Bump the all-dependencies group across 1 directory with 24 updates

[dependabot]

Bumps the all-dependencies group with 24 updates in the /api directory:

Package	From	To
boto3	1.42.39	1.42.89
botocore	1.42.39	1.42.89
certifi	2026.1.4	2026.2.25
charset-normalizer	3.4.4	3.4.7
click	8.3.1	8.3.2
greenlet	3.3.1	3.4.0
importlib-metadata	8.7.1	9.0.0
pydantic	2.12.5	2.13.0
pydantic-core	2.41.5	2.46.0
pytz	2025.2	2026.1.post1
requests	2.33.0	2.33.1
sqlalchemy	2.0.46	2.0.49
werkzeug	3.1.6	3.1.8
zipp	3.23.0	3.23.1
pip	26.0	26.0.1
pip-tools	7.5.2	7.5.3
cachetools	6.2.6	7.0.5
chardet	5.2.0	7.4.3
coverage	7.13.2	7.13.5
filelock	3.20.3	3.25.2
identify	2.6.16	2.6.18
platformdirs	4.5.1	4.9.6
tox	4.34.1	4.53.0
virtualenv	20.36.1	21.2.3

Updates boto3 from 1.42.39 to 1.42.89

Commits

• 54a9dc1 Merge branch 'release-1.42.89'
• 730d84c Bumping version to 1.42.89
• 6b65768 Add changelog entries from botocore
• f92a06c Merge branch 'release-1.42.88'
• 5da0f6a Merge branch 'release-1.42.88' into develop
• 9bdec29 Bumping version to 1.42.88
• d880788 Add changelog entries from botocore
• 39a4122 chore: add additional text to CONTRIBUTING.rst (#4749)
• 8d65320 Merge branch 'release-1.42.87'
• fdcbb88 Merge branch 'release-1.42.87' into develop
• Additional commits viewable in compare view

Updates botocore from 1.42.39 to 1.42.89

Commits

• 9b76a62 Merge branch 'release-1.42.89'
• 9402965 Bumping version to 1.42.89
• d7f945c Update endpoints model
• b84a3d3 Update to latest models
• 974e23f Merge branch 'release-1.42.88'
• 3ed8b67 Merge branch 'release-1.42.88' into develop
• ec1ea27 Bumping version to 1.42.88
• 67dcb88 Update to latest models
• 55f7dc1 chore: add additional text to CONTRIBUTING.rst (#3662)
• 215aec9 Merge branch 'release-1.42.87'
• Additional commits viewable in compare view

Updates certifi from 2026.1.4 to 2026.2.25

Commits

• 8571a4b 2026.02.25 (#395)
• 6f7de00 Bump peter-evans/create-pull-request from 8.0.0 to 8.1.0 (#390)
• a1de59b Bump actions/checkout from 6.0.1 to 6.0.2 (#391)
• 7f5ade5 Bump actions/setup-python from 6.1.0 to 6.2.0 (#392)
• See full diff in compare view

Updates charset-normalizer from 3.4.4 to 3.4.7

Release notes

Sourced from charset-normalizer's releases.

Version 3.4.7

3.4.7 (2026-04-02)

Changed

• Pre-built optimized version using mypy[c] v1.20.
• Relax setuptools constraint to setuptools>=68,<82.1.

Fixed

• Correctly remove SIG remnant in utf-7 decoded string. (#718) (#716)

Version 3.4.6

3.4.6 (2026-03-15)

Changed

• Flattened the logic in charset_normalizer.md for higher performance. Removed eligible(..) and feed(...) in favor of feed_info(...).
• Raised upper bound for mypy[c] to 1.20, for our optimized version.
• Updated UNICODE_RANGES_COMBINED using Unicode blocks v17.

Fixed

• Edge case where noise difference between two candidates can be almost insignificant. (#672)
• CLI --normalize writing to wrong path when passing multiple files in. (#702)

Misc

• Freethreaded pre-built wheels now shipped in PyPI starting with 3.14t. (#616)

Version 3.4.5

3.4.5 (2026-03-06)

Changed

• Update setuptools constraint to setuptools>=68,<=82.
• Raised upper bound of mypyc for the optional pre-built extension to v1.19.1

Fixed

• Add explicit link to lib math in our optimized build. (#692)
• Logger level not restored correctly for empty byte sequences. (#701)
• TypeError when passing bytearray to from_bytes. (#703)

Misc

• Applied safe micro-optimizations in both our noise detector and language detector.
• Rewrote the query_yes_no function (inside CLI) to avoid using ambiguous licensed code.
• Added cd.py submodule into mypyc optional compilation to reduce further the performance impact.

[!WARNING]
mypyc changed the usual binary output for the optimized wheel. Beware, especially if using PyInstaller or alike. See jawah/charset_normalizer#714

Changelog

Sourced from charset-normalizer's changelog.

3.4.7 (2026-04-02)

Changed

• Pre-built optimized version using mypy[c] v1.20.
• Relax setuptools constraint to setuptools>=68,<82.1.

Fixed

• Correctly remove SIG remnant in utf-7 decoded string. (#718) (#716)

3.4.6 (2026-03-15)

Changed

• Flattened the logic in charset_normalizer.md for higher performance. Removed eligible(..) and feed(...) in favor of feed_info(...).
• Raised upper bound for mypy[c] to 1.20, for our optimized version.
• Updated UNICODE_RANGES_COMBINED using Unicode blocks v17.

Fixed

• Edge case where noise difference between two candidates can be almost insignificant. (#672)
• CLI --normalize writing to wrong path when passing multiple files in. (#702)

Misc

• Freethreaded pre-built wheels now shipped in PyPI starting with 3.14t. (#616)

3.4.5 (2026-03-06)

Changed

• Update setuptools constraint to setuptools>=68,<=82.
• Raised upper bound of mypyc for the optional pre-built extension to v1.19.1

Fixed

• Add explicit link to lib math in our optimized build. (#692)
• Logger level not restored correctly for empty byte sequences. (#701)
• TypeError when passing bytearray to from_bytes. (#703)

Misc

• Applied safe micro-optimizations in both our noise detector and language detector.
• Rewrote the query_yes_no function (inside CLI) to avoid using ambiguous licensed code.
• Added cd.py submodule into mypyc optional compilation to reduce further the performance impact.

Commits

• 0f07891 Merge pull request #729 from jawah/release-3.4.7
• fdbeb29 chore: update dev, and ci requirements
• b66f922 chore: add ft classifier
• f94249d chore: add test cases for utf_7 recent fix
• 95c866f chore: bump version to 3.4.7
• 4f429bb chore: bump mypy pre-commit to v1.20
• b579cd6 fix: correctly remove SIG remnant in utf-7 decoded string
• 58bf944 ⬆️ Bump github/codeql-action from 4.32.4 to 4.35.1 (#728)
• 44cf8a1 ⬆️ Bump actions/download-artifact from 8.0.0 to 8.0.1 (#726)
• 362bc20 ⬆️ Bump docker/setup-qemu-action from 3.7.0 to 4.0.0 (#725)
• Additional commits viewable in compare view

Updates click from 8.3.1 to 8.3.2

Release notes

Sourced from click's releases.

8.3.2

This is the Click 8.3.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.3.2/ Changes: https://click.palletsprojects.com/page/changes/#version-8-3-2 Milestone: https://github.com/pallets/click/milestone/29

• Fix handling of flag_value when is_flag=False to allow such options to be used without an explicit value. #3084 #3152
• Hide Sentinel.UNSET values as None when using lookup_default(). #3136 #3199 #3202 #3209 #3212 #3224
• Prevent _NamedTextIOWrapper from closing streams owned by StreamMixer. #824 #2991 #2993 #3110 #3139 #3140
• Add comprehensive tests for CliRunner stream lifecycle, covering logging interaction, multi-threaded safety, and sequential invocation isolation. Add high-iteration stress tests behind a stress marker with a dedicated CI job. #3139
• Fix callable flag_value being instantiated when used as a default via default=True. #3121 #3201 #3213 #3225

Changelog

Sourced from click's changelog.

Version 8.3.2

Released 2026-04-02

• Fix handling of flag_value when is_flag=False to allow such options to be used without an explicit value. :issue:3084 :pr:3152
• Hide Sentinel.UNSET values as None when using lookup_default(). :issue:3136 :pr:3199 :pr:3202 :pr:3209 :pr:3212 :pr:3224
• Prevent _NamedTextIOWrapper from closing streams owned by StreamMixer. :issue:824 :issue:2991 :issue:2993 :issue:3110 :pr:3139 :pr:3140
• Add comprehensive tests for CliRunner stream lifecycle, covering logging interaction, multi-threaded safety, and sequential invocation isolation. Add high-iteration stress tests behind a stress marker with a dedicated CI job. :pr:3139
• Fix callable flag_value being instantiated when used as a default via default=True. :issue:3121 :pr:3201 :pr:3213 :pr:3225

Commits

• 052c006 Change update release date.
• 502b7ce Merge branch 'stable' of https://github.com/pallets/click into release-8.3.2
• a0a37e4 Change publish to werkzeug latest. (#3301)
• 57be6fc Change publish to werkzeug latest.
• 781d6a8 Update publish workflows (#3266)
• ff795b6 Update precommit pins with tox
• dd87ef4 Update github action pins with tox
• 93d3f9d Release version 8.3.2
• 3299ba1 Add missing PR to changelog. (#3264)
• b7f62c4 Add missing PR to changelog.
• Additional commits viewable in compare view

Updates greenlet from 3.3.1 to 3.4.0

Changelog

Sourced from greenlet's changelog.

3.4.0 (2026-04-08)

• Publish binary wheels for RiscV 64.

• Fix multiple rare crash paths during interpreter shutdown.

  Note that this now relies on the atexit module, and introduces subtle API changes during interpreter shutdown (for example, getcurrent is no longer available once the atexit callback fires).

  See PR [#499](https://github.com/python-greenlet/greenlet/issues/499) <https://github.com/python-greenlet/greenlet/pull/499>_ by Nicolas Bouvrette.

• Address the results of an automated code audit performed by Daniel Diniz. This includes several minor correctness changes that theoretically could have been crashing bugs, but typically only in very rare circumstances.

  See PR 502 <https://github.com/python-greenlet/greenlet/pull/502>_.

• Fix several race conditions that could arise in free-threaded builds when using greenlet objects from multiple threads, some of which could lead to assertion failures or interpreter crashes.

  See issue 503 <https://github.com/python-greenlet/greenlet/issues/503>_, with thanks to Nitay Dariel and Daniel Diniz.

3.3.2 (2026-02-20)

• Fix a crash on Python 3.10 if there are active greenlets during interpreter shutdown. See PR 495 <https://github.com/python-greenlet/greenlet/pull/495>_ by Nicolas Bouvrette.

Commits

• df6734e Preparing release 3.4.0
• 0f86075 Merge pull request #504 from python-greenlet/freethreading-fixes
• 4596574 TLBC: crash appears to still happen on CI 3.14t ubuntu. Re-enable workaround.
• 2f4a1cf Make green_switch (python level greenlet.switch) and green_throw check for (p...
• a0c2a2a Fix unused variable warning when asserts are disabled.
• 8688581 gcc was complaining about an incomplete std::atomic type. make sure we includ...
• 449c760 Make MainGreenlet._thread_state atomic; we use it for cross thread checking a...
• f840e00 Add critical sections to greenlet attribute accessors.
• 6b281d3 test_contextvars: No need for the fallback case where contextvars isn't avail...
• f52615a Merge pull request #502 from python-greenlet/devdanzin-audit
• Additional commits viewable in compare view

Updates importlib-metadata from 8.7.1 to 9.0.0

Changelog

Sourced from importlib-metadata's changelog.

v9.0.0

Deprecations and Removals

• Added MetadataNotFound (subclass of FileNotFoundError) and updated Distribution.metadata/metadata() to raise it when the metadata files are missing instead of returning Nonepython/cpython#143387#532)

v8.9.0

Features

• python/cpython#110937python/cpython#140141, python/cpython#143658)

v8.8.0

Features

• Removed Python 3.9 compatibility.

Commits

• a9f883f Finalize
• 9b0dfdf Raise an exception when no metadata file is found (#532)
• 0f2229c Merge branch 'main' into feature/no-metadata-exception
• 2f4088e Remove news fragments about internal details.
• 0ac2720 Add news fragment.
• a5c2154 Finalize
• e66e226 Drop support for EOL Python 3.9 (#530)
• 6027933 Add news fragment.
• b89388a Import os_helper directly.
• 2dcb761 Add uniform exclusions for test.support.
• Additional commits viewable in compare view

Updates pydantic from 2.12.5 to 2.13.0

Release notes

Sourced from pydantic's releases.

v2.13.0 2026-04-13

v2.13.0 (2026-04-13)

The highlights of the v2.13 release are available in the blog post. Several minor changes (considered non-breaking changes according to our versioning policy) are also included in this release. Make sure to look into them before upgrading.

This release contains the updated pydantic.v1 namespace, matching version 1.10.26 which includes support for Python 3.14.

What's Changed

See the beta releases for all changes sinces 2.12.

Packaging

• Add zizmor for GitHub Actions workflow linting by @​Viicos in #13039
• Update jiter to v0.14.0 to fix a segmentation fault on musl Linux by @​Viicos in #13064

New Features

• Allow default factories of private attributes to take validated model data by @​Viicos in #13013

Changes

• Warn when serializing fixed length tuples with too few items by @​arvindsaripalli in #13016

Fixes

• Change type of Any when synthesizing _build_sources for BaseSettings.__init__() signature in the mypy plugin by @​Viicos in #13049
• Fix model equality when using runtime extra configuration by @​Viicos in #13062

New Contributors

• @​arvindsaripalli made their first contribution in #13016

Full Changelog: pydantic/pydantic@v2.12.0...v2.13.0

v2.13.0b3 2026-03-31

What's Changed

Packaging

• Add riscv64 build target for manylinux by @​boosterl in #12723

New Features

• Add ascii_only option to StringConstraints by @​ai-man-codes in #12907
• Support exclude_if in computed fields by @​andresliszt in #12748
• Push down constraints in unions involving MISSING sentinel by @​Viicos in #12908

... (truncated)

Changelog

Sourced from pydantic's changelog.

v2.13.0 (2026-04-13)

GitHub release

The highlights of the v2.13 release are available in the blog post. Several minor changes (considered non-breaking changes according to our versioning policy) are also included in this release. Make sure to look into them before upgrading.

This release contains the updated pydantic.v1 namespace, matching version 1.10.26 which includes support for Python 3.14.

What's Changed

See the beta releases for all changes sinces 2.12.

New Features

• Allow default factories of private attributes to take validated model data by @​Viicos in #13013

Changes

• Warn when serializing fixed length tuples with too few items by @​arvindsaripalli in #13016

Fixes

• Change type of Any when synthesizing _build_sources for BaseSettings.__init__() signature in the mypy plugin by @​Viicos in #13049
• Fix model equality when using runtime extra configuration by @​Viicos in #13062

Packaging

• Add zizmor for GitHub Actions workflow linting by @​Viicos in #13039
• Update jiter to v0.14.0 to fix a segmentation fault on musl Linux by @​Viicos in #13064

New Contributors

• @​arvindsaripalli made their first contribution in #13016

v2.13.0b3 (2026-03-31)

GitHub release

What's Changed

New Features

• Add ascii_only option to StringConstraints by @​ai-man-codes in #12907
• Support exclude_if in computed fields by @​andresliszt in #12748
• Push down constraints in unions involving MISSING sentinel by @​Viicos in #12908

Changes

... (truncated)

Commits

• 46bf4fa Fix Pydantic release workflow (#13067)
• 1b359ed Prepare release v2.13.0 (#13065)
• b1bf194 Fix model equality when using runtime extra configuration (#13062)
• 17a35e3 Update jiter to v0.14.0 (#13064)
• feea402 Use simulation mode in Codspeed CI (#13063)
• 671c9b0 Add basic benchmarks for model equality (#13061)
• d17d71e Bump cryptography from 46.0.6 to 46.0.7 (#13056)
• 919d61a 👥 Update Pydantic People (#13059)
• e7cf5dc Fix people workflow (#13047)
• 2a806ad Add regression test for MISSING sentinel serialization with subclasses (#13...
• Additional commits viewable in compare view

Updates pydantic-core from 2.41.5 to 2.46.0

Commits

• See full diff in compare view

Updates pytz from 2025.2 to 2026.1.post1

Commits

• 02509d0 Update test runners for new Pythons and github actions
• 43c1cb2 Bump version number to 2026.1.post1
• 6ee7e56 Try to access resource using importlib.resources
• 95fe75d Bump version number to 2026.1 (2026a)
• 7034275 Updates for upstream directory layout changes
• 4dd79d3 IANA 2026a
• 08d7e76 Squashed 'tz/' changes from 7e1145bfdb..e23c045f8f
• b07d947 try to access resource using importlib.resources
• See full diff in compare view

Updates requests from 2.33.0 to 2.33.1

Release notes

Sourced from requests's releases.

v2.33.1

2.33.1 (2026-03-30)

Bugfixes

• Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
• Fixed Content-Type header parsing for malformed values. (#7309)
• Improved error consistency for malformed header values. (#7308)

New Contributors

• @​ferdnyc made their first contribution in psf/requests#7277

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30

Changelog

Sourced from requests's changelog.

2.33.1 (2026-03-30)

Bugfixes

• Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
• Fixed Content-Type header parsing for malformed values. (#7309)
• Improved error consistency for malformed header values. (#7308)

Commits

• 111d2b7 v2.33.1
• f0198e6 Fix malformed value parsing for Content-Type (#7309)
• bc7dd0f Fix cosmetic header validity parsing regex (#7308)
• 4443b1a Fix unintended test extra (#7306)
• 389eea5 Cleanup extracted file after extract_zipped_path test (#7305)
• 7407309 Packaging: DRY out extras definition (#7277)
• See full diff in compare view

Updates sqlalchemy from 2.0.46 to 2.0.49

Release notes

Sourced from sqlalchemy's releases.

2.0.49

Released: April 3, 2026

orm

• [orm] [bug] Fixed issue where _orm.Session.get() would bypass the identity map and emit unnecessary SQL when with_for_update=False was passed, rather than treating it equivalently to the default of None. Pull request courtesy of Joshua Swanson.

  References: #13176

• [orm] [bug] Fixed issue where chained _orm.joinedload() options would not be applied correctly when the final relationship in the chain is declared on a base mapper and accessed through a subclass mapper in a _orm.with_polymorphic() query. The path registry now correctly computes the natural path when a property declared on a base class is accessed through a path containing a subclass mapper, ensuring the loader option can be located during query compilation.

  References: #13193

• [orm] [bug] [inheritance] Fixed issue where using _orm.Load.options() to apply a chained loader option such as _orm.joinedload() or _orm.selectinload() with _orm.PropComparator.of_type() for a polymorphic relationship would not generate the necessary clauses for the polymorphic subclasses. The polymorphic loading strategy is now correctly propagated when using a call such as joinedload(A.b).options(joinedload(B.c.of_type(poly))) to match the behavior of direct chaining e.g. joinedload(A.b).joinedload(B.c.of_type(poly)).

  References: #13202

• [orm] [bug] [inheritance] Fixed issue where using chained loader options such as _orm.selectinload() after _orm.joinedload() with _orm.PropComparator.of_type() for a polymorphic relationship would not properly apply the chained loader option. The loader option is now correctly applied when using a call such as joinedload(A.b.of_type(poly)).selectinload(poly.SubClass.c) to eagerly load related objects.

  References: #13209

typing

• [typing] [bug] Fixed a typing issue where the typed members of :data:.func would return the appropriate class of the same name, however this creates an issue for

... (truncated)

Commits

• See full diff in compare view

Updates werkzeug from 3.1.6 to 3.1.8

Release notes

Sourced from werkzeug's releases.

3.1.8

This is the Werkzeug 3.1.8 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.8/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-8 Milestone: https://github.com/pallets/werkzeug/milestone/45?closed=1

• Request.host and get_host return the empty string if the header is missing or has invalid characters. #3142

3.1.7

This is the Werkzeug 3.1.7 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.7/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-7 Milestone: https://github.com/pallets/werkzeug/milestone/44?closed=1

• parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. #3128
• WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. #3127
• Transfer-Encoding is parsed as a set. #3134
• Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. #3113
• Fix multipart form parser handling of newline at boundary. #3088
• Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. #3108
• merge_slashes merges any number of consecutive slashes. #3121

Changelog

Sourced from werkzeug's changelog.

Version 3.1.8

Released 2026-04-02

• Request.host and get_host return the empty string if the header is missing or has invalid characters. :issue:3142

Version 3.1.7

Released 2026-03-23

• parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. :pr:3128
• WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. :issue:3127
• Transfer-Encoding is parsed as a set. :pr:3134
• Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. :pr:3113
• Fix multipart form parser handling of newline at boundary. :issue:3088
• Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. :issue:3108
• merge_slashes merges any number of consecutive slashes. :issue:3121

Commits

• c1a26b4 release version 3.1.8
• 7926f0b relax get_host strictness (#3148)
• deab88f relax get_host strictness
• 65eb639 start version 3.1.8
• 7720b76 release version 3.1.7 (#3135)
• 005d93b release version 3.1.7
• c328342 merge any number of slashes (#3136)
• 23142a3 merge any number of slashes
• b913d68 always set accept-ranges header
• f282943 Correct 1049dd6b2a363e1ef302b4161c340fb8582f627a
• Additional commits viewable in compare view

Updates zipp from 3.23.0 to 3.23.1

Changelog

Sourced from zipp's changelog.

v3.23.1

Bugfixes

• str(Path(...)) now renders ":zipfile" for the filename when a zipfile has no filename instead of failing with a TypeError. (#134)

Commits

• 157860e Finalize
• 0c7638a Merge pull request #135 from barneygale/fix-134
• 6d1e280 Update news fragment.
• 0b07235 Merge branch 'main' into fix-134
• c5f40d3 Moved none_as to _functools.
• f7bdf7c Use :zipfile: to designate an unnamed zipfile.
• e7956b7 Mark 3.21 as Python 3.15.
• See full diff in compare view

Updates pip from 26.0 to 26.0.1

Changelog

Sourced from pip's changelog.

26.0.1 (2026-02-04)

Bug Fixes

• Fix --pre not being respected from the command line when a requirement file includes an option e.g. -extra-index-url. ([#13788](https://github.com/pypa/pip/issues/13788) <https://github.com/pypa/pip/issues/13788>_)

Commits

• 5fe4ea4 Bump for release
• bea3cbe windows fix tests
• ed22252 News Entry
• af13274 Match release control behavior to the same as format control behavior
• See full diff in compare view

Updates pip-tools from 7.5.2 to 7.5.3

Release notes

Sourced from pip-tools's releases.

v7.5.3

2026-02-11

Bug fixes

• The option --unsafe-package is now normalized -- by @​shifqu.

  PRs and issues: #2150

• Fixed a bug in which pip-compile lost any index URL options when looking up hashes -- by @​sirosen.

  This caused errors when a package was only available from an extra index, and caused pip-compile to incorrectly drop index URL options from output, even when they were present in the input requirements.

  PRs and issues: #2220, #2294, #2305

• Fixed removal of temporary files used when reading requirements from stdin -- by @​sirosen.

Features

• pip-tools is now tested against Python 3.14 and 3.14t in CI, and marks them as supported in the core packaging metadata -- by @​webknjaz.

  PRs and issues: #2255

• pip-tools is now compatible with pip 26.0 -- by @​sirosen.

  PRs and issues: #2319, #2320

Removals and backward incompatible breaking changes

• Removed support for Python 3.8 -- by @​sirosen.

Improved documentation

• The change log management infra now allows the maintainers to add notes before and after the regular categories -- by @​webknjaz.

  PRs and issues: #2287, #2322

• Added documentation clarifying that pip-compile reads the existing output file as a constraint source, and how to use --upgrade to refresh dependencies -- by @​maliktafheem.

  PRs and issues: #2307

... (truncated)

Changelog

Sourced from pip-tools's changelog.

v7.5.3

2026-02-09

Bug fixes

• The option --unsafe-package is now normalized -- by {user}shifqu.

  PRs and issues: {issue}2150

• Fixed a bug in which pip-compile lost any index URL options when looking up hashes -- by {user}sirosen.

  This caused errors when a package was only available from an extra index, and caused pip-compile to incorrectly drop index URL options from output, even when they were present in the input requirements.

  PRs and issues: {issue}2220, {issue}2294, {issue}2305

• Fixed removal of temporary files used when reading requirements from stdin -- by {user}sirosen.

Features

• pip-tools is now tested against Python 3.14 and 3.14t in CI, and marks them as supported in the core packaging metadata -- by {user}webknjaz.

  PRs and issues: {issue}2255

• pip-tools is now compatible with pip 26.0 -- by {user}sirosen.

  PRs and issues: {issue}2319, {issue}2320

Removals and backward incompatible breaking changes

• Removed support for Python 3.8 -- by {user}sirosen.

Improved documentation

• The change log management infra now allows the maintainers to add notes before and after the regular categories -- by {user}webknjaz.

  PRs and issues: {issue}2287, {issue}2322

• Added documentation clarifying that pip-compile reads the existing output file as a constraint source, and how to use --upgrade to refresh dependencies -- by {user}maliktafheem.

  PRs and issues: {issue}2307

... (truncated)

Commits

• 5f31d8a Merge pull request #2332 from sirosen/fix-release-version-normalization
• 106f1d6 Fix CI workflow to normalize versions (for release)
• 3a0f5ed Merge pull request #2329 from sirosen/release/v7.5.3
• e4bd31d Merge pull request #2328 from jazzband/pre-commit-ci-update-config
• 08107ab Update changelog for version 7.5.3
• 5b4d130 Merge pull request #2325 from sirosen/ensure-tmpfile-cleanup
• cc6a2b9 Apply feedback/suggestions from review
• fc53265 [pre-commit.ci] pre-commit autoupdate
• 6c27507 Add 'tempfile_compat' to handle windows tmp files
• 9ac94db Fix leak of temp files when reading from stdin
• Additional commits viewable in compare view

Updates cachetools from 6.2.6 to 7.0.5

Changelog

Sourced from