fix(deps): update pypi group #111

renovate · 2025-12-05T18:07:58Z

This PR contains the following updates:

Package	Change	Age	Confidence
poetry-core	`2.2.1` → `2.3.0`
pytest (changelog)	`9.0.1` → `9.0.2`
urllib3 (changelog)	`2.5.0` → `2.6.3`

python-poetry/poetry-core (poetry-core)

Fix an issue where unsatisfiable requirements did not raise an error (#891).
Fix an issue where the implicit main group did not exist if it was explicitly declared as not having any dependencies (#892).
Fix an issue where python_full_version markers with pre-release versions were parsed incorrectly (#893).

pytest-dev/pytest (pytest)

#13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.
#13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.
#13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0.
Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim.
It will be deprecated in pytest 9.1 and removed in pytest 10.
#13965: Fixed quadratic-time behavior when handling unittest subtests in Python 3.10.

#4492: The API Reference now contains cross-reference-able documentation of pytest's command-line flags <command-line-flags>.

urllib3/urllib3 (urllib3)

==================

Fixed a high-severity security issue where decompression-bomb safeguards of
the streaming API were bypassed when HTTP redirects were followed.
(GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
Started treating Retry-After times greater than 6 hours as 6 hours by
default. (#3743 <https://github.com/urllib3/urllib3/issues/3743>__)
Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten.
(#3752 <https://github.com/urllib3/urllib3/issues/3752>__)

==================

Fixed HTTPResponse.read_chunked() to properly handle leftover data in
the decoder's buffer when reading compressed chunked responses.
(#3734 <https://github.com/urllib3/urllib3/issues/3734>__)

==================

Restore previously removed HTTPResponse.getheaders() and
HTTPResponse.getheader() methods.
(#3731 <https://github.com/urllib3/urllib3/issues/3731>__)

==================

Security

Fixed a security issue where streaming API could improperly handle highly
compressed HTTP content ("decompression bombs") leading to excessive resource
consumption even when a small amount of data was requested. Reading small
chunks of compressed data is safer and much more efficient now.
(GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
Fixed a security issue where an attacker could compose an HTTP response with
virtually unlimited links in the Content-Encoding header, potentially
leading to a denial of service (DoS) attack by exhausting system resources
during decoding. The number of allowed chained encodings is now limited to 5.
(GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

If urllib3 is not installed with the optional urllib3[brotli] extra, but
your environment contains a Brotli/brotlicffi/brotlipy package anyway, make
sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to
benefit from the security fixes and avoid warnings. Prefer using
urllib3[brotli] to install a compatible Brotli package automatically.
If you use custom decompressors, please make sure to update them to
respect the changed API of urllib3.response.ContentDecoder.

Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. (#3653 <https://github.com/urllib3/urllib3/issues/3653>__)
Added host and port information to string representations of HTTPConnection. (#3666 <https://github.com/urllib3/urllib3/issues/3666>__)
Added support for Python 3.14 free-threading builds explicitly. (#3696 <https://github.com/urllib3/urllib3/issues/3696>__)

Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers.
Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). (#3622 <https://github.com/urllib3/urllib3/issues/3622>__)

Fixed redirect handling in urllib3.PoolManager when an integer is passed
for the retries parameter. (#3649 <https://github.com/urllib3/urllib3/issues/3649>__)
Fixed HTTPConnectionPool when used in Emscripten with no explicit port. (#3664 <https://github.com/urllib3/urllib3/issues/3664>__)
Fixed handling of SSLKEYLOGFILE with expandable variables. (#3700 <https://github.com/urllib3/urllib3/issues/3700>__)

Changed the zstd extra to install backports.zstd instead of zstandard on Python 3.13 and before. (#3693 <https://github.com/urllib3/urllib3/issues/3693>__)
Improved the performance of content decoding by optimizing BytesQueueBuffer class. (#3710 <https://github.com/urllib3/urllib3/issues/3710>__)
Allowed building the urllib3 package with newer setuptools-scm v9.x. (#3652 <https://github.com/urllib3/urllib3/issues/3652>__)
Ensured successful urllib3 builds by setting Hatchling requirement to >= 1.27.0. (#3638 <https://github.com/urllib3/urllib3/issues/3638>__)