chore(deps): bump the pip group across 5 directories with 6 updates

Closed

Number: #2
Type: Pull Request
State: Closed

Author:

dependabot[bot]
Association: Unknown
Comments: 1

Created: February 10, 2026 at 11:40 PM UTC
(4 months ago)

Updated: February 20, 2026 at 10:49 PM UTC
(4 months ago)

Closed: February 20, 2026 at 10:49 PM UTC
(4 months ago)

Time to Close: 10 days

Labels:
dependencies python

Description:

Bumps the pip group with 6 updates in the / directory:

Package	From	To
requests	`2.20.1`	`2.32.4`
flask	`1.0.4`	`2.2.5`
gunicorn	`19.9.0`	`22.0.0`
cryptography	`41.0.2`	`46.0.5`
pymysql	`0.9.2`	`1.1.1`
pymongo	`3.7.2`	`4.6.3`

Bumps the pip group with 2 updates in the /authenticating-users directory: requests and cryptography.
Bumps the pip group with 1 update in the /bookshelf directory: gunicorn.
Bumps the pip group with 1 update in the /gce directory: gunicorn.
Bumps the pip group with 5 updates in the /optional-kubernetes-engine directory:

Package	From	To
requests	`2.20.1`	`2.32.4`
flask	`1.0.4`	`2.2.5`
gunicorn	`19.9.0`	`22.0.0`
pymysql	`0.9.2`	`1.1.1`
pymongo	`3.7.2`	`4.6.3`

Updates requests from 2.20.1 to 2.32.4

Release notes

Sourced from requests's releases.

v2.32.4

2.32.4 (2025-06-10)

Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS. (#6926)

Dropped support for pypy 3.9 following its end of support. (#6926)

v2.32.3

2.32.3 (2024-05-29)

Bugfixes

Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)

Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

v2.32.2

2.32.2 (2024-05-21)

Deprecations

To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

... (truncated)

Changelog

Sourced from requests's changelog.

2.32.4 (2025-06-10)

Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS.

Dropped support for pypy 3.9 following its end of support.

2.32.3 (2024-05-29)

Bugfixes

Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)

Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

2.32.2 (2024-05-21)

Deprecations

To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

... (truncated)

Commits

021dc72 Polish up release tooling for last manual release
821770e Bump version and add release notes for v2.32.4
59f8aa2 Add netrc file search information to authentication documentation (#6876)
5b4b64c Add more tests to prevent regression of CVE 2024 47081
7bc4587 Add new test to check netrc auth leak (#6962)
96ba401 Only use hostname to do netrc lookup instead of netloc
7341690 Merge pull request #6951 from tswast/patch-1
6716d7c remove links
a7e1c74 Update docs/conf.py
c799b81 docs: fix dead links to kenreitz.org
Additional commits viewable in compare view

Updates flask from 1.0.4 to 2.2.5

Release notes

Sourced from flask's releases.

2.2.5

This is a security fix release for the 2.2.x release branch. Note that 2.3.x is the currently supported release branch; please upgrade to the latest version if possible.

Security advisory: https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq, CVE-2023-30861

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-5

Milestone: https://github.com/pallets/flask/milestone/30?closed=1

2.2.4

This is a fix release for the 2.2.x release branch.

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-4

Milestone: https://github.com/pallets/flask/milestone/27?closed=1

2.2.3

This is a fix release for the 2.2.x release branch.

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-3

Milestone: https://github.com/pallets/flask/milestone/26?closed=1

2.2.2

This is a fix release for the 2.2.0 feature release.

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-2

Milestone: https://github.com/pallets/flask/milestone/25?closed=1

2.2.1

This is a fix release for the 2.2.0 feature release.

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-1

Milestone: https://github.com/pallets/flask/milestone/23?closed=1

2.2.0

This is a feature release, which includes new features and removes previously deprecated code. The 2.2.x branch is now the supported bug fix branch, the 2.1.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades.

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-0

Milestone: https://github.com/pallets/flask/milestone/19?closed=1

2.1.3

Changes: https://flask.palletsprojects.com/en/2.1.x/changes/#version-2-1-3

Milestone: https://github.com/pallets/flask/milestone/22?closed=1

2.1.2

This is a fix release for the 2.1.0 feature release.

Changes: https://flask.palletsprojects.com/en/2.1.x/changes/#version-2-1-2

Milestone: https://github.com/pallets/flask/milestone/21?closed=1

2.1.1

This is a fix release for the 2.1.0 feature release.

... (truncated)

Changelog

Sourced from flask's changelog.

Version 2.2.5

Released 2023-05-02

Update for compatibility with Werkzeug 2.3.3.

Set Vary: Cookie header when the session is accessed, modified, or refreshed.

Version 2.2.4

Released 2023-04-25

Update for compatibility with Werkzeug 2.3.

Version 2.2.3

Released 2023-02-15

Autoescape is enabled by default for .svg template files. :issue:4831

Fix the type of template_folder to accept pathlib.Path. :issue:4892

Add --debug option to the flask run command. :issue:4777

Version 2.2.2

Released 2022-08-08

Update Werkzeug dependency to >= 2.2.2. This includes fixes related to the new faster router, header parsing, and the development server. :pr:4754

Fix the default value for app.env to be "production". This attribute remains deprecated. :issue:4740

Version 2.2.1

Released 2022-08-03

Setting or accessing json_encoder or json_decoder raises a deprecation warning. :issue:4732

Version 2.2.0

... (truncated)

Commits

47af817 release version 2.2.5
afd63b1 Merge pull request #5109 from pallets/backport-vary-cookie
8646edc set Vary: Cookie header consistently for session
a6367da Merge pull request #5108 from pallets/werkzeug-compat
3fbfbad werkzeug 2.3.3 compatibility
726d3f4 start version 2.2.5
ddc7acc Merge pull request #5081 from pallets/release-2.2.4
74e0329 release version 2.2.4
2d46068 update dev env
64bc458 update dev dependencies
Additional commits viewable in compare view

Updates gunicorn from 19.9.0 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

fix CVE-2024-1135

Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle .
</tr></table>

... (truncated)

Commits

f63d59e bump to 22.0
4ac81e0 Merge pull request #3175 from e-kwsm/typo
401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
0243ec3 fix(deps): exclude eventlet 0.36.0
628a0bc chore: fix typos
88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
deae2fc CI: back off the agressive timeout
f470382 docs: promise 3.12 compat
5e30bfa add changelog to project.urls (updated for PEP621)
481c3f9 remove setup.cfg - overridden by pyproject.toml
Additional commits viewable in compare view

Updates cryptography from 41.0.2 to 46.0.5

Changelog

Sourced from cryptography's changelog.

46.0.5 - 2026-02-10


* An attacker could create a malicious public key that reveals portions of your
  private key when using certain uncommon elliptic curves (binary curves).
  This version now includes additional security checks to prevent this attack.
  This issue only affects binary elliptic curves, which are rarely used in
  real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
  Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
  **CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
  removed in the next release.
.. v46-0-4:
46.0.4 - 2026-01-27

Dropped support for win_arm64 wheels_.
Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

.. _v46-0-3:

46.0.3 - 2025-10-15

* Fixed compilation when using LibreSSL 4.2.0. .. _v46-0-2:

46.0.2 - 2025-09-30

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.4.

.. _v46-0-1:

46.0.1 - 2025-09-16

* Fixed an issue where users installing via ``pip`` on Python 3.14 development versions would not properly install a dependency. * Fixed an issue building the free-threaded macOS 3.14 wheels. .. _v46-0-0:

46.0.0 - 2025-09-16

BACKWARDS INCOMPATIBLE: Support for Python 3.7 has been removed.

... (truncated)

Commits

06e120e bump version for 46.0.5 release (#14289)
0eebb9d EC check key on cofactor > 1 (#14287)
bedf6e1 fix openssl version on 46 branch (#14220)
e6f44fc bump for 46.0.4 and drop win arm64 due to CI issues (#14217)
c0af4dd release 46.0.3 (#13681)
99efe5a bump version for 46.0.2 (#13531)
e735cfc release 46.0.1 (#13450)
4e457ff Explicitly specify python in mac uv build invocation (#13447)
2726efd Depend on CFFI 2.0.0 or newer on Python > 3.8 (#13448)
6223062 release 46.0.0 (#13446)
Additional commits viewable in compare view

Updates pymysql from 0.9.2 to 1.1.1

Release notes

Sourced from pymysql's releases.

v1.1.1

[!WARNING] This release fixes a vulnerability (CVE-2024-36039). All users are recommended to update to this version.

If you can not update soon, check the input value from untrusted source has an expected type. Only dict input from untrusted source can be an attack vector.

What's Changed

Prohibit dict parameter for Cursor.execute(). It didn't produce valid SQL and might cause SQL injection. (CVE-2024-36039)

Added ssl_key_password param by @svaskov in PyMySQL/PyMySQL#1145

Merged PRs

Add support for Python 3.12 by @hugovk in PyMySQL/PyMySQL#1134

chore(deps): update actions/checkout action to v4 by @renovate in PyMySQL/PyMySQL#1136

Update codecov/codecov-action action to v4 by @renovate in PyMySQL/PyMySQL#1137

ci: use codecov@v3 by @methane in PyMySQL/PyMySQL#1142

chore(deps): update dessant/lock-threads action to v5 by @renovate in PyMySQL/PyMySQL#1141

doc: use rtd theme by @methane in PyMySQL/PyMySQL#1143

use Ruff as formatter by @methane in PyMySQL/PyMySQL#1144

chore(deps): update dependency sphinx-rtd-theme to v2 by @renovate in PyMySQL/PyMySQL#1147

chore(deps): update actions/setup-python action to v5 by @renovate in PyMySQL/PyMySQL#1152

chore(deps): update github/codeql-action action to v3 by @renovate in PyMySQL/PyMySQL#1154

chore(deps): update codecov/codecov-action action to v4 by @renovate in PyMySQL/PyMySQL#1158

Support error packet without sqlstate by @methane in PyMySQL/PyMySQL#1160

test json - mariadb without JSON type by @grooverdan in PyMySQL/PyMySQL#1165

New Contributors

@hugovk made their first contribution in PyMySQL/PyMySQL#1134

@svaskov made their first contribution in PyMySQL/PyMySQL#1145

Full Changelog: https://github.com/PyMySQL/PyMySQL/compare/v1.1.0...v1.1.1

v1.1.0

What's Changed

Remove redundant wheel dep from pyproject.toml by @mgorny in PyMySQL/PyMySQL#1099

ci: Fix black options by @methane in PyMySQL/PyMySQL#1109

Remove unused function by @methane in PyMySQL/PyMySQL#1108

Expose Cursor.warning_count by @Nothing4You in PyMySQL/PyMySQL#1056

Add constants and tests related to query timeouts by @Nothing4You in PyMySQL/PyMySQL#1033

Fix SSCursor raising query timeout error on wrong query on MySQL DB by @Nothing4You in PyMySQL/PyMySQL#1035

Make Cursor an iterator by @sanchezg in PyMySQL/PyMySQL#995

ci: Update CodeQL workflow by @methane in PyMySQL/PyMySQL#1110

Use Ruff instead of flake8 by @methane in PyMySQL/PyMySQL#1112

Use Codecov instead of coveralls. by @methane in PyMySQL/PyMySQL#1113

optionfile: Replace _ with - by @methane in PyMySQL/PyMySQL#1114

Cursor.fetchall() always return list. by @methane in PyMySQL/PyMySQL#1115

... (truncated)

Changelog

Sourced from pymysql's changelog.

v1.1.1

Release date: 2024-05-21

[!WARNING] This release fixes a vulnerability (CVE-2024-36039). All users are recommended to update to this version.

If you can not update soon, check the input value from untrusted source has an expected type. Only dict input from untrusted source can be an attack vector.

Prohibit dict parameter for Cursor.execute(). It didn't produce valid SQL and might cause SQL injection. (CVE-2024-36039)

Added ssl_key_password param. #1145

v1.1.0

Release date: 2023-06-26

Fixed SSCursor raising OperationalError for query timeouts on wrong statement (#1032)

Exposed Cursor.warning_count to check for warnings without additional query (#1056)

Make Cursor iterator (#995)

Support '_' in key name in my.cnf (#1114)

Cursor.fetchall() returns empty list instead of tuple (#1115). Note that Cursor.fetchmany() still return empty tuple after reading all rows for compatibility with Django.

Deprecate Error classes in Cursor class (#1117)

Add Connection.set_character_set(charset, collation=None). This method is compatible with mysqlclient. (#1119)

Deprecate Connection.set_charset(charset) (#1119)

New connection always send "SET NAMES charset [COLLATE collation]" query. (#1119) Since collation table is vary on MySQL server versions, collation in handshake is fragile.

Support charset="utf8mb3" option (#1127)

v1.0.3

Release date: 2023-03-28

Dropped support of end of life MySQL version 5.6

Dropped support of end of life MariaDB versions below 10.3

Dropped support of end of life Python version 3.6

Removed _last_executed because of duplication with _executed by @rajat315315 in PyMySQL/PyMySQL#948

Fix generating authentication response with long strings by @netch80 in PyMySQL/PyMySQL#988

update pymysql.constants.CR by @Nothing4You in PyMySQL/PyMySQL#1029

Document that the ssl connection parameter can be an SSLContext by @cakemanny in PyMySQL/PyMySQL#1045

Raise ProgrammingError on -np.inf in addition to np.inf by @cdcadman in PyMySQL/PyMySQL#1067

Use Python 3.11 release instead of -dev in tests by @Nothing4You in PyMySQL/PyMySQL#1076

v1.0.2

... (truncated)

Commits

2cab9ec v1.1.1
521e400 forbid dict parameter
7f032a6 remove coveralls from requirements
69f6c74 ruff format
b4ed688 test json - mariadb without JSON type (#1165)
bbd049f Support error packet without sqlstate (#1160)
9694747 pyupgrade
1f0b785 chore(deps): update codecov/codecov-action action to v4 (#1158)
1e28be8 chore(deps): update github/codeql-action action to v3 (#1154)
f13f054 chore(deps): update actions/setup-python action to v5 (#1152)
Additional commits viewable in compare view

Updates pymongo from 3.7.2 to 4.6.3

Release notes

Sourced from pymongo's releases.

PyMongo 4.6.3

Community notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-3-release-for-cve-2024-5629/284348

PyMongo 4.6.2

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-2-released/267404

PyMongo 4.6.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-1-released/255752

PyMongo 4.6.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-0-released/251866

PyMongo 4.5.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-5-0-released/240662

PyMongo 4.4.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-1-released/235045

PyMongo 4.4.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-released/232211

PyMongo 4.4.0b0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-0b0-release/210471

PyMongo 4.3.3

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-3-3-release/200145

PyMongo 4.3.2

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-3-2-released/194266

PyMongo 4.2.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-2-0-released/176012

PyMongo 4.2.0b0

Release notes: https://www.mongodb.com/community/forums/t/python-driver-4-2-0-beta-available/168488

PyMongo 4.1.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-1-1-released/157895

PyMongo 4.1.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-1-0-released/156029

PyMongo 4.0.2

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-0-2-released/150457

PyMongo 4.0.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-0-1-released/135979

PyMongo 4.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-0-released/134677

... (truncated)

Changelog

Sourced from pymongo's changelog.

Changes in Version 4.6.3 (2024/03/27)

PyMongo 4.6.3 fixes the following bug:

Fixed a potential memory access violation when decoding invalid bson.

Issues Resolved ...............

See the PyMongo 4.6.3 release notes in JIRA_ for the list of resolved issues in this release.

.. _PyMongo 4.6.3 release notes in JIRA: https://jira.mongodb.org/secure/ReleaseNote.jspa?projectId=10004&version=38360

Changes in Version 4.6.2 (2024/02/21)

PyMongo 4.6.2 fixes the following bug:

Fixed a bug appearing in Python 3.12 where "RuntimeError: can't create new thread at interpreter shutdown" could be written to stderr when a MongoClient's thread starts as the python interpreter is shutting down.

Issues Resolved ...............

See the PyMongo 4.6.2 release notes in JIRA_ for the list of resolved issues in this release.

.. _PyMongo 4.6.2 release notes in JIRA: https://jira.mongodb.org/secure/ReleaseNote.jspa?projectId=10004&version=37906

Changes in Version 4.6.1 (2023/11/29)

PyMongo 4.6.1 fixes the following bug:

Ensure retryable read OperationFailure errors re-raise exception when 0 or NoneType error code is provided.

Issues Resolved ...............

See the PyMongo 4.6.1 release notes in JIRA_ for the list of resolved issues in this release.

.. _PyMongo 4.6.1 release notes in JIRA: https://jira.mongodb.org/secure/ReleaseNote.jspa?projectId=10004&version=37138

Changes in Version 4.6.0 (2023/11/01)

PyMongo 4.6 brings a number of improvements including:

... (truncated)

Commits

8da192f BUMP 4.6.3
56b6b6d PYTHON-4305 Fix bson size check (#1564)
449d0f3 BUMP to 4.6.3.dev0
e04576d DEVPROD-3871 Use teardown_task when there is one function/command (#1533)
cf1c6a1 PYTHON-4219 Prep for 4.6.2 Release (#1530)
d29b2b7 PYTHON-4147 [v4.6]: Silence noisy thread.start() RuntimeError at shutdown (#1...
0477b9b PYTHON-4077 [v4.6]: Ensure there is a MacOS wheel for Python 3.7 (#1527)
ecad17d BUMP 4.6.2.dev0
485e0a5 BUMP 4.6.1
995365c PYTHON-4038 [v4.6]: Ensure retryable read OperationFailures re-raise except...
Additional commits viewable in compare view

Updates requests from 2.31.0 to 2.32.4

Release notes

Sourced from requests's releases.

v2.32.4

2.32.4 (2025-06-10)

Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS. (#6926)

Dropped support for pypy 3.9 following its end of support. (#6926)

v2.32.3

2.32.3 (2024-05-29)

Bugfixes

Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)

Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

v2.32.2

2.32.2 (2024-05-21)

Deprecations

To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

... (truncated)

Changelog

Sourced from requests's changelog.

2.32.4 (2025-06-10)

Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS.

Dropped support for pypy 3.9 following its end of support.

2.32.3 (2024-05-29)

Bugfixes

Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)

Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

2.32.2 (2024-05-21)

Deprecations

To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

... (truncated)

Commits

021dc72 Polish up release tooling for last manual release
821770e Bump version and add release notes for v2.32.4
59f8aa2 Add netrc file search information to authentication documentation (#6876)
5b4b64c Add more tests to prevent regression of CVE 2024 47081
7bc4587 Add new test to check netrc auth leak (#6962)
96ba401 Only use hostname to do netrc lookup instead of netloc
7341690 Merge pull request #6951 from tswast/patch-1
6716d7c remove links
a7e1c74 Update docs/conf.py
c799b81 docs: fix dead links to kenreitz.org
Additional commits viewable in compare view

Updates cryptography from 41.0.2 to 46.0.5

Changelog

Sourced from cryptography's changelog.

46.0.5 - 2026-02-10


* An attacker could create a malicious public key that reveals portions of your
  private key when using certain uncommon elliptic curves (binary curves).
  This version now includes additional security checks to prevent this attack.
  This issue only affects binary elliptic curves, which are rarely used in
  real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
  Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
  **CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
  removed in the next release.
.. v46-0-4:
46.0.4 - 2026-01-27

Dropped support for win_arm64 wheels_.
Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

.. _v46-0-3:

46.0.3 - 2025-10-15

* Fixed compilation when using LibreSSL 4.2.0. .. _v46-0-2:

46.0.2 - 2025-09-30

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.4.

.. _v46-0-1:

46.0.1 - 2025-09-16

46.0.0 - 2025-09-16

BACKWARDS INCOMPATIBLE: Support for Python 3.7 has been removed.

... (truncated)

Commits

06e120e bump version for 46.0.5 release (#14289)
0eebb9d EC check key on cofactor > 1 (#14287)
bedf6e1 fix openssl version on 46 branch (#14220)
e6f44fc bump for 46.0.4 and drop win arm64 due to CI issues (#14217)
c0af4dd release 46.0.3 (#13681)
99efe5a bump version for 46.0.2 (#13531)
e735cfc release 46.0.1 (#13450)
4e457ff Explicitly specify python in mac uv build invocation (#13447)
2726efd Depend on CFFI 2.0.0 or newer on Python > 3.8 (#13448)
6223062 release 46.0.0 (#13446)
Additional commits viewable in compare view

Updates gunicorn from 20.1.0 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

fix CVE-2024-1135

Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle .
</tr></table>

... (truncated)

Commits

f63d59e bump to 22.0
4ac81e0 Merge pull request #3175 from e-kwsm/typo
401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
0243ec3 fix(deps): exclude eventlet 0.36.0
628a0bc chore: fix typos
88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
deae2fc CI: back off the agressive timeout
f470382 docs: promise 3.12 compat
5e30bfa add changelog to project.urls (updated for PEP621)
481c3f9 remove setup.cfg - overridden by pyproject.toml
Additional commits viewable in compare view

Updates gunicorn from 20.1.0 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)Description has been truncated



      

      
        
          
            
              
              Package Dependencies
            
          
          
              
                
                  
                    Package:

                    
                      gunicorn
                  
                  
                  
                    Ecosystem:

                    pip
                  
                  
                    
                      Version Change:

                      19.9.0 → 22.0.0
                    
                  
                    
                      Update Type:

                      
                        Major
                      
                    
                  
                
              
              
                
                  
                    Package:

                    
                      flask
                  
                  
                  
                    Ecosystem:

                    pip
                  
                  
                    
                      Version Change:

                      1.0.4 → 2.2.5
                    
                  
                    
                      Update Type:

                      
                        Major
                      
                    
                  
                
              
              
                
                  
                    Package:

                    
                      pymongo
                  
                  
                  
                    Ecosystem:

                    pip
                  
                  
                    
                      Version Change:

                      3.7.2 → 4.6.3
                    
                  
                    
                      Update Type:

                      
                        Major
                      
                    
                  
                
              
              
                
                  
                    Package:

                    
                      cryptography
                  
                  
                  
                    Ecosystem:

                    pip
                  
                  
                    
                      Version Change:

                      41.0.2 → 46.0.5
                    
                  
                    
                      Update Type:

                      
                        Major
                      
                    
                  
                
              
              
                
                  
                    Package:

                    
                      requests
                  
                  
                  
                    Ecosystem:

                    pip
                  
                  
                    
                      Version Change:

                      2.20.1 → 2.32.4
                    
                  
                    
                      Update Type:

                      
                        Minor
                      
                    
                  
                
              
              
                
                  
                    Package:

                    
                      pymysql
                  
                  
                  
                    Ecosystem:

                    pip
                  
                  
                    
                      Version Change:

                      0.9.2 → 1.1.1
                    
                  
                    
                      Update Type:

                      
                        Major
                      
                    
                  
                
              
          
        

      
        
          
            
              
              Security Advisories
            
          
          
              
                
                  
                    
                      PyMySQL SQL Injection vulnerability
                      
                      
                          GHSA-v9hf-5j83-6xpp
                          CVE-2024-36039
                        
                          
                            CRITICAL
                          
                      
                      
                        
                          PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by `escape_dict`.
                        
                    
                  
                
              
                
                  
                    
                      Requests `Session` object does not verify requests after making first request with verify=False
                      
                      
                          GHSA-9wx4-h78v-vm56
                          CVE-2024-35195
                        
                          
                            MODERATE
                          
                      
                      
                        
                          When using a `requests.Session`, if the first request to a given origin is made with `verify=False`, TLS certificate verification may remain disabled for all subsequent requests to that origin, eve...
                        
                    
                  
                
              
                
                  
                    
                      Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header
                      
                      
                          GHSA-m2qf-hxjv-5gpq
                          CVE-2023-30861
                        
                          
                            HIGH
                          
                      
                      
                        
                          When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches `Set-Cooki...
                        
                    
                  
                
              
                
                  
                    
                      TeamPass vulnerable to stored Cross-site Scripting
                      
                      
                          GHSA-j245-v2mh-5h6f
                          CVE-2023-3086
                        
                          
                            CRITICAL
                          
                      
                      
                        
                          Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
                        
                    
                  
                
              
                
                  
                    
                      Request smuggling leading to endpoint restriction bypass in Gunicorn
                      
                      
                          GHSA-w3h3-4rj7-4ph4
                          CVE-2024-1135
                        
                          
                            HIGH
                          
                      
                      
                        
                          Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers ca...
                        
                    
                  
                
              
                
                  
                    
                      Requests vulnerable to .netrc credentials leak via malicious URLs
                      
                      
                          GHSA-9hjg-9r4m-mvj7
                          CVE-2024-47081
                        
                          
                            MODERATE
                          
                      
                      
                        
                          ### Impact

Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.

### Workarounds
For older versions of ...
                        
                    
                  
                
              
                
                  
                    
                      cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
                      
                      
                          GHSA-r6ph-v2qm-q3c2
                          CVE-2026-26007
                        
                          
                            HIGH
                          
                      
                      
                        
                          ## Vulnerability Summary

The `public_key_from_numbers` (or `EllipticCurvePublicNumbers.public_key()`), `EllipticCurvePublicNumbers.public_key()`, `load_der_public_key()` and `load_pem_public_key()...



    
    
      
        
          Actions
        
        
          
            
            View on GitHub
          
          
            
            View Repository
          
          
            
            All Dependabot PRs
        
      

      
        
          Technical Details
        
        
          
            
              ID:
              13989079
            
            
              UUID:
              3924035103
            
            
              Node ID:
              PR_kwDOPGBIIs7C3-iR
            
            
              Host:
              GitHub
            
            
              Repository:
              PeezoslugOG/getting-started-python

ID:	`13989079`
UUID:	`3924035103`
Node ID:	`PR_kwDOPGBIIs7C3-iR`
Host:	GitHub
Repository:	PeezoslugOG/getting-started-python