Bump the pip group across 9 directories with 16 updates

[dependabot]

Bumps the pip group with 1 update in the /benchmarking directory: sentencepiece.
Bumps the pip group with 11 updates in the /data_extraction directory:

Package	From	To
sentencepiece	0.1.99	0.2.1
pillow	9.5.0	12.1.1
filelock	3.12.4	3.20.3
orjson	3.10.6	3.11.5
pypdf	3.16.2	6.7.4
unstructured	0.12.0	0.18.18
urllib3	2.0.6	2.6.3
flask	3.0.0	3.1.3
werkzeug	3.0.1	3.1.6
pip	23.0.1	26.0
protobuf	4.25.2	5.29.6

Bumps the pip group with 2 updates in the /document_comparison directory: pillow and nltk.
Bumps the pip group with 2 updates in the /enterprise_knowledge_retriever directory: pillow and nltk.
Bumps the pip group with 1 update in the /eval_jumpstart directory: pypdf.
Bumps the pip group with 1 update in the /financial_assistant directory: pypdf.
Bumps the pip group with 1 update in the /multimodal_knowledge_retriever directory: nltk.
Bumps the pip group with 1 update in the /utils/parsing directory: unstructured.
Bumps the pip group with 10 updates in the /utils/parsing/unstructured-api/requirements directory:

Package	From	To
pillow	10.3.0	12.1.1
filelock	3.15.1	3.20.3
orjson	3.10.5	3.11.5
pypdf	4.2.0	6.7.4
urllib3	2.2.1	2.6.3
nltk	3.8.1	3.9.3
cryptography	42.0.8	46.0.5
python-multipart	0.0.9	0.0.22
nbconvert	7.16.4	7.17.0
wheel	0.43.0	0.46.2

Updates sentencepiece from 0.2.0 to 0.2.1

Release notes

Sourced from sentencepiece's releases.

v0.2.1

Major changes

• [Python] Supported wheels and builds for Python 3.13 and 3.14(rc1) #1134, #1127, #1121, #1111, #1110, #1104, #1103, #1099, #1091
• [Python] Added an experimental support for free-threading. #1134, #1127, #1110 https://github.com/google/sentencepiece/tree/master/python#free-threading-support
• [Python] Updated the supported Python version to 3.9 or later.

New features

• [ALL]: Added new build mode to prevent the precompiled normalization rules being embedded in *.so and *.a. (-DSPM_DISABLE_EMBEDDED_DATA=ON). This reduces the runtime size by approximately 1-2 MB. This mode is enabled to build python wheels. The rules are loaded as the data package.

Bug fixes & minor changes

• [ALL]: Security fix to address a heap overflow issue that could occur when using a model containing an invalid precompiled normalization model.
• [Python]: Deprecates the wheel package for Linux i686.
• [Python]: Supported wheel for Windows Arm64. #1114
• [Python]: Fixed the crash issue on batch decoding #1051
• [ALL]: Updated the Unicode normalization rule with the latest ICU/Unicode rules.
• [ALL]: Unused code and build mode cleanup.

v0.2.1pre2

Major changes

• [Python] Supported wheels and builds for Python 3.13 and 3.14(rc0)
• [Python] Added an experimental support for free-threading. https://github.com/google/sentencepiece/tree/master/python#free-threading-support
• [Python] Updated the supported Python version to 3.9 or later.

New features

• [ALL]: Added new build mode to prevent the precompiled normalization rules being embedded in *.so and *.a. (-DSPM_DISABLE_EMBEDDED_DATA=ON). This reduces the runtime size by approximately 1-2 MB. This mode is enabled to build python wheels. The rules are loaded as the data package.

Bug fixes & minor changes

• [ALL]: Security fix to address a heap overflow issue that could occur when using a model containing an invalid precompiled normalization model.
• [Python]: Deprecates the wheel package for Linux i686.
• [Python]: Supported wheel for Windows Arm64.
• [Python]: Fixed the crash issue on batch decoding #1051
• [ALL]: Updated the Unicode normalization rule with the latest ICU/Unicode rules.
• [ALL]: Unused code and build mode cleanup.

Commits

• 31646a4 Merge pull request #1136 from crusaderky/pytest-run-parallel
• bcd44b9 free-threading tests
• 135747f install twine before checking wheel
• 69fe0b2 install setuptools before making sdist
• ee1422b install setuptools before making sdist
• 5ac2fd2 use windows-11-arm runner to test ARM64 wheel on native env.
• 36b9745 use windows-11-arm runner to test ARM64 wheel on native env.
• 4f043ae use auto-mode to make wheel with the native binary.
• 623196e uses arm docker image to build and test wheel
• 559fd65 re-enable QEMU to enable arm execution
• Additional commits viewable in compare view

Updates sentencepiece from 0.1.99 to 0.2.1

Release notes

Sourced from sentencepiece's releases.

v0.2.1

Major changes

• [Python] Supported wheels and builds for Python 3.13 and 3.14(rc1) #1134, #1127, #1121, #1111, #1110, #1104, #1103, #1099, #1091
• [Python] Added an experimental support for free-threading. #1134, #1127, #1110 https://github.com/google/sentencepiece/tree/master/python#free-threading-support
• [Python] Updated the supported Python version to 3.9 or later.

New features

• [ALL]: Added new build mode to prevent the precompiled normalization rules being embedded in *.so and *.a. (-DSPM_DISABLE_EMBEDDED_DATA=ON). This reduces the runtime size by approximately 1-2 MB. This mode is enabled to build python wheels. The rules are loaded as the data package.

Bug fixes & minor changes

• [ALL]: Security fix to address a heap overflow issue that could occur when using a model containing an invalid precompiled normalization model.
• [Python]: Deprecates the wheel package for Linux i686.
• [Python]: Supported wheel for Windows Arm64. #1114
• [Python]: Fixed the crash issue on batch decoding #1051
• [ALL]: Updated the Unicode normalization rule with the latest ICU/Unicode rules.
• [ALL]: Unused code and build mode cleanup.

v0.2.1pre2

Major changes

• [Python] Supported wheels and builds for Python 3.13 and 3.14(rc0)
• [Python] Added an experimental support for free-threading. https://github.com/google/sentencepiece/tree/master/python#free-threading-support
• [Python] Updated the supported Python version to 3.9 or later.

New features

• [ALL]: Added new build mode to prevent the precompiled normalization rules being embedded in *.so and *.a. (-DSPM_DISABLE_EMBEDDED_DATA=ON). This reduces the runtime size by approximately 1-2 MB. This mode is enabled to build python wheels. The rules are loaded as the data package.

Bug fixes & minor changes

• [ALL]: Security fix to address a heap overflow issue that could occur when using a model containing an invalid precompiled normalization model.
• [Python]: Deprecates the wheel package for Linux i686.
• [Python]: Supported wheel for Windows Arm64.
• [Python]: Fixed the crash issue on batch decoding #1051
• [ALL]: Updated the Unicode normalization rule with the latest ICU/Unicode rules.
• [ALL]: Unused code and build mode cleanup.

Commits

• 31646a4 Merge pull request #1136 from crusaderky/pytest-run-parallel
• bcd44b9 free-threading tests
• 135747f install twine before checking wheel
• 69fe0b2 install setuptools before making sdist
• ee1422b install setuptools before making sdist
• 5ac2fd2 use windows-11-arm runner to test ARM64 wheel on native env.
• 36b9745 use windows-11-arm runner to test ARM64 wheel on native env.
• 4f043ae use auto-mode to make wheel with the native binary.
• 623196e uses arm docker image to build and test wheel
• 559fd65 re-enable QEMU to enable arm execution
• Additional commits viewable in compare view

Updates pillow from 9.5.0 to 12.1.1

Release notes

Sourced from pillow's releases.

12.1.1

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html

Dependencies

• Patch libavif for svt-av1 4.0 compatibility #9413 [@​hugovk]

Other changes

• Fix OOB Write with invalid tile extents #9427 [@​radarhere]

12.1.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.0.html

Deprecations

• Deprecate getdata(), in favour of new get_flattened_data() #9292 [@​radarhere]

Documentation

• Specify APNG duration type when opening #9368 [@​radarhere]
• Added release notes for #9350 #9366 [@​radarhere]
• Update ImageMorph documentation #9349 [@​radarhere]
• Docs: update major bump cadence #9334 [@​hugovk]
• Add release notes for #9070 #9320 [@​radarhere]
• Updated Ubuntu version #9306 [@​radarhere]
• Update macOS tested Pillow versions #9265 [@​radarhere]

Dependencies

• Update harfbuzz to 12.3.0 #9355 [@​radarhere]
• Update xz to 5.8.2 #9343 [@​radarhere]
• Updated libjpeg-turbo to 3.1.3 #9333 [@​radarhere]
• Updated zlib-ng to 2.3.2 #9324 [@​radarhere]
• Updated libpng to 1.6.53 #9325 [@​radarhere]
• Update actions/checkout action to v6 #9323 [@renovate[bot]]
• Update dependency mypy to v1.19.0 #9322 [@renovate[bot]]
• Updated libpng to 1.6.51 #9305 [@​radarhere]
• Updated brotli to 1.2.0 #9284 [@​radarhere]
• Update libimagequant to 4.4.1 #9301 [@​radarhere]
• Update zlib-ng to 2.3.1, except on manylinux2014 aarch64 #9312 [@​radarhere]
• Updated harfbuzz to 12.2.0 #9289 [@​radarhere]
• Update github-actions #9277 [@renovate[bot]]

Testing

• Replace pre-commit with prek #9360 [@​hugovk]
• Test PyQt6 on Python 3.14 on Windows #9353 [@​radarhere]
• Test 32-bit Windows on Windows Server 2022 #9345 [@​radarhere]
• Correct variable type #9335 [@​radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

Changelog (Pillow)

11.1.0 and newer

See GitHub Releases:

• https://github.com/python-pillow/Pillow/releases

11.0.0 (2024-10-15)

• Update licence to MIT-CMU #8460 [hugovk]

• Conditionally define ImageCms type hint to avoid requiring core #8197 [radarhere]

• Support writing LONG8 offsets in AppendingTiffWriter #8417 [radarhere]

• Use ImageFile.MAXBLOCK when saving TIFF images #8461 [radarhere]

• Do not close provided file handles with libtiff when saving #8458 [radarhere]

• Support ImageFilter.BuiltinFilter for I;16* images #8438 [radarhere]

• Use ImagingCore.ptr instead of ImagingCore.id #8341 [homm, radarhere, hugovk]

• Updated EPS mode when opening images without transparency #8281 [Yay295, radarhere]

• Use transparency when combining P frames from APNGs #8443 [radarhere]

• Support all resampling filters when resizing I;16* images #8422 [radarhere]

• Free memory on early return #8413 [radarhere]

• Cast int before potentially exceeding INT_MAX #8402 [radarhere]

... (truncated)

Commits

• 5158d98 12.1.1 version bump
• 9000313 Fix OOB Write with invalid tile extents (#9427)
• cd01118 Patch libavif for svt-av1 4.0 compatibility
• 46f45f6 12.1.0 version bump
• c9ac097 Simplify band splitting (#9291)
• 3baedf2 Deprecate getdata(), in favour of new get_flattened_data() (#9292)
• b51a036 Specify APNG duration type when opening (#9368)
• 8d08e31 Add release notes for #9348 (#9369)
• 432707e Added release notes for #9348
• 2d58910 Specify APNG duration type when opening
• Additional commits viewable in compare view

Updates filelock from 3.12.4 to 3.20.3

Release notes

Sourced from filelock's releases.

3.20.3

What's Changed

• Fix TOCTOU symlink vulnerability in SoftFileLock by @​gaborbernat in tox-dev/filelock#465

Full Changelog: tox-dev/filelock@3.20.2...3.20.3

3.20.2

What's Changed

• Support Unix systems without O_NOFOLLOW by @​mwilliamson in tox-dev/filelock#463
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/filelock#464

New Contributors

• @​mwilliamson made their first contribution in tox-dev/filelock#463

Full Changelog: tox-dev/filelock@3.20.1...3.20.2

3.20.1

What's Changed

• CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation by @​gaborbernat in tox-dev/filelock#461

Full Changelog: tox-dev/filelock@3.20.0...3.20.1

3.20.0

What's Changed

• Add tox.toml to sdist by @​mtelka in tox-dev/filelock#436
• Update docs with example by @​znichollscr in tox-dev/filelock#438
• Add 3.14 support and drop 3.9 by @​gaborbernat in tox-dev/filelock#448

New Contributors

• @​mtelka made their first contribution in tox-dev/filelock#436
• @​znichollscr made their first contribution in tox-dev/filelock#438

Full Changelog: tox-dev/filelock@3.19.1...3.20.0

3.19.1

What's Changed

• add 3.14t (free threading) to matrix by @​paultiq in tox-dev/filelock#433
• Increase test coverage by @​paultiq in tox-dev/filelock#434

... (truncated)

Changelog

Sourced from filelock's changelog.

########### Changelog ###########

---

3.25.0 (2026-03-01)

---

• ✨ feat(async): add AsyncReadWriteLock :pr:506
• Standardize .github files to .yaml suffix
• build(deps): bump actions/download-artifact from 7 to 8 :pr:503 - by :user:dependabot[bot]
• build(deps): bump actions/upload-artifact from 6 to 7 :pr:502 - by :user:dependabot[bot]
• Move SECURITY.md to .github/SECURITY.md
• Add security policy
• Add permissions to check workflow :pr:500
• [pre-commit.ci] pre-commit autoupdate :pr:499 - by :user:pre-commit-ci[bot]

---

3.24.3 (2026-02-19)

---

• 🐛 fix(unix): handle ENOENT race on FUSE/NFS during acquire :pr:495
• 🐛 fix(ci): add trailing blank line after changelog entries :pr:492

---

3.24.2 (2026-02-16)

---

• 🐛 fix(rw): close sqlite3 cursors and skip SoftFileLock Windows race :pr:491
• 🐛 fix(test): resolve flaky write non-starvation test :pr:490
• 📝 docs: restructure using Diataxis framework :pr:489

---

3.24.1 (2026-02-15)

---

• 🐛 fix(soft): resolve Windows deadlock and test race condition :pr:488

---

3.24.0 (2026-02-14)

---

• ✨ feat(lock): add lifetime parameter for lock expiration (#68) :pr:486
• ✨ feat(lock): add cancel_check to acquire (#309) :pr:487
• 🐛 fix(api): detect same-thread self-deadlock :pr:481
• ✨ feat(mode): respect POSIX default ACLs (#378) :pr:483
• 🐛 fix(win): eliminate lock file race in threaded usage :pr:484
• ✨ feat(lock): add poll_interval to constructor :pr:482
• 🐛 fix(unix): auto-fallback to SoftFileLock on ENOSYS :pr:480

... (truncated)

Commits

• 41b42dd Fix TOCTOU symlink vulnerability in SoftFileLock (#465)
• f2e7d40 [pre-commit.ci] pre-commit autoupdate (#464)
• 5088854 Support Unix systems without O_NOFOLLOW (#463)
• 377f622 [pre-commit.ci] pre-commit autoupdate (#460)
• 4724d7f Fix TOCTOU symlink vulnerability in lock file creation (#461)
• cb69414 Bump actions/upload-artifact from 5 to 6 (#459)
• 0769294 Bump actions/download-artifact from 6 to 7 (#458)
• 414193a [pre-commit.ci] pre-commit autoupdate (#457)
• 1456797 [pre-commit.ci] pre-commit autoupdate (#456)
• 8d6bf90 Bump actions/checkout from 5 to 6 (#455)
• Additional commits viewable in compare view

Updates orjson from 3.10.6 to 3.11.5

Release notes

Sourced from orjson's releases.

3.11.5

Changed

• Show simple error message instead of traceback when attempting to build on unsupported Python versions.

3.11.4

Changed

• ABI compatibility with CPython 3.15 alpha 1.
• Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7, manylinux ppc64le, manylinux s390x.
• Build now requires a C compiler.

3.11.3

Fixed

• Fix PyPI project metadata when using maturin 1.9.2 or later.

3.11.2

Fixed

• Fix build using Rust 1.89 on amd64.

Changed

• Build now depends on Rust 1.85 or later instead of 1.82.

3.11.1

Changed

• Publish PyPI wheels for CPython 3.14.

Fixed

• Fix str on big-endian architectures.

3.11.0

Changed

• Use a deserialization buffer allocated per request instead of a shared buffer allocated on import.
• ABI compatibility with CPython 3.14 beta 4.

3.10.18

Fixed

• Fix incorrect escaping of the vertical tabulation character. This was introduced in 3.10.17.

3.10.17

... (truncated)

Changelog

Sourced from orjson's changelog.

3.11.5 - 2025-12-06

Changed

• Show simple error message instead of traceback when attempting to build on unsupported Python versions.

3.11.4 - 2025-10-24

Changed

• ABI compatibility with CPython 3.15 alpha 1.
• Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7, manylinux ppc64le, manylinux s390x.
• Build now requires a C compiler.

3.11.3 - 2025-08-26

Fixed

• Fix PyPI project metadata when using maturin 1.9.2 or later.

3.11.2 - 2025-08-12

Fixed

• Fix build using Rust 1.89 on amd64.

Changed

• Build now depends on Rust 1.85 or later instead of 1.82.

3.11.1 - 2025-07-25

Changed

• Publish PyPI wheels for CPython 3.14.

Fixed

• Fix str on big-endian architectures. This was introduced in 3.11.0.

3.11.0 - 2025-07-15

Changed

... (truncated)

Commits

• fb3eb1f 3.11.5
• 52688e0 Record contributors in headers
• dc083e8 Further compatibility and build misc
• 18f0186 Compatibility and build misc
• a4fdeb3 3.11.4
• 2e80d68 unlikely to cold_path, remove intrinsics
• 27edea9 FFI through crate::ffi, partial non-CPython compatibility
• 416a8c9 Unconditionally build yyjson
• c8c1a17 edition 2024
• af4179a build maintenance, panic_immediate_abort break, test 3.15
• Additional commits viewable in compare view

Updates pypdf from 3.16.2 to 6.7.4

Release notes

Sourced from pypdf's releases.

Version 6.7.4, 2026-02-27

What's new

Security (SEC)

• Allow limiting output length for RunLengthDecode filter (#3664) by @​stefan6419846

Robustness (ROB)

• Deal with invalid annotations in extract_links (#3659) by @​stefan6419846

Full Changelog

Version 6.7.3, 2026-02-24

What's new

Security (SEC)

• Use zlib decompression limit when retrieving XFA data (#3658) by @​stefan6419846

Full Changelog

Version 6.7.2, 2026-02-22

What's new

Security (SEC)

• Prevent infinite loop from circular xref /Prev references (#3655) by @​rampageservices

Bug Fixes (BUG)

• Fix wrong LUT size error (#3651) by @​stefan6419846
• Fix handling of page boxes defined on /Pages (#3650) by @​stefan6419846

Full Changelog

Version 6.7.1, 2026-02-17

What's new

Security (SEC)

• Detect cyclic references when accessing TreeObject.children (#3645) by @​stefan6419846
• Limit size of /ToUnicode entries (#3646) by @​stefan6419846
• Limit FlateDecode recovery attempts (#3644) by @​stefan6419846

Bug Fixes (BUG)

• Avoid own object replacement logic in PageObject.replace_contents (#3638) by @​stefan6419846
• Fix UnboundLocalError when update_page_form_field_values with /Sig (#3634) by @​John-Sharp

Robustness (ROB)

• Avoid divison by zero when decoding FlateDecode PNG prediction (#3641) by @​stefan6419846

Full Changelog

Version 6.7.0, 2026-02-08

What's new

... (truncated)

Changelog

Sourced from pypdf's changelog.

Version 6.7.4, 2026-02-27

Security (SEC)

• Allow limiting output length for RunLengthDecode filter (#3664)

Robustness (ROB)

• Deal with invalid annotations in extract_links (#3659)

Full Changelog

Version 6.7.3, 2026-02-24

Security (SEC)

• Use zlib decompression limit when retrieving XFA data (#3658)

Full Changelog

Version 6.7.2, 2026-02-22

Security (SEC)

• Prevent infinite loop from circular xref /Prev references (#3655)

Bug Fixes (BUG)

• Fix wrong LUT size error (#3651)
• Fix handling of page boxes defined on /Pages (#3650)

Full Changelog

Version 6.7.1, 2026-02-17

Security (SEC)

• Detect cyclic references when accessing TreeObject.children (#3645)
• Limit size of /ToUnicode entries (#3646)
• Limit FlateDecode recovery attempts (#3644)

Bug Fixes (BUG)

• Avoid own object replacement logic in PageObject.replace_contents (#3638)
• Fix UnboundLocalError when update_page_form_field_values with /Sig (#3634)

Robustness (ROB)

• Avoid divison by zero when decoding FlateDecode PNG prediction (#3641)

Full Changelog

Version 6.7.0, 2026-02-08

Deprecations (DEP)

• Deprecate support for abbreviations in decode_stream_data (#3617)

New Features (ENH)

... (truncated)

Commits

• 1650bc3 REL: 6.7.4
• f309c60 SEC: Allow limiting output length for RunLengthDecode filter (#3664)
• 993f052 DEV: Bump actions/upload-artifact from 6 to 7 (#3662)
• a3c996b DEV: Bump actions/download-artifact from 7 to 8 (#3663)
• 37de320 ROB: Deal with invalid annotations in extract_links (#3659)
• 05e6d3c REL: 6.7.3
• 7a4c824 SEC: Use zlib decompression limit when retrieving XFA data (#3658)
• 4f1260f REL: 6.7.2
• 6ef86cb DOC: Sync release process with current status
• f0a462d SEC: Prevent infinite loop from circular xref /Prev references (#3655)
• Additional commits viewable in compare view

Updates unstructured from 0.12.0 to 0.18.18

Release notes

Sourced from unstructured's releases.

0.18.18

Fixes

• Prevent path traversal in email MSG attachment filenames Fixed a security vulnerability (GHSA-gm8q-m8mv-jj5m) where malicious attachment filenames containing path traversal sequences could write files outside the intended directory. The fix normalizes both Unix and Windows path separators before sanitizing filenames, preventing cross-platform path traversal attacks in partition_msg functions

0.18.17

Enhancement

Features

Fixes

• Removed Clarifai dependency as it is no longer used
• Bumped dependencies via pip-compile to address the following CVEs:
  • pypdf: GHSA-vr63-x8vc-m265
  • pip: GHSA-4xh5-x5gv-qwph
  • uv: GHSA-8qf3-x8v5-2pj8 GHSA-pqhf-p39g-3x64

0.18.16

Enhancement

• Speed up function _assign_hash_ids by 34% (codeflash)

Features

Fixes

• Bumped dependencies via pip-compile to address the following CVEs:
  • authlib: GHSA-pq5p-34cr-23v9
  • python-3.12/python03.12-base: CVE-2025-8291, GHSA-49g5-f6qw-8mm7
  • libcrypto3/libssl3: CVE-2025-9230, CVE-2025-9231, CVE-2025-9232, GHSA-76r2-c3cg-f5r9, GHSA-9mrx-mqmg-gwj9

0.18.15

What's Changed

• Setup Codeflash Github Actions to optimize all future code by @​misrasaurabh1 in Unstructured-IO/unstructured#4082
• fix: update deps to resolve cve by @​qued in Unstructured-IO/unstructured#4093
• ⚡️ Speed up function group_broken_paragraphs by 30% by @​aseembits93 in Unstructured-IO/unstructured#4088
• ⚡️ Speed up method ElementHtml._get_children_html by 234% by @​aseembits93 in Unstructured-IO/unstructured#4087
• Luke/sept16 CVE by @​luke-kucing in Unstructured-IO/unstructured#4094

New Contributors

• @​aseembits93 made their first contribution in Unstructured-IO/unstructured#4088

Full Changelog: Unstructured-IO/unstructured@0.18.14...0.18.15

0.18.14

Enhancements

• Speed up function sentence_count by 59% (codeflash)

• Speed up function check_for_nltk_package by 111% (codeflash)

... (truncated)

Changelog

Sourced from unstructured's changelog.

0.18.18

Fixes

• Prevent path traversal in email MSG attachment filenames Fixed a security vulnerability (GHSA-gm8q-m8mv-jj5m) where malicious attachment filenames containing path traversal sequences could write files outside the intended directory. The fix normalizes both Unix and Windows path separators before sanitizing filenames, preventing cross-platform path traversal attacks in partition_msg functions

0.18.17

Enhancement

Features

Fixes

• Removed Clardy dependency as it is no longer used
• Bumped dependencies via pip-compile to address the following CVEs:
  • pypdf: GHSA-vr63-x8vc-m265
  • pip: GHSA-4xh5-x5gv-qwph
  • uv: GHSA-8qf3-x8v5-2pj8 GHSA-pqhf-p39g-3x64

0.18.16

Enhancement

• Speed up function _assign_hash_ids by 34% (codeflash)

Features

Fixes

• Bumped dependencies via pip-compile to address the following CVEs:
  • authlib: GHSA-pq5p-34cr-23v9
  • python-3.12/python03.12-base: CVE-2025-8291, GHSA-49g5-f6qw-8mm7
  • libcrypto3/libssl3: CVE-2025-9230, CVE-2025-9231, CVE-2025-9232, GHSA-76r2-c3cg-f5r9, GHSA-9mrx-mqmg-gwj9

0.18.15

Enhancements

• Speed up function ElementHtml._get_children_html by 234% (codeflash)
• Speed up function group_broken_paragraphs by 30% (codeflash)

Features

Fixes

• Bumped dependencies via pip-compile to address the crit CVE in:
  • deepdiff: 8.6.0 -> 8.6.1: GHSA-mw26-5g2v-hqw3

0.18.14

Enhancements

• Speed up function sentence_count by 59% (codeflash)
• Speed up function check_for_nltk_package by 111% (codeflash)
• Speed up function under_non_alpha_ratio by 76% (codeflash)

... (truncated)

Commits

• b01d35b fix: sanitize MSG attachment filenames to prevent path traversal (GHS… (#4117)
• 1c519ef Security Fixes - CVE Remediation (#4115)
• c79cf3a updated dependancies to resolve open CVEs and cut a new version (#4108)
• 8fd07fd feat: Add simple script to sync fork with local branch (#4102)
• ef68384 enhancement: Speed up function _assign_hash_ids by 34% (#4101)
• 2d44d73 Luke/sept16 CVE (#4094)
• ab55d86 ⚡️ Speed up method ElementHtml._get_children_html by 234% (#4087)
• 6aee131 ⚡️ Speed up function group_broken_paragraphs by 30% (#4088)
• 1030a69 fix: update deps to resolve cve (#4093)
• e3854d2 Setup Codeflash Github Actions to optimize all future code (#4082)
• Additional commits viewable in compare view

Updates urllib3 from 2.0.6 to 2.6.3

Release notes

Sourced from urllib3's releases.

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by @​D47A, 8.9 High, GHSA-38jv-5279-wg99)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. (urllib3/urllib3#3743)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. (urllib3/urllib3#3752)

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)

2.6.1

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. (#3731)

2.6.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @​Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @​illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)

[!IMPORTANT]

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.

... (truncated)

Changelog

Sourced from urllib3's changelog.

2.6.3 (2026-01-07)

• Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. ([#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743>__)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. ([#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752>__)

2.6.2 (2025-12-11)

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. ([#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734>__)

2.6.1 (2025-12-08)

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. ([#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731>__)

2.6.0 (2025-12-05)

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now...

  Description has been truncated