
chore(deps): bump the all-deps group across 1 directory with 35 updates#37

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/all-deps-5000544324

@dependabot dependabot bot commented on behalf of github Apr 8, 2026

Bumps the all-deps group with 35 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| anyio | 4.12.0 | 4.13.0 |
| attrs | 25.4.0 | 26.1.0 |
| certifi | 2025.11.12 | 2026.2.25 |
| charset-normalizer | 3.4.4 | 3.4.7 |
| click | 8.3.1 | 8.3.2 |
| dash | 3.3.0 | 4.1.0 |
| filelock | 3.20.3 | 3.25.2 |
| flask | 3.1.2 | 3.1.3 |
| fonttools | 4.61.1 | 4.62.1 |
| fsspec | 2025.12.0 | 2026.3.0 |
| gunicorn | 23.0.0 | 25.3.0 |
| hf-xet | 1.2.0 | 1.4.3 |
| huggingface-hub | 1.2.3 | 1.9.2 |
| importlib-metadata | 8.7.0 | 9.0.0 |
| kiwisolver | 1.4.9 | 1.5.0 |
| llvmlite | 0.45.1 | 0.47.0 |
| matplotlib | 3.10.0 | 3.10.8 |
| multimethod | 1.12 | 2.0.2 |
| narwhals | 2.14.0 | 2.19.0 |
| numba | 0.62.1 | 0.65.0 |
| packaging | 25.0 | 26.0 |
| pillow | 12.1.1 | 12.2.0 |
| plotly | 6.5.0 | 6.6.0 |
| pyarrow | 22.0.0 | 23.0.1 |
| pydantic-core | 2.41.5 | 2.45.0 |
| pyparsing | 3.2.5 | 3.3.2 |
| pytz | 2025.2 | 2026.1.post1 |
| requests | 2.32.5 | 2.33.1 |
| tqdm | 4.67.1 | 4.67.3 |
| typeguard | 4.4.4 | 4.5.1 |
| typer-slim | 0.20.0 | 0.24.0 |
| tzdata | 2025.3 | 2026.1 |
| werkzeug | 3.1.5 | 3.1.8 |
| wordcloud | 1.9.4 | 1.9.6 |
| ydata-profiling | 4.18.0 | 4.18.1 |

Updates anyio from 4.12.0 to 4.13.0

Release notes

Sourced from anyio's releases.

4.13.0

  • Dropped support for Python 3.9
  • Added a ttl parameter to the anyio.functools.lru_cache wrapper (#1073; PR by @​Graeme22)
  • Widened the type annotations of file I/O streams to accept IO[bytes] instead of just BinaryIO (#1078)
  • Fixed anyio.Path not being compatible with Python 3.15 due to the removal of pathlib.Path.is_reserved() and the addition of pathlib.Path.__vfspath__() (#1061; PR by @​veeceey)
  • Fixed the BrokenResourceError raised by the asyncio SocketStream not having the original exception as its cause (#1055; PR by @​veeceey)
  • Fixed the TypeError raised when using "func" as a parameter name in pytest.mark.parametrize when using the pytest plugin (#1068; PR by @​JohnnyDeuss)
  • Fixed the pytest plugin not running tests that had the anyio marker added programmatically via pytest_collection_modifyitems (#422; PR by @​chbndrhnns)
  • Fixed cancellation exceptions leaking from a CancelScope on asyncio when they are contained in an exception group alongside non-cancellation exceptions (#1091; PR by @​gschaffner)
  • Fixed Condition.wait() not passing on a notification when the task is cancelled but already received a notification
  • Fixed inverted condition in the process pool shutdown phase which would cause still-running pooled processes not to be terminated (#1074; PR by @​bysiber)

4.12.1

  • Changed all functions currently raising the private NoCurrentAsyncBackend exception (since v4.12.0) to instead raise the public NoEventLoopError exception (#1048)
  • Fixed anyio.functools.lru_cache not working with instance methods (#1042)
Commits
  • afbe93c Bumped up the version
  • 33bdf2e Rearranged the changelog entries
  • 19e09e2 Fixed inverted condition in _forcibly_shutdown_process_pool_on_exit (#1074)
  • 9369d80 Fixed Condition.wait() not handing over notification when cancelled
  • 6f122ab Fixed cancellation exceptions leaking from a CancelScope on asyncio when th...
  • beaa45a [pre-commit.ci] pre-commit autoupdate (#1097)
  • 602f660 Widened type annotations to accept IO[bytes] in file streams
  • b5dcd45 Added note about erasing the template
  • d68670b [pre-commit.ci] pre-commit autoupdate (#1090)
  • fc17a22 tweak to_thread docs about abandon_on_cancel (#1088)
  • Additional commits viewable in compare view

Updates attrs from 25.4.0 to 26.1.0

Release notes

Sourced from attrs's releases.

26.1.0

Highlights

The main outward change here only affects people using field transformers, but it should be a nice quality of life improvement!

Full changelog below!

Special Thanks

This release would not be possible without my generous sponsors! Thank you to all of you making sustainable maintenance possible! If you would like to join them, go to https://github.com/sponsors/hynek and check out the sweet perks!

Above and Beyond

Variomedia AG (@variomedia), Tidelift (@tidelift), Kraken Tech (@kraken-tech), Privacy Solutions GmbH (@privacy-solutions), FilePreviews (@filepreviews), Ecosystems (@ecosyste-ms), TestMu AI Open Source Office (Formerly LambdaTest) (@LambdaTest-Inc), Doist (@Doist), Daniel Fortunov (@asqui), and Kevin P. Fleming (@kpfleming).

Maintenance Sustainers

Buttondown (@buttondown), Christopher Dignam (@chdsbd), Magnus Watn (@magnuswatn), David Cramer (@dcramer), Rivo Laks (@rivol), Polar (@polarsource), Mike Fiedler (@miketheman), Duncan Hill (@cricalix), Colin Marquardt (@cmarqu), Pieter Swinkels (@swinkels), Nick Libertini (@libertininick), Brian M. Dennis (@crossjam), Celebrity News AG (@celebritynewsag), The Westervelt Company (@westerveltco), Sławomir Ehlert (@slafs), Mostafa Khalil (@khadrawy), Filip Mularczyk (@mukiblejlok), Thomas Klinger (@thmsklngr), Andreas Poehlmann (@ap--), August Trapper Bigelow (@atbigelow), Carlton Gibson (@carltongibson), and Roboflow (@roboflow).

Full Changelog

Backwards-incompatible Changes

  • Field aliases are now resolved before calling field_transformer, so transformers receive fully populated Attribute objects with usable alias values instead of None. The new Attribute.alias_is_default flag indicates whether the alias was auto-generated (True) or explicitly set by the user (False). #1509

Changes

  • Fix type annotations for attrs.validators.optional(), so it no longer rejects tuples with more than one validator. #1496
  • The attrs.validators.disabled() contextmanager can now be nested. #1513
  • Frozen classes can set on_setattr=attrs.setters.NO_OP in addition to None. #1515
  • It's now possible to pass attrs instances in addition to attrs classes to attrs.fields(). #1529

This release contains contributions from @​bysiber, @​DavidCEllis, @​finite-state-machine, @​hynek, @​veeceey, and @​vstinner.

Artifact Attestations

You can verify this release's artifact attestations using GitHub's CLI tool by downloading the sdist and wheel from PyPI and running:

$ gh attestation verify --owner python-attrs attrs-26.1.0.tar.gz

... (truncated)

Changelog

Sourced from attrs's changelog.

26.1.0 - 2026-03-19

Backwards-incompatible Changes

  • Field aliases are now resolved before calling field_transformer, so transformers receive fully populated Attribute objects with usable alias values instead of None. The new Attribute.alias_is_default flag indicates whether the alias was auto-generated (True) or explicitly set by the user (False). #1509

Changes

  • Fix type annotations for attrs.validators.optional(), so it no longer rejects tuples with more than one validator. #1496
  • The attrs.validators.disabled() contextmanager can now be nested. #1513
  • Frozen classes can set on_setattr=attrs.setters.NO_OP in addition to None. #1515
  • It's now possible to pass attrs instances in addition to attrs classes to attrs.fields(). #1529
Commits
  • 7bfc49e Prepare 26.1.0
  • 31e0286 Update test_validators.py for Python 3.15a7 (#1530)
  • 48b8611 Add instance support to attrs.fields() (#1529)
  • 3a68d49 dev: document missing git tags failure mode
  • a572c3a Allow field(on_setattr=NO_OP) on frozen classes
  • af9c510 Fix validators.disabled() to save/restore state on nesting (#1513)
  • ab7f8b2 update dev
  • ce89f5d Fix message passing in frozen errors
  • eccd966 Fix optional validator to accept tuples of len > 1 (#1496)
  • e92fe52 policies: tighten screws (#1528)
  • Additional commits viewable in compare view

Updates certifi from 2025.11.12 to 2026.2.25

Commits
  • 8571a4b 2026.02.25 (#395)
  • 6f7de00 Bump peter-evans/create-pull-request from 8.0.0 to 8.1.0 (#390)
  • a1de59b Bump actions/checkout from 6.0.1 to 6.0.2 (#391)
  • 7f5ade5 Bump actions/setup-python from 6.1.0 to 6.2.0 (#392)
  • c64d9f3 2026.01.04 (#389)
  • 4ac232f Bump actions/download-artifact from 6.0.0 to 7.0.0 (#387)
  • 95ae4b2 Update CI workflow to use Ubuntu 24.04 and Python 3.14 stable (#386)
  • b72a7b1 Bump dessant/lock-threads from 5.0.1 to 6.0.0 (#385)
  • ecc2672 Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#384)
  • 6a897db Bump peter-evans/create-pull-request from 7.0.11 to 8.0.0 (#383)
  • Additional commits viewable in compare view

Updates charset-normalizer from 3.4.4 to 3.4.7

Release notes

Sourced from charset-normalizer's releases.

Version 3.4.7

3.4.7 (2026-04-02)

Changed

  • Pre-built optimized version using mypy[c] v1.20.
  • Relax setuptools constraint to setuptools>=68,<82.1.

Fixed

  • Correctly remove SIG remnant in utf-7 decoded string. (#718) (#716)

Version 3.4.6

3.4.6 (2026-03-15)

Changed

  • Flattened the logic in charset_normalizer.md for higher performance. Removed eligible(..) and feed(...) in favor of feed_info(...).
  • Raised upper bound for mypy[c] to 1.20, for our optimized version.
  • Updated UNICODE_RANGES_COMBINED using Unicode blocks v17.

Fixed

  • Edge case where noise difference between two candidates can be almost insignificant. (#672)
  • CLI --normalize writing to wrong path when passing multiple files in. (#702)

Misc

  • Freethreaded pre-built wheels now shipped in PyPI starting with 3.14t. (#616)

Version 3.4.5

3.4.5 (2026-03-06)

Changed

  • Update setuptools constraint to setuptools>=68,<=82.
  • Raised upper bound of mypyc for the optional pre-built extension to v1.19.1

Fixed

  • Add explicit link to lib math in our optimized build. (#692)
  • Logger level not restored correctly for empty byte sequences. (#701)
  • TypeError when passing bytearray to from_bytes. (#703)

Misc

  • Applied safe micro-optimizations in both our noise detector and language detector.
  • Rewrote the query_yes_no function (inside CLI) to avoid using ambiguous licensed code.
  • Added cd.py submodule into mypyc optional compilation to reduce further the performance impact.

[!WARNING]
mypyc changed the usual binary output for the optimized wheel. Beware, especially if using PyInstaller or alike. See jawah/charset_normalizer#714

Changelog

Sourced from charset-normalizer's changelog.

3.4.7 (2026-04-02)

Changed

  • Pre-built optimized version using mypy[c] v1.20.
  • Relax setuptools constraint to setuptools>=68,<82.1.

Fixed

  • Correctly remove SIG remnant in utf-7 decoded string. (#718) (#716)

3.4.6 (2026-03-15)

Changed

  • Flattened the logic in charset_normalizer.md for higher performance. Removed eligible(..) and feed(...) in favor of feed_info(...).
  • Raised upper bound for mypy[c] to 1.20, for our optimized version.
  • Updated UNICODE_RANGES_COMBINED using Unicode blocks v17.

Fixed

  • Edge case where noise difference between two candidates can be almost insignificant. (#672)
  • CLI --normalize writing to wrong path when passing multiple files in. (#702)

Misc

  • Freethreaded pre-built wheels now shipped in PyPI starting with 3.14t. (#616)

3.4.5 (2026-03-06)

Changed

  • Update setuptools constraint to setuptools>=68,<=82.
  • Raised upper bound of mypyc for the optional pre-built extension to v1.19.1

Fixed

  • Add explicit link to lib math in our optimized build. (#692)
  • Logger level not restored correctly for empty byte sequences. (#701)
  • TypeError when passing bytearray to from_bytes. (#703)

Misc

  • Applied safe micro-optimizations in both our noise detector and language detector.
  • Rewrote the query_yes_no function (inside CLI) to avoid using ambiguous licensed code.
  • Added cd.py submodule into mypyc optional compilation to reduce further the performance impact.
Commits
  • 0f07891 Merge pull request #729 from jawah/release-3.4.7
  • fdbeb29 chore: update dev, and ci requirements
  • b66f922 chore: add ft classifier
  • f94249d chore: add test cases for utf_7 recent fix
  • 95c866f chore: bump version to 3.4.7
  • 4f429bb chore: bump mypy pre-commit to v1.20
  • b579cd6 fix: correctly remove SIG remnant in utf-7 decoded string
  • 58bf944 ⬆️ Bump github/codeql-action from 4.32.4 to 4.35.1 (#728)
  • 44cf8a1 ⬆️ Bump actions/download-artifact from 8.0.0 to 8.0.1 (#726)
  • 362bc20 ⬆️ Bump docker/setup-qemu-action from 3.7.0 to 4.0.0 (#725)
  • Additional commits viewable in compare view

Updates click from 8.3.1 to 8.3.2

Release notes

Sourced from click's releases.

8.3.2

This is the Click 8.3.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.3.2/ Changes: https://click.palletsprojects.com/page/changes/#version-8-3-2 Milestone: https://github.com/pallets/click/milestone/29

  • Fix handling of flag_value when is_flag=False to allow such options to be used without an explicit value. #3084 #3152
  • Hide Sentinel.UNSET values as None when using lookup_default(). #3136 #3199 #3202 #3209 #3212 #3224
  • Prevent _NamedTextIOWrapper from closing streams owned by StreamMixer. #824 #2991 #2993 #3110 #3139 #3140
  • Add comprehensive tests for CliRunner stream lifecycle, covering logging interaction, multi-threaded safety, and sequential invocation isolation. Add high-iteration stress tests behind a stress marker with a dedicated CI job. #3139
  • Fix callable flag_value being instantiated when used as a default via default=True. #3121 #3201 #3213 #3225
Changelog

Sourced from click's changelog.

Version 8.3.2

Released 2026-04-02

  • Fix handling of flag_value when is_flag=False to allow such options to be used without an explicit value. :issue:3084 :pr:3152
  • Hide Sentinel.UNSET values as None when using lookup_default(). :issue:3136 :pr:3199 :pr:3202 :pr:3209 :pr:3212 :pr:3224
  • Prevent _NamedTextIOWrapper from closing streams owned by StreamMixer. :issue:824 :issue:2991 :issue:2993 :issue:3110 :pr:3139 :pr:3140
  • Add comprehensive tests for CliRunner stream lifecycle, covering logging interaction, multi-threaded safety, and sequential invocation isolation. Add high-iteration stress tests behind a stress marker with a dedicated CI job. :pr:3139
  • Fix callable flag_value being instantiated when used as a default via default=True. :issue:3121 :pr:3201 :pr:3213 :pr:3225
Commits

Updates dash from 3.3.0 to 4.1.0

Release notes

Sourced from dash's releases.

Dash v4.1.0

Added

  • #3637 Added debounce prop to Dropdown.

Fixed

  • #3629 Fix date pickers not showing date when initially rendered in a hidden container.
  • #3660 Allow same date to be selected for both start and end in DatePickerRange components
  • #3600 DatePicker support for the Moment.js Y year token
  • #3627 Make dropdowns searchable when focused, without requiring to open them first
  • #3656 Improved dropdown performance for large collections of options
  • #3643 Fix multiselect dropdown with components as labels
  • #3609 Add backward compat alias for _Wildcard
  • #3672 Improve browser performance when app contains a large number of pattern matching callbacks. Exposes an api endpoint to fetch the latest computeGraph call.

Dash Version 4.1.0rc0

Added

  • Add support for multiple backend implementation beside flask such as fastapi and quart (both included).
    • Add app = Dash(backend="flask" | "fastapi" | "quart" | CustomBackendImpl) parameter to automatically setup
    • An existing Fastapi, Quart or Flask instance can also be given as app = Dash(server=Fastapi()) to automatically setup a dash app on the server.
    • Install fastapi dependencies with pip install dash[fastapi] or quart with pip install dash[quart], flask is still included by default.
    • Custom backend implementation can be added as a subclass of dash.backends.base_server.BaseDashServer and response/request adapters.

Dash Version 4.0.0

Added

  • Redesigned dash core components

Added since 4.0.0rc6

  • Add a prop to sliders, allow_direct_input, that can be used to disable the inputs rendered with sliders.
  • Improve CSS styles in calendar when looking at selected dates outside the current calendar month (show_outside_days=True)

v4.0.0rc6

Added

  • Restored missing implementation for with_portal and with_full_screen_portal in datepickers

Changed

  • Bugfixes for feedback received in rc5: notably, popovers are position: fixed once again.

v4.0.0rc5

Added

  • New prop in dcc.Upload allows users to recursively upload entire folders at once

Changed

  • Bugfixes for feedback received in rc4

v4.0.0rc4

  • New dcc.Button component that mirrors html.Button but with default styles applied
  • Fix various bugs found in rc3

v4.0.0rc3

... (truncated)

Changelog

Sourced from dash's changelog.

[4.1.0] - 2026-03-23

Added

  • #3637 Added debounce prop to Dropdown.

Fixed

  • #3629 Fix date pickers not showing date when initially rendered in a hidden container.
  • #3660 Allow same date to be selected for both start and end in DatePickerRange components
  • #3600 DatePicker support for the Moment.js Y year token
  • #3627 Make dropdowns searchable when focused, without requiring to open them first
  • #3656 Improved dropdown performance for large collections of options
  • #3643 Fix multiselect dropdown with components as labels
  • #3609 Add backward compat alias for _Wildcard
  • #3672 Improve browser performance when app contains a large number of pattern matching callbacks. Exposes an api endpoint to fetch the latest computeGraph call.

[4.0.0] - 2026-02-03

Added

  • Finalize all redesigned dash core components
  • Add a prop to sliders, allow_direct_input, that can be used to disable the inputs rendered with sliders.
  • Improve CSS styles in calendar when looking at selected dates outside the current calendar month (show_outside_days=True)

[4.0.0rc6] - 2026-01-07

Added

  • Restored missing implementation for with_portal and with_full_screen_portal in datepickers

Changed

  • Bugfixes for feedback received in rc5: notably, popovers are position: fixed once again.

[4.0.0rc5] - 2025-12-16

Added

  • #3464 Add folder upload functionality to dcc.Upload component. When multiple=True, users can now select and upload entire folders in addition to individual files. The folder hierarchy is preserved in filenames (e.g., folder/subfolder/file.txt). Files within folders are filtered according to the accept prop. Folder support is available in Chrome, Edge, and Opera; other browsers gracefully fall back to file-only mode. The uploaded files use the same output API as multiple file uploads.

Changed

  • Bugfixes for feedback received in rc4

[4.0.0rc4] - 2025-12-04

Added

  • New dcc.Button component that mirrors html.Button but with default styles applied

[4.0.0rc3] - 2025-11-27

  • Modernized dcc.Tabs
  • Modernized dcc.DatePickerSingle and dcc.DatePickerRange
  • DatePicker calendars can now accept translations as an external script, either with Dash's external_scripts or from the assets folder. See documentation for the underlying library that supports this.

Changed

... (truncated)

Commits
  • 6c500cd Merge pull request #3686 from plotly/master-4.1.0
  • 8830051 update build artifacts
  • 6a7bb4a Merge branch 'dev' into master-4.1.0
  • e33d2e4 Merge pull request #3685 from plotly/release/4.1.0
  • 4e70240 Merge branch 'dev' into release/4.1.0
  • 67992ea Merge pull request #3672 from BSd3v/fix/3661-compute-graphs2
  • 136e66c add missing changelog entry
  • 575c7f1 bump versions
  • ac5ca89 Merge branch 'dev' into fix/3661-compute-graphs2
  • aede54b Merge branch 'dev' into release/4.1.0
  • Additional commits viewable in compare view

Updates filelock from 3.20.3 to 3.25.2

Release notes

Sourced from filelock's releases.

3.25.2

What's Changed

Full Changelog: tox-dev/filelock@3.25.1...3.25.2

3.25.1

What's Changed

Full Changelog: tox-dev/filelock@3.25.0...3.25.1

3.25.0

What's Changed

Full Changelog: tox-dev/filelock@3.24.4...3.25.0

3.24.4

What's Changed

New Contributors

Full Changelog: tox-dev/filelock@3.24.3...3.24.4

3.24.3

What's Changed

... (truncated)

Changelog

Sourced from filelock's changelog.

########### Changelog ###########


3.26.0 (2026-04-06)


  • ✨ feat(soft): add PID inspection and lock breaking :pr:524
  • [pre-commit.ci] pre-commit autoupdate :pr:523 - by :user:pre-commit-ci[bot]
  • build(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 :pr:522 - by :user:dependabot[bot]
  • Remove persist-credentials: false from release job :pr:520
  • [pre-commit.ci] pre-commit autoupdate :pr:519 - by :user:pre-commit-ci[bot]
  • 🔒 ci(workflows): add zizmor security auditing :pr:517
  • [pre-commit.ci] pre-commit autoupdate :pr:516 - by :user:pre-commit-ci[bot]
  • [pre-commit.ci] pre-commit autoupdate :pr:514 - by :user:pre-commit-ci[bot]

3.25.2 (2026-03-11)


  • 🐛 fix(unix): suppress EIO on close in Docker bind mounts :pr:513

3.25.1 (2026-03-09)


  • [pre-commit.ci] pre-commit autoupdate :pr:510 - by :user:pre-commit-ci[bot]
  • 🐛 fix(win): restore best-effort lock file cleanup on release :pr:511
  • [pre-commit.ci] pre-commit autoupdate :pr:508 - by :user:pre-commit-ci[bot]
  • 📝 docs(logo): add branded project logo :pr:507

3.25.0 (2026-03-01)


  • ✨ feat(async): add AsyncReadWriteLock :pr:506
  • Standardize .github files to .yaml suffix
  • build(deps): bump actions/download-artifact from 7 to 8 :pr:503 - by :user:dependabot[bot]
  • build(deps): bump actions/upload-artifact from 6 to 7 :pr:502 - by :user:dependabot[bot]
  • Move SECURITY.md to .github/SECURITY.md
  • Add security policy
  • Add permissions to check workflow :pr:500
  • [pre-commit.ci] pre-commit autoupdate :pr:499 - by :user:pre-commit-ci[bot]

3.24.3 (2026-02-19)


  • 🐛 fix(unix): handle ENOENT race on FUSE/NFS during acquire :pr:495

... (truncated)

Commits
  • 5b9872c Release 3.25.2
  • 42b740a 🐛 fix(unix): suppress EIO on close in Docker bind mounts (#513)
  • d8b04b5 Release 3.25.1
  • 0633386 [pre-commit.ci] pre-commit autoupdate (#510)
  • 7f2247d 🐛 fix(win): restore best-effort lock file cleanup on release (#511)
  • 5ae1c4e [pre-commit.ci] pre-commit autoupdate (#508)
  • bcffcfe 📝 docs(logo): add branded project logo (#507)
  • 7f195d9 Release 3.25.0
  • df2754e ✨ feat(async): add AsyncReadWriteLock (#506)
  • 8a359c5 Standardize .github files to .yaml suffix
  • Additional commits viewable in compare view

Updates flask from 3.1.2 to 3.1.3

Release notes

Sourced from flask's releases.

3.1.3

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

  • The session is marked as accessed for operations that only access the keys but not the values, such as in and len. GHSA-68rp-wp8r-4726
Changelog

Sourced from flask's changelog.

Version 3.1.3

Released 2026-02-18

  • The session is marked as accessed for operations that only access the keys but not the values, such as in and len. :ghsa:68rp-wp8r-4726
Commits
  • 22d9247 release version 3.1.3
  • 089cb86 Merge commit from fork
  • c17f379 request context tracks session access
  • 27be933 start version 3.1.3
  • 4e652d3 Abort if the instance folder cannot be created (#5903)
  • 3d03098 Abort if the instance folder cannot be created
  • 407eb76 document using gevent for async (#5900)
  • ac5664d document using gevent for async
  • 4f79d5b Increase required flit_core version to 3.11 (#5865)
  • fe3b215 Increase required flit_core version to 3.11
  • Additional commits viewable in compare view

Updates fonttools from 4.61.1 to 4.62.1

Release notes

Sourced from fonttools's releases.

4.62.1

  • [feaLib] Extend contextual rule merging to all rule types: single subst, GSUB/GPOS named lookups, ignore rules, and chained alternate subst (#4061).

4.62.0

  • [diff] Add new fonttools diff command for comparing font files, imported from the fdiff project and heavily reworked (#1190, #4007, #4009, #4011, #4013, #4019).
  • [feaLib] Fix VariableScalar interpolation bug with non-linear avar mappings. Also decouple VariableScalar from compiled fonts, allowing it to work with designspace data before compilation (#3938, #4054).
  • [feaLib] Fix VariableScalar axis ordering and iterative delta rounding to match fontc behavior (#4053).
  • [feaLib] Merge chained multi subst rules with same context into a single subtable instead of emitting one subtable per glyph (#4016, #4058).
  • [feaLib] Pass location to ConditionsetStatement (fontra/fontra-glyphs#130, #4057).
  • [feaLib] Write 0xFFFF instead of 0 for missing nameIDs in cv feature params (#4010, #4012).
  • [cmap] Fix CmapSubtable.__lt__() TypeError on Python 3 when subtables share the same encoding record, and add compile-time validation for unique encoding records (#4035, #4055).
  • [svgLib] Skip non-element XML nodes (comments, processing instructions) when drawing SVG paths (#4042, #4043).
  • [glifLib] Fix regression reading glyph outlines when glyphObject=None (#4030, #4031).
  • [pointPen] Fix SegmentToPointPen edge case: only remove a duplicate final point on closePath() if it is an on-curve point (#4014, #4015).
  • [cffLib] SECURITY Replace eval() with safeEval() in parseBlendList() to prevent arbitrary code execution from crafted TTX files (#4039, #4040).
  • [ttLib] Remove defunct Adobe SING Glyphlet tables (META, SING, GMAP, GPKG) (#4044).
  • [varLib.interpolatable] Various bugfixes: fix swapped nodeTypes assignment, duplicate kink-detector condition, typos, CFF2 vsindex parsing, glyph existence check, and plot helpers (#4046).
  • [varLib.models] Fix getSubModel not forwarding extrapolate/axisRanges; check location uniqueness after stripping zeros (#4047).
  • [varLib] Fix --variable-fonts filter in build_many; remove dead code and fix comments (#4048).
  • [avar] Preserve existing name table in build; keep unbuild return types consistent; validate map CLI coordinates (#4051).
  • [cu2qu/qu2cu] Add input validation: reject non-positive tolerances, validate curve inputs and list lengths (#4052).
  • [colorLib] Raise a clear ColorLibError when base glyphs are missing from glyphMap, instead of a confusing KeyError (#4041).
  • [glyf] Remove unnecessary fvar table dependency (#4017).
  • [fvar/trak] Remove unnecessary name table dependency (#4018).
  • [ufoLib] Relax guideline validation to follow the updated spec (#3537, #3553).
  • [ttFont] Fix saveXML regression with empty table lists, clarify docstring (#4025, #4026, #4056).
  • [setup.py] Link libm for Cython extensions using math functions (#4028, #4029).
  • Add typing annotations for DSIG, DefaultTable, ttProgram

Description has been truncated

Bumps the all-deps group with 35 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [anyio](https://github.com/agronholm/anyio) | `4.12.0` | `4.13.0` |
| [attrs](https://github.com/python-attrs/attrs) | `25.4.0` | `26.1.0` |
| [certifi](https://github.com/certifi/python-certifi) | `2025.11.12` | `2026.2.25` |
| [charset-normalizer](https://github.com/jawah/charset_normalizer) | `3.4.4` | `3.4.7` |
| [click](https://github.com/pallets/click) | `8.3.1` | `8.3.2` |
| [dash](https://github.com/plotly/dash) | `3.3.0` | `4.1.0` |
| [filelock](https://github.com/tox-dev/py-filelock) | `3.20.3` | `3.25.2` |
| [flask](https://github.com/pallets/flask) | `3.1.2` | `3.1.3` |
| [fonttools](https://github.com/fonttools/fonttools) | `4.61.1` | `4.62.1` |
| [fsspec](https://github.com/fsspec/filesystem_spec) | `2025.12.0` | `2026.3.0` |
| [gunicorn](https://github.com/benoitc/gunicorn) | `23.0.0` | `25.3.0` |
| [hf-xet](https://github.com/huggingface/xet-core) | `1.2.0` | `1.4.3` |
| [huggingface-hub](https://github.com/huggingface/huggingface_hub) | `1.2.3` | `1.9.2` |
| [importlib-metadata](https://github.com/python/importlib_metadata) | `8.7.0` | `9.0.0` |
| [kiwisolver](https://github.com/nucleic/kiwi) | `1.4.9` | `1.5.0` |
| [llvmlite](https://github.com/numba/llvmlite) | `0.45.1` | `0.47.0` |
| [matplotlib](https://github.com/matplotlib/matplotlib) | `3.10.0` | `3.10.8` |
| [multimethod](https://github.com/coady/multimethod) | `1.12` | `2.0.2` |
| [narwhals](https://github.com/narwhals-dev/narwhals) | `2.14.0` | `2.19.0` |
| [numba](https://github.com/numba/numba) | `0.62.1` | `0.65.0` |
| [packaging](https://github.com/pypa/packaging) | `25.0` | `26.0` |
| [pillow](https://github.com/python-pillow/Pillow) | `12.1.1` | `12.2.0` |
| [plotly](https://github.com/plotly/plotly.py) | `6.5.0` | `6.6.0` |
| [pyarrow](https://github.com/apache/arrow) | `22.0.0` | `23.0.1` |
| [pydantic-core](https://github.com/pydantic/pydantic-core) | `2.41.5` | `2.45.0` |
| [pyparsing](https://github.com/pyparsing/pyparsing) | `3.2.5` | `3.3.2` |
| [pytz](https://github.com/stub42/pytz) | `2025.2` | `2026.1.post1` |
| [requests](https://github.com/psf/requests) | `2.32.5` | `2.33.1` |
| [tqdm](https://github.com/tqdm/tqdm) | `4.67.1` | `4.67.3` |
| [typeguard](https://github.com/agronholm/typeguard) | `4.4.4` | `4.5.1` |
| [typer-slim](https://github.com/fastapi/typer) | `0.20.0` | `0.24.0` |
| [tzdata](https://github.com/python/tzdata) | `2025.3` | `2026.1` |
| [werkzeug](https://github.com/pallets/werkzeug) | `3.1.5` | `3.1.8` |
| [wordcloud](https://github.com/amueller/word_cloud) | `1.9.4` | `1.9.6` |
| [ydata-profiling](https://github.com/ydataai/ydata-profiling) | `4.18.0` | `4.18.1` |



Updates `anyio` from 4.12.0 to 4.13.0
- [Release notes](https://github.com/agronholm/anyio/releases)
- [Commits](agronholm/anyio@4.12.0...4.13.0)

Updates `attrs` from 25.4.0 to 26.1.0
- [Release notes](https://github.com/python-attrs/attrs/releases)
- [Changelog](https://github.com/python-attrs/attrs/blob/main/CHANGELOG.md)
- [Commits](python-attrs/attrs@25.4.0...26.1.0)

Updates `certifi` from 2025.11.12 to 2026.2.25
- [Commits](certifi/python-certifi@2025.11.12...2026.02.25)

Updates `charset-normalizer` from 3.4.4 to 3.4.7
- [Release notes](https://github.com/jawah/charset_normalizer/releases)
- [Changelog](https://github.com/jawah/charset_normalizer/blob/master/CHANGELOG.md)
- [Commits](jawah/charset_normalizer@3.4.4...3.4.7)

Updates `click` from 8.3.1 to 8.3.2
- [Release notes](https://github.com/pallets/click/releases)
- [Changelog](https://github.com/pallets/click/blob/main/CHANGES.rst)
- [Commits](pallets/click@8.3.1...8.3.2)

Updates `dash` from 3.3.0 to 4.1.0
- [Release notes](https://github.com/plotly/dash/releases)
- [Changelog](https://github.com/plotly/dash/blob/dev/CHANGELOG.md)
- [Commits](plotly/dash@v3.3.0...v4.1.0)

Updates `filelock` from 3.20.3 to 3.25.2
- [Release notes](https://github.com/tox-dev/py-filelock/releases)
- [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst)
- [Commits](tox-dev/filelock@3.20.3...3.25.2)

Updates `flask` from 3.1.2 to 3.1.3
- [Release notes](https://github.com/pallets/flask/releases)
- [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst)
- [Commits](pallets/flask@3.1.2...3.1.3)

Updates `fonttools` from 4.61.1 to 4.62.1
- [Release notes](https://github.com/fonttools/fonttools/releases)
- [Changelog](https://github.com/fonttools/fonttools/blob/main/NEWS.rst)
- [Commits](fonttools/fonttools@4.61.1...4.62.1)

Updates `fsspec` from 2025.12.0 to 2026.3.0
- [Commits](fsspec/filesystem_spec@2025.12.0...2026.3.0)

Updates `gunicorn` from 23.0.0 to 25.3.0
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](benoitc/gunicorn@23.0.0...25.3.0)

Updates `hf-xet` from 1.2.0 to 1.4.3
- [Release notes](https://github.com/huggingface/xet-core/releases)
- [Commits](huggingface/xet-core@v1.2.0...v1.4.3)

Updates `huggingface-hub` from 1.2.3 to 1.9.2
- [Release notes](https://github.com/huggingface/huggingface_hub/releases)
- [Commits](huggingface/huggingface_hub@v1.2.3...v1.9.2)

Updates `importlib-metadata` from 8.7.0 to 9.0.0
- [Release notes](https://github.com/python/importlib_metadata/releases)
- [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst)
- [Commits](python/importlib_metadata@v8.7.0...v9.0.0)

Updates `kiwisolver` from 1.4.9 to 1.5.0
- [Release notes](https://github.com/nucleic/kiwi/releases)
- [Changelog](https://github.com/nucleic/kiwi/blob/main/releasenotes.rst)
- [Commits](nucleic/kiwi@1.4.9...1.5.0)

Updates `llvmlite` from 0.45.1 to 0.47.0
- [Release notes](https://github.com/numba/llvmlite/releases)
- [Commits](numba/llvmlite@v0.45.1...v0.47.0)

Updates `matplotlib` from 3.10.0 to 3.10.8
- [Release notes](https://github.com/matplotlib/matplotlib/releases)
- [Commits](matplotlib/matplotlib@v3.10.0...v3.10.8)

Updates `multimethod` from 1.12 to 2.0.2
- [Release notes](https://github.com/coady/multimethod/releases)
- [Changelog](https://github.com/coady/multimethod/blob/main/CHANGELOG.md)
- [Commits](coady/multimethod@v1.12...v2.0.2)

Updates `narwhals` from 2.14.0 to 2.19.0
- [Release notes](https://github.com/narwhals-dev/narwhals/releases)
- [Commits](narwhals-dev/narwhals@v2.14.0...v2.19.0)

Updates `numba` from 0.62.1 to 0.65.0
- [Release notes](https://github.com/numba/numba/releases)
- [Commits](numba/numba@0.62.1...0.65.0)

Updates `packaging` from 25.0 to 26.0
- [Release notes](https://github.com/pypa/packaging/releases)
- [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst)
- [Commits](pypa/packaging@25.0...26.0)

Updates `pillow` from 12.1.1 to 12.2.0
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@12.1.1...12.2.0)

Updates `plotly` from 6.5.0 to 6.6.0
- [Release notes](https://github.com/plotly/plotly.py/releases)
- [Changelog](https://github.com/plotly/plotly.py/blob/main/CHANGELOG.md)
- [Commits](plotly/plotly.py@v6.5.0...v6.6.0)

Updates `pyarrow` from 22.0.0 to 23.0.1
- [Release notes](https://github.com/apache/arrow/releases)
- [Commits](apache/arrow@apache-arrow-22.0.0...apache-arrow-23.0.1)

Updates `pydantic-core` from 2.41.5 to 2.45.0
- [Release notes](https://github.com/pydantic/pydantic-core/releases)
- [Commits](https://github.com/pydantic/pydantic-core/commits)

Updates `pyparsing` from 3.2.5 to 3.3.2
- [Release notes](https://github.com/pyparsing/pyparsing/releases)
- [Changelog](https://github.com/pyparsing/pyparsing/blob/master/CHANGES)
- [Commits](pyparsing/pyparsing@3.2.5...3.3.2)

Updates `pytz` from 2025.2 to 2026.1.post1
- [Release notes](https://github.com/stub42/pytz/releases)
- [Commits](stub42/pytz@release_2025.2...release_2026.1.post1)

Updates `requests` from 2.32.5 to 2.33.1
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.5...v2.33.1)

Updates `tqdm` from 4.67.1 to 4.67.3
- [Release notes](https://github.com/tqdm/tqdm/releases)
- [Commits](tqdm/tqdm@v4.67.1...v4.67.3)

Updates `typeguard` from 4.4.4 to 4.5.1
- [Release notes](https://github.com/agronholm/typeguard/releases)
- [Commits](agronholm/typeguard@4.4.4...4.5.1)

Updates `typer-slim` from 0.20.0 to 0.24.0
- [Release notes](https://github.com/fastapi/typer/releases)
- [Changelog](https://github.com/fastapi/typer/blob/master/docs/release-notes.md)
- [Commits](fastapi/typer@0.20.0...0.24.0)

Updates `tzdata` from 2025.3 to 2026.1
- [Release notes](https://github.com/python/tzdata/releases)
- [Changelog](https://github.com/python/tzdata/blob/master/NEWS.md)
- [Commits](python/tzdata@2025.3...2026.1)

Updates `werkzeug` from 3.1.5 to 3.1.8
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](pallets/werkzeug@3.1.5...3.1.8)

Updates `wordcloud` from 1.9.4 to 1.9.6
- [Release notes](https://github.com/amueller/word_cloud/releases)
- [Changelog](https://github.com/amueller/word_cloud/blob/main/doc/changelog.rst)
- [Commits](amueller/word_cloud@1.9.4...1.9.6)

Updates `ydata-profiling` from 4.18.0 to 4.18.1
- [Release notes](https://github.com/ydataai/ydata-profiling/releases)
- [Commits](Data-Centric-AI-Community/ydata-profiling@v4.18.0...v4.18.1)

---
updated-dependencies:
- dependency-name: anyio
  dependency-version: 4.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
- dependency-name: attrs
  dependency-version: 26.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-deps
- dependency-name: certifi
  dependency-version: 2026.2.25
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-deps
- dependency-name: charset-normalizer
  dependency-version: 3.4.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-deps
- dependency-name: click
  dependency-version: 8.3.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-deps
- dependency-name: dash
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-deps
- dependency-name: filelock
  dependency-version: 3.25.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
- dependency-name: flask
  dependency-version: 3.1.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-deps
- dependency-name: fonttools
  dependency-version: 4.62.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
- dependency-name: fsspec
  dependency-version: 2026.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-deps
- dependency-name: gunicorn
  dependency-version: 25.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-deps
- dependency-name: hf-xet
  dependency-version: 1.4.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
- dependency-name: huggingface-hub
  dependency-version: 1.9.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
- dependency-name: importlib-metadata
  dependency-version: 9.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-deps
- dependency-name: kiwisolver
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
- dependency-name: llvmlite
  dependency-version: 0.47.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
- dependency-name: matplotlib
  dependency-version: 3.10.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-deps
- dependency-name: multimethod
  dependency-version: 2.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-deps
- dependency-name: narwhals
  dependency-version: 2.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
- dependency-name: numba
  dependency-version: 0.65.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
- dependency-name: packaging
  dependency-version: '26.0'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-deps
- dependency-name: pillow
  dependency-version: 12.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
- dependency-name: plotly
  dependency-version: 6.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
- dependency-name: pyarrow
  dependency-version: 23.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-deps
- dependency-name: pydantic-core
  dependency-version: 2.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
- dependency-name: pyparsing
  dependency-version: 3.3.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
- dependency-name: pytz
  dependency-version: 2026.1.post1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-deps
- dependency-name: requests
  dependency-version: 2.33.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
- dependency-name: tqdm
  dependency-version: 4.67.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-deps
- dependency-name: typeguard
  dependency-version: 4.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
- dependency-name: typer-slim
  dependency-version: 0.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
- dependency-name: tzdata
  dependency-version: '2026.1'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-deps
- dependency-name: werkzeug
  dependency-version: 3.1.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-deps
- dependency-name: wordcloud
  dependency-version: 1.9.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-deps
- dependency-name: ydata-profiling
  dependency-version: 4.18.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-deps
...

Signed-off-by: dependabot[bot] <support@github.com>

Labels

- dependencies: Pull requests that update a dependency file
- python:uv: Pull requests that update python:uv code
