py-simpy: updated to 4.1.2
4.1.2
- [NEW] Support Python 3.13 and 3.14
- [FIX] Allow PEP 657 location underlines in ``test_exception_chaining`` so
the test passes on Python 3.11+
- [FIX] Update ``docs/conftest.py`` to import ``TerminalRepr`` from
``_pytest._code.code`` and use the ``file_path`` collection hook,
replacing the removed ``py._code`` import and deprecated ``py.path.local``
hook argument
- [FIX] Explicitly mark ``ConditionValue`` as unhashable
- [CHANGE] Address current ruff and mypy findings: switch tests to use
``pytest.raises`` as a context manager, mark regex ``match=`` patterns as
raw strings, hoist module-level imports, and extend the ruff ignore list
with ``UP045`` (matches the existing ``UP006``/``UP007`` policy)
py-dulwich: updated to 1.2.4
1.2.4 2026-05-21
* Tolerate ref names with empty path components (e.g. ``refs/tags//v1.0``)
for now, emitting a ``DeprecationWarning`` rather than raising a
``RefFormatError``. Such names are constructed by older Poetry releases
(fixed in Poetry 2.4.0) and were silently accepted before Dulwich 1.2.3.
``local_branch_name``, ``local_tag_name`` and ``local_replace_name``
likewise warn about, and strip, a leading slash instead of raising
``ValueError``. Both will become errors again in a future release.
py-prometheus_client: updated to 0.25.0
0.25.0
Fix spaces in grouping key values for push_to_gateway
Support MultiProcessCollector in RestrictedRegistry
py-ldap: updated to 3.4.7
3.4.7 2026-05-19
No code changes, correcting for the fact that the previous release artifacts
uploaded to PyPI contained unintended files.
3.4.6 2026-05-14
Fixes:
* ``attrlist`` parameter is now properly checked before use, avoiding memory
errors due to type mismatches
* Fixed errors with requestName/requestValue in ``extop.dds``
* ``ldif`` and ``ldap.schema`` modules now actively close sockets as they're
finished with them
Infrastructure:
* Package no longer requires setuptools-scm
py-testfixtures: updated to 12.0.0
12.0.0 (23 May 2026)
.. warning:: Breaking changes:
- Comparers have moved from :mod:`!testfixtures.comparison` to :mod:`testfixtures.comparers`.
- :func:`!django_compare` has been removed, :func:`compare` now works with Django models.
- Refactoring of :class:`LogCapture` to introduce support for :doc:`loguru <loguru>`,
:doc:`structlog <structlog>` and similar support for :doc:`twisted <twisted>` by way of the new
:class:`~testfixtures.logcapture.CaptureSource` architecture.
- :func:`compare` now supports per-type ``ignore_eq``.
- :func:`compare` now supports both :doc:`polars <polars>` and :doc:`pandas <pandas>` dataframes.
- :func:`compare` now provides better feedback when objects being compared raised exceptipns in
their :any:`str` or :any:`repr`.
[3 lines not shown]
py-checkdmarc: updated to 5.16.2
5.16.2
BIMI: forbidden x/y attributes on the root <svg> element are now actually rejected. get_svg_metadata was reading the wrong xmltodict keys, so the existing rejection in check_svg_requirements never fired on real SVGs. The metadata also lost the y value to a typo that clobbered metadata["x"].
DNSSEC: narrowed three broad except Exception clauses to specific exception types (dns.exception.DNSException, OSError, EOFError) so programming errors propagate instead of being silently swallowed.
5.16.1
Simplify the warning emitted for pct/rf/ri to just "Support for the {tag} tag was removed in RFC 9989".
5.16.0
Rename DMARCbis references to RFC 9989
In compliance with RFC 9989, treat a DMARC p tag as p=none, instead of requiring it
Instead, a warning is raised that older versions of DMARC require it
DMARC: the pct, rf, and ri tags are removed in RFC 9989. They are no longer implicitly added to parsed results, are no longer strictly validated (invalid values that previously raised now just warn), and explicit use emits a "removed in RFC 9989" warning. Pre-9989 readers may still honor them, so the value is left intact for those consumers.
DMARC: unknown tags are now ignored with a warning instead of raising InvalidDMARCTag, per RFC 9989 ("Unknown tags MUST be ignored").
DMARC: the order constraint that p must immediately follow v is now a warning rather than a hard syntax error. RFC 9989 permits any tag ordering after v; older RFC 7489 readers may still expect p second.
[3 lines not shown]
py-soupsieve: updated to 2.8.4
2.8.4
- **FIX**: Fix another inefficient attribute pattern
- **FIX**: Limit total number of selectors processed in a pattern to prevent massive selector requests
py-sqlalchemy: updated to 2.0.50
2.0.50
orm
[orm] [bug]
Fixed issue where using joinedload() with PropComparator.of_type() targeting a joined-table subclass combined with PropComparator.and_() referencing a column on that subclass would generate invalid SQL, where the subclass column was not adapted to the subquery alias. Pull request courtesy Joaquin Hui Gomez.
[orm] [bug]
Fixed issue where the presence of a SessionEvents.do_orm_execute() event hook would cause internal execution options such as yield_per and loader-specific state from the first orm_pre_session_exec pass to leak into the second pass, leading to errors when using relationship loaders such as selectinload() and immediateload(). The execution options passed to the second compilation pass are now based on the original options plus only the explicit updates made via ORMExecuteState.update_execution_options() within the event hook.
[orm] [bug]
Fixed issue where using with_polymorphic() on a leaf class (a subclass with no further descendants) or a non-inherited class would fail with an AttributeError when used in an ORM statement, due to configure_mappers() not being triggered implicitly. The fix ensures that AliasedInsp participates in the _post_inspect hook, triggering mapper configuration during ORM statement compilation.
sql
[34 lines not shown]
py-test-rerunfailures: updated to 16.3
16.3 (2026-05-22)
Features
- Add ``--reruns-mode`` option (``strict`` or ``append``). With ``append``,
marker reruns and the global ``--reruns`` / ``reruns`` ini setting are summed
instead of the marker taking strict priority. Default is ``strict`` so
existing behaviour is unchanged.
- Add ``--rerun-show-tracebacks`` option to display tracebacks from failed
attempts that were retried, including tests that eventually passed. The
rerun summary section is emitted automatically when the flag is set, so
``-rR`` is no longer required to see the tracebacks.
py-snowballstemmer: updated to 3.1.0
Snowball 3.1.0 (2026-05-22)
Compiler changes
* Bug fixes:
+ Fix segmentation fault if -syntax is used on a program with no code.
+ Fix segmentation fault on some assignment syntax errors.
+ Fix bug introduced in v3.0.0 with conversion of `among` starter. If there
were any commands after the among in the same command list then the among
itself would get lost. Not triggered by any current algorithms.
+ Clear name field when removing dead assignments. This is visible in the
syntax tree shown when command line option -syntax is used, but probably
doesn't affect anything otherwise.
[160 lines not shown]
rclone: updated to 1.74.2
1.74.2 - 2026-05-22
- Bug Fixes
- build
- Update golang.org/x/net to v0.55.0 to address:
- CVE-2026-42506: html: incorrect handling of namespaced elements in foreign content
- CVE-2026-39821: idna: failure to reject ASCII-only Punycode-encoded labels
- CVE-2026-42502: html: incorrect handling of HTML elements in foreign content
- CVE-2026-25680: html: denial of service when parsing arbitrary HTML
- CVE-2026-25681: html: incorrect handling of character references in DOCTYPE nodes
- CVE-2026-27136: html: duplicate attributes can cause XSS
- Update golang.org/x/crypto to v0.52.0 to address:
- CVE-2026-46598: ssh/agent: pathological inputs can lead to client panic
- CVE-2026-46597: ssh: byte arithmetic causes underflow and panic
- CVE-2026-39828: ssh: bypass of certificate restrictions
- CVE-2026-39835: ssh: server panic during CheckHostKey/Authenticate
- CVE-2026-39833: ssh/agent: key constraints not enforced
[31 lines not shown]
