You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be
passed to APIs that accept Python buffers, which could lead to buffer
overflow. **CVE-2026-39892**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.
.. _v46-0-6:
46.0.6 - 2026年03月25日
SECURITY ISSUE: Fixed a bug where name constraints were not applied
to peer names during verification when the leaf certificate contains a
wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug,
including those used by the Web PKI. Credit to Oleh Konko (1seal) for
reporting the issue. CVE-2026-34073
.. _v46-0-5:
46.0.5 - 2026年02月10日
* An attacker could create a malicious public key that reveals portions of your
private key when using certain uncommon elliptic curves (binary curves).
This version now includes additional security checks to prevent this attack.
This issue only affects binary elliptic curves, which are rarely used in
real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
**CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
removed in the next release.
.. v46-0-4:
46.0.4 - 2026年01月27日
Dropped support for win_arm64 wheels_.
Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.
Enforce DNS-length cap on individual labels early in check_label,
short-circuiting contextual-rule processing for oversized input
while staying compatible with UTS 46 usage.
Tidy core helpers: hoist bidi category sets to module-level
frozensets (avoiding per-codepoint list construction), simplify
length checks, and reuse the shared _unicode_dots_re from
idna.core in the codec module.
Use raise ... from err for proper exception chaining and
switch internal string formatting to f-strings.
Allow flit_core 4.x in the build backend.
Expand the ruff lint set (flake8-bugbear, flake8-simplify,
pyupgrade, perflint) and apply the surfaced fixes; pin lint CI
to Python 3.14.
Add Dependabot configuration for GitHub Actions.
Convert README and HISTORY from reStructuredText to Markdown.
Reference CVE-2026-45409 for the 3.14 advisory in place of the
initial GHSA identifier.
Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for
contributions to this release.
3.14 (2026年05月10日)
Removed opportunity to process long inputs into quadratic
time by rejecting oversize inputs up-front. Closes a bypass
of the CVE-2024-3651 mitigation. [CVE-2026-45409]
Thanks to Stan Ulbrych for reporting the issue.
3.13 (2026年04月22日)
Correct classification error for codepoint U+A7F1
3.12 (2026年04月21日)
Update to Unicode 17.0.0.
Issue a deprecation warning for the transitional argument.
Added lazy-loading to provide some performance improvements.
Removed vestiges of code related to Python 2 support, including
segmentation of data structures specific to Jython.
Thanks to Rodrigo Nogueira for contributions to this release.
3.11 (2025年10月12日)
Update to Unicode 16.0.0, including significant changes to UTS46
processing. As a result of Unicode ending support for it, transitional
processing no longer has an effect and returns the same result.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dependenciesPull requests that update a dependency filepythonPull requests that update python code
0 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Warning
Dependabot will stop supporting
python v3.9!Please upgrade to one of the following versions:
v3.9,v3.10,v3.11,v3.12,v3.13, orv3.14.Bumps the pip group with 4 updates in the / directory: certifi, cryptography, idna and zipp.
Updates
certififrom 2022年12月7日 to 2024年7月4日Commits
bd815382024年07月04日 (#295)06a2cbfBump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (#294)13bba02Bump actions/checkout from 4.1.6 to 4.1.7 (#293)e8abcd0Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 (#292)124f4ad2024年06月02日 (#291)c2196ce--- (#290)fefdeecBump actions/checkout from 4.1.4 to 4.1.5 (#289)3c5fb15Bump actions/download-artifact from 4.1.6 to 4.1.7 (#286)4a9569aBump actions/checkout from 4.1.2 to 4.1.4 (#287)1fc8086Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (#288)Updates
cryptographyfrom 38.0.4 to 46.0.7Changelog
Sourced from cryptography's changelog.
... (truncated)
Commits
622d67246.0.7 release (#14602)91d7288Cherry-pick #14542 (#14543)06e120ebump version for 46.0.5 release (#14289)0eebb9dEC check key on cofactor > 1 (#14287)bedf6e1fix openssl version on 46 branch (#14220)e6f44fcbump for 46.0.4 and drop win arm64 due to CI issues (#14217)c0af4ddrelease 46.0.3 (#13681)99efe5abump version for 46.0.2 (#13531)e735cfcrelease 46.0.1 (#13450)4e457ffExplicitly specify python in mac uv build invocation (#13447)Updates
idnafrom 3.4 to 3.15Release notes
Sourced from idna's releases.
Changelog
Sourced from idna's changelog.
... (truncated)
Commits
af30a09Release 3.1530314d4Pre-release 3.15rc005d4b21Merge pull request #237 from kjd/convert-docs-to-markdown2987fdbConvert README and HISTORY from reStructuredText to Markdown59fa800Merge pull request #236 from kjd/dependabot/github_actions/actions-f3e34333eadef6983Merge branch 'master' into dependabot/github_actions/actions-f3e34333eabbd8004Merge pull request #234 from StanFromIreland/patch-1edd07c0Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions group5557db0Merge branch 'master' into patch-1f11746cMerge pull request #235 from StanFromIreland/patch-2Updates
zippfrom 3.11.0 to 3.19.1Changelog
Sourced from zipp's changelog.
... (truncated)
Commits
6d1cb72Finalizefd604bdMerge pull request #120 from jaraco/bugfix/119-malformed-pathsc18417eAdd news fragment.58115d2Employ SanitizedNames in CompleteDirs. Fixes broken test.564fcc1Add SanitizedNames mixin.79a309fAdd some assertions about malformed paths.2d015c2Merge https://github.com/jaraco/skeletona595a0fRename extras to align with core metadata spec.608f90aFinalize3a22d72Merge pull request #118 from jaraco/feature/is-symlinkDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsYou can disable automated security fix PRs for this repo from the Security Alerts page.