⬆️(dependencies) update python dependencies

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
Brotli	==1.1.0 -> ==1.2.0
PyMuPDF (changelog)	==1.26.6 -> ==1.26.7
WeasyPrint (changelog)	==66.0 -> ==67.0
arrow	==1.3.0 -> ==1.4.0
celery (source, changelog)	==5.5.3 -> ==5.6.0
cryptography (changelog)	==46.0.2 -> ==46.0.3
django-admin-sortable2	==2.2.8 -> ==2.3
django-countries (changelog)	==7.6.1 -> ==8.2.0
django-viewflow	==2.2.13 -> ==2.2.14
drf-spectacular-sidecar	==2025.10.1 -> ==2025.12.1
drf_spectacular	==0.28.0 -> ==0.29.0
markdown (changelog)	==3.9 -> ==3.10
psycopg (changelog)	==3.2.10 -> ==3.3.2
pyfakefs (changelog)	==5.10.0 -> ==5.10.2
pylint (changelog)	==3.3.8 -> ==4.0.4
pytest (changelog)	==8.4.2 -> ==9.0.2
pytest-subtests	==0.14.1 -> ==0.15.0
ruff (source, changelog)	==0.14.0 -> ==0.14.9
sentry-sdk (changelog)	==2.41.0 -> ==2.48.0

---

Release Notes

google/brotli (Brotli)

v1.2.0

Compare Source

SECURITY

• python: added Decompressor::can_accept_more_data method and optional
  output_buffer_limit argument Decompressor::process;
  that allows mitigation of unexpectedly large output;
  reported by Charles Chan (https://github.com/charleswhchan)

Added

• decoder / encoder: added static initialization to reduce binary size
• python: allow limiting decoder output (see SECURITY section)
• CLI: brcat alias; allow decoding concatenated brotli streams
• kt: pure Kotlin decoder
• cgo: support "raw" dictionaries
• build: Bazel modules

Removed

• java: dropped finalize() for native entities

Fixed

• java: in compress pass correct length to native encoder

Improved

• build: install man pages
• build: updated / fixed / refined Bazel buildfiles
• encoder: faster encoding
• cgo: link via pkg-config
• python: modernize extension / allow multi-phase module initialization

Changed

• decoder / encoder: static tables use "small" model (allows 2GiB+ binaries)

pymupdf/pymupdf (PyMuPDF)

v1.26.7: PyMuPDF-1.26.7 released

Compare Source

Wheels for Windows, Linux and MacOS, and the sdist, are available on pypi.org and can be installed in the usual way, for example:

python -m pip install --upgrade pymupdf

[Linux-aarch64 wheels will be built and uploaded later.]

Changes in version 1.26.7

• Use MuPDF-1.26.12.

Other:

• Retrospectively mark #​4756 as fixed in 1.26.6.
• Improved safety of pymupdf embed-extract. This now refuses to write to
  an existing file or outside current directory, unless -output or new flag
  -unsafe is specified.

Kozea/WeasyPrint (WeasyPrint)

v67.0

Compare Source

Read about this release on our blog.

Dependencies

• Python 3.10+ is now needed, Python 3.9 is not supported anymore
• tinycss2 1.5.0+ is now needed
• fontTools 4.59.2+ is now needed

Features

• #​2560, #​640, #​844, #​1091, #​2517: Support CMYK colors, PDF/X, color profiles and light-dark() function
• #​2558, #​1175: Support ::first-line, with financial support from Karte Technology
• #​2552: Support CSS layers, with financial support from Code & Co.
• #​2564, #​2599, #​2397: Allow page breaks in grid rows, with financial support from Ocean Recap
• #​2568, #​357: Support calc() and other mathematical functions
• #​2575, #​2574: Support PDF/A-1a, PDF/A-2a and PDF/A-3a
• #​2611, #​2573: Support PDF/A-4e and PDF/A-4f
• #​2523: Display tofu for missing glyphs
• #​2581: Add option to disable protocols in URL resolution
• #​2570: Support rch, cap, rcap, rex, ic and ric font-relative units
• #​2547, #​2140: Support "only" keyword in media queries

Bug fixes

• #​2516, #​1510: Fix rendering of first line of text with nested right float
• #​2510, #​1073, #​2507: Avoid Pango crashes and font mismatches with @font-face rules referencing local fonts
• #​2532, #​2531: Use fonttools instancer instead of deprecated mutator API
• #​2541: Fix syntax of functions
• #​2543: Allow font-related units to access @font-face fonts
• #​2525: Respect top margins and avoid overlapping footnotes for columns, with financial support from Code & Co.
• #​2536: Remove Subtype key from font descriptor
• #​2539: Fix min width for SVGs with intrinsic ratio but no intrinsic size
• #​2537, #​2533: Fix order of operators when drawing SVGs
• #​2538: Don’t crash with nested unknown functions
• #​2542: Don’t crash when lh and rlh are used for line height or font size
• #​2540, #​2528: Use locale encoding instead of filesystem encoding for font paths
• #​2563, #​2479: Don’t avoid float collisions for atomic flex items
• #​2569: Don’t be case-sensitive for units
• #​2567, #​2566: Add x-default attribute for metadata description to be compliant with PDF/A
• #​2586, #​2571: Improve formatting contexts management
• #​2600: Fix SVG image aspect ratio when only width or height is specified
• #​2612, #​2595: Clean block layout and fix corner cases
• #​2522: Ignore preserveAspectRatio when SVG has no viewBox
• #​2544: Allow to use a variable twice in a function
• #​2555: Fix flex gap in right-to-left context
• #​2591: Respect non-auto widths and fix padding of grid items
• #​2601: Don’t crash when tagged tables are not displayed as tables
• #​2607: Fix rendering of multiline textareas with PDF forms
• #​2106: Force variable initialization to avoid crashes during column layout
• #​2618, #​2617: Fix rendering of relative grid and flex items

Documentation

• #​2535: #​2534: Removed reference to defunct site

Contributors

• Guillaume Ayoub
• Fazle Rabbi Ferdaus
• Lucie Anglade
• Luca Vercelli
• ChickenF622
• Ernie Chu
• Mark Pullin
• Malte Laukötter
• Markus Mohanty
• Yvonne Kothmeier
• Jarom Ort
• kuypan

Backers and sponsors

• Spacinov
• Syslifters
• Kobalt
• Simon Sapin
• Grip Angebotssoftware
• Manuel Barkhau
• Simonsoft
• KontextWork
• Menutech
• TrainingSparkle
• Healthchecks.io
• Method B
• FieldHub
• Hammerbacher
• Yanal-Yves Fargialla
• Morntag
• Piloterr
• Xavid
• Charlie S.
• Prothesis Dental Solutions
• Kai DeLorenzo

arrow-py/arrow (arrow)

v1.4.0

Compare Source

• [ADDED] Added week_start parameter to floor() and ceil() methods. PR #&#8203;1222 <https://github.com/arrow-py/arrow/pull/1222>_
• [ADDED] Added FORMAT_RFC3339_STRICT with a T separator. PR #&#8203;1201 <https://github.com/arrow-py/arrow/pull/1201>_
• [ADDED] Added Macedonian in Latin locale support. PR #&#8203;1200 <https://github.com/arrow-py/arrow/pull/1200>_
• [ADDED] Added Persian/Farsi locale support. PR #&#8203;1190 <https://github.com/arrow-py/arrow/pull/1190>_
• [ADDED] Added week and weeks to Thai locale timeframes. PR #&#8203;1218 <https://github.com/arrow-py/arrow/pull/1218>_
• [ADDED] Added weeks to Catalan locale. PR #&#8203;1189 <https://github.com/arrow-py/arrow/pull/1189>_
• [ADDED] Added Persian names of months, month-abbreviations and day-abbreviations in Gregorian calendar. PR #&#8203;1172 <https://github.com/arrow-py/arrow/pull/1172>_
• [CHANGED] Migrated Arrow to use ZoneInfo for timezones instead of pytz. PR #&#8203;1217 <https://github.com/arrow-py/arrow/pull/1217>_
• [FIXED] Fixed humanize month limits. PR #&#8203;1224 <https://github.com/arrow-py/arrow/pull/1224>_
• [FIXED] Fixed type hint of Arrow.__getattr__. PR #&#8203;1171 <https://github.com/arrow-py/arrow/pull/1171>_
• [FIXED] Fixed spelling and removed poorly used expressions in Korean locale. PR #&#8203;1181 <https://github.com/arrow-py/arrow/pull/1181>_
• [FIXED] Updated shift() method for issue #​1145. PR #&#8203;1194 <https://github.com/arrow-py/arrow/pull/1194>_
• [FIXED] Improved Greek locale translations (seconds, days, "ago", and month typo). PR #&#8203;1184 <https://github.com/arrow-py/arrow/pull/1184>, PR #&#8203;1186 <https://github.com/arrow-py/arrow/pull/1186>
• [FIXED] Addressed datetime.utcnow deprecation warning. PR #&#8203;1182 <https://github.com/arrow-py/arrow/pull/1182>_
• [INTERNAL] Added codecov test results. PR #&#8203;1223 <https://github.com/arrow-py/arrow/pull/1223>_
• [INTERNAL] Updated CI dependencies (actions/setup-python, actions/checkout, codecov/codecov-action, actions/cache).
• [INTERNAL] Added docstrings to parser.py. PR #&#8203;1010 <https://github.com/arrow-py/arrow/pull/1010>_
• [INTERNAL] Updated Python versions support and bumped CI dependencies. PR #&#8203;1177 <https://github.com/arrow-py/arrow/pull/1177>_
• [INTERNAL] Added dependabot for GitHub actions. PR #&#8203;1193 <https://github.com/arrow-py/arrow/pull/1193>_
• [INTERNAL] Moved dateutil types to test requirements. PR #&#8203;1183 <https://github.com/arrow-py/arrow/pull/1183>_
• [INTERNAL] Added documentation link for arrow.format. PR #&#8203;1180 <https://github.com/arrow-py/arrow/pull/1180>_

celery/celery (celery)

v5.6.0

Compare Source

=====

:release-date: 2025-11-30
:release-by: Tomer Nosrati

Celery v5.6.0 is now available.

Key Highlights

See :ref:`whatsnew-5.6` for a complete overview or read the main highlights below.

Python 3.9 Minimum Version
--------------------------

Celery 5.6.0 drops support for Python 3.8 (EOL). The minimum required Python
version is now 3.9. Users still on Python 3.8 must upgrade their Python version
before upgrading to Celery 5.6.0.

Additionally, this release includes initial support for Python 3.14.

SQS: Reverted to ``pycurl`` from ``urllib3``
--------------------------------------------

The switch from ``pycurl`` to ``urllib3`` for the SQS transport (introduced in
Celery 5.5.0 via Kombu) has been reverted due to critical issues affecting SQS
users:

- Processing throughput dropped from ~100 tasks/sec to ~3/sec in some environments
- ``UnknownOperationException`` errors causing container crash loops
- Silent message processing failures with no error logs

Users of the SQS transport must ensure ``pycurl`` is installed. If you removed
``pycurl`` after upgrading to Celery 5.5.0, you will need to reinstall it.

Contributed by `@auvipy <https://github.com/auvipy>`_ in
`#&#8203;9620 <https://github.com/celery/celery/pull/9620>`_.

Security Fix: Broker Credential Leak Prevention
------------------------------------------------

Fixed a security issue where broker URLs containing passwords were being logged
in plaintext by the delayed delivery mechanism. Broker credentials are now
properly sanitized in all log output.

Contributed by `@giancarloromeo <https://github.com/giancarloromeo>`_ in
`#&#8203;9997 <https://github.com/celery/celery/pull/9997>`_.

Memory Leak Fixes
-----------------

Two significant memory leaks have been fixed in this release:

**Exception Handling Memory Leak**: Fixed a critical memory leak in task exception
handling that was particularly severe on Python 3.11+ due to enhanced traceback
data. The fix properly breaks reference cycles in tracebacks to allow garbage
collection.

Contributed by `@jaiganeshs21 <https://github.com/jaiganeshs21>`_ in
`#&#8203;9799 <https://github.com/celery/celery/pull/9799>`_.

**Pending Result Memory Leak**: Fixed a memory leak where ``AsyncResult``
subscriptions were not being cleaned up when results were forgotten.

Contributed by `@tsoos99dev <https://github.com/tsoos99dev>`_ in
`#&#8203;9806 <https://github.com/celery/celery/pull/9806>`_.

ETA Task Memory Limit
---------------------

New configuration option :setting:`worker_eta_task_limit` to prevent out-of-memory
crashes when workers fetch large numbers of ETA or countdown tasks. Previously,
workers could exhaust available memory when the broker contained many scheduled tasks.

Example usage:

.. code-block:: python

    app.conf.worker_eta_task_limit = 1000

Contributed by `@sashu2310 <https://github.com/sashu2310>`_ in
`#&#8203;9853 <https://github.com/celery/celery/pull/9853>`_.

Queue Type Selection for Auto-created Queues
--------------------------------------------

New configuration options allow specifying the queue type and exchange type when
Celery auto-creates missing queues. This is particularly useful for RabbitMQ users
who want to use quorum queues with auto-created queues.

Configuration options:

- :setting:`task_create_missing_queue_type`: Sets the queue type for auto-created
  queues (e.g., ``quorum``, ``classic``)
- :setting:`task_create_missing_queue_exchange_type`: Sets the exchange type for
  auto-created queues

Example usage:

.. code-block:: python

    app.conf.task_create_missing_queue_type = 'quorum'

Contributed by `@ghirailghiro <https://github.com/ghirailghiro>`_ in
`#&#8203;9815 <https://github.com/celery/celery/pull/9815>`_.

What's Changed

• Prepare for release: v5.6.0 (#​10010)

.. _version-5.6.0rc2:

pyca/cryptography (cryptography)

v46.0.3

Compare Source

jrief/django-admin-sortable2 (django-admin-sortable2)

v2.3

Compare Source

• Prepare for Django-6.0.
• fix #​397: Remove Django popup when using list action after dragging items in list view.
• fix #​417: Increase height of drag area in Stacked-Inlines.
• fix #​371: default_order_field might not be set on model.
• fix #​400: Check for change permission when rendering "Move" actions in list view.
• fix #​408: Validate POST request from action form.
• fix #​423: Remove novalidate from action form in list view.
• fix #​425: Give better explanation what to do if ordering numbers get negative.

SmileyChris/django-countries (django-countries)

v8.2.0

Compare Source

Features

• Add django_countries.django_filters.CountryFilter for django-filters integration with support for custom empty_label. This filter automatically sets country choices and seamlessly integrates with django-filters FilterSets, making it easier to add country filtering to your views. (#​307)

• Enable CountryFieldMixin to accept name_only, country_dict, and output customization options via Meta.extra_kwargs. You can now configure country field serialization behavior without explicitly declaring serializer fields, making it easier to customize output for both single and multiple country fields. (#​414)

• CountryField(country_dict=...) now accepts either a boolean (existing behaviour) or an iterable/string of keys so you can control exactly which values appear in the serialized country dict (for example ("code", "name", "alpha3") or just "alpha3"). (#​416)

• Add COUNTRIES_FIRST_BY_LANGUAGE and COUNTRIES_FIRST_AUTO_DETECT settings for dynamic country ordering based on user language. Countries can now be automatically reordered based on the current language, with locale-based auto-detection (e.g., fr-CA users see Canada prepended to the French country group). (#​418)

• Add support for custom flag_url in COUNTRIES_OVERRIDE setting. You can now specify a custom flag URL for overridden countries:

  COUNTRIES_OVERRIDE = {
      "IND": {
          "names": ["Indonesia"],
          "ioc_code": "INA",
          "flag_url": "flags/id.gif",
      },
  }

  This is particularly useful when using custom country codes that need to reference existing flag images. (#​449)

• Add countries_context() context manager for temporary, thread-local override of country configuration options. Supports all country options (first, only, first_sort, first_repeat, first_break, first_by_language, first_auto_detect), enabling per-request customization based on user preferences, IP geolocation, or other dynamic factors. Each option independently overrides its corresponding setting with the highest priority.

Bugfixes

• Fix CountryField serializer to respect current language when deserializing localized country names. The field now automatically uses Django's get_language() to detect the active language and falls back to English if the country name is not found in the current language. (#​407)
• Fixed CountryFilter to support filtering on CountryField through relations (e.g., list_filter = [("contact__country", CountryFilter)]). Previously this would fail with a FieldError. (#​432)
• Fixed CountryFilter admin filter to work correctly with CountryField(multiple=True). The filter now uses the __contains lookup instead of exact matching to properly find records where the selected country appears in the comma-separated country list. (#​445)
• Added support for empty_label parameter in CountryField.formfield() to customize the blank choice label in form fields. This allows using empty_label="" for an empty label or empty_label="Custom text" for custom text, resolving the issue where empty_label was previously ignored. (#​466)
• Fixed type annotation for CountryField.countries parameter in stub file to accept type[Countries] instead of Countries instance, resolving mypy errors when using custom Countries subclasses. Also removed unnecessary exclusion of tests from mypy checking. (#​482)

Misc

• Refactored deployment script from bash (244 lines) to Python using click for better maintainability and testability. The script is now in scripts/deploy.py with these improvements:

  • Interactive mode: Run just deploy without arguments to get an interactive prompt showing version options (e.g., "8.1.1 → 8.2.0")
  • Enhanced dry-run: DRY_RUN=1 now validates package builds, documentation builds, runs pre-commit checks, shows full changelog preview, checks PyPI for existing versions, displays translation status, and checks for uncommitted changes (same as real run)
  • Comprehensive summary: Shows a detailed list of completed steps at the end of each run
  • Allow dirty: --allow-dirty flag to bypass git status check when needed (not recommended for production)
  • Better error handling: Clear error messages with proper exception types
  • Colorful output: Uses click's styling for better readability

v8.1.1

Compare Source

Bugfixes

• Fixed CountryField(multiple=True) not marking selected options in Django forms. (#​480)

v8.1.0

Compare Source

Features

• DRF serializer fields now respect the allow_null parameter, returning None for NULL values when allow_null=True.
  This enables better API consistency and is particularly useful with unique=True constraints, which allow multiple NULL values but not multiple empty strings in the database. (#​453)
• Add support for null=True on multiple country fields, allowing This nullable unique constraints on multiple country fields.
  CountryField(multiple=True, null=True) now returns None for NULL database values instead of crashing and the historical system check E100 that blocked multiple=True + null=True has been removed. (#​453)

Bugfixes

• Fixed OpenAPI schema generation for CountryField when using country_dict=True or name_only=True. The field now correctly generates an object schema (with code and name properties) for country_dict=True and a string schema for name_only=True, instead of incorrectly generating an enum schema. This fixes schema generation for both DRF's built-in OpenAPI support and drf-spectacular, enabling accurate TypeScript client generation and other API tooling. (#​441)
• Major performance enhancement for Django admin. Added per-language caching to Countries.__iter__(), delivering 20-40× speedup when displaying CountryField in list_display (admin changelist now renders in <0.5s instead of 6-10s). (#​454)
• Fixed a regression where a country field allowing for selection of multiple countries could not be added to using the + operator. (#​455)

v8.0.1

Compare Source

Bugfixes

• Fixed required attribute not being rendered on form widgets when using COUNTRIES_FIRST_BREAK setting. The separator option now correctly allows the field to remain required for HTML5 validation. (#​280)
• Fixed Transifex translation pull workflow to use git commit timestamps instead of filesystem modification times, preventing translations from being incorrectly skipped. Updated German (de), Afrikaans (af), Slovak (sk), and Slovenian (sl) translations.

Misc

• Add OLD_NAMES for Bahamas and Netherlands to support translation fallback when country names change. Updated translation workflow to generate English source locale and automatically push to Transifex during releases.

v8.0.0

Compare Source

Note: This release includes all changes from the yanked versions 7.8, 7.9, and 7.9.1, which were yanked because they inadvertently dropped Python 3.7 support without a major version bump.

Features

• Added common names for six additional countries/territories: Democratic Republic of the Congo (CD), South Georgia (GS), Netherlands (NL), Palestine (PS), Saint Helena (SH), and Vatican City (VA). These provide friendlier, shorter names when COUNTRIES_COMMON_NAMES is enabled (default).

Bugfixes

• Fix COUNTRIES_OVERRIDE to support custom country codes that are 3 characters long. Previously, 3-character codes were incorrectly treated as alpha3 codes and resolved to existing countries. (#​474)
• Fixed TypeError "unhashable type: 'list'" when using CountryField(multiple=True) in Django admin list_display. (#​311)
• Fixed CountryField(multiple=True) displaying "-" instead of country names in Django admin readonly_fields. (#​463)
• Fixed incorrect max_length calculation for CountryField(multiple=True) when using COUNTRIES_FIRST with COUNTRIES_FIRST_REPEAT. (#​469)
• Updated country names to match ISO 3166-1 OBP: Bahamas (The) and Netherlands (Kingdom of the). Also improved self_generate() regex to handle type hints in dictionary declarations.

Improved Documentation

• Added MkDocs documentation site and simplified README to focus on quick start with link to full documentation.
• Consolidated release documentation into CONTRIBUTING.md and improved development setup instructions.
• Added documentation warning that CountryField does not support Django's autocomplete_fields in admin or third-party admin filter packages like more_admin_filters. (#​473)
• Added comprehensive documentation on ISO 3166-1 country name formatting, explaining parentheses vs commas usage, capitalization of "the", and addressing common political objections about territories like Taiwan, Kosovo, Hong Kong, and Palestine.

Deprecations and Removals

• Drop Python 3.7 support. Python 3.7 reached end-of-life in June 2023. The minimum supported Python version is now 3.8.

Misc

• Expanded test matrix to cover Python 3.8-3.13 and Django 3.2-5.1 with improved test infrastructure.
• Fixed various code quality issues identified by ruff linter, including improved string formatting and file handling.
• Migrated build system from setuptools to uv_build for faster and more modern package building.
• Simplified release process with automated just deploy command and towncrier for changelog management.
• Fix unnecessary list comprehension in test_tags.py

v7.9.1

Compare Source

Bugfixes

• Fix COUNTRIES_OVERRIDE to support custom country codes that are 3 characters long. Previously, 3-character codes were incorrectly treated as alpha3 codes and resolved to existing countries. (#​474)

Note: This release was yanked because it inadvertently dropped Python 3.7 support without a major version bump. Use 8.0.0 or later instead.

v7.9

Compare Source

Bugfixes

• Fix COUNTRIES_OVERRIDE to support custom country codes that are 3 characters long. Previously, 3-character codes were incorrectly treated as alpha3 codes and resolved to existing countries. (#​474)

Note: This release was yanked because it inadvertently dropped Python 3.7 support without a major version bump. Use 8.0.0 or later instead.

v7.8

Compare Source

Where'd 7.7 go? Well 7.6 was accidentally bumped to 7.8 because of the new release process!

Note: This release was yanked because it inadvertently dropped Python 3.7 support without a major version bump. Use 8.0.0 or later instead.

Improved Documentation

• Added MkDocs documentation site and simplified README to focus on quick start with link to full documentation.
• Consolidated release documentation into CONTRIBUTING.md and improved development setup instructions.

Misc

• Expanded test matrix to cover Python 3.8-3.13 and Django 3.2-5.1 with improved test infrastructure.
• Fixed various code quality issues identified by ruff linter, including improved string formatting and file handling.
• Migrated build system from setuptools to uv_build for faster and more modern package building.
• Simplified release process with automated just deploy command and towncrier for changelog management.

tfranzel/drf-spectacular-sidecar (drf-spectacular-sidecar)

v2025.12.1

Compare Source

tfranzel/drf-spectacular (drf_spectacular)

v0.29.0

Compare Source

• Add l18n handling for Decimal field #&#8203;1466 <https://github.com/tfranzel/drf-spectacular/issues/1466>_
• Fix LogoutSerializer for JWT/dj_rest_auth #&#8203;1392 <https://github.com/tfranzel/drf-spectacular/issues/1392>_
• fix: support token blacklist feature in rest_auth [Bart van Andel]
• [django-filter] Add null_label if set in ChoiceFilter (#&#8203;1450 <https://github.com/tfranzel/drf-spectacular/issues/1450>_) [Enric Pou]
• fix: camelize tuples/fixed length array (#&#8203;1432 <https://github.com/tfranzel/drf-spectacular/issues/1432>_) [Chris Wesseling]
• Fix items:False case in enum hook #&#8203;1432 <https://github.com/tfranzel/drf-spectacular/issues/1432>_
• Add option to overwrite serializer description #&#8203;1463 <https://github.com/tfranzel/drf-spectacular/issues/1463>_
• Fix OpenApiViewExtension not providing view instance under self.target (#&#8203;1405 <https://github.com/tfranzel/drf-spectacular/issues/1405>_) [astro-stan]
• Move list default fix to source of the problem #&#8203;1436 <https://github.com/tfranzel/drf-spectacular/issues/1436>_
• Improve confusing doc #&#8203;1461 <https://github.com/tfranzel/drf-spectacular/issues/1461>_
• Add assert to pagination test #&#8203;1459 <https://github.com/tfranzel/drf-spectacular/issues/1459>_
• fix SafeString handling for picky CDumper (#&#8203;1435 <https://github.com/tfranzel/drf-spectacular/issues/1435>_)
• Remove EOL 3.7 from suite; pydantic not updated for <=3.8
• Fix DecimalField with decimal_places and max_digits equal. [keter2002]
• fix test for i18n changes on DRF (#&#8203;1444 <https://github.com/tfranzel/drf-spectacular/issues/1444>_)
• Improve to_filter_name support for django_filter [Matwey V. Kornilov]
• fixes prefix estimation on windows [Luis Nell]
• Fix default for array types [Stanislav Khlud]
• fix: use CSafeDumper for render yaml if available [florian]
• fix: sort list to produce same hash [florian]
• Add typing.Generic to default lib_doc_excludes [Max Howald]
• Add get_doc test for class that inherits from Generic [Max Howald]
• Add Django REST framework 3.16 support [Paolo Melchiorre]
• Fix memory leak [artemkucher]
• Fix python 3.11 slice index [Egor Litvinov]
• fix: correct port mapping for the container in README [Maksym Bieńkowski]
• Update docs [q0w]
• Allow setting callable for ENUM_NAME_OVERRIDES [q0w]
• Add allauth's DRF token auth #&#8203;1401 <https://github.com/tfranzel/drf-spectacular/issues/1401>_
• update away from retired GH worker image
• add condition to check, that serializer Meta has model attribute [aliev_vt]
• Fix docs compile issue and update some old code (#&#8203;1389 <https://github.com/tfranzel/drf-spectacular/issues/1389>_) [Mike Manger]
• Fix location of @​extend_schema_field [johnthagen]
• Remove reference to non-exposed lazy_serializer [johnthagen]
• Document how to lazily define a recursive SerializerMethod [johnthagen]
• Link to SerializerMethod docs [johnthagen]
• Document Django 5.1 support in README [johnthagen]
• Bump django from 4.2.11 to 4.2.18 in /requirements [dependabot[bot]]
• Enhance bug report template with instructions for better clarity [antoliny0919]
• add pydantic computed field to tests #&#8203;1354 <https://github.com/tfranzel/drf-spectacular/issues/1354>_

Breaking changes / important additions:

• Finally fixed the memory leak thanks to @​artKucher.
• Another performance improvement is the usage of the C versions of yaml, if available.
• Apart from that, there are a lot of small improvements and bugfixes.

Python-Markdown/markdown (markdown)

v3.10

Compare Source

psycopg/psycopg (psycopg)

v3.3.2

Compare Source

v3.3.1

Compare Source

v3.3.0

Compare Source

v3.2.13

Compare Source

v3.2.12

Compare Source

v3.2.11

Compare Source

pytest-dev/pyfakefs (pyfakefs)

v5.10.2

Compare Source

Fixes a problem with pathlib.glob in Python 3.14.

Fixes

• fixed pathlib.glob() for Python 3.14 (see #​1239)

v5.10.1

Compare Source

Fixes a regression introduced in version 5.9.0.

Fixes

• fixed a deadlock in shutil.copytree if copying using an shutil function as
  copy_function argument (see #​1235)

pylint-dev/pylint (pylint)

v4.0.4

Compare Source

What's new in Pylint 4.0.4?

Release date: 2025-11-30

False Positives Fixed

• Fixed false positive for invalid-name where module-level constants were incorrectly classified as variables when a class-level attribute with the same name exists.

  Closes #​10719

• Fix a false positive for invalid-name on an UPPER_CASED name inside an if branch that assigns an object.

  Closes #​10745

v4.0.3

Compare Source

What's new in Pylint 4.0.3?

Release date: 2025-11-13

False Positives Fixed

• Add Enum dunder methods _generate_next_value_, _missing_, _numeric_repr_, _add_alias_, and _add_value_alias_ to the list passed to --good-dunder-names.

  Closes #​10435

• Fixed false positive for invalid-name with typing.Annotated.

  Closes #​10696

• Fix false positive for f-string-without-interpolation with template strings
  when using format spec.

  Closes #​10702

• Fix a false positive when an UPPER_CASED class attribute was raising an
  invalid-name when typed with Final.

  Closes #​10711

• Fix a false positive for unbalanced-tuple-unpacking when a tuple is assigned to a function call and the structure of the function's return value is ambiguous.

  Closes #​10721

Other Bug Fixes

• Make 'ignore' option work as expected again.

  Closes #​10669

• Fix crash for consider-using-assignment-expr when a variable annotation without assignment
  is used as the if test expression.

  Closes #​10707

• Fix crash for prefer-typing-namedtuple and consider-math-not-float when
  a slice object is called.

  Closes #​10708

v4.0.2

Compare Source

False Positives Fixed

• Fix false positive for invalid-name on a partially uninferable module-level constant.

  Closes #​10652

• Fix a false positive for invalid-name on exclusive module-level assignments
  composed of three or more branches. We won't raise disallowed-name on module-level names that can't be inferred
  until a further refactor to remove this false negative is done.

  Closes #​10664

• Fix false positive for invalid-name for TypedDict instances.

  Closes #​10672

v4.0.1

Compare Source

What's new in Pylint 4.0.1?

Release date: 2025-10-14

False Positives Fixed

• Exclude __all__ and __future__.annotations from unused-variable.

  Closes #​10019

• Fix false-positive for bare-name-capture-pattern if a case guard is used.

  Closes #​10647

• Check enums created with the Enum() functional syntax to pass against the
  --class-rgx for the invalid-name check, like other enums.

  Closes #​10660

v4.0.0

Compare Source

• Pylint now supports Python 3.14.

• Pylint's inference engine (astroid) is now much more precise,
  understanding implicit booleanness and ternary expressions. (Thanks @​zenlyj!)

Consider this example:

class Result:
    errors: dict | None = None

result = Result()
if result.errors:
    result.errors[field_key]

##### inference engine understands result.errors cannot be None
##### pylint no longer raises unsubscriptable-object

The required astroid version is now 4.0.0. See the astroid changelog for additional fixes, features, and performance improvements applicable to pylint.

• Handling of invalid-name at the module level was patchy. Now,
  module-level constants that are reassigned are treated as variables and checked
  against --variable-rgx rather than --const-rgx. Module-level lists,
  sets, and objects can pass against either regex.

Here, LIMIT is reassigned, so pylint only uses --variable-rgx:

LIMIT = 500  # [invalid-name]
if sometimes:
    LIMIT = 1  # [invalid-name]

If this is undesired, refactor using exclusive assignment so that it is
evident that this assignment happens only once:

if sometimes:
    LIMIT = 1
else:
    LIMIT = 500  # exclusive assignment: uses const regex, no warning

Lists, sets, and objects still pass against either const-rgx or variable-rgx
even if reassigned, but are no longer completely skipped:

MY_LIST = []
my_list = []
My_List = []  # [invalid-name]

Remember to adjust the regexes and allow lists to your liking.

Breaking Changes

• invalid-name now distinguishes module-level constants that are assigned only once
  from those that are reassigned and now applies --variable-rgx to the latter. Values
  other than literals (lists, sets, objects) can pass against either the constant or
  variable regexes (e.g. "LOGGER" or "logger" but not "LoGgEr").

  Remember that --good-names or --good-names-rgxs can be provided to explicitly
  allow good names.

  Closes #​3585

• The unused pylintrc argument to PyLinter.__init__() is deprecated
  and will be removed.

  Refs #​6052

• Commented out code blocks such as # bar() # TODO: remove dead code will no longer emit fixme.

  Refs #​9255

• pyreverse Run was changed to no longer call sys.exit() in its __init__.
  You should now call Run(args).run() which will return the exit code instead.
  Having a class that always raised a SystemExit exception was considered a bug.

  Normal usage of pyreverse through the CLI will not be affected by this change.

  Refs #​9689

• The suggestion-mode option was removed, as pylint now always emits user-friendly hints instead
  of false-positive error messages. You should remove it from your conf if it's defined.

  Refs #​9962

• The async.py checker module has been renamed to async_checker.py since async is a Python keyword
  and cannot be imported directly. This allows for better testing and extensibility of the async checker functionality.

  Refs #​10071

• The message-id of continue-in-finally was changed from E0116 to W0136. The warning is
  now emitted for every Python version since it will raise a syntax warning in Python 3.14.
  See PEP 765 - Disallow return/break/continue that exit a finally block.

  Refs #​10480

• Removed support for nmp.NaN alias for numpy.NaN being recognized in ':ref:nan-comparison'. Use np or numpy instead.

  Refs #​10583

• Version requirement for isort has been bumped to >=5.0.0.
  The internal compatibility for older isort versions exposed via pylint.utils.IsortDriver has
  been removed.

  Refs #​10637

New Features

• comparison-of-constants now uses the unicode from the ast instead of reformatting from
  the node's values preventing some bad formatting due to utf-8 limitation. The message now uses
  " instead of ' to better work with what the python ast returns.

  Refs #​8736

• Enhanced pyreverse to properly distinguish between UML relationship types (association, aggregation, composition) based on object ownership semantics. Type annotations without assignment are now treated as associations, parameter assignments as aggregations, and object instantiation as compositions.

  Closes #​9045
  Closes #​9267

• The fixme check can now search through docstrings as well as comments, by using
  check-fixme-in-docstring = true in the [tool.pylint.miscellaneous] section.

  Closes #​9255

• The use-implicit-booleaness-not-x checks now distinguish between comparisons
  used in boolean contexts and those that are not, enabling them to provide more accurate refactoring suggestions.

  Closes #​9353

• The verbose option now outputs the filenames of the files that have been checked.
  Previously, it only included the number of checked and skipped files.

  Closes #​9357

• colorized reporter now colorizes mess

---

Configuration

📅 Schedule: Branch creation - "before 7am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.