• bd81538 2024.07.04 (#295)
• 06a2cbf Bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (#294)
• 13bba02 Bump actions/checkout from 4.1.6 to 4.1.7 (#293)
• e8abcd0 Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 (#292)
• 124f4ad 2024.06.02 (#291)
• c2196ce --- (#290)
• fefdeec Bump actions/checkout from 4.1.4 to 4.1.5 (#289)
• 3c5fb15 Bump actions/download-artifact from 4.1.6 to 4.1.7 (#286)
• 4a9569a Bump actions/checkout from 4.1.2 to 4.1.4 (#287)
• 1fc8086 Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (#288)
• Additional commits viewable in compare view

Sourced from cryptography's changelog.

44.0.1 - 2025-02-11

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.1.
* We now build ``armv7l`` ``manylinux`` wheels and publish them to PyPI.
* We now build ``manylinux_2_34`` wheels and publish them to PyPI.
.. _v44-0-0:
44.0.0 - 2024-11-27

• BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.9.
• Deprecated Python 3.7 support. Python 3.7 is no longer supported by the Python core team. Support for Python 3.7 will be removed in a future cryptography release.
• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.0.
• macOS wheels are now built against the macOS 10.13 SDK. Users on older versions of macOS should upgrade, or they will need to build cryptography themselves.
• Enforce the :rfc:5280 requirement that extended key usage extensions must not be empty.
• Added support for timestamp extraction to the :class:~cryptography.fernet.MultiFernet class.
• Relax the Authority Key Identifier requirements on root CA certificates during X.509 verification to allow fields permitted by :rfc:5280 but forbidden by the CA/Browser BRs.
• Added support for :class:~cryptography.hazmat.primitives.kdf.argon2.Argon2id when using OpenSSL 3.2.0+.
• Added support for the :class:~cryptography.x509.Admissions certificate extension.
• Added basic support for PKCS7 decryption (including S/MIME 3.2) via :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der, :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem, and :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime.

.. _v43-0-3:

43.0.3 - 2024-10-18

* Fixed release metadata for ``cryptography-vectors``
.. _v43-0-2:
43.0.2 - 2024-10-18

• Fixed compilation when using LibreSSL 4.0.0.

.. _v43-0-1:

... (truncated)

• adaaaed Bump for 44.0.1 release (#12441)
• ccc61da [backport] test and build on armv7l (#12420) (#12431)
• f299a48 remove deprecated call (#12052)
• 439eb05 Bump version for 44.0.0 (#12051)
• 2c5ad4d chore(deps): bump maturin from 1.7.4 to 1.7.5 in /.github/requirements (#12050)
• d23968a chore(deps): bump libc from 0.2.165 to 0.2.166 (#12049)
• 133c0e0 Bump x509-limbo and/or wycheproof in CI (#12047)
• f2259d7 Bump BoringSSL and/or OpenSSL in CI (#12046)
• e201c87 fixed metadata in changelog (#12044)
• c6104cc Prohibit Python 3.9.0, 3.9.1 -- they have a bug that causes errors (#12045)
• Additional commits viewable in compare view

Sourced from idna's releases.

v3.7

What's Changed

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

3.6 (2023-11-25) ++++++++++++++++

• Fix regression to include tests in source distribution.

3.5 (2023-11-24) ++++++++++++++++

• Update to Unicode 15.1.0
• String codec name is now "idna2008" as overriding the system codec "idna" was not working.
• Fix typing error for codec encoding
• "setup.cfg" has been added for this release due to some downstream lack of adherence to PEP 517. Should be removed in a future release so please prepare accordingly.
• Removed reliance on a symlink for the "idna-data" tool to comport with PEP 517 and the Python Packaging User Guide for sdist archives.
• Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions to this release.

• 1d365e1 Release v3.7
• c1b3154 Merge pull request #172 from kjd/optimize-contextj
• 0394ec7 Merge branch 'master' into optimize-contextj
• cd58a23 Merge pull request #152 from elliotwutingfeng/dev
• 5beb28b More efficient resolution of joiner contexts
• 1b12148 Update ossf/scorecard-action to v2.3.1
• d516b87 Update Github actions/checkout to v4
• c095c75 Merge branch 'master' into dev
• 60a0a4c Fix typo in GitHub Actions workflow key
• 5918a0e Merge branch 'master' into dev
• Additional commits viewable in compare view

Sourced from jinja2's releases.

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/ Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7

3.1.5

This is the Jinja 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.5/ Changes: https://jinja.palletsprojects.com/changes/#version-3-1-5 Milestone: https://github.com/pallets/jinja/milestone/16?closed=1

• The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. GHSA-q2x7-8rv6-6q7h
• Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. #1792, GHSA-gmj6-6f8f-6699
• Sandbox does not allow clear and pop on known mutable sequence types. #2032
• Calling sync render for an async template uses asyncio.run. #1952
• Avoid unclosed auto_aiter warnings. #1960
• Return an aclose-able AsyncGenerator from Template.generate_async. #1960
• Avoid leaving root_render_func() unclosed in Template.generate_async. #1960
• Avoid leaving async generators unclosed in blocks, includes and extends. #1960
• The runtime uses the correct concat function for the current environment when calling block references. #1701
• Make |unique async-aware, allowing it to be used after another async-aware filter. #1781
• |int filter handles OverflowError from scientific notation. #1921
• Make compiling deterministic for tuple unpacking in a {% set ... %} call. #2021
• Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. #2025
• Fix copy/pickle support for the internal missing object. #2027
• Environment.overlay(enable_async) is applied correctly. #2061
• The error message from FileSystemLoader includes the paths that were searched. #1661
• PackageLoader shows a clearer error message when the package does not contain the templates directory. #1705
• Improve annotations for methods returning copies. #1880
• urlize does not add mailto: to values like @a@b. #1870
• Tests decorated with @pass_context can be used with the |select filter. #1624
• Using set for multiple assignment (a, b = 1, 2) does not fail when the target is a namespace attribute. #1413
• Using set in all branches of {% if %}{% elif %}{% else %} blocks does not cause the variable to be considered initially undefined. #1253

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

• The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

3.1.3

This is a fix release for the 3.1.x feature branch.

• Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.

... (truncated)

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Version 3.1.5

Released 2024-12-21

• The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. :ghsa:q2x7-8rv6-6q7h
• Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. :issue:1792, :ghsa:gmj6-6f8f-6699
• Sandbox does not allow clear and pop on known mutable sequence types. :issue:2032
• Calling sync render for an async template uses asyncio.run. :pr:1952
• Avoid unclosed auto_aiter warnings. :pr:1960
• Return an aclose-able AsyncGenerator from Template.generate_async. :pr:1960
• Avoid leaving root_render_func() unclosed in Template.generate_async. :pr:1960
• Avoid leaving async generators unclosed in blocks, includes and extends. :pr:1960
• The runtime uses the correct concat function for the current environment when calling block references. :issue:1701
• Make |unique async-aware, allowing it to be used after another async-aware filter. :issue:1781
• |int filter handles OverflowError from scientific notation. :issue:1921
• Make compiling deterministic for tuple unpacking in a {% set ... %} call. :issue:2021
• Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. :issue:2025
• Fix copy/pickle support for the internal missing object. :issue:2027
• Environment.overlay(enable_async) is applied correctly. :pr:2061
• The error message from FileSystemLoader includes the paths that were searched. :issue:1661
• PackageLoader shows a clearer error message when the package does not contain the templates directory. :issue:1705
• Improve annotations for methods returning copies. :pr:1880
• urlize does not add mailto: to values like @a@b. :pr:1870

... (truncated)

• 1520688 release version 3.1.6
• 90457bb Merge commit from fork
• 065334d attr filter uses env.getattr
• 033c200 start version 3.1.6
• bc68d4e use global contributing guide (#2070)
• 247de5e use global contributing guide
• ab8218c use project advisory link instead of global
• b4ffc8f release version 3.1.5 (#2066)
• 877f6e5 release version 3.1.5
• 8d58859 remove test pypi
• Additional commits viewable in compare view

Sourced from requests's releases.

v2.32.4

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS. (#6926)
• Dropped support for pypy 3.9 following its end of support. (#6926)

v2.32.3

2.32.3 (2024-05-29)

Bugfixes

• Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)
• Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

v2.32.2

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

... (truncated)

Sourced from requests's changelog.

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS.
• Dropped support for pypy 3.9 following its end of support.

2.32.3 (2024-05-29)

Bugfixes

• Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)
• Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

... (truncated)

• 021dc72 Polish up release tooling for last manual release
• 821770e Bump version and add release notes for v2.32.4
• 59f8aa2 Add netrc file search information to authentication documentation (#6876)
• 5b4b64c Add more tests to prevent regression of CVE 2024 47081
• 7bc4587 Add new test to check netrc auth leak (#6962)
• 96ba401 Only use hostname to do netrc lookup instead of netloc
• 7341690 Merge pull request #6951 from tswast/patch-1
• 6716d7c remove links
• a7e1c74 Update docs/conf.py
• c799b81 docs: fix dead links to kenreitz.org
• Additional commits viewable in compare view

Sourced from urllib3's releases.

2.5.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security issues

urllib3 2.5.0 fixes two moderate security issues:

• Pool managers now properly control redirects when retries is passed — CVE-2025-50181 reported by @​sandumjacob (5.3 Medium, GHSA-pq67-6m6q-mj2v)
• Redirects are now controlled by urllib3 in the Node.js runtime — CVE-2025-50182 (5.3 Medium, GHSA-48p4-8xcf-vxj5)

Features

• Added support for the compression.zstd module that is new in Python 3.14. See PEP 784 for more information. (#3610)
• Added support for version 0.5 of hatch-vcs (#3612)

Bugfixes

• Raised exception for HTTPResponse.shutdown on a connection already released to the pool. (#3581)
• Fixed incorrect CONNECT statement when using an IPv6 proxy with connection_from_host. Previously would not be wrapped in []. (#3615)

2.4.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Features

• Applied PEP 639 by specifying the license fields in pyproject.toml. (#3522)
• Updated exceptions to save and restore more properties during the pickle/serialization process. (#3567)
• Added verify_flags option to create_urllib3_context with a default of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python 3.13+. (#3571)

Bugfixes

• Fixed a bug with partial reads of streaming data in Emscripten. (#3555)

Misc

• Switched to uv for installing development dependecies. (#3550)
• Removed the multiple.intoto.jsonl asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (#3566)

2.3.0

... (truncated)

Sourced from urllib3's changelog.

2.5.0 (2025-06-18)

Features

• Added support for the compression.zstd module that is new in Python 3.14. See PEP 784 <https://peps.python.org/pep-0784/>_ for more information. ([#3610](https://github.com/urllib3/urllib3/issues/3610) <https://github.com/urllib3/urllib3/issues/3610>__)
• Added support for version 0.5 of hatch-vcs ([#3612](https://github.com/urllib3/urllib3/issues/3612) <https://github.com/urllib3/urllib3/issues/3612>__)

Bugfixes

• Fixed a security issue where restricting the maximum number of followed redirects at the urllib3.PoolManager level via the retries parameter did not work.
• Made the Node.js runtime respect redirect parameters such as retries and redirects.
• Raised exception for HTTPResponse.shutdown on a connection already released to the pool. ([#3581](https://github.com/urllib3/urllib3/issues/3581) <https://github.com/urllib3/urllib3/issues/3581>__)
• Fixed incorrect CONNECT statement when using an IPv6 proxy with connection_from_host. Previously would not be wrapped in []. ([#3615](https://github.com/urllib3/urllib3/issues/3615) <https://github.com/urllib3/urllib3/issues/3615>__)

2.4.0 (2025-04-10)

Features

• Applied PEP 639 by specifying the license fields in pyproject.toml. ([#3522](https://github.com/urllib3/urllib3/issues/3522) <https://github.com/urllib3/urllib3/issues/3522>__)
• Updated exceptions to save and restore more properties during the pickle/serialization process. ([#3567](https://github.com/urllib3/urllib3/issues/3567) <https://github.com/urllib3/urllib3/issues/3567>__)
• Added verify_flags option to create_urllib3_context with a default of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python 3.13+. ([#3571](https://github.com/urllib3/urllib3/issues/3571) <https://github.com/urllib3/urllib3/issues/3571>__)

Bugfixes

• Fixed a bug with partial reads of streaming data in Emscripten. ([#3555](https://github.com/urllib3/urllib3/issues/3555) <https://github.com/urllib3/urllib3/issues/3555>__)

Misc

• Switched to uv for installing development dependecies. ([#3550](https://github.com/urllib3/urllib3/issues/3550) <https://github.com/urllib3/urllib3/issues/3550>__)
• Removed the multiple.intoto.jsonl asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. ([#3566](https://github.com/urllib3/urllib3/issues/3566) <https://github.com/urllib3/urllib3/issues/3566>__)

2.3.0 (2024-12-22)

... (truncated)

• aaab4ec Release 2.5.0
• 7eb4a2a Merge commit from fork
• f05b132 Merge commit from fork
• d03fe32 Fix HTTP tunneling with IPv6 in older Python versions
• 11661e9 Bump github/codeql-action from 3.28.0 to 3.29.0 (#3624)
• 6a0ecc6 Update v2 migration guide to 2.4.0 (#3621)
• 8e32e60 Raise exception for shutdown on a connection already released to the pool (#3...
• 9996e0f Fix emscripten CI for Chrome 137+ (#3599)
• 4fd1a99 Bump RECENT_DATE (#3617)
• c4b5917 Add support for the new compression.zstd module in Python 3.14 (#3611)
• Additional commits viewable in compare view

Sourced from virtualenv's releases.

20.26.6

What's Changed

• release 20.26.5 by @​gaborbernat in pypa/virtualenv#2766
• Fix #2768: Quote template strings in activation scripts by @​y5c4l3 in pypa/virtualenv#2771

New Contributors

• @​y5c4l3 made their first contribution in pypa/virtualenv#2771

Full Changelog: pypa/virtualenv@20.26.5...20.26.6

20.26.5

What's Changed

• release 20.26.4 by @​gaborbernat in pypa/virtualenv#2761
• Use uv over pip by @​gaborbernat in pypa/virtualenv#2765

Full Changelog: pypa/virtualenv@20.26.4...20.26.5

20.26.4

What's Changed

• release 20.26.3 by @​gaborbernat in pypa/virtualenv#2742
• Fix whitespace around backticks in changelog by @​edmorley in pypa/virtualenv#2751
• Test latest Python 3.13 by @​hugovk in pypa/virtualenv#2752
• Fix typo in Nushell activation script by @​edmorley in pypa/virtualenv#2754
• GitHub Actions: Replace deprecated macos-12 with macos-13 by @​hugovk in pypa/virtualenv#2756
• Fix #2728: Activating venv create unwanted console output by @​ShootGan in pypa/virtualenv#2748
• Upgrade bundled wheels by @​gaborbernat in pypa/virtualenv#2760

New Contributors

• @​ShootGan made their first contribution in pypa/virtualenv#2748

Full Changelog: pypa/virtualenv@20.26.3...20.26.4

20.26.3

What's Changed

• release 20.26.2 by @​gaborbernat in pypa/virtualenv#2724
• Bump embeded wheels by @​gaborbernat in pypa/virtualenv#2741

Full Changelog: pypa/virtualenv@20.26.2...20.26.3

20.26.2

... (truncated)

Sourced from virtualenv's changelog.

v20.26.6 (2024-09-27)

Bugfixes - 20.26.6

- Properly quote string placeholders in activation script templates to mitigate
  potential command injection - by :user:`y5c4l3`. (:issue:`2768`)
v20.26.5 (2024-09-17)
Bugfixes - 20.26.5

• Upgrade embedded wheels: setuptools to 75.1.0 from 74.1.2 - by :user:gaborbernat. (:issue:2765)

v20.26.4 (2024-09-07)

Bugfixes - 20.26.4

- no longer create `()` output in console during activation of a virtualenv by .bat file. (:issue:`2728`)
- Upgrade embedded wheels:

wheel to 0.44.0 from 0.43.0
pip to 24.2 from 24.1
setuptools to 74.1.2 from 70.1.0 (:issue:2760)

v20.26.3 (2024-06-21)
Bugfixes - 20.26.3

• Upgrade embedded wheels:

  • setuptools to 70.1.0 from 69.5.1
  • pip to 24.1 from 24.0 (:issue:2741)

v20.26.2 (2024-05-13)

Bugfixes - 20.26.2

- ``virtualenv.pyz`` no longer fails when zipapp path contains a symlink - by :user:`HandSonic` and :user:`petamas`. (:issue:`1949`)
- Fix bad return code from activate.sh if hashing is disabled - by :user:'fenkes-ibm'. (:issue:`2717`)
v20.26.1 (2024-04-29)
Bugfixes - 20.26.1

... (truncated)

• ec04726 release 20.26.6
• 86ddded Fix #2768: Quote template strings in activation scripts (#2771)
• 6bb3f62 [pre-commit.ci] pre-commit autoupdate (#2769)
• 220d49c Bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2 (#2767)
• cf340c8 Merge pull request #2766 from pypa/release-20.26.5
• f3172b4 release 20.26.5
• 22b9795 Use uv over pip (#2765)
• 35d8269 [pre-commit.ci] pre-commit autoupdate (#2764)
• ee77feb [pre-commit.ci] pre-commit autoupdate (#2763)
• c516056 Update README.md
• Additional commits viewable in compare view

Sourced from zipp's changelog.

v3.19.1

Bugfixes

• Improved handling of malformed zip files. (#119)

v3.19.0

Features

• Implement is_symlink. (#117)

v3.18.2

No significant changes.

v3.18.1

No significant changes.

v3.18.0

Features

• Bypass ZipFile.namelist in glob for better performance. (#106)
• Refactored glob functionality to support a more generalized solution with support for platform-specific path separators. (#108)

Bugfixes

• Add special accounting for pypy when computing the stack level for text encoding warnings. (#114)

v3.17.0

Features

... (truncated)

• 6d1cb72 Finalize
• fd604bd Merge pull request #120 from jaraco/bugfix/119-malformed-paths
• c18417e Add news fragment.
• 58115d2 Employ SanitizedNames in CompleteDirs. Fixes broken test.
• 564fcc1 Add SanitizedNames mixin.
• 79a309f Add some assertions about malformed paths.
• 2d015c2 Merge https://github.com/jaraco/skeleton
• a595a0f Rename extras to align with core metadata spec.
• 608f90a Finalize
• 3a22d72 Merge pull request #118 from jaraco/feature/is-symlink
• Additional commits viewable in compare view

Sourced from setuptools's changelog.

v78.1.1

Bugfixes

• More fully sanitized the filename in PackageIndex._download. (#4946)

v78.1.0

Features

• Restore access to _get_vc_env with a warning. (#4874)

v78.0.2

Bugfixes

• Postponed removals of deprecated dash-separated and uppercase fields in setup.cfg. All packages with deprecated configurations are advised to move before 2026. (#4911)

v78.0.1

Misc

• #4909

v78.0.0

Bugfixes

• Reverted distutils changes that broke the monkey patching of command classes. (#4902)

Deprecations and Removals

• Setuptools no longer accepts options containing uppercase or dash characters in setup.cfg.

... (truncated)

• 8e4868a Bump version: 78.1.0 → 78.1.1
• 100e9a6 Merge pull request #4951
• 8faf1d7 Add news fragment.
• 2ca4a9f Rely on re.sub to perform the decision in one expression.
• e409e80 Extract _sanitize method for sanitizing the filename.
• 250a6d1 Add a check to ensure the name resolves relative to the tmpdir.
• d8390fe Extract _resolve_download_filename with test.
• 4e1e893 Merge https://github.com/jaraco/skeleton
• 3a3144f Fix typo: pyproject.license -> project.license (#4931)
• d751068 Fix typo: pyproject.license -> project.license
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.