Sourced from requests's releases.

v2.32.4

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS. (#6926)
• Dropped support for pypy 3.9 following its end of support. (#6926)

v2.32.3

2.32.3 (2024-05-29)

Bugfixes

• Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)
• Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

v2.32.2

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

... (truncated)

Sourced from requests's changelog.

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS.
• Dropped support for pypy 3.9 following its end of support.

2.32.3 (2024-05-29)

Bugfixes

• Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)
• Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

... (truncated)

• 021dc72 Polish up release tooling for last manual release
• 821770e Bump version and add release notes for v2.32.4
• 59f8aa2 Add netrc file search information to authentication documentation (#6876)
• 5b4b64c Add more tests to prevent regression of CVE 2024 47081
• 7bc4587 Add new test to check netrc auth leak (#6962)
• 96ba401 Only use hostname to do netrc lookup instead of netloc
• 7341690 Merge pull request #6951 from tswast/patch-1
• 6716d7c remove links
• a7e1c74 Update docs/conf.py
• c799b81 docs: fix dead links to kenreitz.org
• Additional commits viewable in compare view

Sourced from flask's releases.

2.2.5

This is a security fix release for the 2.2.x release branch. Note that 2.3.x is the currently supported release branch; please upgrade to the latest version if possible.

• Security advisory: GHSA-m2qf-hxjv-5gpq, CVE-2023-30861
• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-5
• Milestone: https://github.com/pallets/flask/milestone/30?closed=1

2.2.4

This is a fix release for the 2.2.x release branch.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-4
• Milestone: https://github.com/pallets/flask/milestone/27?closed=1

2.2.3

This is a fix release for the 2.2.x release branch.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-3
• Milestone: https://github.com/pallets/flask/milestone/26?closed=1

2.2.2

This is a fix release for the 2.2.0 feature release.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-2
• Milestone: https://github.com/pallets/flask/milestone/25?closed=1

2.2.1

This is a fix release for the 2.2.0 feature release.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-1
• Milestone: https://github.com/pallets/flask/milestone/23?closed=1

2.2.0

This is a feature release, which includes new features and removes previously deprecated code. The 2.2.x branch is now the supported bug fix branch, the 2.1.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-0
• Milestone: https://github.com/pallets/flask/milestone/19?closed=1

2.1.3

• Changes: https://flask.palletsprojects.com/en/2.1.x/changes/#version-2-1-3
• Milestone: https://github.com/pallets/flask/milestone/22?closed=1

2.1.2

This is a fix release for the 2.1.0 feature release.

• Changes: https://flask.palletsprojects.com/en/2.1.x/changes/#version-2-1-2
• Milestone: https://github.com/pallets/flask/milestone/21?closed=1

2.1.1

This is a fix release for the 2.1.0 feature release.

... (truncated)

Sourced from flask's changelog.

Version 2.2.5

Released 2023-05-02

• Update for compatibility with Werkzeug 2.3.3.
• Set Vary: Cookie header when the session is accessed, modified, or refreshed.

Version 2.2.4

Released 2023-04-25

• Update for compatibility with Werkzeug 2.3.

Version 2.2.3

Released 2023-02-15

• Autoescape is enabled by default for .svg template files. :issue:4831
• Fix the type of template_folder to accept pathlib.Path. :issue:4892
• Add --debug option to the flask run command. :issue:4777

Version 2.2.2

Released 2022-08-08

• Update Werkzeug dependency to >= 2.2.2. This includes fixes related to the new faster router, header parsing, and the development server. :pr:4754
• Fix the default value for app.env to be "production". This attribute remains deprecated. :issue:4740

Version 2.2.1

Released 2022-08-03

• Setting or accessing json_encoder or json_decoder raises a deprecation warning. :issue:4732

Version 2.2.0

... (truncated)

• 47af817 release version 2.2.5
• afd63b1 Merge pull request #5109 from pallets/backport-vary-cookie
• 8646edc set Vary: Cookie header consistently for session
• a6367da Merge pull request #5108 from pallets/werkzeug-compat
• 3fbfbad werkzeug 2.3.3 compatibility
• 726d3f4 start version 2.2.5
• ddc7acc Merge pull request #5081 from pallets/release-2.2.4
• 74e0329 release version 2.2.4
• 2d46068 update dev env
• 64bc458 update dev dependencies
• Additional commits viewable in compare view

Sourced from gunicorn's releases.

23.0.0

Gunicorn 23.0.0 has been released. This version improve HTTP 1.1. support and which improve safety

You're invited to upgrade asap your own installation.

23.0.0 - 2024-08-10

• minor docs fixes (:pr:3217, :pr:3089, :pr:3167)
• worker_class parameter accepts a class (:pr:3079)
• fix deadlock if request terminated during chunked parsing (:pr:2688)
• permit receiving Transfer-Encodings: compress, deflate, gzip (:pr:3261)
• permit Transfer-Encoding headers specifying multiple encodings. note: no parameters, still (:pr:3261)
• sdist generation now explicitly excludes sphinx build folder (:pr:3257)
• decode bytes-typed status (as can be passed by gevent) as utf-8 instead of raising TypeError (:pr:2336)
• raise correct Exception when encounting invalid chunked requests (:pr:3258)
• the SCRIPT_NAME and PATH_INFO headers, when received from allowed forwarders, are no longer restricted for containing an underscore (:pr:3192)
• include IPv6 loopback address [::1] in default for :ref:forwarded-allow-ips and :ref:proxy-allow-ips (:pr:3192)

** NOTE **

• The SCRIPT_NAME change mitigates a regression that appeared first in the 22.0.0 release
• Review your :ref:forwarded-allow-ips setting if you are still not seeing the SCRIPT_NAME transmitted
• Review your :ref:forwarder-headers setting if you are missing headers after upgrading from a version prior to 22.0.0

** Breaking changes **

• refuse requests where the uri field is empty (:pr:3255)
• refuse requests with invalid CR/LR/NUL in heade field values (:pr:3253)
• remove temporary --tolerate-dangerous-framing switch from 22.0 (:pr:3260)
• If any of the breaking changes affect you, be aware that now refused requests can post a security problem, especially so in setups involving request pipe-lining and/or proxies.

Fix CVE-2024-1135

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

• use utime to notify workers liveness
• migrate setup to pyproject.toml
• fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
• parsing additional requests is no longer attempted past unsupported request framing
• on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
• requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
• Trailer fields are no longer inspected for headers indicating secure scheme </tr></table>

... (truncated)

• 411986d fix doc
• 334392e Merge pull request #2559 from laggardkernel/bugfix/reexec-env
• e75c353 Merge pull request #3189 from pajod/patch-py36
• 9357b28 keep document user in access_log_format setting
• 79fdef0 bump to 23.0.0
• 3acd9fb Merge pull request #2620 from talkerbox/improve-access-log-format-docs
• 3f56d76 Merge pull request #3192 from pajod/patch-allowed-script-name
• 256d474 docs: revert duped directive
• ffa48b5 test: default change was intentional
• 52538ca docs: recommend SCRIPT_NAME=/subfolder
• Additional commits viewable in compare view

Sourced from pymysql's releases.

v1.1.1

[!WARNING] This release fixes a vulnerability (CVE-2024-36039). All users are recommended to update to this version.

If you can not update soon, check the input value from untrusted source has an expected type. Only dict input from untrusted source can be an attack vector.

What's Changed

• Prohibit dict parameter for Cursor.execute(). It didn't produce valid SQL and might cause SQL injection. (CVE-2024-36039)
• Added ssl_key_password param by @​svaskov in PyMySQL/PyMySQL#1145

Merged PRs

• Add support for Python 3.12 by @​hugovk in PyMySQL/PyMySQL#1134
• chore(deps): update actions/checkout action to v4 by @​renovate in PyMySQL/PyMySQL#1136
• Update codecov/codecov-action action to v4 by @​renovate in PyMySQL/PyMySQL#1137
• ci: use codecov@v3 by @​methane in PyMySQL/PyMySQL#1142
• chore(deps): update dessant/lock-threads action to v5 by @​renovate in PyMySQL/PyMySQL#1141
• doc: use rtd theme by @​methane in PyMySQL/PyMySQL#1143
• use Ruff as formatter by @​methane in PyMySQL/PyMySQL#1144
• chore(deps): update dependency sphinx-rtd-theme to v2 by @​renovate in PyMySQL/PyMySQL#1147
• chore(deps): update actions/setup-python action to v5 by @​renovate in PyMySQL/PyMySQL#1152
• chore(deps): update github/codeql-action action to v3 by @​renovate in PyMySQL/PyMySQL#1154
• chore(deps): update codecov/codecov-action action to v4 by @​renovate in PyMySQL/PyMySQL#1158
• Support error packet without sqlstate by @​methane in PyMySQL/PyMySQL#1160
• test json - mariadb without JSON type by @​grooverdan in PyMySQL/PyMySQL#1165

New Contributors

• @​hugovk made their first contribution in PyMySQL/PyMySQL#1134
• @​svaskov made their first contribution in PyMySQL/PyMySQL#1145

Full Changelog: PyMySQL/PyMySQL@v1.1.0...v1.1.1

v1.1.0

What's Changed

• Remove redundant wheel dep from pyproject.toml by @​mgorny in PyMySQL/PyMySQL#1099
• ci: Fix black options by @​methane in PyMySQL/PyMySQL#1109
• Remove unused function by @​methane in PyMySQL/PyMySQL#1108
• Expose Cursor.warning_count by @​Nothing4You in PyMySQL/PyMySQL#1056
• Add constants and tests related to query timeouts by @​Nothing4You in PyMySQL/PyMySQL#1033
• Fix SSCursor raising query timeout error on wrong query on MySQL DB by @​Nothing4You in PyMySQL/PyMySQL#1035
• Make Cursor an iterator by @​sanchezg in PyMySQL/PyMySQL#995
• ci: Update CodeQL workflow by @​methane in PyMySQL/PyMySQL#1110
• Use Ruff instead of flake8 by @​methane in PyMySQL/PyMySQL#1112
• Use Codecov instead of coveralls. by @​methane in PyMySQL/PyMySQL#1113
• optionfile: Replace _ with - by @​methane in PyMySQL/PyMySQL#1114
• Cursor.fetchall() always return list. by @​methane in PyMySQL/PyMySQL#1115

... (truncated)

Sourced from pymysql's changelog.

v1.1.1

Release date: 2024-05-21

[!WARNING] This release fixes a vulnerability (CVE-2024-36039). All users are recommended to update to this version.

If you can not update soon, check the input value from untrusted source has an expected type. Only dict input from untrusted source can be an attack vector.

• Prohibit dict parameter for Cursor.execute(). It didn't produce valid SQL and might cause SQL injection. (CVE-2024-36039)
• Added ssl_key_password param. #1145

v1.1.0

Release date: 2023-06-26

• Fixed SSCursor raising OperationalError for query timeouts on wrong statement (#1032)
• Exposed Cursor.warning_count to check for warnings without additional query (#1056)
• Make Cursor iterator (#995)
• Support '_' in key name in my.cnf (#1114)
• Cursor.fetchall() returns empty list instead of tuple (#1115). Note that Cursor.fetchmany() still return empty tuple after reading all rows for compatibility with Django.
• Deprecate Error classes in Cursor class (#1117)
• Add Connection.set_character_set(charset, collation=None). This method is compatible with mysqlclient. (#1119)
• Deprecate Connection.set_charset(charset) (#1119)
• New connection always send "SET NAMES charset [COLLATE collation]" query. (#1119) Since collation table is vary on MySQL server versions, collation in handshake is fragile.
• Support charset="utf8mb3" option (#1127)

v1.0.3

Release date: 2023-03-28

• Dropped support of end of life MySQL version 5.6
• Dropped support of end of life MariaDB versions below 10.3
• Dropped support of end of life Python version 3.6
• Removed _last_executed because of duplication with _executed by @​rajat315315 in PyMySQL/PyMySQL#948
• Fix generating authentication response with long strings by @​netch80 in PyMySQL/PyMySQL#988
• update pymysql.constants.CR by @​Nothing4You in PyMySQL/PyMySQL#1029
• Document that the ssl connection parameter can be an SSLContext by @​cakemanny in PyMySQL/PyMySQL#1045
• Raise ProgrammingError on -np.inf in addition to np.inf by @​cdcadman in PyMySQL/PyMySQL#1067
• Use Python 3.11 release instead of -dev in tests by @​Nothing4You in PyMySQL/PyMySQL#1076

v1.0.2

... (truncated)

• 2cab9ec v1.1.1
• 521e400 forbid dict parameter
• 7f032a6 remove coveralls from requirements
• 69f6c74 ruff format
• b4ed688 test json - mariadb without JSON type (#1165)
• bbd049f Support error packet without sqlstate (#1160)
• 9694747 pyupgrade
• 1f0b785 chore(deps): update codecov/codecov-action action to v4 (#1158)
• 1e28be8 chore(deps): update github/codeql-action action to v3 (#1154)
• f13f054 chore(deps): update actions/setup-python action to v5 (#1152)
• Additional commits viewable in compare view

Sourced from pymongo's releases.

PyMongo 4.6.3

Community notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-3-release-for-cve-2024-5629/284348

PyMongo 4.6.2

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-2-released/267404

PyMongo 4.6.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-1-released/255752

PyMongo 4.6.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-0-released/251866

PyMongo 4.5.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-5-0-released/240662

PyMongo 4.4.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-1-released/235045

PyMongo 4.4.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-released/232211

PyMongo 4.4.0b0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-0b0-release/210471

PyMongo 4.3.3

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-3-3-release/200145

PyMongo 4.3.2

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-3-2-released/194266

PyMongo 4.2.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-2-0-released/176012

PyMongo 4.2.0b0

Release notes: https://www.mongodb.com/community/forums/t/python-driver-4-2-0-beta-available/168488

PyMongo 4.1.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-1-1-released/157895

PyMongo 4.1.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-1-0-released/156029

PyMongo 4.0.2

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-0-2-released/150457

PyMongo 4.0.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-0-1-released/135979

PyMongo 4.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-0-released/134677

... (truncated)

Sourced from pymongo's changelog.

Changes in Version 4.6.3 (2024/03/27)

PyMongo 4.6.3 fixes the following bug:

• Fixed a potential memory access violation when decoding invalid bson.

Issues Resolved ...............

See the PyMongo 4.6.3 release notes in JIRA_ for the list of resolved issues in this release.

.. _PyMongo 4.6.3 release notes in JIRA: https://jira.mongodb.org/secure/ReleaseNote.jspa?projectId=10004&version=38360

Changes in Version 4.6.2 (2024/02/21)

PyMongo 4.6.2 fixes the following bug:

• Fixed a bug appearing in Python 3.12 where "RuntimeError: can't create new thread at interpreter shutdown" could be written to stderr when a MongoClient's thread starts as the python interpreter is shutting down.

Issues Resolved ...............

See the PyMongo 4.6.2 release notes in JIRA_ for the list of resolved issues in this release.

.. _PyMongo 4.6.2 release notes in JIRA: https://jira.mongodb.org/secure/ReleaseNote.jspa?projectId=10004&version=37906

Changes in Version 4.6.1 (2023/11/29)

PyMongo 4.6.1 fixes the following bug:

• Ensure retryable read OperationFailure errors re-raise exception when 0 or NoneType error code is provided.

Issues Resolved ...............

See the PyMongo 4.6.1 release notes in JIRA_ for the list of resolved issues in this release.

.. _PyMongo 4.6.1 release notes in JIRA: https://jira.mongodb.org/secure/ReleaseNote.jspa?projectId=10004&version=37138

Changes in Version 4.6.0 (2023/11/01)

PyMongo 4.6 brings a number of improvements including:

... (truncated)

• 8da192f BUMP 4.6.3
• 56b6b6d PYTHON-4305 Fix bson size check (#1564)
• 449d0f3 BUMP to 4.6.3.dev0
• e04576d DEVPROD-3871 Use teardown_task when there is one function/command (#1533)
• cf1c6a1 PYTHON-4219 Prep for 4.6.2 Release (#1530)
• d29b2b7 PYTHON-4147 [v4.6]: Silence noisy thread.start() RuntimeError at shutdown (#1...
• 0477b9b PYTHON-4077 [v4.6]: Ensure there is a MacOS wheel for Python 3.7 (#1527)
• ecad17d BUMP 4.6.2.dev0
• 485e0a5 BUMP 4.6.1
• 995365c PYTHON-4038 [v4.6]: Ensure retryable read OperationFailures re-raise except...
• Additional commits viewable in compare view

Sourced from cryptography's changelog.

44.0.1 - 2025-02-11

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.1.
* We now build ``armv7l`` ``manylinux`` wheels and publish them to PyPI.
* We now build ``manylinux_2_34`` wheels and publish them to PyPI.
.. _v44-0-0:
44.0.0 - 2024-11-27

• BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.9.
• Deprecated Python 3.7 support. Python 3.7 is no longer supported by the Python core team. Support for Python 3.7 will be removed in a future cryptography release.
• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.0.
• macOS wheels are now built against the macOS 10.13 SDK. Users on older versions of macOS should upgrade, or they will need to build cryptography themselves.
• Enforce the :rfc:5280 requirement that extended key usage extensions must not be empty.
• Added support for timestamp extraction to the :class:~cryptography.fernet.MultiFernet class.
• Relax the Authority Key Identifier requirements on root CA certificates during X.509 verification to allow fields permitted by :rfc:5280 but forbidden by the CA/Browser BRs.
• Added support for :class:~cryptography.hazmat.primitives.kdf.argon2.Argon2id when using OpenSSL 3.2.0+.
• Added support for the :class:~cryptography.x509.Admissions certificate extension.
• Added basic support for PKCS7 decryption (including S/MIME 3.2) via :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der, :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem, and :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime.

.. _v43-0-3:

43.0.3 - 2024-10-18

* Fixed release metadata for ``cryptography-vectors``
.. _v43-0-2:
43.0.2 - 2024-10-18

• Fixed compilation when using LibreSSL 4.0.0.

.. _v43-0-1:

... (truncated)

• adaaaed Bump for 44.0.1 release (#12441)
• ccc61da [backport] test and build on armv7l (#12420) (#12431)
• f299a48 remove deprecated call (#12052)
• 439eb05 Bump version for 44.0.0 (#12051)
• 2c5ad4d chore(deps): bump maturin from 1.7.4 to 1.7.5 in /.github/requirements (#12050)
• d23968a chore(deps): bump libc from 0.2.165 to 0.2.166 (#12049)
• 133c0e0 Bump x509-limbo and/or wycheproof in CI (#12047)
• f2259d7 Bump BoringSSL and/or OpenSSL in CI (#12046)
• e201c87 fixed metadata in changelog (#12044)
• c6104cc Prohibit Python 3.9.0, 3.9.1 -- they have a bug that causes errors (#12045)
• Additional commits viewable in compare view

Sourced from requests's releases.

v2.32.4

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS. (#6926)
• Dropped support for pypy 3.9 following its end of support. (#6926)

v2.32.3

2.32.3 (2024-05-29)

Bugfixes

• Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)
• Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

v2.32.2

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

... (truncated)

Sourced from requests's changelog.

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS.
• Dropped support for pypy 3.9 following its end of support.

2.32.3 (2024-05-29)

Bugfixes

• Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)
• Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

... (truncated)

• 021dc72 Polish up release tooling for last manual release
• 821770e Bump version and add release notes for v2.32.4
• 59f8aa2 Add netrc file search information to authentication documentation (#6876)
• 5b4b64c Add more tests to prevent regression of CVE 2024 47081
• 7bc4587 Add new test to check netrc auth leak (#6962)
• 96ba401 Only use hostname to do netrc lookup instead of netloc
• 7341690 Merge pull request #6951 from tswast/patch-1
• 6716d7c remove links
• a7e1c74 Update docs/conf.py
• c799b81 docs: fix dead links to kenreitz.org
• Additional commits viewable in compare view

Sourced from flask's releases.

2.2.5

This is a security fix release for the 2.2.x release branch. Note that 2.3.x is the currently supported release branch; please upgrade to the latest version if possible.

• Security advisory: GHSA-m2qf-hxjv-5gpq, CVE-2023-30861
• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-5
• Milestone: https://github.com/pallets/flask/milestone/30?closed=1

2.2.4

This is a fix release for the 2.2.x release branch.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-4
• Milestone: https://github.com/pallets/flask/milestone/27?closed=1

2.2.3

This is a fix release for the 2.2.x release branch.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-3
• Milestone: https://github.com/pallets/flask/milestone/26?closed=1

2.2.2

This is a fix release for the 2.2.0 feature release.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-2
• Milestone: https://github.com/pallets/flask/milestone/25?closed=1

2.2.1

This is a fix release for the 2.2.0 feature release.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-1
• Milestone: https://github.com/pallets/flask/milestone/23?closed=1

2.2.0

This is a feature release, which includes new features and removes previously deprecated code. The 2.2.x branch is now the supported bug fix branch, the 2.1.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades.

• Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-0
• Milestone: https://github.com/pallets/flask/milestone/19?closed=1

2.1.3

• Changes: https://flask.palletsprojects.com/en/2.1.x/changes/#version-2-1-3
• Milestone: https://github.com/pallets/flask/milestone/22?closed=1

2.1.2

This is a fix release for the 2.1.0 feature release.

• Changes: https://flask.palletsprojects.com/en/2.1.x/changes/#version-2-1-2
• Milestone: https://github.com/pallets/flask/milestone/21?closed=1

2.1.1

This is a fix release for the 2.1.0 feature release.

... (truncated)

Sourced from flask's changelog.

Version 2.2.5

Released 2023-05-02

• Update for compatibility with Werkzeug 2.3.3.
• Set Vary: Cookie header when the session is accessed, modified, or refreshed.

Version 2.2.4

Released 2023-04-25

• Update for compatibility with Werkzeug 2.3.

Version 2.2.3

Released 2023-02-15

• Autoescape is enabled by default for .svg template files. :issue:4831
• Fix the type of template_folder to accept pathlib.Path. :issue:4892
• Add --debug option to the flask run command. :issue:4777

Version 2.2.2

Released 2022-08-08

• Update Werkzeug dependency to >= 2.2.2. This includes fixes related to the new faster router, header parsing, and the development server. :pr:4754
• Fix the default value for app.env to be "production". This attribute remains deprecated. :issue:4740

Version 2.2.1

Released 2022-08-03

• Setting or accessing json_encoder or json_decoder raises a deprecation warning. :issue:4732

Version 2.2.0

... (truncated)

• 47af817 release version 2.2.5
• afd63b1 Merge pull request #5109 from pallets/backport-vary-cookie
• 8646edc set Vary: Cookie header consistently for session
• a6367da Merge pull request #5108 from pallets/werkzeug-compat
• 3fbfbad werkzeug 2.3.3 compatibility
• 726d3f4 start version 2.2.5
• ddc7acc Merge pull request #5081 from pallets/release-2.2.4
• 74e0329 release version 2.2.4
• 2d46068 update dev env
• 64bc458 update dev dependencies
• Additional commits viewable in compare view

Sourced from cryptography's changelog.

44.0.1 - 2025-02-11

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.1.
* We now build ``armv7l`` ``manylinux`` wheels and publish them to PyPI.
* We now build ``manylinux_2_34`` wheels and publish them to PyPI.
.. _v44-0-0:
44.0.0 - 2024-11-27

• BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.9.
• Deprecated Python 3.7 support. Python 3.7 is no longer supported by the Python core team. Support for Python 3.7 will be removed in a future cryptography release.
• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.0.
• macOS wheels are now built against the macOS 10.13 SDK. Users on older versions of macOS should upgrade, or they will need to build cryptography themselves.
• Enforce the :rfc:5280 requirement that extended key usage extensions must not be empty.
• Added support for timestamp extraction to the :class:~cryptography.fernet.MultiFernet class.
• Relax the Authority Key Identifier requirements on root CA certificates during X.509 verification to allow fields permitted by :rfc:5280 but forbidden by the CA/Browser BRs.
• Added support for :class:~cryptography.hazmat.primitives.kdf.argon2.Argon2id when using OpenSSL 3.2.0+.
• Added support for the :class:~cryptography.x509.Admissions certificate extension.
• Added basic support for PKCS7 decryption (including S/MIME 3.2) via :func:~cryptography.hazmat.primitives.serialization.pkcs7.p...

  Description has been truncated