chore(deps): bump the pip group across 2 directories with 8 updates

[dependabot]

Bumps the pip group with 8 updates in the / directory:

Package	From	To
python-jose	3.3.0	3.4.0
python-multipart	0.0.20	0.0.26
cryptography	46.0.5	46.0.7
requests	2.32.5	2.33.0
marshmallow	4.0.1	4.1.2
python-dotenv	1.0.0	1.2.2
weasyprint	60.2	68.0
pytest	7.4.3	9.0.3

Bumps the pip group with 2 updates in the /backend directory: python-jose and cryptography.

Updates python-jose from 3.3.0 to 3.4.0

Release notes

Sourced from python-jose's releases.

3.4.0

News

• Remove support for Python 3.6 and 3.7
• Added support for Python 3.10 and 3.11

Bug fixes and Improvements

• Updating CryptographyAESKey::encrypt to generate 96 bit IVs for GCM block cipher mode
• Fix for PEM key comparisons caused by line lengths and new lines
• Fix for CVE-2024-33664 - JWE limited to 250KiB
• Fix for CVE-2024-33663 - signing JWT with public key is now forbidden
• Replace usage of deprecated datetime.utcnow() with datetime.now(UTC)

Housekeeping

• Updated Github Actions Workflows
• Updated to use tox 4.x
• Revise codecov integration
• Fixed DeprecationWarnings

Changelog

Sourced from python-jose's changelog.

3.4.0 -- 2025-02-14

News

• Remove support for Python 3.6 and 3.7
• Added support for Python 3.10 and 3.11

Bug fixes and Improvements

• Updating CryptographyAESKey::encrypt to generate 96 bit IVs for GCM block cipher mode
• Fix for PEM key comparisons caused by line lengths and new lines
• Fix for CVE-2024-33664 - JWE limited to 250KiB
• Fix for CVE-2024-33663 - signing JWT with public key is now forbidden
• Replace usage of deprecated datetime.utcnow() with datetime.now(UTC)

Housekeeping

• Updated Github Actions Workflows
• Updated to use tox 4.x
• Revise codecov integration
• Fixed DeprecationWarnings

Commits

• 82cd15f Added release date to CHANGELOG.md for 3.4.0 (#371)
• 4e01847 Prepare 3.4.0 release (#370)
• 0360fa3 Replace usage of deprecated datetime.utcnow() with datetime.now(UTC) (#360)
• 12f30c8 Fix for CVE-2024-33663 (forbid public key for HMAC) (#369)
• 638d047 Bump cryptography from 42.0.4 to 43.0.1 (#368)
• 8e1f521 Fix for CVE-2024-33664. JWE limited to 250K (#352)
• c9403b5 Bump cryptography from 41.0.3 to 42.0.4 (#358)
• 58e543e Bump cryptography from 39.0.1 to 41.0.3
• 50d1997 Disabling test build for Python 3.7 on OS X since arm64 is no longer supporte...
• 1967754 Adding get_pem_for_key and normalize_pem methods to normalize PEM formatt...
• Additional commits viewable in compare view

Updates python-multipart from 0.0.20 to 0.0.26

Release notes

Sourced from python-multipart's releases.

Version 0.0.26

What's Changed

• Skip preamble before first multipart boundary by @​Kludex in Kludex/python-multipart#262
• Silently discard epilogue data after the closing boundary by @​Kludex in Kludex/python-multipart#259

Full Changelog: Kludex/python-multipart@0.0.25...0.0.26

Version 0.0.25

What's Changed

• Apply Apache-2.0 properly by @​Kludex in Kludex/python-multipart#247
• Handle multipart headers case-insensitively by @​Kludex in Kludex/python-multipart#252
• Emit field_end for trailing bare field names on finalize by @​bysiber in Kludex/python-multipart#230
• Add UPLOAD_DELETE_TMP to FormParser config by @​Kludex in Kludex/python-multipart#254
• Remove custom FormParser classes by @​Kludex in Kludex/python-multipart#257
• Handle CTE values case-insensitively by @​Kludex in Kludex/python-multipart#258
• Add MIME content type info to File by @​jhnstrk in Kludex/python-multipart#143

Full Changelog: Kludex/python-multipart@0.0.24...0.0.25

Version 0.0.24

What's Changed

• Validate chunk_size in parse_form() by @​Kludex in Kludex/python-multipart#244

Full Changelog: Kludex/python-multipart@0.0.23...0.0.24

Version 0.0.23

What's Changed

• Remove unused trust_x_headers parameter and X-File-Name fallback by @​jhnstrk in Kludex/python-multipart#196
• Return processed length from QuerystringParser._internal_write by @​bysiber in Kludex/python-multipart#229
• Cleanup metadata dunders from __init__.py by @​Chesars in Kludex/python-multipart#227

New Contributors

• @​Chesars made their first contribution in Kludex/python-multipart#227
• @​bysiber made their first contribution in Kludex/python-multipart#229

Full Changelog: Kludex/python-multipart@0.0.22...0.0.23

Version 0.0.22

What's Changed

• Drop directory path from filename in File 9433f4b.

---

Full Changelog: Kludex/python-multipart@0.0.21...0.0.22

Version 0.0.21

What's Changed

... (truncated)

Changelog

Sourced from python-multipart's changelog.

0.0.26 (2026-04-10)

• Skip preamble before the first multipart boundary more efficiently #262.
• Silently discard epilogue data after the closing multipart boundary #259.

0.0.25 (2026-04-10)

• Add MIME content type info to File #143.
• Handle CTE values case-insensitively #258.
• Remove custom FormParser classes #257.
• Add UPLOAD_DELETE_TMP to FormParser config #254.
• Emit field_end for trailing bare field names on finalize #230.
• Handle multipart headers case-insensitively #252.
• Apply Apache-2.0 properly #247.

0.0.24 (2026-04-05)

• Validate chunk_size in parse_form() #244.

0.0.23 (2026-04-05)

• Remove unused trust_x_headers parameter and X-File-Name fallback #196.
• Return processed length from QuerystringParser._internal_write #229.
• Cleanup metadata dunders from __init__.py #227.

0.0.22 (2026-01-25)

• Drop directory path from filename in File 9433f4b.

0.0.21 (2025-12-17)

• Add support for Python 3.14 and drop EOL 3.8 and 3.9 #216.

Commits

• 28f4785 Version 0.0.26 (#263)
• d4452a7 Silently discard epilogue data after the closing boundary (#259)
• 6a7b76d Skip preamble before first multipart boundary (#262)
• 4addb60 Version 0.0.25 (#261)
• d3a4698 Add MIME content type info to File (#143)
• 9a1ecbd Handle CTE values case-insensitively (#258)
• ef2a0b9 Remove custom FormParser classes (#257)
• 3a757d7 Ignore local Claude state (#255)
• 55e7396 fuzz: Add cifuzz (#186)
• d6d1d11 Bump the github-actions group with 2 updates (#249)
• Additional commits viewable in compare view

Updates cryptography from 46.0.5 to 46.0.7

Changelog

Sourced from cryptography's changelog.

46.0.7 - 2026-04-07

* **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be
  passed to APIs that accept Python buffers, which could lead to buffer
  overflow. **CVE-2026-39892**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.
.. _v46-0-6:
46.0.6 - 2026-03-25

• SECURITY ISSUE: Fixed a bug where name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug, including those used by the Web PKI. Credit to Oleh Konko (1seal) for reporting the issue. CVE-2026-34073

.. _v46-0-5:

Commits

• 622d672 46.0.7 release (#14602)
• 91d7288 Cherry-pick #14542 (#14543)
• See full diff in compare view

Updates requests from 2.32.5 to 2.33.0

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

New Contributors

• @​M0d3v1 made their first contribution in psf/requests#6865
• @​aminvakil made their first contribution in psf/requests#7220
• @​E8Price made their first contribution in psf/requests#6960
• @​mitre88 made their first contribution in psf/requests#7244
• @​magsen made their first contribution in psf/requests#6553
• @​Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

Commits

• bc04dfd v2.33.0
• 66d21cb Merge commit from fork
• 8b9bc8f Move badges to top of README (#7293)
• e331a28 Remove unused extraction call (#7292)
• 753fd08 docs: fix FAQ grammar in httplib2 example
• 774a0b8 docs(socks): same block as other sections
• 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
• ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
• 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
• d568f47 docs: clarify Quickstart POST example (#6960)
• Additional commits viewable in compare view

Updates marshmallow from 4.0.1 to 4.1.2

Changelog

Sourced from marshmallow's changelog.

4.1.2 (2025-12-19)

Bug fixes:

• :cve:2025-68480: Merge error store messages without rebuilding collections. Thanks 카푸치노 for reporting and :user:deckar01 for the fix.

4.1.1 (2025-11-05)

Bug fixes:

• Ensure URL validator is case-insensitive when using custom schemes (:pr:2874). Thanks :user:T90REAL for the PR.

4.1.0 (2025-11-01)

Other changes:

• Add __len__ implementation to missing so that it can be used with validate.Length <marshmallow.validate.Length> (:pr:2861). Thanks :user:agentgodzilla for the PR.
• Drop support for Python 3.9 (:pr:2363).
• Test against Python 3.14 (:pr:2864).

Commits

• 692e79d Merge pull request #2876 from marshmallow-code/delint
• 045c5f6 [pre-commit.ci] auto fixes from pre-commit.com hooks
• 94c4d98 Delint
• d24a0c9 Merge commit from fork
• 1682640 Bump version and update changelog
• 36f8787 Only deep copy error message collections
• 70141f4 Add test coverage for error message modification
• 218d98a Merge error store messages without rebuilding collections
• 80f1110 Bump version and update changelog
• 10fe10b Merge pull request #2874 from T90REAL/fix_case_sensitivity
• Additional commits viewable in compare view

Updates python-dotenv from 1.0.0 to 1.2.2

Release notes

Sourced from python-dotenv's releases.

v1.2.2

Added

• Support for Python 3.14, including the free-threaded (3.14t) build. (#)

Changed

• The dotenv run command now forwards flags directly to the specified command by @​bbc2 in theskumar/python-dotenv#607
• Improved documentation clarity regarding override behavior and the reference page.
• Updated PyPy support to version 3.11.
• Documentation for FIFO file support.
• Support for Python 3.9.

Fixed

• Improved set_key and unset_key behavior when interacting with symlinks by @​bbc2 in #790c5
• Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by @​JYOuyang in theskumar/python-dotenv#590

Breaking Changes

• dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

• In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

• dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

Misc

• skip 000 permission tests for root user by @​burnout-projects in theskumar/python-dotenv#561
• Bump actions/checkout from 5 to 6 in the github-actions group by @​dependabot[bot] in theskumar/python-dotenv#593
• Add Windows testing to CI by @​bbc2 in theskumar/python-dotenv#604
• Improve workflow efficiency with best practices by @​theskumar in theskumar/python-dotenv#609
• Remove the use of sh in tests by @​bbc2 in theskumar/python-dotenv#612

New Contributors

• @​JYOuyang made their first contribution in theskumar/python-dotenv#590
• @​burnout-projects made their first contribution in theskumar/python-dotenv#561
• @​cpackham-atlnz made their first contribution in theskumar/python-dotenv#597

Full Changelog: theskumar/python-dotenv@v1.2.1...v1.2.2

v1.2.1

What's Changed

... (truncated)

Changelog

Sourced from python-dotenv's changelog.

[1.2.2] - 2026-03-01

Added

• Support for Python 3.14, including the free-threaded (3.14t) build. (#588)

Changed

• The dotenv run command now forwards flags directly to the specified command by [@​bbc2] in #607
• Improved documentation clarity regarding override behavior and the reference page.
• Updated PyPy support to version 3.11.
• Documentation for FIFO file support.
• Dropped Support for Python 3.9.

Fixed

• Improved set_key and unset_key behavior when interacting with symlinks by [@​bbc2] in [790c5c0]
• Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by [@​JYOuyang] in #590

Breaking Changes

• dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

• In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

• dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

[1.2.1] - 2025-10-26

• Move more config to pyproject.toml, removed setup.cfg
• Add support for reading .env from FIFOs (Unix) by [@​sidharth-sudhir] in #586

[1.2.0] - 2025-10-26

• Upgrade build system to use PEP 517 & PEP 518 to use build and pyproject.toml by [@​EpicWink] in #583
• Add support for Python 3.14 by [@​23f3001135] in #579
• Add support for disabling of load_dotenv() using PYTHON_DOTENV_DISABLED env var. by [@​matthewfranglen] in #569

[1.1.1] - 2025-06-24

Fixed

• CLI: Ensure find_dotenv work reliably on python 3.13 by [@​theskumar] in #563

... (truncated)

Commits

• 36004e0 Bump version: 1.2.1 → 1.2.2
• eb20252 docs: update changelog for v1.2.2
• 790c5c0 Merge commit from fork
• 43340da Remove the use of sh in tests (#612)
• 09d7cee docs: clarify override behavior and document FIFO support (#610)
• c8de288 ci: improve workflow efficiency with best practices (#609)
• 7bd9e3d Add Windows testing to CI (#604)
• 1baaf04 Drop Python 3.9 support and update to PyPy 3.11 (#608)
• 4a22cf8 ci: enable testing on Python 3.14t (free-threaded) (#588)
• e2e8e77 Fix license specifier (#597)
• Additional commits viewable in compare view

Updates weasyprint from 60.2 to 68.0

Release notes

Sourced from weasyprint's releases.

v68.0

This is a security update (CVE-2025-68616).

We strongly recommend to upgrade WeasyPrint to the latest version if you use the default_url_fetcher function in your custom URL fetcher, or if you use the allowed_protocols parameter of the default_url_fetcher function.

Read about this release on our blog.

Security

• Always use URL fetcher for HTTP redirects

Python API

• default_url_fetcher() is deprecated, use the new URLFetcher class instead, see URL Fetchers for more information about URL fetchers
• DocumentMetadata.generate_rdf_metadata is now a method that can be overridden instead of a parameter, see Factur-X / ZUGFeRD (Electronic Invoices) for examples to create e-invoices

Features

• #2609, #2603, #351: Refactor URL fetcher API
• #2632: Support legacy 0 value for angles
• #2627: Add font-face support to SVG
• #2646, #2255: Add font shorthand support for SVG text elements
• #2590, #1749: Honor language-specific rules for text-transform
• #2645, #2613: Improve SVG and SVG emojis rendering
• #2658, #2583: Add CLI for Factur-X / ZUGFeRD e-invoices

Bug fixes

• #2649: Refactor URL fetcher API
• #2643, #2628: Handle box-sizing: border-box in grid layout
• #2641, #1875: Process whitespace after checking all pending targets
• #2488, #2485: Preserve page groups during layout repagination
• #2642, #2631: Don’t use isolated transparency groups
• #2637: Fix repeating radial gradients rendering
• #2622: Fix validation of colors
• #2626: Share grid items rendering advancement between a box and its copies
• #2621: Correctly handle fallback values of attr()
• #2619: Fix SVG fonts
• #2629: Always define extra skip height that may be used after
• #2648: Fix numbers validation in font-feature-settings
• #2648: Fix keyword values for text-decoration-thickness
• #2661: Respect inline images when defining minimum table width

Documentation

• #2638: Update Python command for Windows installation steps

Contributors

• Guillaume Ayoub

... (truncated)

Changelog

Sourced from weasyprint's changelog.

Version 68.0

Released on 2026-01-19.

This is a security update (CVE-2025-68616).

We strongly recommend to upgrade WeasyPrint to the latest version if you use the default_url_fetcher function in your custom URL fetcher, or if you use the allowed_protocols parameter of the default_url_fetcher function.

Security:

• Always use URL fetcher for HTTP redirects

Python API:

• default_url_fetcher() is deprecated, use the new URLFetcher class instead, see :ref:URL Fetchers for more information about URL fetchers
• DocumentMetadata.generate_rdf_metadata is now a method that can be overridden instead of a parameter, see :ref:Factur-X / ZUGFeRD (Electronic Invoices) for examples to create e-invoices

Features:

• [#2609](https://github.com/Kozea/WeasyPrint/issues/2609) <https://github.com/Kozea/WeasyPrint/pull/2609>, [#2603](https://github.com/Kozea/WeasyPrint/issues/2603) <https://github.com/Kozea/WeasyPrint/issues/2603>, [#351](https://github.com/Kozea/WeasyPrint/issues/351) <https://github.com/Kozea/WeasyPrint/issues/351>_: Refactor URL fetcher API
• [#2632](https://github.com/Kozea/WeasyPrint/issues/2632) <https://github.com/Kozea/WeasyPrint/pull/2632>_: Support legacy 0 value for angles
• [#2627](https://github.com/Kozea/WeasyPrint/issues/2627) <https://github.com/Kozea/WeasyPrint/pull/2627>_: Add font-face support to SVG
• [#2646](https://github.com/Kozea/WeasyPrint/issues/2646) <https://github.com/Kozea/WeasyPrint/pull/2646>, [#2255](https://github.com/Kozea/WeasyPrint/issues/2255) <https://github.com/Kozea/WeasyPrint/issues/2255>: Add font shorthand support for SVG text elements
• [#2590](https://github.com/Kozea/WeasyPrint/issues/2590) <https://github.com/Kozea/WeasyPrint/pull/2590>, [#1749](https://github.com/Kozea/WeasyPrint/issues/1749) <https://github.com/Kozea/WeasyPrint/issues/1749>: Honor language-specific rules for text-transform
• [#2645](https://github.com/Kozea/WeasyPrint/issues/2645) <https://github.com/Kozea/WeasyPrint/pull/2645>, [#2613](https://github.com/Kozea/WeasyPrint/issues/2613) <https://github.com/Kozea/WeasyPrint/issues/2613>: Improve SVG and SVG emojis rendering
• [#2658](https://github.com/Kozea/WeasyPrint/issues/2658) <https://github.com/Kozea/WeasyPrint/pull/2658>, [#2583](https://github.com/Kozea/WeasyPrint/issues/2583) <https://github.com/Kozea/WeasyPrint/issues/2583>: Add CLI for Factur-X / ZUGFeRD e-invoices

Bug fixes:

• [#2649](https://github.com/Kozea/WeasyPrint/issues/2649) <https://github.com/Kozea/WeasyPrint/issues/2649>_: Refactor URL fetcher API

... (truncated)

Commits

• e9352be Version 68.0
• b6a14f0 Merge remote-tracking branch 'security/filter-redirections'
• 1140eba Update changelog for version 68.0
• 52c02a6 Update changelog
• de248a5 Merge pull request #2645 from Kozea/faster-svg-emojis
• fb046b2 Merge pull request #2658 from Kozea/factur-x-cli
• 8c899a9 Follow parent’s white-space value when breaking before replaced box
• afe532b Fix default media type CLI value
• 9546e6e Update changelog
• 1d012f3 Fix keyword values for text-decoration-thickness
• Additional commits viewable in compare view

Updates pytest from 7.4.3 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

• #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

  -- by aleguy02

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

• #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

  You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

  Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

• #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

• #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

... (truncated)

Commits

• a7d58d7 Prepare release version 9.0.3
• 089d981 Merge pull request #14366 from bluetech/revert-14193-backport
• 8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
• 99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
• ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
• 74eac69 doc: Update training info (#14298) (#14301)
• f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
• 7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
• 37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
• c34bfa3 Add explanation for string context diffs (#14257) (#14266)
• Additional commits viewable in compare view

Updates python-jose from 3.3.0 to 3.4.0

Release notes

Sourced from python-jose's releases.

3.4.0

News

• Remove support for Python 3.6 and 3.7
• Added support for Python 3.10 and 3.11

Bug fixes and Improvements

• Updating CryptographyAESKey::encrypt to generate 96 bit IVs for GCM block cipher mode
• Fix for PEM key comparisons caused by line lengths and new lines
• Fix for CVE-2024-33664 - JWE limited to 250KiB
• Fix for CVE-2024-33663 - signing JWT with public key is now forbidden
• Replace usage of deprecated datetime.utcnow() with datetime.now(UTC)

Housekeeping

• Updated Github Actions Workflows
• Updated to use tox 4.x
• Revise codecov integration
• Fixed DeprecationWarnings

Changelog

Sourced from python-jose's changelog.

3.4.0 -- 2025-02-14

News

• Remove support for Python 3.6 and 3.7
• Added support for Python 3.10 and 3.11

Bug fixes and Improvements

• Updating CryptographyAESKey::encrypt to generate 96 bit IVs for GCM block cipher mode
• Fix for PEM key comparisons caused by line lengths and new lines
• Fix for CVE-2024-33664 - JWE limited to 250KiB
• Fix for CVE-2024-33663 - signing JWT with public key is now forbidden
• Replace usage of deprecated datetime.utcnow() with datetime.now(UTC)

Housekeeping

• Updated Github Actions Workflows
• Updated to use tox 4.x
• Revise codecov integration
• Fixed DeprecationWarnings

Commits

• 82cd15f Added release date to CHANGELOG.md for 3.4.0 (#371)
• 4e01847 Prepare 3.4.0 release (#370)
• 0360fa3 Replace usage of deprecated datetime.utcnow() with datetime.now(UTC) (#360)
• 12f30c8 Fix for CVE-2024-33663 (forbid public key for HMAC) (#369)
• 638d047 Bump cryptography from 42.0.4 to 43.0.1 (#368)
• 8e1f521 Fix for CVE-2024-33664. JWE limited to 250K (#352)
• c9403b5 Bump cryptography from 41.0.3 to 42.0.4 (#358)
• 58e543e Bump cryptography from 39.0.1 to 41.0.3
• 50d1997 Disabling test build for Python 3.7 on OS X since arm64 is no longer supporte...
• 1967754 Adding get_pem_for_key and normalize_pem methods to normalize PEM formatt...
• Additional commits viewable in compare view

Updates cryptography from 46.0.5 to 46.0.7

Changelog

Sourced from cryptography's changelog.

46.0.7 - 2026-04-07

* **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be
  passed to APIs that accept Python buffers, which could lead to buffer
  overflow. **CVE-2026-39892**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.
.. _v46-0-6:
46.0.6 - 2026-03-25

• SECURITY ISSUE: Fixed a bug where name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug, including those used by the Web PKI. Credit to Oleh Konko (1seal) for reporting the issue. CVE-2026-34073

.. _v46-0-5:

Commits

• 622d672 46.0.7 release (#14602)
• 91d7288 Cherry-pick #14542 (#14543)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.