chore(deps): bump the python-packages group across 1 directory with 9 updates

[dependabot]

Bumps the python-packages group with 9 updates in the / directory:

Package	From	To
attrs	25.4.0	26.1.0
django	5.2.10	5.2.13
djangorestframework	3.16.1	3.17.1
dependency-injector	4.48.3	4.49.0
gunicorn	23.0.0	25.3.0
mypy	1.19.1	1.20.1
pytest	9.0.2	9.0.3
django-stubs	6.0.1	6.0.3
packaging	26.0	26.1

Updates attrs from 25.4.0 to 26.1.0

Release notes

Sourced from attrs's releases.

26.1.0

Highlights

The main outward change here only affects people using field transformers, but it should be a nice quality of life improvement!

Full changelog below!

Special Thanks

This release would not be possible without my generous sponsors! Thank you to all of you making sustainable maintenance possible! If you would like to join them, go to https://github.com/sponsors/hynek and check out the sweet perks!

Above and Beyond

Variomedia AG (@variomedia), Tidelift (@tidelift), Kraken Tech (@kraken-tech), Privacy Solutions GmbH (@privacy-solutions), FilePreviews (@filepreviews), Ecosystems (@ecosyste-ms), TestMu AI Open Source Office (Formerly LambdaTest) (@LambdaTest-Inc), Doist (@Doist), Daniel Fortunov (@asqui), and Kevin P. Fleming (@kpfleming).

Maintenance Sustainers

Buttondown (@buttondown), Christopher Dignam (@chdsbd), Magnus Watn (@magnuswatn), David Cramer (@dcramer), Rivo Laks (@rivol), Polar (@polarsource), Mike Fiedler (@miketheman), Duncan Hill (@cricalix), Colin Marquardt (@cmarqu), Pieter Swinkels (@swinkels), Nick Libertini (@libertininick), Brian M. Dennis (@crossjam), Celebrity News AG (@celebritynewsag), The Westervelt Company (@westerveltco), Sławomir Ehlert (@slafs), Mostafa Khalil (@khadrawy), Filip Mularczyk (@mukiblejlok), Thomas Klinger (@thmsklngr), Andreas Poehlmann (@ap--), August Trapper Bigelow (@atbigelow), Carlton Gibson (@carltongibson), and Roboflow (@roboflow).

Full Changelog

Backwards-incompatible Changes

• Field aliases are now resolved before calling field_transformer, so transformers receive fully populated Attribute objects with usable alias values instead of None. The new Attribute.alias_is_default flag indicates whether the alias was auto-generated (True) or explicitly set by the user (False). #1509

Changes

• Fix type annotations for attrs.validators.optional(), so it no longer rejects tuples with more than one validator. #1496
• The attrs.validators.disabled() contextmanager can now be nested. #1513
• Frozen classes can set on_setattr=attrs.setters.NO_OP in addition to None. #1515
• It's now possible to pass attrs instances in addition to attrs classes to attrs.fields(). #1529

---

This release contains contributions from @​bysiber, @​DavidCEllis, @​finite-state-machine, @​hynek, @​veeceey, and @​vstinner.

Artifact Attestations

You can verify this release's artifact attestions using GitHub's CLI tool by downloading the sdist and wheel from PyPI and running:

$ gh attestation verify --owner python-attrs attrs-26.1.0.tar.gz

... (truncated)

Changelog

Sourced from attrs's changelog.

26.1.0 - 2026-03-19

Backwards-incompatible Changes

• Field aliases are now resolved before calling field_transformer, so transformers receive fully populated Attribute objects with usable alias values instead of None. The new Attribute.alias_is_default flag indicates whether the alias was auto-generated (True) or explicitly set by the user (False). #1509

Changes

• Fix type annotations for attrs.validators.optional(), so it no longer rejects tuples with more than one validator. #1496
• The attrs.validators.disabled() contextmanager can now be nested. #1513
• Frozen classes can set on_setattr=attrs.setters.NO_OP in addition to None. #1515
• It's now possible to pass attrs instances in addition to attrs classes to attrs.fields(). #1529

Commits

• 7bfc49e Prepare 26.1.0
• 31e0286 Update test_validators.py for Python 3.15a7 (#1530)
• 48b8611 Add instance support to attrs.fields() (#1529)
• 3a68d49 dev: document missing git tags failure mode
• a572c3a Allow field(on_setattr=NO_OP) on frozen classes
• af9c510 Fix validators.disabled() to save/restore state on nesting (#1513)
• ab7f8b2 update dev
• ce89f5d Fix message passing in frozen errors
• eccd966 Fix optional validator to accept tuples of len > 1 (#1496)
• e92fe52 policies: tighten screws (#1528)
• Additional commits viewable in compare view

Updates django from 5.2.10 to 5.2.13

Commits

• 7d831a9 [5.2.x] Bumped version for 5.2.13 release.
• 49e1e2b [5.2.x] Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body ...
• 0b46789 [5.2.x] Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser.
• 397c220 [5.2.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.li...
• 60ffa95 [5.2.x] Fixed CVE-2026-4277 -- Checked add permissions in GenericInlineModelA...
• 1cc2a76 [5.2.x] Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest.
• 2a8a76a [5.2.x] Added stub release notes and release date for 5.2.13 and 4.2.30.
• 90924f5 [5.2.x] Bumped black to 26.3.1.
• 0ee44c6 [5.2.x] Applied Black's 2026 stable style.
• 89b4d94 [5.2.x] Combined scripts confirm_release.sh and test_new_version.sh into veri...
• Additional commits viewable in compare view

Updates djangorestframework from 3.16.1 to 3.17.1

Release notes

Sourced from djangorestframework's releases.

3.17.1

What's Changed

Bug fixes

• Fix HTMLFormRenderer with empty datetime values by @​p-r-a-v-i-n in encode/django-rest-framework#9928

Full Changelog: encode/django-rest-framework@3.17.0...3.17.1

3.17.0

What's Changed

Breaking changes

• Drop support for Python 3.9 by @​auvipy in encode/django-rest-framework#9781
• Drop deprecated coreapi support by @​browniebroke in encode/django-rest-framework#9895

Features

• Add ability to specify output format for DurationField by @​sevdog in encode/django-rest-framework#8532
• Add missing decorators: @versioning_class(), @content_negotiation_class(), @metadata_class() for function-based views by @​qqii in encode/django-rest-framework#9719
• Add support for Python 3.14 by @​cclauss in encode/django-rest-framework#9780
• Support violation_error_code and violation_error_message from UniqueConstraint in UniqueTogetherValidator by @​s-aleshin in encode/django-rest-framework#9766
• Add support for ipaddress objects in JSONEncoder by @​corenting in encode/django-rest-framework#9087
• Add optional support to serialize BigInteger to string by @​HoodyH in encode/django-rest-framework#9775
• Add Django 6.0 support by @​MehrazRumman in encode/django-rest-framework#9819

Bug fixes

• Prevent small risk of Token overwrite by @​mahdirahimi1999 in encode/django-rest-framework#9754
• Fix UniqueTogetherValidator validation when condition references a read-only field by @​ticosax in encode/django-rest-framework#9764
• Fix validation on many to many field when default=None by @​Genarito in encode/django-rest-framework#9790
• Fix invalid SPDX license expression in __init__.py by @​TheFunctionalGuy in encode/django-rest-framework#9799
• Fix HTMLFormRenderer to ensure a valid datetime-local format by @​mgaligniana in encode/django-rest-framework#9365
• Fix mutable default arguments in OrderingFilter methods by @​killerdevildog in encode/django-rest-framework#9742
• Update TokenAdmin to respect USERNAME_FIELD of the user model by @​m000 in encode/django-rest-framework#9836
• Preserve ordering in MultipleChoiceField by @​fbozhang in encode/django-rest-framework#9735

Translations

• Update French translation by @​SebCorbin in encode/django-rest-framework#9770
• Update Brazilian Portuguese translations by @​JVPinheiroReis in encode/django-rest-framework#9828
• Fix and improve French translations by @​deronnax in encode/django-rest-framework#9896
• Add missing Russian translation by @​minorytanaka in encode/django-rest-framework#9903

Packaging

• Migrate packaging to pyproject.toml by @​deronnax in encode/django-rest-framework#9056
• Move package data rules from MANIFEST.in to pyproject.toml by @​p-r-a-v-i-n in encode/django-rest-framework#9825
• Set up release workflow with trusted publisher by @​browniebroke in encode/django-rest-framework#9852

Other changes

• Refactor token generation to use the secrets module by @​mahdirahimi1999 in encode/django-rest-framework#9760
• Add validation for decorator out-of-order with @api_view by @​kernelshard in encode/django-rest-framework#9821
• Switch to mkdocs material theme for documentation by @​browniebroke in encode/django-rest-framework#9849

New Contributors

• @​khaledsukkar2 made their first contribution in encode/django-rest-framework#9717

... (truncated)

Commits

• 22e231c Prepare bug fix release 3.17.1 (#9931)
• 8e99b53 Add condition to skip pushed tags from forks (#9924)
• c0407de Fix HTMLFormRenderer with empty datetime values (#9928)
• 30d58a7 Fix the book sizing in the documentation (#9926)
• 6f03b79 Tweak order of changes in release notes
• 021ab56 Bump version and update release notes for 3.17.0 (#9921)
• 19ebad7 Bump mkdocs-material[imaging] from 9.7.4 to 9.7.5 (#9923)
• f222c55 Correct requires-python key in pyproject.toml
• 7e7de6f Remove code fences from release checklist
• c599d30 Update release process
• Additional commits viewable in compare view

Updates dependency-injector from 4.48.3 to 4.49.0

Release notes

Sourced from dependency-injector's releases.

4.49.0

What's Changed

• Python 3.14 support
• Fix Pydantic v2 deprecation warning triggering on settings class import (fixes #942)
• Fix grammar in Declarative Container documentation by @​okotdaniel in ets-labs/python-dependency-injector#916
• Add missing warn_unresolved parameter to WiringConfiguration in containers.pyi by @​jonathandannenberg in ets-labs/python-dependency-injector#951
• Add keep_cache argument to Container.wire typings by @​romantolkachyov in ets-labs/python-dependency-injector#952
• Retrofit assert type for some type-stub checks by @​leonarduschen in ets-labs/python-dependency-injector#943
• Retrofit assert type for remaining type-stub checks by @​leonarduschen in ets-labs/python-dependency-injector#953
• Add provided().call *args, **kwargs arguments #945 by @​pavalso in ets-labs/python-dependency-injector#946
• Add context local resource by @​elina-israyelyan in ets-labs/python-dependency-injector#931
• Update CI/CD to actions/checkout@v6, actions/setup-python@v6, actions/download-artifact@v8, actions/upload-artifact@v7 and pypa/cibuildwheel@v3.4.0.
• Add dependabot config for GitHub Actions

New Contributors

• @​okotdaniel made their first contribution in ets-labs/python-dependency-injector#916
• @​jonathandannenberg made their first contribution in ets-labs/python-dependency-injector#951
• @​romantolkachyov made their first contribution in ets-labs/python-dependency-injector#952
• @​pavalso made their first contribution in ets-labs/python-dependency-injector#946
• @​elina-israyelyan made their first contribution in ets-labs/python-dependency-injector#931

Full Changelog: ets-labs/python-dependency-injector@4.48.3...4.49.0

Commits

• 5f7aa1c Bump version
• 5863d99 Add .github/dependabot.yml
• 000c670 Upgrade GHA actions
• 9310840 Fix iscoroutinefunction import for older Pythons
• 05a5e7d Fix get_annotations import
• 58700d9 Use from import statements
• 0e25331 Do not build nogil wheels
• 1696986 Python 3.14 support
• 5259351 Add context local resource (#931)
• 76d5932 Add provided()<func>.call *args, **kwargs arguments (#946)
• Additional commits viewable in compare view

Updates gunicorn from 23.0.0 to 25.3.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 25.3.0

Bug Fixes

• HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2 ASGI requests, causing JSON parsing errors with "Extra data" messages (#3558)

• ASGI Chunked EOF Handling: Add finish() method to callback parser to handle chunked encoding edge case where connection closes before final CRLF after zero-chunk

• HTTP/2 Documentation: Fix http_protocols examples to use comma-separated string instead of list syntax (#3561)

• Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC 9112 (#3556)

• Request Line Limit: Fix --limit-request-line 0 to mean unlimited as documented, instead of using default maximum. Works with both Python and fast C parser. (#3563)

Security

• ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
  • Reject duplicate Content-Length headers
  • Reject requests with both Content-Length and Transfer-Encoding
  • Reject chunked transfer encoding in HTTP/1.0
  • Reject stacked chunked encoding
  • Validate Transfer-Encoding values
  • Strict chunk size validation

Changes

• Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property and InvalidChunkExtension validation for bare CR rejection

• ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser

• Docker Images: Update to Python 3.14

Gunicorn 25.2.0

New Features

• Fast HTTP Parser (gunicorn_h1c 0.4.1): Integrate new exception types and limit parameters from gunicorn_h1c 0.4.1 for both WSGI and ASGI workers
  • Requires gunicorn_h1c >= 0.4.1 for http_parser='fast'
  • Falls back to Python parser in auto mode if version not met
  • Proper HTTP status codes for limit errors (414, 431)

Bug Fixes

• uWSGI Async Workers: Fix InvalidUWSGIHeader: incomplete header error when using gevent or gthread workers with uwsgi protocol behind nginx. (#3552, [PR #3554](benoitc/gunicorn#3554))

... (truncated)

Commits

• 9bce72c Update changelog with missing 25.3.0 changes
• 2a15fdb Fix pylint isinstance-second-argument-not-valid-type warning
• 8d08aaa Fix --limit-request-line 0 to mean unlimited
• d40a374 Fix pytest-asyncio configuration and treq_asgi hex escapes
• da8bd48 Remove unused AsyncRequest class
• b00f125 Integrate gunicorn_h1c 0.6.3 with InvalidChunkExtension support
• bdb2ebd Reject chunk extensions with bare CR bytes (RFC 9112)
• 7057fc9 Fix http_protocols documentation to use string syntax
• d43acb8 Update to gunicorn_h1c >= 0.6.2 for asgi_headers support
• cbd27e8 Merge pull request #3559 from benleembruggen/fix/http2-asgi-body-duplication
• Additional commits viewable in compare view

Updates mypy from 1.19.1 to 1.20.1

Changelog

Sourced from mypy's changelog.

Mypy 1.20.1

• Always disable sync in SQLite cache (Ivan Levkivskyi, PR 21184)
• Temporarily skip few base64 tests (Ivan Levkivskyi, PR 21193)
• Revert dict.__or__ typeshed change (Ivan Levkivskyi, PR 21186)
• Fix narrowing for match case with variadic tuples (Shantanu, PR 21192)
• Avoid narrowing type[T] in type calls (Shantanu, PR 21174)
• Fix regression for catching empty tuple in except (Shantanu, PR 21153)
• Fix reachability for frozenset and dict view narrowing (Shantanu, PR 21151)
• Fix narrowing with chained comparison (Shantanu, PR 21150)
• Avoid narrowing to unreachable at module level (Shantanu, PR 21144)
• Allow dangerous identity comparisons to Any typed variables (Shantanu, PR 21142)
• --warn-unused-config should not be a strict flag (Ivan Levkivskyi, PR 21139)

Acknowledgements

Thanks to all mypy contributors who contributed to this release:

• A5rocks
• Aaron Wieczorek
• Adam Turner
• Ali Hamdan
• asce
• BobTheBuidler
• Brent Westbrook
• Brian Schubert
• bzoracler
• Chris Burroughs
• Christoph Tyralla
• Colin Watson
• Donghoon Nam
• E. M. Bray
• Emma Smith
• Ethan Sarp
• George Ogden
• getzze
• grayjk
• Gregor Riepl
• Ivan Levkivskyi
• James Hilliard
• James Le Cuirot
• Jeremy Nimmer
• Joren Hammudoglu
• Kai (Kazuya Ito)
• kaushal trivedi
• Kevin Kannammalil
• Lukas Geiger
• Łukasz Langa
• Marc Mueller
• Michael R. Crusoe
• michaelm-openai

... (truncated)

Commits

• c60e8bf Bump version to 1.20.1
• 842e492 Always disable sync in SQLite cache (#21184)
• e82a046 Temporarily skip few base64 tests (#21193)
• f7fa418 Revert dict.or typeshed change (#21186)
• a2e8ee1 Fix narrowing for match case with variadic tuples (#21192)
• 521f88f Avoid narrowing type[T] in type calls (#21174)
• a4876e9 Fix regression for catching empty tuple in except (#21153)
• 6fccffc Fix reachability for frozenset and dict view narrowing (#21151)
• de50419 Fix narrowing with chained comparison (#21150)
• eafcf18 Avoid narrowing to unreachable at module level (#21144)
• Additional commits viewable in compare view

Updates pytest from 9.0.2 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

• #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

  -- by aleguy02

Commits

• a7d58d7 Prepare release version 9.0.3
• 089d981 Merge pull request #14366 from bluetech/revert-14193-backport
• 8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
• 99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
• ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
• 74eac69 doc: Update training info (#14298) (#14301)
• f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
• 7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
• 37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
• c34bfa3 Add explanation for string context diffs (#14257) (#14266)
• Additional commits viewable in compare view

Updates django-stubs from 6.0.1 to 6.0.3

Commits

• 59e6666 Version 6.0.3 release (#3319)
• e6049b4 Fix attname column (#3318)
• 1ac68b4 Update mypy to 1.20.1 (#3316)
• 134e391 Update dependency ty to v0.0.30 (#3315)
• f6653b9 Make Func generic over output_field (#3311)
• 56a4d52 Update dependency pyrefly to v0.61.0 (#3312)
• 6dd7943 Type-check (a)get_or_create and (a)update_or_create kwargs (#3309)
• af3e8a8 Update actions/cache digest to 27d5ce7 (#3301)
• d97823e Bump pytest-mypy-plugin (#3299)
• 649ff18 [pre-commit.ci] pre-commit autoupdate (#3303)
• Additional commits viewable in compare view

Updates packaging from 26.0 to 26.1

Release notes

Sourced from packaging's releases.

26.1

Features:

• PEP 783: add handling for Emscripten wheel tags by @​hoodmane in pypa/packaging#804 (old name used in implementation, will be fixed in next release)
• PEP 803: add handling for the abi3.abi3t free-threading tag by @​ngoldbaum in pypa/packaging#1099
• PEP 723: add packaging.dependency_groups module, based on the dependency-groups package by @​sirosen in pypa/packaging#1065
• Add the packaging.direct_url module by @​sbidoul in pypa/packaging#944
• Add the packaging.errors module by @​henryiii in pypa/packaging#1071
• Add SpecifierSet.is_unsatisfiable using ranges (new internals that will be expanded in future versions) by @​notatallshaw in pypa/packaging#1119
• Add create_compatible_tags_selector to select compatible tags by @​sbidoul in pypa/packaging#1110
• Add a key argument to SpecifierSet.filter() by @​frostming in pypa/packaging#1068
• Support & and | for Marker's by @​henryiii in pypa/packaging#1146
• Normalize Version.__replace__ and add Version.from_parts by @​henryiii in pypa/packaging#1078
• Add an option to validate compressed tag set sort order in parse_wheel_filename by @​r266-tech in pypa/packaging#1150

Behavior adaptations:

• Narrow exclusion of pre-releases for <V.postN to match spec by @​notatallshaw in pypa/packaging#1140
• Narrow exclusion of post-releases for >V to match spec by @​notatallshaw in pypa/packaging#1141
• Rename format_full_version to _format_full_version to make it visibly private by @​r266-tech in pypa/packaging#1125
• Restrict local version to ASCII by @​henryiii in pypa/packaging#1102

Pylock (PEP 751) updates:

• Add pylock select function by @​sbidoul in pypa/packaging#1092
• Document pylock select() method and PylockSelectError by @​r266-tech in pypa/packaging#1153
• Add filename property to PackageSdist and PackageWheel, more validation by @​sbidoul in pypa/packaging#1095
• Give preference to path over url by @​sbidoul in pypa/packaging#1128
• Validate name/version consistency in file names by @​sbidoul in pypa/packaging#1114

Fixes:

• Fix > comparison for versions with dev+local segments by @​veeceey in pypa/packaging#1097
• Fix incorrect self-comparison for InfinityType and NegativeInfinityType by @​bysiber in pypa/packaging#1093
• Canonicalize when deduplicating specifiers in SpecifierSet by @​notatallshaw in pypa/packaging#1109
• Fix charset error message formatting by @​notatallshaw in pypa/packaging#1121
• Handle the key parameter in SpecifierSet.filter when specifiers are empty and prerelease is False by @​notatallshaw in pypa/packaging#1096
• Standardize inner components of repr output by @​henryiii in pypa/packaging#1090
• Specifier's === uses original string, not normalized, when available by @​notatallshaw in pypa/packaging#1124
• Propagate int-max-str-digits ValueError by @​notatallshaw in pypa/packaging#1155

Performance:

• Add fast path for parsing simple versions (digits and dots only) by @​notatallshaw in pypa/packaging#1082
• Add fast path for Version to Version comparison by skipping _key property by @​notatallshaw in pypa/packaging#1083
• Cache Version hash value in dedicated slot by @​notatallshaw in pypa/packaging#1118
• Overhaul _cmpkey to remove use of custom objects by @​notatallshaw in pypa/packaging#1116
• Skip __replace__ in Specifier comparison if not needed by @​notatallshaw in pypa/packaging#1081
• SpecifierSet use tuple instead of frozenset for _specs by @​notatallshaw in pypa/packaging#1108
• Speed up complex SpecifierSet filtering by implementing cost-based ordering by @​notatallshaw in pypa/packaging#1105

... (truncated)

Changelog

Sourced from packaging's changelog.

26.1 - 2026-04-14

Features:

PEP 783: add handling for Emscripten wheel tags in (:pull:804)
PEP 803: add handling for the abi3.abi3t free-threading tag in (:pull:1099)
PEP 723: add packaging.dependency_groups module, based on the dependency-groups package in (:pull:1065)
Add the packaging.direct_url module in (:pull:944)
Add the packaging.errors module in (:pull:1071)
Add SpecifierSet.is_unsatisfiable using ranges (new internals that will be expanded in future versions) in (:pull:1119)
Add create_compatible_tags_selector to select compatible tags in (:pull:1110)
Add a key argument to SpecifierSet.filter() in (:pull:1068)
Support & and | for Marker's in (:pull:1146)
Normalize Version.__replace__ and add Version.from_parts in (:pull:1078)
Add an option to validate compressed tag set sort order in parse_wheel_filename in (:pull:1150)

Behavior adaptations:

Narrow exclusion of pre-releases for <V.postN to match spec in (:pull:1140)
Narrow exclusion of post-releases for >V to match spec in (:pull:1141)
Rename format_full_version to _format_full_version to make it visibly private in (:pull:1125)
Restrict local version to ASCII in (:pull:1102)

Pylock (PEP 751) updates:

Add pylock select function in (:pull:1092)
Document pylock select() method and PylockSelectError in (:pull:1153)
Add filename property to PackageSdist and PackageWheel, more validation in (:pull:1095)
Give preference to path over url in (:pull:1128)
Validate name/version consistency in file names in (:pull:1114)

Fixes:

Fix > comparison for versions with dev+local segments in (:pull:1097)
Fix incorrect self-comparison for InfinityType and NegativeInfinityType in (:pull:1093)
Canonicalize when deduplicating specifiers in SpecifierSet in (:pull:1109)
Fix charset error message formatting in (:pull:1121)
Handle the key parameter in SpecifierSet.filter when specifiers are empty and prerelease is False in (:pull:1096)
Standardize inner components of repr output in (:pull:1090)
Specifier's === uses original string, not normalized, when available in (:pull:1124)
Propagate int-max-str-digits ValueError in (:pull:1155)

Performance:

Add fast path for parsing simple versions (digits and dots only) in (:pull:1082)
Add fast path for Version to Version comparison by skipping _key property in (:pull:1083)
Cache Version hash value in dedicated slot in (:pull:1118)
Overhaul _cmpkey to remove use of custom objects in (:pull:1116)
Skip __replace__ in Specifier comparison if not needed in (:pull:1081)

</tr></table>

... (truncated)

Commits

• c1a88a3 Bump for release
• 702c25e docs: update changelog for 26.1 (#1156)
• 3f4f5d4 Implement is_unsatisfiable on SpecifierSet using ranges (#1119)
• 06c6555 Propagate int-max-str-digits ValueError (#1155)
• 905c90c feat: option to validate compressed tag set sort order in `parse_wheel_filena...
• af0026c docs(pylock): document select() method and PylockSelectError (#1153)
• 668da86 Rename format_full_version to _format_full_version to make it visibly private...
• f294d52<...

  Description has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.