Bump the pip group across 28 directories with 4 updates

[dependabot]

Bumps the pip group with 4 updates in the /wandb/run-20241208_233803-k50mdb94/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241208_234207-719gd67m/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241208_234348-3k843q5m/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241208_234927-0lormxok/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241208_235259-zo0177ba/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_001012-4p02l17t/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_003341-6ob8tc23/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_003544-nngnnaj1/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_003742-spjrnvfl/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_004548-pxlrlgu6/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_004625-3rtc2d1g/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_004945-hybasejc/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_005014-dkqdw2xf/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_005851-p2jjssp9/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_005923-ujmv6hg0/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_010713-uolr87wa/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_020634-3mme08dr/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_030055-vtglop6r/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_031342-h3ohlpzy/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_031452-h7pr4syu/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_033810-69h4jquw/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_034448-z838uymc/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_035835-oiah2ikz/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_041232-80wxu08d/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_041709-vvefq1b8/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_043649-4snvizf0/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_043855-yf41zoni/files directory: idna, mistune, ujson and urllib3.
Bumps the pip group with 4 updates in the /wandb/run-20241209_044357-2cudcxy1/files directory: idna, mistune, ujson and urllib3.

Updates idna from 3.7 to 3.15

Release notes

Sourced from idna's releases.

v3.15

No release notes provided.

v3.14

No release notes provided.

v3.13

No release notes provided.

v3.12

No release notes provided.

v3.11

No release notes provided.

v3.10

No release notes provided.

v3.9

No release notes provided.

v3.8

What's Changed

• Fix regression where IDNAError exception was not being produced for certain inputs.
• Add support for Python 3.13, drop support for Python 3.5 as it is no longer testable.
• Documentation improvements
• Updates to package testing using Github actions

Thanks to Hugo van Kemenade for contributions to this release.

Full Changelog: kjd/idna@v3.7...v3.8

Changelog

Sourced from idna's changelog.

3.15 (2026-05-12)

• Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.
• Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.
• Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.
• Allow flit_core 4.x in the build backend.
• Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.
• Add Dependabot configuration for GitHub Actions.
• Convert README and HISTORY from reStructuredText to Markdown.
• Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

3.14 (2026-05-10)

• Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

3.13 (2026-04-22)

• Correct classification error for codepoint U+A7F1

3.12 (2026-04-21)

• Update to Unicode 17.0.0.
• Issue a deprecation warning for the transitional argument.
• Added lazy-loading to provide some performance improvements.
• Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

3.11 (2025-10-12)

• Update to Unicode 16.0.0, including significant changes to UTS46 processing. As a result of Unicode ending support for it, transitional processing no longer has an effect and returns the same result.

... (truncated)

Commits

• af30a09 Release 3.15
• 30314d4 Pre-release 3.15rc0
• 05d4b21 Merge pull request #237 from kjd/convert-docs-to-markdown
• 2987fdb Convert README and HISTORY from reStructuredText to Markdown
• 59fa800 Merge pull request #236 from kjd/dependabot/github_actions/actions-f3e34333ea
• def6983 Merge branch 'master' into dependabot/github_actions/actions-f3e34333ea
• bbd8004 Merge pull request #234 from StanFromIreland/patch-1
• edd07c0 Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions group
• 5557db0 Merge branch 'master' into patch-1
• f11746c Merge pull request #235 from StanFromIreland/patch-2
• Additional commits viewable in compare view

Updates mistune from 2.0.4 to 3.2.1

Release notes

Sourced from mistune's releases.

v3.2.1

   🐞 Bug Fixes

• Resolve Windows compatibility issues in file inclusion and tests  -  by @​Yuki9814 (25471)
• Escape html text  -  by @​lepture (a3cb6)
• Update link reference  -  by @​lepture (85eb5)
• Handle escaped dollar signs in inline math  -  by @​saschabuehrle in lepture/mistune#370 (7bd57)
• Escape id of toc  -  by @​lepture (04880)
• Escape id of headings  -  by @​lepture (28556)
• Remove double-encoding of image alt text  -  by @​lawrence3699 (0d6f3)
• Escape xml for math plugin  -  by @​lepture (5fa09)
• Use strict regex for image's height and width  -  by @​lepture (8d0cb)

    View changes on GitHub

v3.2.0

   🚀 Features

• Support footnotes that start on the next line.  -  by @​kylechui (2677e)
• Properly handle code blocks inside footnotes.  -  by @​kylechui (0516c)
• Support python 3.14  -  by @​lepture (7e0eb)

   🐞 Bug Fixes

• Render ref links and footnotes in footnotes.  -  by @​lepture (bd90e)
• Render ref links in TOC.  -  by @​lemon24 (a0a01)
• Update typing for mypy upgrades  -  by @​lepture (8d49c)
• Render correct html for footnotes  -  by @​lepture (9b622)

    View changes on GitHub

v3.1.4

   🐞 Bug Fixes

• Add fenced directive break rule in list parser, #412  -  by @​lepture in lepture/mistune#412 (ea3ec)
• Prevent remove unicode whitespace when parsing atx heading  -  by @​lepture (9e720)

    View changes on GitHub

v3.1.3

   🚀 Features

• Announce supports for python 3.12 and 3.13  -  by @​lepture (ff831)

    View changes on GitHub

v3.1.2

   🐞 Bug Fixes

• plugin: Fix footnote plugins when rendering ast  -  by @​lepture (a7289)

... (truncated)

Changelog

Sourced from mistune's changelog.

Version 3.2.1

Released on May 3, 2026

• Escape link in render_toc_ul.
• Escape text in math plugin.
• Fix regex for math plugin.
• Escape heading's ID attribute.
• Fix LINK_TITLE_RE to prevent DoS.
• Escape class attribute for admonition directive.
• Remove double-encoding of image alt text.
• Escape class attribute for image directive.
• Fix width/height attribute for image directive.

Version 3.2.0

Released on Dec 23, 2025

• Announce supports for python 3.14
• Fix footnotes plugins for code blocks, ref links, blockquote and etc.
• Fix ref links in TOC.

Version 3.1.4

Released on Aug 29, 2025

• Add fenced directive break rule in list parser.
• Prevent removing unicode whitespace when parsing atx heading.

Version 3.1.3

Released on Mar 19, 2025

• Announce supports for python 3.12 and 3.13

Version 3.1.2

Released on Feb 19, 2025

• Fix footnotes plugin for AST renderer

Version 3.1.1

Released on Jan 28, 2025

... (truncated)

Commits

• 067f908 chore: release 3.2.1
• bf55030 Merge pull request #438 from saschabuehrle/fix/issue-370
• 8d0cb75 fix: use strict regex for image's height and width
• 5fa092e fix: escape xml for math plugin
• 71ec947 Merge pull request #440 from lawrence3699/fix/image-alt-double-encoding
• 0d6f3d8 fix: remove double-encoding of image alt text
• 2855622 fix: escape id of headings
• 04880a0 fix: escape id of toc
• 7bd5709 fix: handle escaped dollar signs in inline math (fixes #370)
• 85eb54f fix: update link reference
• Additional commits viewable in compare view

Updates ujson from 5.10.0 to 5.12.1

Release notes

Sourced from ujson's releases.

5.12.1

Fixed

• Fix encoding ref leak with non-English character (#714) @​nhancdt2602
• Fix memory leak when ujson.dump() is unable to write to its file (0bf630aaef59c0aafd0c8a4fc8bbe2a7bcefa853) @​bwoodsend

Note that pre-built wheels for graalpy on macOS have been omitted from this release due to infrastructural issues building them (#731).

5.12.0

Added

• Update license field (#693) @​wagenrace
• Build wheels for GraalPy (#685) @​timfel

Changed

• Drop support for Python 3.9 (#686) @​hugovk

Fixed

• Fix memory leak parsing large integers (ultrajson/ultrajson@4baeb95) @​bwoodsend
• Fix buffer overflow/infinite loop from indent handling (#709) @​bwoodsend
• Remove upper bound of setuptools for PyPy (#704) @​hugovk

5.11.0

Added

• Inline type stubs (#674) @​MarcoGorelli
• Add support for Python 3.14 (#680) @​hugovk
• Add support for PyPy3.11 (#658) @​hugovk
• Add Windows ARM64 wheels (#663) @​tonybaloney

Changed

• Migrate to src/ layout (#664) @​hugovk
• Build aarch64 wheels using native runners (#652) @​hugovk
• Drop support for EOL Python 3.8 (#645) @​hugovk
• Drop support for EOL PyPy3.8-PyPy3.10 (#639, #682) @​hugovk

Fixed

• fix(ujson.loads): raises a JSONDecodeError instead of SystemError when parsing a nested json string (#667) @​grandnew
• Pin setuptools < 72.2 to fix build on PyPy (#638) @​hugovk
• Update README.md example to match actual output (#654) @​AvdN

Commits

• 7d9036f Temporarily disable pre-built wheels for graalpy on macOS (#730)
• 0bf630a Temporarily disable pre-built wheels for graalpy on macOS
• 46f7596 Enable read access for CI/CD
• 82af1d0 Fix failure cleanup paths in ujson.dump()
• ceae6cd Gitignore .fuse_hidden and .DS_Store files
• dd87ed3 Improve unit test coverage (#718)
• ddbe2da Update release-drafter/release-drafter action to v7.2.1 (#717)
• 3be5ae5 Update release-drafter/release-drafter action to v7.2.1
• 9f90a8c Fix encoding ref leak with non-English character (#714)
• f1574e5 Hash pin GitHub Actions (#715)
• Additional commits viewable in compare view

Updates urllib3 from 2.2.3 to 2.7.0

Release notes

Sourced from urllib3's releases.

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

• Decompression-bomb safeguards of the streaming API were bypassed:

  1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially. (Reported by @​Cycloctane)
  2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli library. (Reported by @​kimkou2024)

  See GHSA-mf9v-mfxr-j63j for details.

• HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by @​christos-spearbit)

Deprecations and Removals

• Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (urllib3/urllib3#3763)
• Removed support for end-of-life Python 3.9. (urllib3/urllib3#3720)
• Removed support for end-of-life PyPy3.10. (urllib3/urllib3#4979)
• Bumped the minimum supported pyOpenSSL version to 19.0.0. (urllib3/urllib3#3777)

Bugfixes

• Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. (urllib3/urllib3#3636)
• Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True. (urllib3/urllib3#4967)
• Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle amt=0. (urllib3/urllib3#3793)
• Updated _TYPE_BODY type alias to include missing Iterable[str], matching the documented and runtime behavior of chunked request bodies. (urllib3/urllib3#3798)
• Fixed LocationParseError when paths resembling schemeless URIs were passed to HTTPConnectionPool.urlopen(). (urllib3/urllib3#3352)
• Fixed BaseHTTPResponse.readinto() type annotation to accept memoryview in addition to bytearray, matching the io.RawIOBase.readinto contract and enabling use with io.BufferedReader without type errors. (urllib3/urllib3#3764)

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by @​D47A, 8.9 High, GHSA-38jv-5279-wg99)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. (urllib3/urllib3#3743)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. (urllib3/urllib3#3752)

2.6.2

... (truncated)

Changelog

Sourced from urllib3's changelog.

2.7.0 (2026-05-07)

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

• Decompression-bomb safeguards of the streaming API were bypassed:

  1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially.
  2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli <https://pypi.org/project/brotli/>__ library.

  See GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__ for details.

• HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>__)

Deprecations and Removals

• Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. ([#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763>__)
• Removed support for end-of-life Python 3.9. ([#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720>__)
• Removed support for end-of-life PyPy3.10. ([#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979>__)
• Bumped the minimum supported pyOpenSSL version to 19.0.0. ([#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777>__)

Bugfixes

• Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. ([#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636>__)
• Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True.

... (truncated)

Commits

• 9a950b9 Release 2.7.0
• 5ec0de4 Merge commit from fork
• 2bdcc44 Merge commit from fork
• f45b0df Fix a misleading example for ProxyManager (#4970)
• 577193c Switch to nightly PyPy3.11 in CI for now (#4984)
• e90af45 Avoid infinite loop in HTTPResponse.read_chunked when amt=0 (#4974)
• 67ed74f Bump dev dependencies (#4972)
• 3abd481 Upgrade mypy to version 1.20.2 (#4978)
• 2b8725d Drop support for EOL PyPy3.10 (#4979)
• 2944b2a Upgrade setup-chrome and setup-firefox to fix warnings (#4973)
• Additional commits viewable in compare view

Updates idna from 3.7 to 3.15

Release notes

Sourced from idna's releases.

v3.15

No release notes provided.

v3.14

No release notes provided.

v3.13

No release notes provided.

v3.12

No release notes provided.

v3.11

No release notes provided.

v3.10

No release notes provided.

v3.9

No release notes provided.

v3.8

What's Changed

• Fix regression where IDNAError exception was not being produced for certain inputs.
• Add support for Python 3.13, drop support for Python 3.5 as it is no longer testable.
• Documentation improvements
• Updates to package testing using Github actions

Thanks to Hugo van Kemenade for contributions to this release.

Full Changelog: kjd/idna@v3.7...v3.8

Changelog

Sourced from idna's changelog.

3.15 (2026-05-12)

• Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.
• Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.
• Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.
• Allow flit_core 4.x in the build backend.
• Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.
• Add Dependabot configuration for GitHub Actions.
• Convert README and HISTORY from reStructuredText to Markdown.
• Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

3.14 (2026-05-10)

• Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

3.13 (2026-04-22)

• Correct classification error for codepoint U+A7F1

3.12 (2026-04-21)

• Update to Unicode 17.0.0.
• Issue a deprecation warning for the transitional argument.
• Added lazy-loading to provide some performance improvements.
• Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

3.11 (2025-10-12)

• Update to Unicode 16.0.0, including significant changes to UTS46 processing. As a result of Unicode ending support for it, transitional processing no longer has an effect and returns the same result.

... (truncated)

Commits

• af30a09 Release 3.15
• 30314d4 Pre-release 3.15rc0
• 05d4b21 Merge pull request #237 from kjd/convert-docs-to-markdown
• 2987fdb Convert README and HISTORY from reStructuredText to Markdown
• 59fa800 Merge pull request #236 from kjd/dependabot/github_actions/actions-f3e34333ea
• def6983 Merge branch 'master' into dependabot/github_actions/actions-f3e34333ea
• bbd8004 Merge pull request #234 from StanFromIreland/patch-1
• edd07c0 Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions group
• 5557db0 Merge branch 'master' into patch-1
• f11746c Merge pull request #235 from StanFromIreland/patch-2
• Additional commits viewable in compare view

Updates mistune from 2.0.4 to 3.2.1

Release notes

Sourced from mistune's releases.

v3.2.1

   🐞 Bug Fixes

• Resolve Windows compatibility issues in file inclusion and tests  -  by @​Yuki9814 (25471)
• Escape html text  -  by @​lepture (a3cb6)
• Update link reference  -  by @​lepture (85eb5)
• Handle escaped dollar signs in inline math  -  by @​saschabuehrle in lepture/mistune#370 (7bd57)
• Escape id of toc  -  by @​lepture (04880)
• Escape id of headings  -  by @​lepture (28556)
• Remove double-encoding of image alt text  -  by @​lawrence3699 (0d6f3)
• Escape xml for math plugin  -  by @​lepture (5fa09)
• Use strict regex for image's height and width  -  by @​lepture (8d0cb)

    View changes on GitHub

v3.2.0

   🚀 Features

• Support footnotes that start on the next line.  -  by @​kylechui (2677e)
• Properly handle code blocks inside footnotes.  -  by @​kylechui (0516c)
• Support python 3.14  -  by @​lepture (7e0eb)

   🐞 Bug Fixes

• Render ref links and footnotes in footnotes.  -  by @​lepture (bd90e)
• Render ref links in TOC.  -  by @​lemon24 (a0a01)
• Update typing for mypy upgrades  -  by @​lepture (8d49c)
• Render correct html for footnotes  -  by @​lepture (9b622)

    View changes on GitHub

v3.1.4

   🐞 Bug Fixes

• Add fenced directive break rule in list parser, #412  -  by @​lepture in lepture/mistune#412 (ea3ec)
• Prevent remove unicode whitespace when parsing atx heading  -  by @​lepture (9e720)

    View changes on GitHub

v3.1.3

   🚀 Features

• Announce supports for python 3.12 and 3.13  -  by @​lepture (ff831)

    View changes on GitHub

v3.1.2

   🐞 Bug Fixes

• plugin: Fix footnote plugins when rendering ast  -  by @​lepture (a7289)

... (truncated)

Changelog

Sourced from mistune's changelog.

Version 3.2.1

Released on May 3, 2026

• Escape link in render_toc_ul.
• Escape text in math plugin.
• Fix regex for math plugin.
• Escape heading's ID attribute.
• Fix LINK_TITLE_RE to prevent DoS.
• Escape class attribute for admonition directive.
• Remove double-encoding of image alt text.
• Escape class attribute for image directive.
• Fix width/height attribute for image directive.

Version 3.2.0

Released on Dec 23, 2025

• Announce supports for python 3.14
• Fix footnotes plugins for code blocks, ref links, blockquote and etc.
• Fix ref links in TOC.

Version 3.1.4

Released on Aug 29, 2025

• Add fenced directive break rule in list parser.
• Prevent removing unicode whitespace when parsing atx heading.

Version 3.1.3

Released on Mar 19, 2025

• Announce supports for python 3.12 and 3.13

Version 3.1.2

Released on Feb 19, 2025

• Fix footnotes plugin for AST renderer

Version 3.1.1

Released on Jan 28, 2025

... (truncated)

Commits

• 067f908 chore: release 3.2.1
• bf55030 Merge pull request #438 from saschabuehrle/fix/issue-370
• 8d0cb75 fix: use strict regex for image's height and width
• 5fa092e fix: escape xml for math plugin
• 71ec947 Merge pull request #440 from lawrence3699/fix/image-alt-double-encoding
• 0d6f3d8 fix: remove double-encoding of image alt text
• 2855622 fix: escape id of headings
• 04880a0 fix: escape id of toc
• 7bd5709 fix: handle escaped dollar signs in inline math (fixes #370)
• 85eb54f fix: update link reference
• Additional commits viewable in compare view

Updates ujson from 5.10.0 to 5.12.1

Release notes

Sourced from ujson's releases.

5.12.1

Fixed

• Fix encoding ref leak with non-English character (#714) @​nhancdt2602
• Fix memory leak when ujson.dump() is unable to write to its file (0bf630aaef59c0aafd0c8a4fc8bbe2a7bcefa853) @​bwoodsend

Note that pre-built wheels for graalpy on macOS have been omitted from this release due to infrastructural issues building them (#731).

5.12.0

Added

• Update license field (#693) @​wagenrace
• Build wheels for GraalPy (#685) @​timfel

Changed

• Drop support for Python 3.9 (#686) @​hugovk

Fixed

• Fix memory leak parsing large integers (ultrajson/ultrajson@4baeb95) @​bwoodsend
• Fix buffer overflow/infinite loop from indent handling (#709) @​bwoodsend
• Remove upper bound of setuptools for PyPy (#704) @​hugovk

5.11.0

Added

• Inline type stubs (#674) @​MarcoGorelli
• Add support for Python 3.14 (#680) @​hugovk
• Add support for PyPy3.11 (#658) @​hugovk
• Add Windows ARM64 wheels (#663) @​tonybaloney

Changed

• Migrate to src/ layout (#664) @​hugovk
• Build aarch64 wheels using native runners (#652) @​hugovk
• Drop support for EOL Python 3.8 (#645) @​hugovk
• Drop support for EOL PyPy3.8-PyPy3.10 (#639, #682) @​hugovk

Fixed

• fix(ujson.loads): raises a JSONDecodeError instead of SystemError when parsing a nested json string (#667) @​grandnew
• Pin setuptools < 72.2 to fix build on PyPy (#638) @​hugovk
• Update README.md example to match actual output (#654) @​AvdN

Commits

• 7d9036f Temporarily disable pre-built wheels for graalpy on macOS (#730)
• 0bf630a Temporarily disable pre-built wheels for graalpy on macOS
• 46f7596 Enable read access for CI/CD
• 82af1d0 Fix failure cleanup paths in ujson.dump()
• ceae6cd Gitignore .fuse_hidden and .DS_Store files
• dd87ed3 Improve unit test coverage (#718)
• ddbe2da Update release-drafter/release-drafter action to v7.2.1 (#717)
• 3be5ae5 Update release-drafter/release-drafter action to v7.2.1
• 9f90a8c Fix encoding ref leak with non-English character (#714)
• f1574e5 Hash pin GitHub Actions (#715)
• Additional commits viewable in compare view

Updates urllib3 from 2.2.3 to 2.7.0

Release notes

Sourced from urllib3's releases.

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

• Decompression-bomb safeguards of the streaming API were bypassed:

  1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially. (Reported by @​Cycloctane)
  2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli library. (Reported by @​kimkou2024)

  See GHSA-mf9v-mfxr-j63j for details.

• HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by @​christos-spearbit)

<...

Description has been truncated

---

Summary by cubic

Bump dependency pins across 28 W&B run directories to pick up security and compatibility updates. Only requirements.txt files were changed, upgrading idna, mistune, ujson, and urllib3.

• Dependencies

  • idna: 3.7 → 3.15
  • mistune: 2.0.4 → 3.2.1
  • ujson: 5.10.0 → 5.12.1
  • urllib3: 2.2.3 → 2.7.0

• Migration

  • Ensure Python ≥ 3.10 (new urllib3/ujson drop 3.9).
  • If you use mistune directly, verify compatibility with 3.x API.

^{Written for commit a6b59fc. Summary will update on new commits. Review in cubic}

[ecc-tools]

Analyzing 200 commits...

[ecc-tools]

Analysis Complete

Generated ECC bundle from 1 commits | Confidence: 55%

View Pull Request #6

Repository Profile

Attribute	Value
Language	TypeScript
Framework	Not detected
Commit Convention	freeform
Test Directory	separate

Changed Files (28)

Metric	Value
Files changed	28
Additions	112
Deletions	112

Top hotspots

Path	Status	+/-
wandb/run-20241208_233803-k50mdb94/files/requirements.txt	modified	+4 / -4
wandb/run-20241208_234207-719gd67m/files/requirements.txt	modified	+4 / -4
wandb/run-20241208_234348-3k843q5m/files/requirements.txt	modified	+4 / -4
wandb/run-20241208_234927-0lormxok/files/requirements.txt	modified	+4 / -4
wandb/run-20241208_235259-zo0177ba/files/requirements.txt	modified	+4 / -4

Top directories

Directory	Files	Total changes
wandb/run-20241208_233803-k50mdb94/files	1	8
wandb/run-20241208_234207-719gd67m/files	1	8
wandb/run-20241208_234348-3k843q5m/files	1	8
wandb/run-20241208_234927-0lormxok/files	1	8
wandb/run-20241208_235259-zo0177ba/files	1	8

Analysis Depth Readiness (commit-history, 7%)

ECC Tools uses this to decide whether recommendations should stay at commit-history/setup guidance or expand into CI, security, harness, reference-set, AI-routing, and team backlog work.

Area	Status	Evidence / Next Step
Commit history	Partial	1 commits sampled
CI/CD signals	Missing	Add workflow files or CI troubleshooting evidence so ECC Tools can reason about pipeline setup.
Security evidence	Missing	Add AgentShield, audit, SARIF, SBOM, or security review evidence so recommendations can cover security posture.
Harness configuration	Missing	Add Claude, Codex, OpenCode, Zed, dmux, MCP, plugin, or cross-harness config evidence for harness-agnostic recommendations.
Reference/eval evidence	Missing	Add fixtures, golden traces, reference sets, or evaluator benchmarks so deeper recommendations have regression evidence.
AI routing and cost controls	Missing	Add model-routing, budget, usage, or cost-control files before relying on AI-heavy automation recommendations.
Team handoff and project tracking	Missing	Add roadmap, runbook, project, Linear, or follow-up tracking docs so generated work can land in a team queue.

Reference Set Readiness (0/7, 0%)

Area	Status	Evidence / Next Step
Deep analyzer corpus	Missing	Add analyzer fixture, golden, benchmark, or reference-set files that can catch analyzer regressions.
RAG/evaluator comparison	Missing	Add retrieval or evaluator reference-set comparison fixtures with expected ranking behavior.
PR salvage/review corpus	Missing	Add stale-PR, review-thread, reopen-flow, or salvage reference cases for queue cleanup automation.
Discussion triage corpus	Missing	Add public discussion triage fixtures, golden cases, or reference sets for informational, answered, and no-response classifications.
Harness compatibility	Missing	Add cross-harness, adapter-compliance, or harness-audit evidence for Claude, Codex, OpenCode, Zed, dmux, and agent surfaces.
Security evidence	Missing	Attach security evidence such as SBOMs, SARIF, audit reports, or AgentShield evidence packs.
CI failure-mode evidence	Missing	Add captured CI failure logs, dry-run fixtures, or troubleshooting docs for common workflow failure modes.

Detected Workflows (1)

Workflow	Description
bulk-dependency-update-across-experiment-directories	Updates Python dependencies (idna, mistune, ujson, urllib3) in requirements.txt files across multiple experiment run directories under wandb.

Generated Instincts (15)

Domain	Count
git	2
code-style	9
testing	2
workflow	2

After merging, import with:

/instinct-import .claude/homunculus/instincts/inherited/Behavioral_RL-instincts.yaml

Files

• .claude/ecc-tools.json
• .claude/skills/Behavioral_RL/SKILL.md
• .agents/skills/Behavioral_RL/SKILL.md
• .agents/skills/Behavioral_RL/agents/openai.yaml
• .claude/identity.json
• .codex/config.toml
• .codex/AGENTS.md
• .codex/agents/explorer.toml
• .codex/agents/reviewer.toml
• .codex/agents/docs-researcher.toml
• .claude/homunculus/instincts/inherited/Behavioral_RL-instincts.yaml

---

_{ECC Tools | Everything Claude Code}

[cubic-dev-ai]

1 issue found across 28 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="wandb/run-20241209_005014-dkqdw2xf/files/requirements.txt">

<violation number="1" location="wandb/run-20241209_005014-dkqdw2xf/files/requirements.txt:183">
P0: Known incompatibility between mistune 3.2.1 and nbconvert 7.16.4. Mistune 3.1.0+ renamed `parse_axt_heading` to `parse_atx_heading`, breaking nbconvert's `MathBlockParser` override. The fix requires nbconvert >=7.16.5. Without it, notebook-to-HTML conversion will fail with an AttributeError.</violation>
</file>

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[cubic-dev-ai]

P0: Known incompatibility between mistune 3.2.1 and nbconvert 7.16.4. Mistune 3.1.0+ renamed parse_axt_heading to parse_atx_heading, breaking nbconvert's MathBlockParser override. The fix requires nbconvert >=7.16.5. Without it, notebook-to-HTML conversion will fail with an AttributeError.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At wandb/run-20241209_005014-dkqdw2xf/files/requirements.txt, line 183:

<comment>Known incompatibility between mistune 3.2.1 and nbconvert 7.16.4. Mistune 3.1.0+ renamed `parse_axt_heading` to `parse_atx_heading`, breaking nbconvert's `MathBlockParser` override. The fix requires nbconvert >=7.16.5. Without it, notebook-to-HTML conversion will fail with an AttributeError.</comment>

<file context>
@@ -180,7 +180,7 @@ mccabe==0.7.0
 mdurl==0.1.0
 menuinst==2.1.2
-mistune==2.0.4
+mistune==3.2.1
 mkl_fft==1.3.10
 mkl_random==1.2.7
</file context>