
Bump the prod-dependencies group across 1 directory with 4 updates#113

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/prod-dependencies-ec18c40ced

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 23, 2026

Bumps the prod-dependencies group with 4 updates in the / directory: lxml, polars, pyarrow and requests.

Updates lxml from 6.0.2 to 6.1.0

Changelog

Sourced from lxml's changelog.

6.1.0 (2026-04-17)

This release fixes a possible external entity injection (XXE) vulnerability in iterparse() and the ETCompatXMLParser.

Features added

  • GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes in lxml.html.defs. This allows lxml_html_clean to pass them through. Patch by oomsveta.

  • The default chunk size for reading from file-likes in iterparse() is now configurable with a new chunk_size argument.

Bugs fixed

  • LP#2146291: The resolve_entities option was still set to True for iterparse and ETCompatXMLParser, allowing for external entity injection (XXE) when using these parsers without setting this option explicitly. The default has now been changed to 'internal' only (as for the normal XML and HTML parsers since lxml 5.0). Issue found by Sihao Qiu as CVE-2026-41066.

6.0.4 (2026-04-12)

Bugs fixed

  • LP#2148019: Spurious MemoryError during namespace cleanup.

6.0.3 (2026-04-09)

Bugs fixed

  • Several out-of-memory error cases that were not handled before now raise MemoryError.

  • Slicing with large step values (outside of +/- sys.maxsize) could trigger undefined C behaviour.

  • LP#2125399: Some failing tests were fixed or disabled in PyPy.

  • LP#2138421: Memory leak in error cases when setting the public_id or system_url of a document.

... (truncated)

Commits
  • 43722f4 Update changelog.
  • 8747040 Name version of option change in docstring.
  • 6c36e6c Fix pypistats URL in download statistics script.
  • c7d76d6 Change security policy to point to Github security advisories.
  • 378ccf8 Update project income report.
  • 315270b Docs: Reduce TOC depth of package pages and move module contents first.
  • 6dbba7f Docs: Show current year in copyright line.
  • e4385bf Update project income report.
  • 5bed1e1 Validate file hashes in release download script.
  • c13ee10 Prepare release of 6.1.0.
  • Additional commits viewable in compare view

Updates polars from 1.38.1 to 1.40.1

Release notes

Sourced from polars's releases.

Python Polars 1.40.1

🚀 Performance improvements

  • Skip validity mask processing in __array_ufunc__ when no inputs have nulls (#27358)

✨ Enhancements

  • Cargo deny (#27363)
  • Add maintain_order parameter to merge_sorted (#27263)

🐞 Bug fixes

  • Honor having predicate in GroupBy iter (#27370)
  • Use the physical dtype for NumUnorderedImplodeReducer arrow ListArray (#27375)
  • Address bug in reduce_balanced for certain input length lists affecting pl.concat (#27352)
  • Ensure list.sample() allows fraction > 1 when with_replacement=True (#27350)
  • Ensure append() errors when upcast=False (#27346)
  • Always rechunk sorts, prune sorts even in eager execution (#27356)
  • Fix typing for DataFrame.__init__ and Series.__init__ so they don't require all optional dependencies to be installed (#27348)

📖 Documentation

  • Split out openlineage docs into guide and configuration (#27371)
  • Add explanation on the observatory sqlite db file (#27354)

🛠️ Other improvements

  • Disable mypy type checking for pyarrow calls (#27377)
  • Disable debug symbols in macos coverage tests (#27361)
  • Cargo deny (#27363)

Thank you to all our contributors for making this release possible! @EndPositive, @Kevin-Patyk, @MarcoGorelli, @carnarez, @dsprenkels, @gab23r, @jonathanchang31, @kdn36, @mzjp2 and @ritchie46

Python Polars 1.40.0

🏆 Highlights

  • Add streaming support for grouped AsOf join (#27293)

⚠️ Deprecations

  • Deprecate support for dataframe interchange protocol (#27214)

🚀 Performance improvements

  • Create IR slice from expr slice pushdown (#27200)
  • Add streaming support for grouped AsOf join (#27293)
  • Avoid unnecessary rechunk when sorting already sorted DataFrame (#27264)
  • Lower basic over() to streaming primitives (#27303)
  • Lower drop_{nulls,nans} in streaming group_by aggregations (#27296)

... (truncated)

Commits
  • 344a0ea Python Polars 1.40.1 (#27381)
  • 4856eb3 fix: Honor having predicate in GroupBy iter (#27370)
  • f992305 chore(python): Disable mypy type checking for pyarrow calls (#27377)
  • 17f9074 chore: Disable debug symbols in macos coverage tests (#27361)
  • 44948d3 fix: Use the physical dtype for NumUnorderedImplodeReducer arrow `ListArray...
  • 6bb1cf8 fix(python): Address bug in reduce_balanced for certain input length lists ...
  • fb70396 docs: Split out openlineage docs into guide and configuration (#27371)
  • 2436421 fix: Ensure list.sample() allows fraction > 1 when `with_replacement=True...
  • 21f150f ci(rust): Cargo deny (#27363)
  • dd9be47 perf: Skip validity mask processing in array_ufunc when no inputs have nu...
  • Additional commits viewable in compare view

Updates pyarrow from 23.0.1 to 24.0.0

Release notes

Sourced from pyarrow's releases.

Apache Arrow 24.0.0

Release Notes URL: https://arrow.apache.org/release/24.0.0.html

Apache Arrow 24.0.0 RC0

Release Notes: Release Candidate: 24.0.0 RC0

Commits
  • 31b4b6c MINOR: [Release] Update versions for 24.0.0
  • 06dbc17 MINOR: [Release] Update .deb/.rpm changelogs for 24.0.0
  • a021d80 MINOR: [Release] Update CHANGELOG.md for 24.0.0
  • 2d6b12c GH-49716: [C++] FixedShapeTensorType::Deserialize should strictly validate se...
  • a74cb6a GH-49697: [C++][CI] Check IPC file body bounds are in sync with decoder outco...
  • 871a0c6 GH-49676: [Python][Packaging] Fix gRPC docker image layer being too big for h...
  • f9203b3 GH-49586: [C++][CI] StructToStructSubset test failure with libc++ 22.1.1 (#49...
  • fe298b4 GH-49628: [Python][Interchange protocol] Suppress warnings for pandas 4.0.0 a...
  • 1f94910 GH-49252: [GLib] Deprecate Feather features (#49673)
  • 5ba5c3c GH-49671: [CI][Docs] Don't run jobs for push by Dependabot (#49672)
  • Additional commits viewable in compare view

Updates requests from 2.32.5 to 2.33.1

Release notes

Sourced from requests's releases.

v2.33.1

2.33.1 (2026-03-30)

Bugfixes

  • Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
  • Fixed Content-Type header parsing for malformed values. (#7309)
  • Improved error consistency for malformed header values. (#7308)

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30

v2.33.0

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

Changelog

Sourced from requests's changelog.

2.33.1 (2026-03-30)

Bugfixes

  • Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
  • Fixed Content-Type header parsing for malformed values. (#7309)
  • Improved error consistency for malformed header values. (#7308)

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
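An added illustration of the lxml 6.1.0 fix quoted above (this is not code from the PR, from lxml, or from the project being updated): code that calls iterparse() should not rely on either the old or the new default, but pin resolve_entities explicitly, and untrusted input can additionally be screened for external entity declarations before it reaches any parser. The hypothetical helpers below defer the lxml import so the declaration scanner also runs where lxml is not installed; the sample documents are constructed.

```python
import re
from io import BytesIO

# Constructed sample documents (not from the PR). The first declares only an
# internal entity; the others declare external ones, which is what the old
# iterparse default (resolve_entities=True) would have fetched and expanded.
SAFE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY greeting "hello"> ]>
<note>&greeting;</note>"""
EXTERNAL_ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY ext SYSTEM "file:///placeholder/constructed.txt"> ]>
<note>&ext;</note>"""
PARAMETER_ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY % dtd SYSTEM "http://placeholder.invalid/x.dtd"> %dtd; ]>
<note/>"""
EXTERNAL_SUBSET_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note SYSTEM "http://placeholder.invalid/note.dtd">
<note/>"""

# Matches ENTITY declarations (general or parameter, i.e. with a leading %) and
# DOCTYPE declarations that reference an external SYSTEM or PUBLIC identifier.
# XML keywords are case-sensitive, so only the uppercase forms are significant.
_EXTERNAL_DECL = re.compile(
    rb"<!(?:ENTITY\s+(?:%\s*)?[^\s>]+|DOCTYPE\s+[^\s>\[]+)\s+(?:SYSTEM|PUBLIC)\b"
)


def external_entity_declarations(data: bytes) -> list:
    """Return every external ENTITY/DOCTYPE declaration found in the raw bytes.

    This is a conservative pre-parse screen: a match anywhere in the document
    (even inside CDATA) is treated as a reason to reject it, never to accept it.
    """
    return [m.group(0) for m in _EXTERNAL_DECL.finditer(data)]


def hardened_iterparse(source, **kwargs):
    """lxml iterparse with entity resolution pinned explicitly (hypothetical helper).

    Passing resolve_entities yourself makes the behaviour independent of which
    lxml version is installed, i.e. of whether the 6.1.0 default change is present.
    Assumption: lxml is installed; the import is deferred so the scanner above
    works without it.
    """
    from lxml import etree
    kwargs.setdefault("resolve_entities", False)  # never expand DOCTYPE entities
    kwargs.setdefault("load_dtd", False)
    kwargs.setdefault("no_network", True)
    return etree.iterparse(source, **kwargs)


def parse_untrusted(data: bytes, **kwargs):
    """Reject documents with external declarations, then parse with pinned options."""
    found = external_entity_declarations(data)
    if found:
        raise ValueError(f"external entity declaration rejected: {found[0]!r}")
    return hardened_iterparse(BytesIO(data), **kwargs)
```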

Bumps the prod-dependencies group with 4 updates in the / directory: [lxml](https://github.com/lxml/lxml), [polars](https://github.com/pola-rs/polars), [pyarrow](https://github.com/apache/arrow) and [requests](https://github.com/psf/requests).


Updates `lxml` from 6.0.2 to 6.1.0
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-6.0.2...lxml-6.1.0)

Updates `polars` from 1.38.1 to 1.40.1
- [Release notes](https://github.com/pola-rs/polars/releases)
- [Commits](pola-rs/polars@py-1.38.1...py-1.40.1)

Updates `pyarrow` from 23.0.1 to 24.0.0
- [Release notes](https://github.com/apache/arrow/releases)
- [Commits](apache/arrow@apache-arrow-23.0.1...apache-arrow-24.0.0)

Updates `requests` from 2.32.5 to 2.33.1
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.5...v2.33.1)

---
updated-dependencies:
- dependency-name: lxml
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: polars
  dependency-version: 1.40.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: pyarrow
  dependency-version: 24.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: prod-dependencies
- dependency-name: requests
  dependency-version: 2.33.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot[bot] added the dependencies and python:uv labels Apr 23, 2026