Bump the pip group across 1 directory with 23 updates #20

Open
wants to merge 1 commit into
base: main

dependabot[bot]
@dependabot dependabot bot commented on behalf of github Mar 6, 2025

Bumps the pip group with 23 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| python-jose | 3.3.0 | 3.4.0 |
| streamlit | 1.32.2 | 1.37.0 |
| unstructured | 0.12.5 | 0.14.3 |
| aiohttp | 3.9.3 | 3.11.0b0 |
| certifi | 2024.2.2 | 2024.7.4 |
| cryptography | 42.0.5 | 44.0.1 |
| ecdsa | 0.18.0 | 0.19.0 |
| idna | 3.6 | 3.7 |
| jinja2 | 3.1.3 | 3.1.6 |
| langchain-core | 0.1.30 | 0.1.35 |
| nltk | 3.8.1 | 3.9.1 |
| onnx | 1.15.0 | 1.16.2 |
| pillow | 10.2.0 | 10.3.0 |
| python-multipart | 0.0.9 | 0.0.18 |
| requests | 2.31.0 | 2.32.2 |
| setuptools | 69.1.1 | 70.0.0 |
| starlette | 0.36.3 | 0.40.0 |
| tornado | 6.4 | 6.4.2 |
| tqdm | 4.66.2 | 4.66.3 |
| transformers | 4.38.2 | 4.48.0 |
| urllib3 | 2.2.1 | 2.2.2 |
| virtualenv | 20.25.1 | 20.26.6 |
| zipp | 3.17.0 | 3.19.1 |

Updates python-jose from 3.3.0 to 3.4.0

Release notes

Sourced from python-jose's releases.

3.4.0

News

  • Remove support for Python 3.6 and 3.7
  • Added support for Python 3.10 and 3.11

Bug fixes and Improvements

  • Updating CryptographyAESKey::encrypt to generate 96 bit IVs for GCM block cipher mode
  • Fix for PEM key comparisons caused by line lengths and new lines
  • Fix for CVE-2024-33664 - JWE limited to 250KiB
  • Fix for CVE-2024-33663 - signing JWT with public key is now forbidden
  • Replace usage of deprecated datetime.utcnow() with datetime.now(UTC)

Housekeeping

  • Updated Github Actions Workflows
  • Updated to use tox 4.x
  • Revise codecov integration
  • Fixed DeprecationWarnings

Changelog

Sourced from python-jose's changelog.

3.4.0 -- 2025-02-14

News

  • Remove support for Python 3.6 and 3.7
  • Added support for Python 3.10 and 3.11

Bug fixes and Improvements

  • Updating CryptographyAESKey::encrypt to generate 96 bit IVs for GCM block cipher mode
  • Fix for PEM key comparisons caused by line lengths and new lines
  • Fix for CVE-2024-33664 - JWE limited to 250KiB
  • Fix for CVE-2024-33663 - signing JWT with public key is now forbidden
  • Replace usage of deprecated datetime.utcnow() with datetime.now(UTC)

Housekeeping

  • Updated Github Actions Workflows
  • Updated to use tox 4.x
  • Revise codecov integration
  • Fixed DeprecationWarnings

Commits

Updates streamlit from 1.32.2 to 1.37.0

Release notes

Sourced from streamlit's releases.

1.37.0

What's Changed

New Features 🎉

Bug Fixes 🐛

Other Changes

New Contributors

Full Changelog: streamlit/streamlit@1.36.0...1.37.0

1.36.0

What's Changed

... (truncated)

Commits
  • e2c3c93 Up version to 1.37.0
  • 88389e3 Docstrings for 1.37.0 (#9115)
  • 898fd80 Temp solution to fix invalid material icon error rendering (#9113)
  • b2c88c6 Reset ctx.current_fragment_id to last ID instead of None (#9114)
  • 3a63985 Validate the path using Tornado before performing checks (#8990)
  • 40303e1 Move the filled star icon for feedback widget from python code to web app (#9...
  • 6296baf Update the feedback widget design (#9094)
  • b9c3521 Fixes two st.map width bugs (#9070)
  • a2ae47a Only expose selected objects in components module (#8873)
  • 340f3f7 De-experimentalize st.dialog (#9020)
  • Additional commits viewable in compare view

Updates unstructured from 0.12.5 to 0.14.3

Release notes

Sourced from unstructured's releases.

0.14.3

Enhancements

  • Move category field from Text class to Element class.
  • partition_docx() now supports pluggable picture sub-partitioners. A subpartitioner that accepts a DOCX Paragraph and generates elements is now supported. This allows adding a custom sub-partitioner that extracts images and applies OCR or summarization for the image.
  • Add VoyageAI embedder Adds VoyageAI embeddings to support embedding via Voyage AI.

Features

Fixes

  • Fix partition_pdf() to keep spaces in the text. The control character \t is now replaced with a space instead of being removed when merging inferred elements with embedded elements.
  • Turn off XML resolve entities Sets resolve_entities=False for XML parsing with lxml to avoid text being dynamically injected into the XML document.
  • Add backward compatibility for the deprecated pdf_infer_table_structure parameter.
  • Add the missing form_extraction_skip_tables argument to the partition_pdf_or_image call. to avoid text being dynamically injected into the XML document.
  • Chromadb change from Add to Upsert using element_id to make idempotent
  • Disable table_as_cells output by default to reduce overhead in partition; now table_as_cells is only produced when the env EXTACT_TABLE_AS_CELLS is true
  • Reduce excessive logging Change per page ocr info level logging into detail level trace logging
  • Replace try block in document_to_element_list for handling HTMLDocument Use getattr(element, "type", "") to get the type attribute of an element when it exists. This is a more explicit way to handle the special case for HTML documents and prevents other types of attribute error from being silenced by the try block

0.14.2

Enhancements

  • Bump unstructured-inference==0.7.33.

Features

  • Add attribution to the pinecone connector.

0.14.1

Enhancements

  • Refactor code related to embedded text extraction. The embedded text extraction code is moved from unstructured-inference to unstructured.

Features

  • Large improvements to the ingest process:
    • Support for multiprocessing and async, with limits for both.
    • Streamlined to process when mapping CLI invocations to the underlying code
    • More granular steps introduced to give better control over process (i.e. dedicated step to uncompress files already in the local filesystem, new optional staging step before upload)
    • Use the python client when calling the unstructured api for partitioning or chunking
    • Saving the final content is now a dedicated destination connector (local) set as the default if none are provided. Avoids adding new files locally if uploading elsewhere.
    • Leverage last modified date when deciding if new files should be downloaded and reprocessed.
    • Add attribution to the pinecone connector
  • Add support for Python 3.12. unstructured now works with Python 3.12!

0.14.0

... (truncated)

Changelog

Sourced from unstructured's changelog.

0.14.3

Enhancements

  • Move category field from Text class to Element class.
  • partition_docx() now supports pluggable picture sub-partitioners. A subpartitioner that accepts a DOCX Paragraph and generates elements is now supported. This allows adding a custom sub-partitioner that extracts images and applies OCR or summarization for the image.
  • Add VoyageAI embedder Adds VoyageAI embeddings to support embedding via Voyage AI.

Features

Fixes

  • Fix partition_pdf() to keep spaces in the text. The control character \t is now replaced with a space instead of being removed when merging inferred elements with embedded elements.
  • Turn off XML resolve entities Sets resolve_entities=False for XML parsing with lxml to avoid text being dynamically injected into the XML document.
  • Add backward compatibility for the deprecated pdf_infer_table_structure parameter.
  • Add the missing form_extraction_skip_tables argument to the partition_pdf_or_image call. to avoid text being dynamically injected into the XML document.
  • Chromadb change from Add to Upsert using element_id to make idempotent
  • Disable table_as_cells output by default to reduce overhead in partition; now table_as_cells is only produced when the env EXTACT_TABLE_AS_CELLS is true
  • Reduce excessive logging Change per page ocr info level logging into detail level trace logging
  • Replace try block in document_to_element_list for handling HTMLDocument Use getattr(element, "type", "") to get the type attribute of an element when it exists. This is a more explicit way to handle the special case for HTML documents and prevents other types of attribute error from being silenced by the try block

0.14.2

Enhancements

  • Bump unstructured-inference==0.7.33.

Features

  • Add attribution to the pinecone connector.

Fixes

0.14.1

Enhancements

  • Refactor code related to embedded text extraction. The embedded text extraction code is moved from unstructured-inference to unstructured.

Features

  • Large improvements to the ingest process:
    • Support for multiprocessing and async, with limits for both.
    • Streamlined to process when mapping CLI invocations to the underlying code
    • More granular steps introduced to give better control over process (i.e. dedicated step to uncompress files already in the local filesystem, new optional staging step before upload)
    • Use the python client when calling the unstructured api for partitioning or chunking
    • Saving the final content is now a dedicated destination connector (local) set as the default if none are provided. Avoids adding new files locally if uploading elsewhere.
    • Leverage last modified date when deciding if new files should be downloaded and reprocessed.

... (truncated)

Commits

Updates aiohttp from 3.9.3 to 3.11.0b0

Release notes

Sourced from aiohttp's releases.

3.11.0b0

Bug fixes

  • Raise :exc:aiohttp.ServerFingerprintMismatch exception on client-side if request through http proxy with mismatching server fingerprint digest: aiohttp.ClientSession(headers=headers, connector=TCPConnector(ssl=aiohttp.Fingerprint(mismatch_digest), trust_env=True).request(...) -- by :user:gangj.

    Related issues and pull requests on GitHub: #6652.

  • Made TestClient.app a Generic so type checkers will know the correct type (avoiding unneeded client.app is not None checks) -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub: #8977.

  • Authentication provided by a redirect now takes precedence over provided auth when making requests with the client -- by :user:PLPeeters.

    Related issues and pull requests on GitHub: #9436.

Features

  • Added strategy parameter to :meth:aiohttp.web.StreamResponse.enable_compression The value of this parameter is passed to the :func:zlib.compressobj function, allowing people to use a more sufficient compression algorithm for their data served by :mod:aiohttp.web -- by :user:shootkin

    Related issues and pull requests on GitHub: #6257.

  • Exported :py:class:~aiohttp.ClientWSTimeout to top-level namespace -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub: #8612.

... (truncated)

Changelog

Sourced from aiohttp's changelog.

3.11.0b0 (2024-10-28)

Bug fixes

  • Raise :exc:aiohttp.ServerFingerprintMismatch exception on client-side if request through http proxy with mismatching server fingerprint digest: aiohttp.ClientSession(headers=headers, connector=TCPConnector(ssl=aiohttp.Fingerprint(mismatch_digest), trust_env=True).request(...) -- by :user:gangj.

    Related issues and pull requests on GitHub: :issue:6652.

  • Made TestClient.app a Generic so type checkers will know the correct type (avoiding unneeded client.app is not None checks) -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub: :issue:8977.

  • Authentication provided by a redirect now takes precedence over provided auth when making requests with the client -- by :user:PLPeeters.

    Related issues and pull requests on GitHub: :issue:9436.

Features

  • Added strategy parameter to :meth:aiohttp.web.StreamResponse.enable_compression The value of this parameter is passed to the :func:zlib.compressobj function, allowing people to use a more sufficient compression algorithm for their data served by :mod:aiohttp.web -- by :user:shootkin

    Related issues and pull requests on GitHub: :issue:6257.

  • Exported :py:class:~aiohttp.ClientWSTimeout to top-level namespace -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub: :issue:8612.

... (truncated)

Commits
  • f07c021 Release 3.11.0b0 (#9580)
  • 125c7ed [PR #9577/a54dd98c backport][3.11] Cleanup changelog messages for 3.11 (#9579)
  • 429ec17 [PR #9575/951def15 backport][3.11] Switch to using `URL.host_port_subcomponen...
  • 9cd73e3 [PR #9574/998204d backport][3.11] Increase minimum yarl version to 1.17.0 (#9...
  • 4592d03 Add support for adjusting the server WebSocket writer limit (#9572) (#9573)
  • 78418f7 [PR #9566/22f0831 backport][3.11] Refactor WebSocketWriter to remove high lev...
  • a3b8129 [PR #9443/06b2398 backport][3.11] Fix handling of redirects with authenticati...
  • 153350d Bump pip from 24.2 to 24.3.1 (#9562)
  • 1127bcd [PR #9558/0a706625 backport][3.11] Fix refactoring error from moving WebSocke...
  • 1417252 [PR #9559/50656ca0 backport][3.11] Add benchmarks for sending masked WebSocke...
  • Additional commits viewable in compare view

Updates certifi from 2024.2.2 to 2024.7.4

Commits

Updates cryptography from 42.0.5 to 44.0.1

Changelog

Sourced from cryptography's changelog.

44.0.1 - 2025-02-11

  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.1.
  • We now build armv7l manylinux wheels and publish them to PyPI.
  • We now build manylinux_2_34 wheels and publish them to PyPI.

44.0.0 - 2024-11-27

  • BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.9.
  • Deprecated Python 3.7 support. Python 3.7 is no longer supported by the Python core team. Support for Python 3.7 will be removed in a future cryptography release.
  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.0.
  • macOS wheels are now built against the macOS 10.13 SDK. Users on older versions of macOS should upgrade, or they will need to build cryptography themselves.
  • Enforce the :rfc:5280 requirement that extended key usage extensions must not be empty.
  • Added support for timestamp extraction to the :class:~cryptography.fernet.MultiFernet class.
  • Relax the Authority Key Identifier requirements on root CA certificates during X.509 verification to allow fields permitted by :rfc:5280 but forbidden by the CA/Browser BRs.
  • Added support for :class:~cryptography.hazmat.primitives.kdf.argon2.Argon2id when using OpenSSL 3.2.0+.
  • Added support for the :class:~cryptography.x509.Admissions certificate extension.
  • Added basic support for PKCS7 decryption (including S/MIME 3.2) via :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der, :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem, and :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime.

43.0.3 - 2024-10-18

  • Fixed release metadata for cryptography-vectors

43.0.2 - 2024-10-18

  • Fixed compilation when using LibreSSL 4.0.0.

... (truncated)

Commits

Updates ecdsa from 0.18.0 to 0.19.0

Release notes

Sourced from ecdsa's releases.

ecdsa 0.19.0

New API:

  • to_ssh in VerifyingKey and SigningKey, supports Ed25519 keys only (Pablo Mazzini)

New features:

  • Support for twisted Brainpool curves

Doc fix:

  • Fix curve equation in glossary
  • Documentation for signature encoding and signature decoding functions

Maintenance:

  • Dropped official support for 3.3 and 3.4 (because of problems running them in CI, not because it's actually incompatible; support for 2.6 and 2.7 is unaffected)
  • Fixes around hypothesis parameters
  • Officially support Python 3.11 and 3.12
  • Small updates to test suite to make it work with 3.11 and 3.12 and new releases of test dependencies
  • Dropped the internal _rwlock module as it's unused
  • Added mutation testing to CI, lots of speed-ups to the test suite to make it happen
  • Removal of unnecessary six.b literals (Alexandre Detiste)

Deprecations:

  • int_to_string, string_to_int, and digest_integer from ecdsa.ecdsa module are now considered deprecated, they will be removed in a future release

Changelog

Sourced from ecdsa's changelog.

  • Release 0.19.0 (08 Apr 2024)

New API:

  • to_ssh in VerifyingKey and SigningKey, supports Ed25519 keys only (Pablo Mazzini)

New features:

  • Support for twisted Brainpool curves

Doc fix:

  • Fix curve equation in glossary
  • Documentation for signature encoding and signature decoding functions

Maintenance:

  • Dropped official support for 3.3 and 3.4 (because of problems running them in CI, not because it's actually incompatible; support for 2.6 and 2.7 is unaffected)
  • Fixes around hypothesis parameters
  • Officially support Python 3.11 and 3.12
  • Small updates to test suite to make it work with 3.11 and 3.12 and new releases of test dependencies
  • Dropped the internal _rwlock module as it's unused
  • Added mutation testing to CI, lots of speed-ups to the test suite to make it happen
  • Removal of unnecessary six.b literals (Alexandre Detiste)

Deprecations:

  • int_to_string, string_to_int, and digest_integer from ecdsa.ecdsa module are now considered deprecated, they will be removed in a future release

  • Release 0.18.0 (09 Jul 2022)

New API:

  • curve_by_name in curves module to get a Curve object by providing curve name.

Bug fix:

  • Make the VerifyingKey encoded with explicit parameters use the same kind of point encoding for public key and curve generator.
  • Better handling of malformed curve parameters (as in CVE-2022-0778); make python-ecdsa raise MalformedPointError instead of AssertionError.

Doc fix:

  • Publish the documentation on https://ecdsa.readthedocs.io/, include explanation of basics of handling of ECC data formats and how to use the library for elliptic curve arithmetic.
  • Make object names more consistent, make them into hyperlinks on the readthedocs documentation.
  • Make security note more explicit (Ian Rodney)

... (truncated)

Commits
  • be70016 Merge pull request #337 from tlsfuzzer/release-0.19
  • 217735b allow early exit from worker processes when running mutation testing
  • 6e7adff don't check rate if no tests executed
  • c56030e make coveralls submission work with py2.6 again
  • 66d0d74 add release notes for 0.19.0 release
  • 0d5a38c Merge pull request #156 from tomato42/cosmic-ray
  • 02c8350 be more permissive for the PR mutation test coverage
  • 4845e8f better is_prime()
  • 09f0d10 add hard timeout for test mutation test suite
  • e16173b two digit precision for the mutation score badge
  • Additional commits viewable in compare view

Updates idna from 3.6 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

  • Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11)

  • Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Commits
  • 1d365e1 Release v3.7
  • c1b3154 Merge pull request #172 from kjd/optimize-contextj
  • 0394ec7 Merge branch 'master' into optimize-contextj
  • cd58a23 Merge pull request #152 from elliotwutingfeng/dev
  • 5beb28b More efficient resolution of joiner contexts
  • 1b12148 Update ossf/scorecard-action to v2.3.1
  • d516b87 Update Github actions/checkout to v4
  • c095c75 Merge branch 'master' into dev
  • 60a0a4c Fix typo in GitHub Actions workflow key
  • 5918a0e Merge branch 'master' into dev
  • Additional commits viewable in compare view

Updates jinja2 from 3.1.3 to 3.1.6

Release notes

Sourced from jinja2's releases.

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/ Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

  • The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7

3.1.5

This is the Jinja 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.5/ Changes: https://jinja.palletsprojects.com/changes/#version-3-1-5 Milestone: https://github.com/pallets/jinja/milestone/16?closed=1

  • The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. GHSA-q2x7-8rv6-6q7h
  • Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. #1792, GHSA-gmj6-6f8f-6699
  • Sandbox does not allow clear and pop on known mutable sequence types. #2032
  • Calling sync render for an async template uses asyncio.run. #1952
  • Avoid unclosed auto_aiter warnings. #1960
  • Return an aclose-able AsyncGenerator from Template.generate_async. #1960
  • Avoid leaving root_render_func() unclosed in Template.generate_async. #1960
  • Avoid leaving async generators unclosed in blocks, includes and extends. #1960
  • The runtime uses the correct concat function for the current environment when calling block references. #1701
  • Make |unique async-aware, allowing it to be used after another async-aware filter. #1781
  • |int filter handles OverflowError from scientific notation. #1921
  • Make compiling deterministic for tuple unpacking in a {% set ... %} call. #2021
  • Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. #2025
  • Fix copy/pickle support for the internal missing object. #2027
  • Environment.overlay(enable_async) is applied correctly. #2061
  • The error message from FileSystemLoader includes the paths that were searched. #1661
  • PackageLoader shows a clearer error message when the package does not contain the templates directory. #1705
  • Improve annotations for methods returning copies. #1880
  • urlize does not add mailto: to values like @a@b. #1870
  • Tests decorated with @pass_context can be used with the |select filter. #1624
  • Using set for multiple assignment (a, b = 1, 2) does not fail when the target is a namespace attribute. #1413
  • Using set in all branches of {% if %}{% elif %}{% else %} blocks does not cause the variable to be considered initially undefined. #1253

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

  • The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

Changelog

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

  • The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Version 3.1.5

Released 2024-12-21

  • The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. :ghsa:q2x7-8rv6-6q7h
  • Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. :issue:1792, :ghsa:gmj6-6f8f-6699
  • Sandbox does not allow clear and pop on known mutable sequence types. :issue:2032
  • Calling sync render for an async template uses asyncio.run. :pr:1952
  • Avoid unclosed auto_aiter warnings. :pr:1960
  • Return an aclose-able AsyncGenerator from Template.generate_async. :pr:1960
  • Avoid leaving root_render_func() unclosed in Template.generate_async. :pr:1960
  • Avoid leaving async generators unclosed in blocks, includes and extends. :pr:1960
  • The runtime uses the correct concat function for the current environment when calling block references. :issue:1701
  • Make |unique async-aware, allowing it to be used after another async-aware filter. :issue:1781
  • |int filter handles OverflowError from scientific notation. :issue:1921
  • Make compiling deterministic for tuple unpacking in a {% set ... %} call. :issue:2021
  • Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. :issue:2025
  • Fix copy/pickle support for the internal missing object. :issue:2027
  • Environment.overlay(enable_async) is applied correctly. :pr:2061
  • The error message from FileSystemLoader includes the paths that were searched. :issue:1661
  • PackageLoader shows a clearer error message when the package does not contain the templates directory. :issue:1705
  • Improve annotations for methods returning copies. :pr:1880
  • urlize does not add mailto: to values like @a@b. :pr:1870

... (truncated)

Commits

Updates langchain-core from 0.1.30 to 0.1.35

Commits

Updates nltk from 3.8.1 to 3.9.1

Changelog

Sourced from nltk's changelog.

Version 3.9.1 2024-08-19

  • Fixed bug that prevented wordnet from loading

Version 3.9 2024-08-18

  • Fix security vulnerability CVE-2024-39705 (breaking change)
  • Replace pickled models (punkt, chunker, taggers) by new pickle-free "_tab" packages
  • No longer sort Wordnet synsets and relations (sort in calling function when required)
  • Only strip the last suffix in Wordnet Morphy, thus restricting synsets() results
  • Add Python 3.12 support
  • Many other minor fixes

Thanks to the following contributors to 3.8.2: Tom Aarsen, Cat Lee Ball, Veralara Bernhard, Carlos Brandt, Konstantin Chernyshev, Michael Higgins, Eric Kafe, Vivek Kalyan, David Lukes, Rob Malouf, purificant, Alex Rudnick, Liling Tan, Akihiro Yamazaki...

Description has been truncated

Bumps the pip group with 23 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [python-jose](https://github.com/mpdavis/python-jose) | `3.3.0` | `3.4.0` |
| [streamlit](https://github.com/streamlit/streamlit) | `1.32.2` | `1.37.0` |
| [unstructured](https://github.com/Unstructured-IO/unstructured) | `0.12.5` | `0.14.3` |
| [aiohttp](https://github.com/aio-libs/aiohttp) | `3.9.3` | `3.11.0b0` |
| [certifi](https://github.com/certifi/python-certifi) | `2024.2.2` | `2024.7.4` |
| [cryptography](https://github.com/pyca/cryptography) | `42.0.5` | `44.0.1` |
| [ecdsa](https://github.com/tlsfuzzer/python-ecdsa) | `0.18.0` | `0.19.0` |
| [idna](https://github.com/kjd/idna) | `3.6` | `3.7` |
| [jinja2](https://github.com/pallets/jinja) | `3.1.3` | `3.1.6` |
| [langchain-core](https://github.com/langchain-ai/langchain) | `0.1.30` | `0.1.35` |
| [nltk](https://github.com/nltk/nltk) | `3.8.1` | `3.9.1` |
| [onnx](https://github.com/onnx/onnx) | `1.15.0` | `1.16.2` |
| [pillow](https://github.com/python-pillow/Pillow) | `10.2.0` | `10.3.0` |
| [python-multipart](https://github.com/Kludex/python-multipart) | `0.0.9` | `0.0.18` |
| [requests](https://github.com/psf/requests) | `2.31.0` | `2.32.2` |
| [setuptools](https://github.com/pypa/setuptools) | `69.1.1` | `70.0.0` |
| [starlette](https://github.com/encode/starlette) | `0.36.3` | `0.40.0` |
| [tornado](https://github.com/tornadoweb/tornado) | `6.4` | `6.4.2` |
| [tqdm](https://github.com/tqdm/tqdm) | `4.66.2` | `4.66.3` |
| [transformers](https://github.com/huggingface/transformers) | `4.38.2` | `4.48.0` |
| [urllib3](https://github.com/urllib3/urllib3) | `2.2.1` | `2.2.2` |
| [virtualenv](https://github.com/pypa/virtualenv) | `20.25.1` | `20.26.6` |
| [zipp](https://github.com/jaraco/zipp) | `3.17.0` | `3.19.1` |



Updates `python-jose` from 3.3.0 to 3.4.0
- [Release notes](https://github.com/mpdavis/python-jose/releases)
- [Changelog](https://github.com/mpdavis/python-jose/blob/master/CHANGELOG.md)
- [Commits](mpdavis/python-jose@3.3.0...3.4.0)

Updates `streamlit` from 1.32.2 to 1.37.0
- [Release notes](https://github.com/streamlit/streamlit/releases)
- [Commits](streamlit/streamlit@1.32.2...1.37.0)

Updates `unstructured` from 0.12.5 to 0.14.3
- [Release notes](https://github.com/Unstructured-IO/unstructured/releases)
- [Changelog](https://github.com/Unstructured-IO/unstructured/blob/main/CHANGELOG.md)
- [Commits](Unstructured-IO/unstructured@0.12.5...0.14.3)

Updates `aiohttp` from 3.9.3 to 3.11.0b0
- [Release notes](https://github.com/aio-libs/aiohttp/releases)
- [Changelog](https://github.com/aio-libs/aiohttp/blob/v3.11.0b0/CHANGES.rst)
- [Commits](aio-libs/aiohttp@v3.9.3...v3.11.0b0)

Updates `certifi` from 2024.2.2 to 2024.7.4
- [Commits](certifi/python-certifi@2024.02.02...2024.07.04)

Updates `cryptography` from 42.0.5 to 44.0.1
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@42.0.5...44.0.1)

Updates `ecdsa` from 0.18.0 to 0.19.0
- [Release notes](https://github.com/tlsfuzzer/python-ecdsa/releases)
- [Changelog](https://github.com/tlsfuzzer/python-ecdsa/blob/master/NEWS)
- [Commits](tlsfuzzer/python-ecdsa@python-ecdsa-0.18.0...python-ecdsa-0.19.0)

Updates `idna` from 3.6 to 3.7
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst)
- [Commits](kjd/idna@v3.6...v3.7)

Updates `jinja2` from 3.1.3 to 3.1.6
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](pallets/jinja@3.1.3...3.1.6)

Updates `langchain-core` from 0.1.30 to 0.1.35
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](https://github.com/langchain-ai/langchain/commits)

Updates `nltk` from 3.8.1 to 3.9.1
- [Changelog](https://github.com/nltk/nltk/blob/develop/ChangeLog)
- [Commits](nltk/nltk@3.8.1...3.9.1)

Updates `onnx` from 1.15.0 to 1.16.2
- [Release notes](https://github.com/onnx/onnx/releases)
- [Changelog](https://github.com/onnx/onnx/blob/main/docs/Changelog-ml.md)
- [Commits](onnx/onnx@v1.15.0...v1.16.2)

Updates `pillow` from 10.2.0 to 10.3.0
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@10.2.0...10.3.0)

Updates `python-multipart` from 0.0.9 to 0.0.18
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/master/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.9...0.0.18)

Updates `requests` from 2.31.0 to 2.32.2
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.31.0...v2.32.2)

Updates `setuptools` from 69.1.1 to 70.0.0
- [Release notes](https://github.com/pypa/setuptools/releases)
- [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst)
- [Commits](pypa/setuptools@v69.1.1...v70.0.0)

Updates `starlette` from 0.36.3 to 0.40.0
- [Release notes](https://github.com/encode/starlette/releases)
- [Changelog](https://github.com/encode/starlette/blob/master/docs/release-notes.md)
- [Commits](encode/starlette@0.36.3...0.40.0)

Updates `tornado` from 6.4 to 6.4.2
- [Changelog](https://github.com/tornadoweb/tornado/blob/v6.4.2/docs/releases.rst)
- [Commits](tornadoweb/tornado@v6.4.0...v6.4.2)

Updates `tqdm` from 4.66.2 to 4.66.3
- [Release notes](https://github.com/tqdm/tqdm/releases)
- [Commits](tqdm/tqdm@v4.66.2...v4.66.3)

Updates `transformers` from 4.38.2 to 4.48.0
- [Release notes](https://github.com/huggingface/transformers/releases)
- [Commits](huggingface/transformers@v4.38.2...v4.48.0)

Updates `urllib3` from 2.2.1 to 2.2.2
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.2.1...2.2.2)

Updates `virtualenv` from 20.25.1 to 20.26.6
- [Release notes](https://github.com/pypa/virtualenv/releases)
- [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst)
- [Commits](pypa/virtualenv@20.25.1...20.26.6)

Updates `zipp` from 3.17.0 to 3.19.1
- [Release notes](https://github.com/jaraco/zipp/releases)
- [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst)
- [Commits](jaraco/zipp@v3.17.0...v3.19.1)

---
updated-dependencies:
- dependency-name: python-jose
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: streamlit
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: unstructured
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: aiohttp
  dependency-type: indirect
  dependency-group: pip
- dependency-name: certifi
  dependency-type: indirect
  dependency-group: pip
- dependency-name: cryptography
  dependency-type: indirect
  dependency-group: pip
- dependency-name: ecdsa
  dependency-type: indirect
  dependency-group: pip
- dependency-name: idna
  dependency-type: indirect
  dependency-group: pip
- dependency-name: jinja2
  dependency-type: indirect
  dependency-group: pip
- dependency-name: langchain-core
  dependency-type: indirect
  dependency-group: pip
- dependency-name: nltk
  dependency-type: indirect
  dependency-group: pip
- dependency-name: onnx
  dependency-type: indirect
  dependency-group: pip
- dependency-name: pillow
  dependency-type: indirect
  dependency-group: pip
- dependency-name: python-multipart
  dependency-type: indirect
  dependency-group: pip
- dependency-name: requests
  dependency-type: indirect
  dependency-group: pip
- dependency-name: setuptools
  dependency-type: indirect
  dependency-group: pip
- dependency-name: starlette
  dependency-type: indirect
  dependency-group: pip
- dependency-name: tornado
  dependency-type: indirect
  dependency-group: pip
- dependency-name: tqdm
  dependency-type: indirect
  dependency-group: pip
- dependency-name: transformers
  dependency-type: indirect
  dependency-group: pip
- dependency-name: urllib3
  dependency-type: indirect
  dependency-group: pip
- dependency-name: virtualenv
  dependency-type: indirect
  dependency-group: pip
- dependency-name: zipp
  dependency-type: indirect
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Mar 6, 2025