Sourced from ecdsa's releases.

ecdsa 0.19.0

New API:

• to_ssh in VerifyingKey and SigningKey, supports Ed25519 keys only (Pablo Mazzini)

New features:

• Support for twisted Brainpool curves

Doc fix:

• Fix curve equation in glossary
• Documentation for signature encoding and signature decoding functions

Maintenance:

• Dropped official support for 3.3 and 3.4 (because of problems running them in CI, not because it's actually incompatible; support for 2.6 and 2.7 is unaffected)
• Fixes around hypothesis parameters
• Officially support Python 3.11 and 3.12
• Small updates to test suite to make it work with 3.11 and 3.12 and new releases of test dependencies
• Dropped the internal _rwlock module as it's unused
• Added mutation testing to CI, lots of speed-ups to the test suite to make it happen
• Removal of unnecessary six.b literals (Alexandre Detiste)

Deprecations:

• int_to_string, string_to_int, and digest_integer from ecdsa.ecdsa module are now considered deprecated, they will be removed in a future release

ecdsa 0.18.0

New features:

• Support for EdDSA (Ed25519, Ed448) signature creation and verification.
• Support for Ed25519 and Ed448 in PKCS#8 and public key files.
• Support for point precomputation for EdDSA.

New API:

• CurveEdTw class to represent the Twisted Edwards curve parameters.
• PointEdwards class to represent points on Twisted Edwards curve and provide point arithmetic on it.
• curve_by_name in curves module to get a Curve object by providing curve name.

... (truncated)

Sourced from ecdsa's changelog.

• Release 0.19.1 (13 Mar 2025)

New API:

• der.remove_implitic and der.encode_implicit for decoding and encoding DER IMPLICIT values with custom tag values and arbitrary classes

Bug fixes:

• Minor fixes around arithmetic with curves that have non-prime order (useful for experimentation, not practical deployments)
• Fix arithmetic to work with curves that have (0, 0) on the curve
• Fix canonicalization of signatures when s is just slightly above half of curve order

Maintenance:

• Dropped official support for Python 3.5 (again, issues with CI, support for Python 2.6 and Python 2.7 is unchanged)

• Officialy support Python 3.12 and 3.13 (add them to CI)

• Removal of few more unnecessary six.b literals (Alexandre Detiste)

• Fix typos in warning messages

• Release 0.19.0 (08 Apr 2024)

New API:

• to_ssh in VerifyingKey and SigningKey, supports Ed25519 keys only (Pablo Mazzini)

New features:

• Support for twisted Brainpool curves

Doc fix:

• Fix curve equation in glossary
• Documentation for signature encoding and signature decoding functions

Maintenance:

• Dropped official support for 3.3 and 3.4 (because of problems running them in CI, not because it's actually incompatible; support for 2.6 and 2.7 is unaffected)
• Fixes aroung hypothesis parameters
• Officially support Python 3.11 and 3.12
• Small updates to test suite to make it work with 3.11 and 3.12 and new releases of test dependencies
• Dropped the internal _rwlock module as it's unused
• Added mutation testing to CI, lots of speed-ups to the test suite to make it happen
• Removal of unnecessary six.b literals (Alexandre Detiste)

Deprecations:

• int_to_string, string_to_int, and digest_integer from ecdsa.ecdsa

... (truncated)

• be70016 Merge pull request #337 from tlsfuzzer/release-0.19
• 217735b allow early exit from worker processes when running mutation testing
• 6e7adff don't check rate if no tests executed
• c56030e make coveralls submission work with py2.6 again
• 66d0d74 add release notes for 0.19.0 release
• 0d5a38c Merge pull request #156 from tomato42/cosmic-ray
• 02c8350 be more permissive for the PR mutation test coverage
• 4845e8f better is_prime()
• 09f0d10 add hard timeout for test mutation test suite
• e16173b two digit precision for the mutation score badge
• Additional commits viewable in compare view

Sourced from flask's releases.

2.2.5

This is a security fix release for the 2.2.x release branch. Note that 2.3.x is the currently supported release branch; please upgrade to the latest version if possible.

• Security advisory: https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq, CVE-2023-30861
• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-5
• Milestone: https://github.com/pallets/flask/milestone/30?closed=1

2.2.4

This is a fix release for the 2.2.x release branch.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-4
• Milestone: https://github.com/pallets/flask/milestone/27?closed=1

2.2.3

This is a fix release for the 2.2.x release branch.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-3
• Milestone: https://github.com/pallets/flask/milestone/26?closed=1

2.2.2

This is a fix release for the 2.2.0 feature release.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-2
• Milestone: https://github.com/pallets/flask/milestone/25?closed=1

2.2.1

This is a fix release for the 2.2.0 feature release.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-1
• Milestone: https://github.com/pallets/flask/milestone/23?closed=1

2.2.0

This is a feature release, which includes new features and removes previously deprecated code. The 2.2.x branch is now the supported bug fix branch, the 2.1.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-0
• Milestone: https://github.com/pallets/flask/milestone/19?closed=1

2.1.3

• Changes: https://flask.palletsprojects.com/en/2.1.x/changes/#version-2-1-3
• Milestone: https://github.com/pallets/flask/milestone/22?closed=1

2.1.2

This is a fix release for the 2.1.0 feature release.

• Changes: https://flask.palletsprojects.com/en/2.1.x/changes/#version-2-1-2
• Milestone: https://github.com/pallets/flask/milestone/21?closed=1

2.1.1

This is a fix release for the 2.1.0 feature release.

... (truncated)

Sourced from flask's changelog.

Version 2.2.5

Released 2023-05-02

• Update for compatibility with Werkzeug 2.3.3.
• Set Vary: Cookie header when the session is accessed, modified, or refreshed.

Version 2.2.4

Released 2023-04-25

• Update for compatibility with Werkzeug 2.3.

Version 2.2.3

Released 2023-02-15

• Autoescape is enabled by default for .svg template files. :issue:4831
• Fix the type of template_folder to accept pathlib.Path. :issue:4892
• Add --debug option to the flask run command. :issue:4777

Version 2.2.2

Released 2022-08-08

• Update Werkzeug dependency to >= 2.2.2. This includes fixes related to the new faster router, header parsing, and the development server. :pr:4754
• Fix the default value for app.env to be "production". This attribute remains deprecated. :issue:4740

Version 2.2.1

Released 2022-08-03

• Setting or accessing json_encoder or json_decoder raises a deprecation warning. :issue:4732

Version 2.2.0

... (truncated)

• 47af817 release version 2.2.5
• afd63b1 Merge pull request #5109 from pallets/backport-vary-cookie
• 8646edc set Vary: Cookie header consistently for session
• a6367da Merge pull request #5108 from pallets/werkzeug-compat
• 3fbfbad werkzeug 2.3.3 compatibility
• 726d3f4 start version 2.2.5
• ddc7acc Merge pull request #5081 from pallets/release-2.2.4
• 74e0329 release version 2.2.4
• 2d46068 update dev env
• 64bc458 update dev dependencies
• Additional commits viewable in compare view

Sourced from future's releases.

v0.18.3

This is a minor bug-fix release containing a number of fixes:

• Backport fix for bpo-38804 (c91d70b)
• Fix bug in fix_print.py fixer (dffc579)
• Fix bug in fix_raise.py fixer (3401099)
• Fix newint bool in py3 (fe645ba)
• Fix bug in super() with metaclasses (6e27aac)
• docs: fix simple typo, reqest -> request (974eb1f)
• Correct eq (c780bf5)
• Pass if lint fails (2abe00d)
• Update docker image and parcel out to constant variable. Add comment to update version constant (45cf382)
• fix order (f96a219)
• Add flake8 to image (046ff18)
• Make lint.sh executable (58cc984)
• Add docker push to optimize CI (01e8440)
• Build System (42b3025)
• Add docs build status badge to README.md (3f40bd7)
• Use same docs requirements in tox (18ecc5a)
• Add docs/requirements.txt (5f9893f)
• Add PY37_PLUS, PY38_PLUS, and PY39_PLUS (bee0247)
• fix 2.6 test, better comment (ddedcb9)
• fix 2.6 test (3f1ff7e)
• remove nan test (4dbded1)
• include list test values (e3f1a12)
• fix other python2 test issues (c051026)
• fix missing subTest (f006cad)
• import from old imp library on older python versions (fc84fa8)
• replace fstrings with format for python 3.4,3.5 (4a687ea)
• minor style/spelling fixes (8302d8c)
• improve cmp function, add unittest (0d95a40)
• Pin typing==3.7.4.1 for Python 3.3 compatiblity (1a48f1b)
• Fix various py26 unit test failures (9ca5a14)
• Add initial contributing guide with docs build instruction (e55f915)
• Add docs building to tox.ini (3ee9e7f)
• Support NumPy's specialized int types in builtins.round (b4b54f0)
• Added r""" to the docstring to avoid warnings in python3 (5f94572)
• Add subclasscheck for past.types.basestring (c9bc0ff)
• Correct example in README (681e78c)
• Add simple documentation (6c6e3ae)
• Add pre-commit hooks (a9c6a37)
• Handling of next and next by future.utils.get_next was reversed (52b0ff9)
• Add a test for our fix (461d77e)
• Compare headers to correct definition of str (3eaa8fd)
• #322 Add support for negative ndigits in round; additionally, fixing a bug so that it handles passing in Decimal properly (a4911b9)
• Add tkFileDialog to future.movers.tkinter (f6a6549)
• Sort before comparing dicts in TestChainMap (6126997)
• Fix typo (4dfa099)
• Fix formatting in "What's new" (1663dfa)
• Fix typo (4236061)

... (truncated)

Sourced from future's changelog.

Changes in version 0.18.3 (2023-01-13)

This is a minor bug-fix release containing a number of fixes:

• Backport fix for bpo-38804 (c91d70b)
• Fix bug in fix_print.py fixer (dffc579)
• Fix bug in fix_raise.py fixer (3401099)
• Fix newint bool in py3 (fe645ba)
• Fix bug in super() with metaclasses (6e27aac)
• docs: fix simple typo, reqest -> request (974eb1f)
• Correct eq (c780bf5)
• Pass if lint fails (2abe00d)
• Update docker image and parcel out to constant variable. Add comment to update version constant (45cf382)
• fix order (f96a219)
• Add flake8 to image (046ff18)
• Make lint.sh executable (58cc984)
• Add docker push to optimize CI (01e8440)
• Build System (42b3025)
• Add docs build status badge to README.md (3f40bd7)
• Use same docs requirements in tox (18ecc5a)
• Add docs/requirements.txt (5f9893f)
• Add PY37_PLUS, PY38_PLUS, and PY39_PLUS (bee0247)
• fix 2.6 test, better comment (ddedcb9)
• fix 2.6 test (3f1ff7e)
• remove nan test (4dbded1)
• include list test values (e3f1a12)
• fix other python2 test issues (c051026)
• fix missing subTest (f006cad)
• import from old imp library on older python versions (fc84fa8)
• replace fstrings with format for python 3.4,3.5 (4a687ea)
• minor style/spelling fixes (8302d8c)
• improve cmp function, add unittest (0d95a40)
• Pin typing==3.7.4.1 for Python 3.3 compatiblity (1a48f1b)
• Fix various py26 unit test failures (9ca5a14)
• Add initial contributing guide with docs build instruction (e55f915)
• Add docs building to tox.ini (3ee9e7f)
• Support NumPy's specialized int types in builtins.round (b4b54f0)
• Added r""" to the docstring to avoid warnings in python3 (5f94572)
• Add subclasscheck for past.types.basestring (c9bc0ff)
• Correct example in README (681e78c)
• Add simple documentation (6c6e3ae)
• Add pre-commit hooks (a9c6a37)
• Handling of next and next by future.utils.get_next was reversed (52b0ff9)
• Add a test for our fix (461d77e)
• Compare headers to correct definition of str (3eaa8fd)
• #322 Add support for negative ndigits in round; additionally, fixing a bug so that it handles passing in Decimal properly (a4911b9)
• Add tkFileDialog to future.movers.tkinter (f6a6549)
• Sort before comparing dicts in TestChainMap (6126997)
• Fix typo (4dfa099)
• Fix formatting in "What's new" (1663dfa)

... (truncated)

• af1db97 Merge pull request #613 from PythonCharmers/lwan/0.18.3-release
• 079ee9b Prepare for 0.18.3 release
• 02f7a81 Merge pull request #610 from wshanks/wshanks-patch-1
• c91d70b Backport fix for bpo-38804
• 80523f3 Merge pull request #569 from jmadler/master
• 5e5af71 Merge pull request #582 from r3m0t/patch-6
• 17e4bbd Merge pull request #596 from abjonnes/fix-print-trailing-comma
• 1b427ba Merge branch 'xZise-official-count' into master
• c8eb497 Merge branch 'official-count' of https://github.com/xZise/python-future into ...
• dffc579 Fix bug in fix_print.py fixer
• Additional commits viewable in compare view

Sourced from jinja2's releases.

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/ Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. https://github.com/pallets/jinja/security/advisories/GHSA-cpwx-vrp4-4pq7

3.1.5

This is the Jinja 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.5/ Changes: https://jinja.palletsprojects.com/changes/#version-3-1-5 Milestone: https://github.com/pallets/jinja/milestone/16?closed=1

• The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. GHSA-q2x7-8rv6-6q7h
• Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. #1792, GHSA-gmj6-6f8f-6699
• Sandbox does not allow clear and pop on known mutable sequence types. #2032
• Calling sync render for an async template uses asyncio.run. #1952
• Avoid unclosed auto_aiter warnings. #1960
• Return an aclose-able AsyncGenerator from Template.generate_async. #1960
• Avoid leaving root_render_func() unclosed in Template.generate_async. #1960
• Avoid leaving async generators unclosed in blocks, includes and extends. #1960
• The runtime uses the correct concat function for the current environment when calling block references. #1701
• Make |unique async-aware, allowing it to be used after another async-aware filter. #1781
• |int filter handles OverflowError from scientific notation. #1921
• Make compiling deterministic for tuple unpacking in a {% set ... %} call. #2021
• Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. #2025
• Fix copy/pickle support for the internal missing object. #2027
• Environment.overlay(enable_async) is applied correctly. #2061
• The error message from FileSystemLoader includes the paths that were searched. #1661
• PackageLoader shows a clearer error message when the package does not contain the templates directory. #1705
• Improve annotations for methods returning copies. #1880
• urlize does not add mailto: to values like @a@b. #1870
• Tests decorated with @pass_context can be used with the |select filter. #1624
• Using set for multiple assignment (a, b = 1, 2) does not fail when the target is a namespace attribute. #1413
• Using set in all branches of {% if %}{% elif %}{% else %} blocks does not cause the variable to be considered initially undefined. #1253

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

• The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

3.1.3

This is a fix release for the 3.1.x feature branch.

• Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.

... (truncated)

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Version 3.1.5

Released 2024-12-21

• The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. :ghsa:q2x7-8rv6-6q7h
• Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. :issue:1792, :ghsa:gmj6-6f8f-6699
• Sandbox does not allow clear and pop on known mutable sequence types. :issue:2032
• Calling sync render for an async template uses asyncio.run. :pr:1952
• Avoid unclosed auto_aiter warnings. :pr:1960
• Return an aclose-able AsyncGenerator from Template.generate_async. :pr:1960
• Avoid leaving root_render_func() unclosed in Template.generate_async. :pr:1960
• Avoid leaving async generators unclosed in blocks, includes and extends. :pr:1960
• The runtime uses the correct concat function for the current environment when calling block references. :issue:1701
• Make |unique async-aware, allowing it to be used after another async-aware filter. :issue:1781
• |int filter handles OverflowError from scientific notation. :issue:1921
• Make compiling deterministic for tuple unpacking in a {% set ... %} call. :issue:2021
• Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. :issue:2025
• Fix copy/pickle support for the internal missing object. :issue:2027
• Environment.overlay(enable_async) is applied correctly. :pr:2061
• The error message from FileSystemLoader includes the paths that were searched. :issue:1661
• PackageLoader shows a clearer error message when the package does not contain the templates directory. :issue:1705
• Improve annotations for methods returning copies. :pr:1880
• urlize does not add mailto: to values like @a@b. :pr:1870

... (truncated)

• 1520688 release version 3.1.6
• 90457bb Merge commit from fork
• 065334d attr filter uses env.getattr
• 033c200 start version 3.1.6
• bc68d4e use global contributing guide (#2070)
• 247de5e use global contributing guide
• ab8218c use project advisory link instead of global
• b4ffc8f release version 3.1.5 (#2066)
• 877f6e5 release version 3.1.5
• 8d58859 remove test pypi
• Additional commits viewable in compare view

Sourced from python-jose's releases.

3.4.0

News

• Remove support for Python 3.6 and 3.7
• Added support for Python 3.10 and 3.11

Bug fixes and Improvements

• Updating CryptographyAESKey::encrypt to generate 96 bit IVs for GCM block cipher mode
• Fix for PEM key comparisons caused by line lengths and new lines
• Fix for CVE-2024-33664 - JWE limited to 250KiB
• Fix for CVE-2024-33663 - signing JWT with public key is now forbidden
• Replace usage of deprecated datetime.utcnow() with datetime.now(UTC)

Housekeeping

• Updated Github Actions Workflows
• Updated to use tox 4.x
• Revise codecov integration
• Fixed DeprecationWarnings

3.3.0 -- 2020-06-04

News

• Remove support for python 2.7 & 3.5
• Add support for Python 3.9
• Remove PyCrypto backend
• Fix deprecation warning from cryptography backend

Housekeeping

• Switched from Travis CI to Github Actions
• Added iSort & Black
• Run CI Tests under Mac OS & Windows.
• Updated Syntax to use Python 3.6+
• Upgrade to latest pytest, remove used dev requirements.

Small fixes

Changes

News

• This will be the last release supporting Python 2.7, 3.5, and the PyCrypto backend. This will be the penultimate release supporting Python 2.7, 3.5, and the PyCrypto backend.

Bug fixes and Improvements

• Use hmac.compare_digest instead of our own constant_time_string_compare #163

... (truncated)

Sourced from python-jose's changelog.

3.4.0 -- 2025-02-14

News

• Remove support for Python 3.6 and 3.7
• Added support for Python 3.10 and 3.11

Bug fixes and Improvements

• Updating CryptographyAESKey::encrypt to generate 96 bit IVs for GCM block cipher mode
• Fix for PEM key comparisons caused by line lengths and new lines
• Fix for CVE-2024-33664 - JWE limited to 250KiB
• Fix for CVE-2024-33663 - signing JWT with public key is now forbidden
• Replace usage of deprecated datetime.utcnow() with datetime.now(UTC)

Housekeeping

• Updated Github Actions Workflows
• Updated to use tox 4.x
• Revise codecov integration
• Fixed DeprecationWarnings

3.3.0 -- 2021-06-04

News

• Remove support for python 2.7 & 3.5
• Add support for Python 3.9
• Remove PyCrypto backend
• Fix deprecation warning from cryptography backend

Housekeeping

• Switched from Travis CI to Github Actions
• Added iSort & Black
• Run CI Tests under Mac OS & Windows.
• Updated Syntax to use Python 3.6+
• Upgrade to latest pytest, remove used dev requirements.

3.2.0 -- 2020-07-29

News

• This will be the last release supporting Python 2.7, 3.5, and the PyCrypto backend.

Bug fixes and Improvements

• Use hmac.compare_digest instead of our own constant_time_string_compare #163

... (truncated)

• 82cd15f Added release date to CHANGELOG.md for 3.4.0 (#371)
• 4e01847 Prepare 3.4.0 release (#370)
• 0360fa3 Replace usage of deprecated datetime.utcnow() with datetime.now(UTC) (#360)
• 12f30c8 Fix for CVE-2024-33663 (forbid public key for HMAC) (#369)
• 638d047 Bump cryptography from 42.0.4 to 43.0.1 (#368)
• 8e1f521 Fix for CVE-2024-33664. JWE limited to 250K (#352)
• c9403b5 Bump cryptography from 41.0.3 to 42.0.4 (#358)
• 58e543e Bump cryptography from 39.0.1 to 41.0.3
• 50d1997 Disabling test build for Python 3.7 on OS X since arm64 is no longer supporte...
• 1967754 Adding get_pem_for_key and normalize_pem methods to normalize PEM formatt...
• Additional commits viewable in compare view

Sourced from pyyaml's changelog.

5.4.1 (2021-01-20)

• yaml/pyyaml#480 -- Fix stub compat with older pyyaml versions that may unwittingly load it

5.4 (2021-01-19)

• yaml/pyyaml#407 -- Build modernization, remove distutils, fix metadata, build wheels, CI to GHA
• yaml/pyyaml#472 -- Fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader
• yaml/pyyaml#441 -- Fix memory leak in implicit resolver setup
• yaml/pyyaml#392 -- Fix py2 copy support for timezone objects
• yaml/pyyaml#378 -- Fix compatibility with Jython

5.3.1 (2020-03-18)

• yaml/pyyaml#386 -- Prevents arbitrary code execution during python/object/new constructor

5.3 (2020-01-06)

• yaml/pyyaml#290 -- Use is instead of equality for comparing with None
• yaml/pyyaml#270 -- Fix typos and stylistic nit
• yaml/pyyaml#309 -- Fix up small typo
• yaml/pyyaml#161 -- Fix handling of slots
• yaml/pyyaml#358 -- Allow calling add_multi_constructor with None
• yaml/pyyaml#285 -- Add use of safe_load() function in README
• yaml/pyyaml#351 -- Fix reader for Unicode code points over 0xFFFF
• yaml/pyyaml#360 -- Enable certain unicode tests when maxunicode not > 0xffff
• yaml/pyyaml#359 -- Use full_load in yaml-highlight example
• yaml/pyyaml#244 -- Document that PyYAML is implemented with Cython
• yaml/pyyaml#329 -- Fix for Python 3.10
• yaml/pyyaml#310 -- Increase size of index, line, and column fields
• yaml/pyyaml#260 -- Remove some unused imports
• yaml/pyyaml#163 -- Create timezone-aware datetimes when parsed as such
• yaml/pyyaml#363 -- Add tests for timezone

5.2 (2019-12-02)

• Repair incompatibilities introduced with 5.1. The default Loader was changed, but several methods like add_constructor still used the old default yaml/pyyaml#279 -- A more flexible fix for custom tag constructors yaml/pyyaml#287 -- Change default loader for yaml.add_constructor yaml/pyyaml#305 -- Change default loader for add_implicit_resolver, add_path_resolver
• Make FullLoader safer by removing python/object/apply from the default FullLoader yaml/pyyaml#347 -- Move constructor for object/apply to UnsafeConstructor
• Fix bug introduced in 5.1 where quoting went wrong on systems with sys.maxunicode <= 0xffff yaml/pyyaml#276 -- Fix logic for quoting special characters
• Other PRs: yaml/pyyaml#280 -- Update CHANGES for 5.1

5.1.2 (2019-07-30)

... (truncated)

• ee37f46 5.4.1 release
• 2b37f15 Fix stub compat with older pyyaml versions that may unwittingly load it
• 58d0cb7 5.4 release
• a60f7a1 Fix compatibility with Jython
• ee98abd Run CI on PR base branch changes
• ddf2033 constructor.timezone: _copy & deepcopy
• fc914d5 Avoid repeatedly appending to yaml_implicit_resolvers
• a001f27 Fix for CVE-2020-14343
• fe15062 Add 3.9 to appveyor file for completeness sake
• 1e1c7fb Add a newline character to end of pyproject.toml
• Additional commits viewable in compare view

Sourced from requests's releases.

v2.32.4

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS. (#6926)
• Dropped support for pypy 3.9 following its end of support. (#6926)

v2.32.3

2.32.3 (2024-05-29)

Bugfixes

• Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)
• Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

v2.32.2

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

... (truncated)

Sourced from requests's changelog.

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS.
• Dropped support for pypy 3.9 following its end of support.

2.32.3 (2024-05-29)

Bugfixes

• Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)
• Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

... (truncated)

• 021dc72 Polish up release tooling for last manual release
• 821770e Bump version and add release notes for v2.32.4
• 59f8aa2 Add netrc file search information to authentication documentation (#6876)
• 5b4b64c Add more tests to prevent regression of CVE 2024 47081
• 7bc4587 Add new test to check netrc auth leak (#6962)
• 96ba401 Only use hostname to do netrc lookup instead of netloc
• 7341690 Merge pull request #6951 from tswast/patch-1
• 6716d7c remove links
• a7e1c74 Update docs/conf.py
• c799b81 docs: fix dead links to kenreitz.org
• Additional commits viewable in compare view

Sourced from werkzeug's releases.

3.0.6

This is the Werkzeug 3.0.6 security fix release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.6/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-0-6

• Fix how max_form_memory_size is applied when parsing large non-file fields. GHSA-q34m-jh98-gwm2
• safe_join catches certain paths on Windows that were not caught by ntpath.isabs on Python < 3.11. GHSA-f9vj-2wh5-fj8j

3.0.5

This is the Werkzeug 3.0.5 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.5/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-0-5 Milestone: https://github.com/pallets/werkzeug/milestone/37?closed=1

• The Watchdog reloader ignores file closed no write events. #2945
• Logging works with client addresses containing an IPv6 scope. #2952
• Ignore invalid authorization parameters. #2955
• Improve type annotation fore SharedDataMiddleware. #2958
• Compatibility with Python 3.13 when generating debugger pin and the current UID does not have an associated name. #2957

3.0.4

This is the Werkzeug 3.0.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.4/ Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-4 Milestone: https://github.com/pallets/werkzeug/milestone/36?closed=1

• Restore behavior where parsing multipart/x-www-form-urlencoded data with invalid UTF-8 bytes in the body results in no form data parsed rather than a 413 error. #2930
• Improve parse_options_header performance when parsing unterminated quoted string values. #2904
• Debugger pin auth is synchronized across threads/processes when tracking failed entries. #2916
• Dev server handles unexpected SSLEOFError due to issue in Python < 3.13. #2926
• Debugger pin auth works when the URL already contains a query string. #2918

3.0.3

This is the Werkzeug 3.0.3 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.3/ Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-3 Milestone: https://github.com/pallets/werkzeug/milestone/35?closed=1

• Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. GHSA-2g68-c3qc-8985
• Make reloader more robust when "" is in sys.path. #2823

... (truncated)

Sourced from werkzeug's changelog.

Version 3.0.6

Released 2024-10-25

• Fix how max_form_memory_size is applied when parsing large non-file fields. :ghsa:q34m-jh98-gwm2
• safe_join catches certain paths on Windows that were not caught by ntpath.isabs on Python < 3.11. :ghsa:f9vj-2wh5-fj8j

Version 3.0.5

Released 2024-10-24

• The Watchdog reloader ignores file closed no write events. :issue:2945
• Logging works with client addresses containing an IPv6 scope :issue:2952
• Ignore invalid authorization parameters. :issue:2955
• Improve type annotation fore SharedDataMiddleware. :issue:2958
• Compatibility with Python 3.13 when generating debugger pin and the current UID does not have an associated name. :issue:2957

Version 3.0.4

Released 2024-08-21

• Restore behavior where parsing multipart/x-www-form-urlencoded data with invalid UTF-8 bytes in the body results in no form data parsed rather than a 413 error. :issue:2930
• Improve parse_options_header performance when parsing unterminated quoted string values. :issue:2904
• Debugger pin auth is synchronized across threads/processes when tracking failed entries. :issue:2916
• Dev server handles unexpected SSLEOFError due to issue in Python < 3.13. :issue:2926
• Debugger pin auth works when the URL already contains a query string. :issue:2918

Version 3.0.3

Released 2024-05-05

• Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger

... (truncated)

• 5eaefc3 release version 3.0.6
• 2767bcb Merge commit from fork
• 87cc78a catch special absolute path on Windows Python < 3.11
• 50cfeeb Merge commit from fork
• 8760275 apply max_form_memory_size another level up in the parser
• 8d6a12e start version 3.0.6
• a7b121a release version 3.0.5 (#2961)
• 9caf72a release version 3.0.5
• e28a245 catch OSError from getpass.getuser (#2960)
• e6b4cce catch OSError from getpass.getuser
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on...

Description has been truncated