoitc/gunicorn#3454))

  • Available at ghcr.io/benoitc/gunicorn
  • Based on Python 3.12 slim image
  • Uses recommended worker formula (2 × CPU + 1)
  • Configurable via environment variables

• PROXY Protocol v2 Support: Extended PROXY protocol implementation to support the binary v2 format in addition to the existing text-based v1 format ([PR #3451](benoitc/gunicorn#3451))

  • New --proxy-protocol modes: off, v1, v2, auto
  • auto mode (default when enabled) detects v1 or v2 automatically
  • v2 binary format is more efficient and supports additional metadata
  • Works with HAProxy, AWS NLB/ALB, and other PROXY protocol v2 sources

• CIDR Network Support: --forwarded-allow-ips and --proxy-allow-from now accept CIDR notation (e.g., 192.168.0.0/16) for specifying trusted networks ([PR #3449](benoitc/gunicorn#3449))

• Socket Backlog Metric: New gunicorn.socket.backlog gauge metric reports the current socket backlog size on Linux systems ([PR #3450](benoitc/gunicorn#3450))

• InotifyReloader Enhancement: The inotify-based reloader now watches newly imported modules, not just those loaded at startup ([PR #3447](benoitc/gunicorn#3447))

Bug Fixes

• Fix signal handling regression where SIGCLD alias caused "Unhandled signal: cld" errors on Linux when workers fail during boot (#3453)
• Fix socket blocking mode on keepalive connections preventing SSL handshake failures with async workers ([PR #3452](benoitc/gunicorn#3452))
• Use smaller buffer size in finish_body() for faster timeout detection on slow or abandoned connections ([PR #3453](benoitc/gunicorn#3453))
• Handle SSLWantReadError in finish_body() to prevent worker hangs during SSL renegotiation ([PR #3448](benoitc/gunicorn#3448))
• Log SIGTERM as info level instead of warning to reduce noise in orchestrated environments ([PR #3446](benoitc/gunicorn#3446))
• Print exception details to stderr when worker fails to boot ([PR #3443](benoitc/gunicorn#3443))
• Fix unreader.unread() to prepend data to buffer instead of appending ([PR #3442](benoitc/gunicorn#3442))
• Prevent RecursionError when pickling Config objects ([PR #3441](benoitc/gunicorn#3441))
• Use proper exception chaining with raise from in glogging.py ([PR #3440](benoitc/gunicorn#3440))

Installation

pip install gunicorn==24.1.0
</tr></table> 

... (truncated)

Commits

• 375e79e release: bump version to 24.1.1
• ad0c12d docs: add sponsors section to README
• 70200ee chore: add GitHub Sponsors funding configuration
• 6841804 docs: remove incorrect PR reference from Docker changelog entry
• abce0ca docs: add 24.1.1 changelog entry for forwarded_allow_ips fix
• e9a3f30 fix: keep forwarded_allow_ips as strings for backward compatibility (#3459)
• d73ff4b docs: update main changelog with 24.1.0
• 53f2c31 ci: allow docs deploy on workflow_dispatch
• eab5f0b ci: trigger Docker publish on tags with or without v prefix
• a20d3fb docs: add Docker image to 24.1.0 changelog
• Additional commits viewable in compare view

Updates numpy from 2.4.0 to 2.4.2

Release notes

Sourced from numpy's releases.

2.4.1 (Jan 10, 2026)

NumPy 2.4.1 Release Notes

The NumPy 2.4.1 is a patch release that fixes bugs discoved after the 2.4.0 release. In particular, the typo SeedlessSequence is preserved to enable wheels using the random Cython API and built against NumPy < 2.4.0 to run without errors.

This release supports Python versions 3.11-3.14

Contributors

A total of 9 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

• Alexander Shadchin
• Bill Tompkins +
• Charles Harris
• Joren Hammudoglu
• Marten van Kerkwijk
• Nathan Goldbaum
• Raghuveer Devulapalli
• Ralf Gommers
• Sebastian Berg

Pull requests merged

A total of 15 pull requests were merged for this release.

• #30490: MAINT: Prepare 2.4.x for further development
• #30503: DOC: numpy.select: fix default parameter docstring...
• #30504: REV: Revert part of #30164 (#30500)
• #30506: TYP: numpy.select: allow passing array-like default...
• #30507: MNT: use if constexpr for compile-time branch selection
• #30513: BUG: Fix leak in flat assignment iterator
• #30516: BUG: fix heap overflow in fixed-width string multiply (#30511)
• #30523: BUG: Ensure summed weights returned by np.average always are...
• #30527: TYP: Fix return type of histogram2d
• #30594: MAINT: avoid passing ints to random functions that take double...
• #30595: BLD: Avoiding conflict with pygit2 for static build
• #30596: MAINT: Fix msvccompiler missing error on FreeBSD
• #30608: BLD: update vendored Meson to 1.9.2
• #30620: ENH: use more fine-grained critical sections in array coercion...
• #30623: BUG: Undo result type change of quantile/percentile but keep...

Changelog

Sourced from numpy's changelog.

This is a walkthrough of the NumPy 2.4.0 release on Linux, which will be the first feature release using the numpy/numpy-release <https://github.com/numpy/numpy-release>__ repository.

The commands can be copied into the command line, but be sure to replace 2.4.0 with the correct version. This should be read together with the :ref:general release guide <prepare_release>.

Facility preparation

Before beginning to make a release, use the requirements/*_requirements.txt files to ensure that you have the needed software. Most software can be installed with pip, but some will require apt-get, dnf, or whatever your system uses for software. You will also need a GitHub personal access token (PAT) to push the documentation. There are a few ways to streamline things:

• Git can be set up to use a keyring to store your GitHub personal access token. Search online for the details.
• You can use the keyring app to store the PyPI password for twine. See the online twine documentation for details.

Prior to release

Add/drop Python versions

When adding or dropping Python versions, multiple config and CI files need to be edited in addition to changing the minimum version in pyproject.toml. Make these changes in an ordinary PR against main and backport if necessary. We currently release wheels for new Python versions after the first Python RC once manylinux and cibuildwheel support that new Python version.

Backport pull requests

Changes that have been marked for this release must be backported to the maintenance/2.4.x branch.

Commits

• c81c49f Merge pull request #30757 from charris/prepare-2.4.2
• b3ae9c5 REL: Prepare for the NumPy 2.4.2 release
• 9de8984 Merge pull request #30737 from mattip/scipy-openblas-backport
• b7be329 backport scipy-openblas version change
• 7ff9863 Merge pull request #30736 from charris/backport-30667
• 431fffb MAINT: Skip tests that require buffer.
• 127235f BUG: fix thread safety of array_getbuffer (#30667)
• 18bdb2e Merge pull request #30713 from charris/backport-30710
• 41dd751 Merge pull request #30712 from charris/backport-30705
• 7a278da BUG: Fixup the quantile promotion fixup
• Additional commits viewable in compare view

Updates packaging from 25.0 to 26.0

Release notes

Sourced from packaging's releases.

26.0

Read about the performance improvements here: https://iscinumpy.dev/post/packaging-faster.

What's Changed

Features:

• PEP 751: support pylock by @​sbidoul in pypa/packaging#900
• PEP 794: import name metadata by @​brettcannon in pypa/packaging#948
• Support writing metadata by @​henryiii in pypa/packaging#846
• Support __replace__ for Version by @​henryiii in pypa/packaging#1003
• Support positional pattern matching for Version and Specifier by @​henryiii in pypa/packaging#1004

Behavior adaptations:

• PEP 440 handling of prereleases for Specifier.contains, SpecifierSet.contains, and SpecifierSet.filter by @​notatallshaw in pypa/packaging#897
• Handle PEP 440 edge case in SpecifierSet.filter by @​notatallshaw in pypa/packaging#942
• Adjust arbitrary equality intersection preservation in SpecifierSet by @​notatallshaw in pypa/packaging#951
• Return False instead of raising for .contains with invalid version by @​Liam-DeVoe in pypa/packaging#932
• Support arbitrary equality on arbitrary strings for Specifier and SpecifierSet's filter and contains method. by @​notatallshaw in pypa/packaging#954
• Only try to parse as Version on certain marker keys, return False on unequal ordered comparsions by @​JP-Ellis in pypa/packaging#939

Fixes:

• Update _hash when unpickling Tag() by @​dholth in pypa/packaging#860
• Correct comment and simplify implicit prerelease handling in Specifier.prereleases by @​notatallshaw in pypa/packaging#896
• Use explicit _GLibCVersion NamedTuple in _manylinux by @​cthoyt in pypa/packaging#868
• Detect invalid license expressions containing () by @​bwoodsend in pypa/packaging#879
• Correct regex for metadata 'name' format by @​di in pypa/packaging#925
• Improve the message around expecting a semicolon by @​pradyunsg in pypa/packaging#833
• Support nested parens in license expressions by @​Liam-DeVoe in pypa/packaging#931
• Add space before at symbol in Requirements string by @​henryiii in pypa/packaging#953
• A root logger use found by ruff LOG, use packaging logger instead by @​henryiii in pypa/packaging#965
• Better support for subclassing Marker and Requirement by @​henryiii in pypa/packaging#1022
• Normalize all extras, not just if it comes first by @​henryiii in pypa/packaging#1024
• Don't produce a broken repr if Marker fails to construct by @​henryiii in pypa/packaging#1033

Performance:

• Avoid recompiling regexes in the tokenizer for a 3x speedup by @​hauntsaninja in pypa/packaging#1019
• Improve performance in _manylinux.py by @​cthoyt in pypa/packaging#869
• Minor cleanups to Version by @​bearomorphism in pypa/packaging#913
• Skip redundant creation of Versions in specifier comparison by @​notatallshaw in pypa/packaging#986
• Cache Specifier's Version by @​notatallshaw in pypa/packaging#985
• Make Version a little faster by @​henryiii in pypa/packaging#987
• Minor Version regex cleanup by @​henryiii in pypa/packaging#990
• Faster regex on Python 3.11.5+ by @​henryiii in pypa/packaging#988 and pypa/packaging#1055
• Lazily calculate _key in Version by @​notatallshaw in pypa/packaging#989 and regression for packaging_legacy fixed by @​henryiii in pypa/packaging#1048
• Faster canonicalize_version by @​henryiii in pypa/packaging#993
• Use fullmatch in a couple more places by @​henryiii in pypa/packaging#992

... (truncated)

Changelog

Sourced from packaging's changelog.

26.0 - 2026-01-20

Features:

PEP 751: support pylock (:pull:900)
PEP 794: import name metadata (:pull:948)
Support for writing metadata to a file (:pull:846)
Support __replace__ on Version (:pull:1003)
Support positional pattern matching for Version and SpecifierSet (:pull:1004)

Behavior adaptations:

PEP 440 handling of prereleases for Specifier.contains, SpecifierSet.contains, and SpecifierSet.filter (:pull:897)
Handle PEP 440 edge case in SpecifierSet.filter (:pull:942)
Adjust arbitrary equality intersection preservation in SpecifierSet (:pull:951)
Return False instead of raising for .contains with invalid version (:pull:932)
Support arbitrary equality on arbitrary strings for Specifier and SpecifierSet's filter and contains method. (:pull:954)
Only try to parse as Version on certain marker keys, return False on unequal ordered comparisons (:pull:939)

Fixes:

Update _hash when unpickling Tag() (:pull:860)
Correct comment and simplify implicit prerelease handling in Specifier.prereleases (:pull:896)
Use explicit _GLibCVersion NamedTuple in _manylinux (:pull:868)
Detect invalid license expressions containing () (:pull:879)
Correct regex for metadata 'name' format (:pull:925)
Improve the message around expecting a semicolon (:pull:833)
Support nested parens in license expressions (:pull:931)
Add space before at symbol in Requirements string (:pull:953)
A root logger use found, use a packaging logger instead (:pull:965)
Better support for subclassing Marker and Requirement (:pull:1022)
Normalize all extras, not just if it comes first (:pull:1024)
Don't produce a broken repr if Marker fails to construct (:pull:1033)

Performance:

Avoid recompiling regexes in the tokenizer for a 3x speedup (:pull:1019)
Improve performance in _manylinux.py (:pull:869)
Minor cleanups to Version (:pull:913)
Skip redundant creation of Version's in specifier comparison (:pull:986)
Cache the Specifier's Version (:pull:985)
Make Version a little faster (:pull:987)
Minor Version regex cleanup (:pull:990)
Faster regex on Python 3.11.5+ for Version (:pull:988, :pull:1055)
Lazily calculate _key in Version (:pull:989, :pull:1048)
Faster canonicalize_version (:pull:993)
Use re.fullmatch in a couple more places (:pull:992, :pull:1029)
Use map instead of generator (:pull:996)
Deprecate ._version (_Version, a NamedTuple) (:pull:995, :pull:1062)

</tr></table>

... (truncated)

Commits

• 3b77a26 Bump for release
• 31371cc docs: prepare for 26.0 final (#1063)
• 9627a88 perf: dual replace (#1064)
• d5398b8 fix: restore ._version as a compat shim (#1062)
• 3a7b600 Bump for development
• d4eefdc Bump for release
• 4618912 docs: prepare for 26.0rc3 (#1060)
• 0cf1b41 ci: test on first public release of CPythons (#1056)
• 716beb1 perf: 10% faster stripping zeros (#1058)
• 350a230 fix: support CPython 3.11.0-3.11.4 and older PyPy3.11 (#1055)
• Additional commits viewable in compare view

Updates scipy from 1.16.3 to 1.17.0

Release notes

Sourced from scipy's releases.

SciPy 1.17.0 Release Notes

SciPy 1.17.0 is the culmination of 6 months of hard work. It contains many new features, numerous bug-fixes, improved test coverage and better documentation. There have been a number of deprecations and API changes in this release, which are documented below. All users are encouraged to upgrade to this release, as there are a large number of bug-fixes and optimizations. Before upgrading, we recommend that users check that their own code does not use deprecated SciPy functionality (to do so, run your code with python -Wd and check for DeprecationWarning s). Our development attention will now shift to bug-fix releases on the 1.17.x branch, and on adding new features on the main branch.

This release requires Python 3.11-3.14 and NumPy 1.26.4 or greater.

Highlights of this release

• Many SciPy functions have gained native support for batching of N-dimensional array input and additional support for the array API standard. An overall summary of the latter is now available in a set of tables.
• In scipy.sparse, coo_array now supports indexing. This includes integers, slices, arrays, np.newaxis, Ellipsis, in 1D, 2D and the relatively new nD. In scipy.sparse.linalg, ARPACK and PROPACK rewrites from Fortran77 to C now empower the use of external pseudorandom number generators, e.g. from numpy.
• In scipy.spatial, transform.Rotation and transform.RigidTransform have been extended to support N-D arrays. geometric_slerp now has support for extrapolation.
• scipy.stats has gained the matrix t and logistic distributions and many performance and accuracy improvements.
• Initial support for 64-bit integer (ILP64) BLAS and LAPACK libraries has been added, including for MKL and Apple Accelerate. Please report any issues with ILP64 you encounter.

New features

scipy.integrate improvements

• The integration routines dopri5, dopri853, LSODA, vode, and zvode have been ported from Fortran77 to C.
• scipy.integrate.quad now has a fast path for returning 0 when the integration interval is empty.
• The BDF, DOP853, RK23, RK45, OdeSolver, DenseOutput, ode, and complex_ode classes now support subscription, making them generic types, for compatibility with scipy-stubs.

... (truncated)

Commits

• 8c75ae7 REL: 1.17.0 "final" release commit [wheel build]
• 9d7f110 Merge pull request #24298 from tylerjereddy/treddy_prep_1.17.0_final
• 94373b6 MAINT: test wheels [wheel build]
• 723f4e2 DOC: update 1.17.0 relnotes
• bf042f0 CI: ensure we use pinned scipy-openblas version also in ILP64 job
• 3e00a04 CI: fix issue with ILP64 job; point to fixed numpy/meson commit
• 39bceab BUG: stats: fix va_args memory corruption bug
• 8f56387 DOC: update 1.17.0 release notes
• c50e9c0 Merge pull request #24304 from ev-br/edit_relnotes_for_ILP64
• b204495 DOC: clarify ILP64 support caveats in the release notes, remove mentions of O...
• Additional commits viewable in compare view

Updates urllib3 from 2.6.2 to 2.6.3

Release notes

Sourced from urllib3's releases.

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by @​D47A, 8.9 High, GHSA-38jv-5279-wg99)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. (urllib3/urllib3#3743)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. (urllib3/urllib3#3752)

Changelog

Sourced from urllib3's changelog.

2.6.3 (2026-01-07)

• Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. ([#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743>__)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. ([#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752>__)

Commits

• 0248277 Release 2.6.3
• 8864ac4 Merge commit from fork
• 70cecb2 Fix Scorecard issues related to vulnerable dev dependencies (#3755)
• 41f249a Move "v2.0 Migration Guide" to the end of the table of contents (#3747)
• fd4dffd Patch VerifiedHTTPSConnection for Emscripten (#3752)
• 13f0bfd Handle massive values in Retry-After when calculating time to sleep for (#3743)
• 8c480bf Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#3748)
• 4b40616 Bump actions/cache from 4.3.0 to 5.0.1 (#3750)
• 82b8479 Bump actions/download-artifact from 6.0.0 to 7.0.0 (#3749)
• 34284cb Mention experimental features in the security policy (#3746)
• Additional commits viewable in compare view

Updates werkzeug from 3.1.4 to 3.1.5

Release notes

Sourced from werkzeug's releases.

3.1.5

This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.5/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-5 Milestone: https://github.com/pallets/werkzeug/milestone/43?closed=1

• safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. GHSA-87hc-h4r5-73f7
• The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. #3065 #3077
• Fix AttributeError when initializing DebuggedApplication with pin_security=False. #3075

Changelog

Sourced from werkzeug's changelog.

Version 3.1.5

Released 2026-01-08

• safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. :ghsa:87hc-h4r5-73f7
• The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. :issue:3065 :issue:3077
• Fix AttributeError when initializing DebuggedApplication with pin_security=False. :issue:3075

Commits

• e3d06f4 release version 3.1.5
• 7ae1d25 Merge commit from fork
• 37797ab safe_join prevents windows special device names with compound extensions
• 3db44c7 fix duplicate reference
• a40f8fa fix class name typo
• 0f76c35 Correct parsing up to a potential partial boundary (#3081)
• 1049dd6 Correct parsing up to a potential partial boundary
• b48878c initialize _pin in debugger (#3078)
• fa0f4f2 initialize _pin
• f637275 start version 3.1.5
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions