Sourced from babel's releases.

v2.18.0

Happy 2026! Like last year's release (ahem...), this one too is being made from FOSDEM 2026, in Brussels, Belgium. 🇧🇪 We'll aspire for a less glacial release cycle for 2.19. 😁

Please see CHANGELOG.rst for the detailed change log.

Full Changelog: https://github.com/python-babel/babel/compare/v2.17.0...v2.18.0

Sourced from babel's changelog.

Version 2.18.0

Happy 2026! This release is, coincidentally, also being made from FOSDEM.

We will aspire for a slightly less glacial release cadence in this year; there are interesting features in the pipeline.

Features

* Core: Add `babel.core.get_cldr_version()` by @akx in :gh:`1242`
* Core: Use CLDR 47 by @tomasr8 in :gh:`1210`
* Core: Use canonical IANA zone names in zone_territories by @akx in :gh:`1220`
* Messages: Improve extract performance via ignoring directories early during os.walk by @akx in :gh:`968`
* Messages: Merge in per-format keywords and auto_comments by @akx in :gh:`1243`
* Messages: Update keywords for extraction of dpgettext and dnpgettext by @mardiros in :gh:`1235`
* Messages: Validate all plurals in Python format checker by @tomasr8 in :gh:`1188`
* Time: Use standard library `timezone` instead of `FixedOffsetTimezone` by @akx in :gh:`1203`
Bugfixes

• Core: Fix formatting for "Empty locale identifier" exception added in #1164 by @​akx in :gh:1184
• Core: Improve handling of no-inheritance-marker in timezone data by @​akx in :gh:1194
• Core: Make the number pattern regular expression more efficient by @​akx in :gh:1213
• Messages: Keep translator comments next to the translation function call by @​akx in :gh:1196
• Numbers: Fix KeyError that occurred when formatting compact currencies of exactly one thousand in several locales by @​bartbroere in :gh:1246

Other improvements

* Core: Avoid unnecessary uses of `map()` by @akx in :gh:`1180`
* Messages: Have init-catalog create directories too by @akx in :gh:`1244`
* Messages: Optimizations for read_po by @akx in :gh:`1200`
* Messages: Use pathlib.Path() in catalog frontend; improve test coverage by @akx in :gh:`1204`
Infrastructure and documentation

• CI: Renovate CI & lint tools by @​akx in :gh:1228
• CI: Tighten up CI with Zizmor by @​akx in :gh:1230
• CI: make job permissions explicit by @​akx in :gh:1227
• Docs: Add SECURITY.md by @​akx in :gh:1229
• Docs: Remove u string prefix from docs by @​verhovsky in :gh:1174
• Docs: Update dates.rst with current unicode.org tr35 link by @​clach04 in :gh:1189
• General: Add some PyPI classifiers by @​tomasr8 in :gh:1186
• General: Apply reformatting by hand and with Ruff by @​akx in :gh:1202
• General: Test on and declare support for Python 3.14 by @​akx in :gh:1233

... (truncated)

• 56c63ca Prepare for 2.18.0 (#1248)
• 73015a1 Add user-agent to CLDR downloader (#1247)
• 29bd362 Fix formatting compact currencies of exactly one thousand in several locales ...
• 851db43 Reuse InitCatalog's guts in UpdateCatalog (#1244)
• fd00e60 Extract: Merge in per-format keywords and auto_comments (#1243)
• 12a14b6 Add dpgettext and dnpgettext support (#1235)
• 7110e62 Use canonical IANA zone names in zone_territories (#1220)
• e91c346 Improve extract performance via ignoring directories early during os.walk (#968)
• 0c4f378 Convert Unittest testcases with setup/teardown to fixtures (#1240)
• 218c96e Add babel.core.get_cldr_version() (#1242)
• Additional commits viewable in compare view

Sourced from chardet's releases.

6.0.0

Features

• Unified single-byte charset detection: Instead of only having trained language models for a handful of languages (Bulgarian, Greek, Hebrew, Hungarian, Russian, Thai, Turkish) and relying on special-case Latin1Prober and MacRomanProber heuristics for Western encodings, chardet now treats all single-byte charsets the same way: every encoding gets proper language-specific bigram models trained on CulturaX corpus data. This means chardet can now accurately detect both the encoding and the language for all supported single-byte encodings.
• 38 new languages: Arabic, Belarusian, Breton, Croatian, Czech, Danish, Dutch, English, Esperanto, Estonian, Farsi, Finnish, French, German, Icelandic, Indonesian, Irish, Italian, Kazakh, Latvian, Lithuanian, Macedonian, Malay, Maltese, Norwegian, Polish, Portuguese, Romanian, Scottish Gaelic, Serbian, Slovak, Slovene, Spanish, Swedish, Tajik, Ukrainian, Vietnamese, and Welsh. Existing models for Bulgarian, Greek, Hebrew, Hungarian, Russian, Thai, and Turkish were also retrained with the new pipeline.
• EncodingEra filtering: New encoding_era parameter to detect allows filtering by an EncodingEra flag enum (MODERN_WEB, LEGACY_ISO, LEGACY_MAC, LEGACY_REGIONAL, DOS, MAINFRAME, ALL) allows callers to restrict detection to encodings from a specific era. detect() and detect_all() default to MODERN_WEB. The new MODERN_WEB default should drastically improve accuracy for users who are not working with legacy data. The tiers are:
  • MODERN_WEB: UTF-8/16/32, Windows-125x, CP874, CJK multi-byte (widely used on the web)
  • LEGACY_ISO: ISO-8859-x, KOI8-R/U (legacy but well-known standards)
  • LEGACY_MAC: Mac-specific encodings (MacRoman, MacCyrillic, etc.)
  • LEGACY_REGIONAL: Uncommon regional/national encodings (KOI8-T, KZ1048, CP1006, etc.)
  • DOS: DOS/OEM code pages (CP437, CP850, CP866, etc.)
  • MAINFRAME: EBCDIC variants (CP037, CP500, etc.)
• --encoding-era CLI flag: The chardetect CLI now accepts -e/--encoding-era to control which encoding eras are considered during detection.
• max_bytes and chunk_size parameters: detect(), detect_all(), and UniversalDetector now accept max_bytes (default 200KB) and chunk_size (default 64KB) parameters for controlling how much data is examined. (#314, @​bysiber)
• Encoding era preference tie-breaking: When multiple encodings have very close confidence scores, the detector now prefers more modern/Unicode encodings over legacy ones.
• Charset metadata registry: New chardet.metadata.charsets module provides structured metadata about all supported encodings, including their era classification and language filter.
• should_rename_legacy now defaults intelligently: When set to None (the new default), legacy renaming is automatically enabled when encoding_era is MODERN_WEB.
• Direct GB18030 support: Replaced the redundant GB2312 prober with a proper GB18030 prober.
• EBCDIC detection: Added CP037 and CP500 EBCDIC model registrations for mainframe encoding detection.
• Binary file detection: Added basic binary file detection to abort analysis earlier on non-text files.
• Python 3.12, 3.13, and 3.14 support (#283, @​hugovk; #311)
• GitHub Codespace support (#312, @​oxygen-dioxide)

Fixes

• Fix CP949 state machine: Corrected the state machine for Korean CP949 encoding detection. (#268, @​nenw)
• Fix SJIS distribution analysis: Fixed SJISDistributionAnalysis discarding valid second-byte range >= 0x80. (#315, @​bysiber)
• Fix UTF-16/32 detection for non-ASCII-heavy text: Improved detection of UTF-16/32 encoded CJK and other non-ASCII text by adding a MIN_RATIO threshold alongside the existing EXPECTED_RATIO.
• Fix get_charset crash: Resolved a crash when looking up unknown charset names.
• Fix GB18030 char_len_table: Corrected the character length table for GB18030 multi-byte sequences.
• Fix UTF-8 state machine: Updated to be more spec-compliant.
• Fix detect_all() returning inactive probers: Results from probers that determined "definitely not this encoding" are now excluded.
• Fix early cutoff bug: Resolved an issue where detection could terminate prematurely.
• Default UTF-8 fallback: If UTF-8 has not been ruled out and nothing else is above the minimum threshold, UTF-8 is now returned as the default.

Breaking changes

• Dropped Python 3.7, 3.8, and 3.9 support: Now requires Python 3.10+. (#283, @​hugovk)
• Removed Latin1Prober and MacRomanProber: These special-case probers have been replaced by the unified model-based approach described above. Latin-1, MacRoman, and all other single-byte encodings are now detected by SingleByteCharSetProber with trained language models, giving better accuracy and language identification.
• Removed EUC-TW support: EUC-TW encoding detection has been removed as it is extremely rare in practice.
• LanguageFilter.NONE removed: Use specific language filters or LanguageFilter.ALL instead.
• Enum types changed: InputState, ProbingState, MachineState, SequenceLikelihood, and CharacterCategory are now IntEnum (previously plain classes or Enum). LanguageFilter values changed from hardcoded hex to auto().
• detect() default behavior change: detect() now defaults to encoding_era=EncodingEra.MODERN_WEB and should_rename_legacy=None (auto-enabled for MODERN_WEB), whereas previously it defaulted to considering all encodings with no legacy renaming.

Misc changes

• Switched from Poetry/setuptools to uv + hatchling: Build system modernized with hatch-vcs for version management.
• License text updated: Updated LGPLv2.1 license text and FSF notices to use URL instead of mailing address. (#304, #307, @​musicinmybrain)
• CulturaX-based model training: The create_language_model.py training script was rewritten to use the CulturaX multilingual corpus instead of Wikipedia, producing higher quality bigram frequency models.
• Language class converted to frozen dataclass: The language metadata class now uses @dataclass(frozen=True) with num_training_docs and num_training_chars fields replacing wiki_start_pages.

... (truncated)

• See full diff in compare view

Sourced from myst-parser's releases.

v5.0.0

MyST-Parser 5.0.0

Release Date: 2026-01-15

This release significantly bumps the supported versions of core dependencies:

‼️ Breaking Changes

This release updates the minimum supported versions:

• Python: >=3.11 (dropped Python 3.10, tests up to 3.14)
• Sphinx: >=8,<10 (dropped Sphinx 7, added Sphinx 9)
• Docutils: >=0.20,<0.23 (dropped docutils 0.19, added docutils 0.22)
• markdown-it-py: ~=4.0 (upgraded from v3)

⬆️ Dependency Upgrades

• ⬆️ Upgrade to markdown-it-py v4 by @​chrisjsewell in #1060
• ⬆️ Drop Python 3.10 and Sphinx 7 by @​chrisjsewell in #1059
• ⬆️ Drop docutils 0.19 by @​chrisjsewell in #1061
• ⬆️ Add support for Python 3.14 by @​chrisjsewell in #1075
• ⬆️ Support Sphinx v9 by @​chrisjsewell in #1076
• ⬆️ Allow docutils 0.22 by @​chrisjsewell in #1084

👌 Improvements

• 👌 Improve generation of meta nodes by @​AA-Turner in #1080

📚 Documentation

• 📚 Fix typo in tables.md by @​electricalgorithm in #1034
• 📚 Fix minor typo in cross-referencing.md by @​krassowski in #1036

🔧 Internal / Maintenance

• 🔧 Update pre-commit by @​chrisjsewell in #1058
• 🔧 Add AGENTS.md by @​chrisjsewell in #1083

Full Changelog: v4.0.1...v5.0.0

Sourced from myst-parser's changelog.

5.0.0 - 2026-01-15

This release significantly bumps the supported versions of core dependencies:

‼️ Breaking Changes

This release updates the minimum supported versions:

• Python: >=3.11 (dropped Python 3.10, tests up to 3.14)
• Sphinx: >=8,<10 (dropped Sphinx 7, added Sphinx 9)
• Docutils: >=0.20,<0.23 (dropped docutils 0.19, added docutils 0.22)
• markdown-it-py: ~=4.0 (upgraded from v3)

⬆️ Dependency Upgrades

• ⬆️ Upgrade to markdown-it-py v4 by gh-user:chrisjsewell in gh-pr:1060
• ⬆️ Drop Python 3.10 and Sphinx 7 by gh-user:chrisjsewell in gh-pr:1059
• ⬆️ Drop docutils 0.19 by gh-user:chrisjsewell in gh-pr:1061
• ⬆️ Add support for Python 3.14 by gh-user:chrisjsewell in gh-pr:1075
• ⬆️ Support Sphinx v9 by gh-user:chrisjsewell in gh-pr:1076
• ⬆️ Allow docutils 0.22 by gh-user:chrisjsewell in gh-pr:1084

👌 Improvements

• 👌 Improve generation of meta nodes by gh-user:AA-Turner in gh-pr:1080

📚 Documentation

• 📚 Fix typo in tables.md by gh-user:electricalgorithm in gh-pr:1034
• 📚 Fix minor typo in cross-referencing.md by gh-user:krassowski in gh-pr:1036

🔧 Internal / Maintenance

• 🔧 Update pre-commit by gh-user:chrisjsewell in gh-pr:1058
• 🔧 Add AGENTS.md by gh-user:chrisjsewell in gh-pr:1083

Full Changelog: v4.0.1...v5.0.0

• a139a1f 🚀 Release v5.0.0 (#1085)
• 5405110 [pre-commit.ci] pre-commit autoupdate (#1071)
• 19512c0 ⬆️ Allow docutils 0.22 (#1084)
• a9e529f ⬆️ Support Sphinx v9 (#1076)
• fcf78ca 👌 Improve generation of meta nodes (#1080)
• e0fc7a3 🔧 Add AGENTS.md (#1083)
• 59d5384 ⬆️ Add support for Python 3.14 (#1075)
• 7b7d961 ⬆️ Update pytest requirement from <9,>=8 to >=9,<10 (#1063)
• 3342a3c ⬆️ Update sphinxext-opengraph requirement from ~=0.9.0 to ~=0.13.0 (#1066)
• 2cf85de ⬆️ Update sphinxext-rediraffe requirement from ~=0.2.7 to ~=0.3.0 (#1064)
• Additional commits viewable in compare view

Sourced from packaging's releases.

26.0

Read about the performance improvements here: https://iscinumpy.dev/post/packaging-faster.

What's Changed

Features:

• PEP 751: support pylock by @​sbidoul in pypa/packaging#900
• PEP 794: import name metadata by @​brettcannon in pypa/packaging#948
• Support writing metadata by @​henryiii in pypa/packaging#846
• Support __replace__ for Version by @​henryiii in pypa/packaging#1003
• Support positional pattern matching for Version and Specifier by @​henryiii in pypa/packaging#1004

Behavior adaptations:

• PEP 440 handling of prereleases for Specifier.contains, SpecifierSet.contains, and SpecifierSet.filter by @​notatallshaw in pypa/packaging#897
• Handle PEP 440 edge case in SpecifierSet.filter by @​notatallshaw in pypa/packaging#942
• Adjust arbitrary equality intersection preservation in SpecifierSet by @​notatallshaw in pypa/packaging#951
• Return False instead of raising for .contains with invalid version by @​Liam-DeVoe in pypa/packaging#932
• Support arbitrary equality on arbitrary strings for Specifier and SpecifierSet's filter and contains method. by @​notatallshaw in pypa/packaging#954
• Only try to parse as Version on certain marker keys, return False on unequal ordered comparsions by @​JP-Ellis in pypa/packaging#939

Fixes:

• Update _hash when unpickling Tag() by @​dholth in pypa/packaging#860
• Correct comment and simplify implicit prerelease handling in Specifier.prereleases by @​notatallshaw in pypa/packaging#896
• Use explicit _GLibCVersion NamedTuple in _manylinux by @​cthoyt in pypa/packaging#868
• Detect invalid license expressions containing () by @​bwoodsend in pypa/packaging#879
• Correct regex for metadata 'name' format by @​di in pypa/packaging#925
• Improve the message around expecting a semicolon by @​pradyunsg in pypa/packaging#833
• Support nested parens in license expressions by @​Liam-DeVoe in pypa/packaging#931
• Add space before at symbol in Requirements string by @​henryiii in pypa/packaging#953
• A root logger use found by ruff LOG, use packaging logger instead by @​henryiii in pypa/packaging#965
• Better support for subclassing Marker and Requirement by @​henryiii in pypa/packaging#1022
• Normalize all extras, not just if it comes first by @​henryiii in pypa/packaging#1024
• Don't produce a broken repr if Marker fails to construct by @​henryiii in pypa/packaging#1033

Performance:

• Avoid recompiling regexes in the tokenizer for a 3x speedup by @​hauntsaninja in pypa/packaging#1019
• Improve performance in _manylinux.py by @​cthoyt in pypa/packaging#869
• Minor cleanups to Version by @​bearomorphism in pypa/packaging#913
• Skip redundant creation of Versions in specifier comparison by @​notatallshaw in pypa/packaging#986
• Cache Specifier's Version by @​notatallshaw in pypa/packaging#985
• Make Version a little faster by @​henryiii in pypa/packaging#987
• Minor Version regex cleanup by @​henryiii in pypa/packaging#990
• Faster regex on Python 3.11.5+ by @​henryiii in pypa/packaging#988 and pypa/packaging#1055
• Lazily calculate _key in Version by @​notatallshaw in pypa/packaging#989 and regression for packaging_legacy fixed by @​henryiii in pypa/packaging#1048
• Faster canonicalize_version by @​henryiii in pypa/packaging#993
• Use fullmatch in a couple more places by @​henryiii in pypa/packaging#992

... (truncated)

Sourced from packaging's changelog.

26.0 - 2026-01-20

Features:

PEP 751: support pylock (:pull:900)
PEP 794: import name metadata (:pull:948)
Support for writing metadata to a file (:pull:846)
Support __replace__ on Version (:pull:1003)
Support positional pattern matching for Version and SpecifierSet (:pull:1004)

Behavior adaptations:

PEP 440 handling of prereleases for Specifier.contains, SpecifierSet.contains, and SpecifierSet.filter (:pull:897)
Handle PEP 440 edge case in SpecifierSet.filter (:pull:942)
Adjust arbitrary equality intersection preservation in SpecifierSet (:pull:951)
Return False instead of raising for .contains with invalid version (:pull:932)
Support arbitrary equality on arbitrary strings for Specifier and SpecifierSet's filter and contains method. (:pull:954)
Only try to parse as Version on certain marker keys, return False on unequal ordered comparisons (:pull:939)

Fixes:

Update _hash when unpickling Tag() (:pull:860)
Correct comment and simplify implicit prerelease handling in Specifier.prereleases (:pull:896)
Use explicit _GLibCVersion NamedTuple in _manylinux (:pull:868)
Detect invalid license expressions containing () (:pull:879)
Correct regex for metadata 'name' format (:pull:925)
Improve the message around expecting a semicolon (:pull:833)
Support nested parens in license expressions (:pull:931)
Add space before at symbol in Requirements string (:pull:953)
A root logger use found, use a packaging logger instead (:pull:965)
Better support for subclassing Marker and Requirement (:pull:1022)
Normalize all extras, not just if it comes first (:pull:1024)
Don't produce a broken repr if Marker fails to construct (:pull:1033)

Performance:

Avoid recompiling regexes in the tokenizer for a 3x speedup (:pull:1019)
Improve performance in _manylinux.py (:pull:869)
Minor cleanups to Version (:pull:913)
Skip redundant creation of Version's in specifier comparison (:pull:986)
Cache the Specifier's Version (:pull:985)
Make Version a little faster (:pull:987)
Minor Version regex cleanup (:pull:990)
Faster regex on Python 3.11.5+ for Version (:pull:988, :pull:1055)
Lazily calculate _key in Version (:pull:989, :pull:1048)
Faster canonicalize_version (:pull:993)
Use re.fullmatch in a couple more places (:pull:992, :pull:1029)
Use map instead of generator (:pull:996)
Deprecate ._version (_Version, a NamedTuple) (:pull:995, :pull:1062)

</tr></table>

... (truncated)

• 3b77a26 Bump for release
• 31371cc docs: prepare for 26.0 final (#1063)
• 9627a88 perf: dual replace (#1064)
• d5398b8 fix: restore ._version as a compat shim (#1062)
• 3a7b600 Bump for development
• d4eefdc Bump for release
• 4618912 docs: prepare for 26.0rc3 (#1060)
• 0cf1b41 ci: test on first public release of CPythons (#1056)
• 716beb1 perf: 10% faster stripping zeros (#1058)
• 350a230 fix: support CPython 3.11.0-3.11.4 and older PyPy3.11 (#1055)
• Additional commits viewable in compare view

Sourced from pyparsing's changelog.

Version 3.3.2 - January, 2026

• Defined pyparsing-specific warning classes so that they can be selectively enabled or disabled without affecting warnings raised by other libraries in the same Python app:

  • PyparsingWarning - base warning for all pyparsing-specific warnings (inherits from UserWarning)
  • PyparsingDeprecationWarning - warning for using deprecated features (inherits from PyparsingWarning and DeprecationWarning)
  • PyparsingDiagnosticWarning - warning raised when pyparsing diagnostics are enabled and a diagnostic feature is used (inherits from PyparsingWarning)

• Added as_datetime parse action to pyparsing.common - a more generalized version of the convert_to_datetime parse action (supports any expression that extracts date/time fields into "year", "month", "day", etc. results names), and validates that the parsed fields represent a valid date and time.

• Added iso8601_date_validated and iso8601_datetime_validated expressions to pyparsing.common, which return a Python datetime.datetime

• Various performance improvements in ParseResults class and core functions, with 10-20% performance overall.

• Added regex_inverter web page (using PyScript) to demonstrate using the inv_regex.py example.

• Expanded regex forms handled by the examples/inv_regex.py example:

  • named capturing groups (?P<name>)
  • partial repetition ({m,} and {,n})
  • negated character classes ([^...])

• Added SPy (Simplified Python) parser to examples.

• fa24016 Sync regex_inverter example from pyparsing
• ea22046 Updates to regex_inverter example: handle cancel during long max_results inte...
• 7df5c09 Sync regex_inverter example from pyparsing
• e862afa Add Regular Expressions Quick Reference to regex_inverter/index.html
• 6fdbd88 Sync regex_inverter example from pyparsing
• 5b33045 Add note in the regex inverter that only the 7-bit ASCII characters are used ...
• e403f2c Merge branch 'master' of https://github.com/pyparsing/pyparsing
• e7b5f1c Fix repo sync action in sync-regex-inverter.yml
• ea463fa Sync regex_inverter example from pyparsing
• afcbdac Change repetition instructions to use {,4} instead of {,10}
• Additional commits viewable in compare view

Sourced from sphinx-favicon's releases.

Release 1.1.0

What's Changed

• Update test for static files by @​tcmetzger in tcmetzger/sphinx-favicon#47
• fix: make the panels compatible with dark theme by @​12rambau in tcmetzger/sphinx-favicon#52
• fix: add link to RDT and action badges by @​12rambau in tcmetzger/sphinx-favicon#51
• Modernize tests and update dependencies for Python 3.10–3.13 by @​tcmetzger in tcmetzger/sphinx-favicon#56

Full Changelog: https://github.com/tcmetzger/sphinx-favicon/compare/v1.0.1...v1.1.0

Sourced from sphinx-favicon's changelog.

2026-02-12, Release 1.1.0

Modernize package for Python 3.10–3.13 and Sphinx 8/9.

What's Changed

• Add official support for Python 3.10, 3.11, 3.12, 3.13; drop 3.7–3.9 classifiers
• Bump Sphinx dependency to >=8.1,<10 to ensure Python 3.13 compatibility (fixes imghdr removal)
• Update tests to use root_doc instead of deprecated master_doc
• Refresh CI: test matrix over Python 3.10–3.13 and Sphinx 8.1 / 9.1
• Update documentation extras to build with modern Sphinx

Full Changelog: https://github.com/tcmetzger/sphinx-favicon/compare/v1.0.1...v1.1.0

• 44313a3 Modernize tests and update dependencies for Python 3.10–3.13 (#56)
• f5f3e4e fix: add link to RDT and action badges (#51)
• 9bd097e fix: make the panels compatible with dark theme (#52)
• f08c93b Update test for static files (#47)
• c32e3d1 Bump version number
• See full diff in compare view

Sourced from sphinx-rtd-theme's changelog.

3.1.0

• Added support for docutils 0.22
• Added support for Sphinx 9.x

.. _release-3.1.0rc2:

3.1.0rc2

• Added support for docutils 0.22

.. _release-3.1.0rc1:

3.1.0rc1

• Added support for Sphinx 9.x

.. _release-3.0.2:

• 795de79 Release 3.1.0 (#1676)
• 66d0fdd Add Python 3.14 to the test suite (#1668)
• fbe5e60 3.1.0rc2 with support for docutils 0.22 (#1674)
• a76174c Add support for docutils 0.22 (#1671)
• 20733c3 Add support for Sphinx 9.0.0 (#1666)
• 71aacd3 Update Code of Conduct URL (#1664)
• 5a26375 Run tests and build docs with Sphinx 8.2 (#1640)
• 8d4d394 Sidebar should not be floating on mobile (#1622)
• See full diff in compare view

Sourced from urllib3's releases.

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by @​D47A, 8.9 High, GHSA-38jv-5279-wg99)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. (urllib3/urllib3#3743)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. (urllib3/urllib3#3752)

Sourced from urllib3's changelog.

2.6.3 (2026-01-07)

• Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. ([#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743>__)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. ([#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752>__)

• 0248277 Release 2.6.3
• 8864ac4 Merge commit from fork
• 70cecb2 Fix Scorecard issues related to vulnerable dev dependencies (#3755)
• 41f249a Move "v2.0 Migration Guide" to the end of the table of contents (#3747)
• fd4dffd Patch VerifiedHTTPSConnection for Emscripten (#3752)
• 13f0bfd Handle massive values in Retry-After when calculating time to sleep for (#3743)
• 8c480bf Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#3748)
• 4b40616 Bump actions/cache from 4.3.0 to 5.0.1 (#3750)
• 82b8479 Bump actions/download-artifact from 6.0.0 to 7.0.0 (#3749)
• 34284cb Mention experimental features in the security policy (#3746)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions