build(deps): bump the pip group across 19 directories with 15 updates

[dependabot]

Bumps the pip group with 1 update in the /AWS/bedrock/multimodal/rag directory: pillow.
Bumps the pip group with 2 updates in the /AWS/bedrock/rag-solutions/rag-foundations-workshop directory: pillow and unstructured.
Bumps the pip group with 1 update in the /LLM/RAG/rag-bi/application directory: cryptography.
Bumps the pip group with 1 update in the /LLM/large_laguage_models/document_oriented_agent directory: unstructured.
Bumps the pip group with 1 update in the /LLM/large_laguage_models/mixtral_8x7b directory: protobuf.
Bumps the pip group with 1 update in the /LLM/llama_index/samples/llama-index-milvus-example directory: nltk.
Bumps the pip group with 2 updates in the /LLM/llama_index/samples/mixtral_ollama directory: nltk and flask.
Bumps the pip group with 1 update in the /LLM/src/observe_with_langfuse directory: nltk.
Bumps the pip group with 1 update in the /LLM/src/vector-search-api directory: flask.
Bumps the pip group with 4 updates in the /data_management/dvc directory: cryptography, protobuf, orjson and pyasn1.
Bumps the pip group with 1 update in the /kubernetes/src/odh_base_ml_platform directory: mlflow.
Bumps the pip group with 1 update in the /kubernetes/src/odh_base_ml_platform/advanced/model_deploy_pipeline/model_build_push directory: werkzeug.
Bumps the pip group with 2 updates in the /ml-serving/bento-ml/yolov5/utils/google_app_engine directory: flask and pip.
Bumps the pip group with 2 updates in the /ml-serving/custom-serving/fastapi/ray/ray_distilbert directory: protobuf and pyasn1.
Bumps the pip group with 2 updates in the /ml-serving/custom-serving/fastapi/ray/ray_stablediffusion directory: protobuf and pyasn1.
Bumps the pip group with 2 updates in the /ml-serving/custom-serving/fastapi/ray/ray_yolov5s directory: protobuf and pyasn1.
Bumps the pip group with 8 updates in the /model-vcs/mlflow/simple_mlflow_fastapi_k8s directory:

Package	From	To
sqlparse	0.4.4	0.5.4
protobuf	6.32.1	6.33.5
orjson	3.10.5	3.11.6
flask	3.0.0	3.1.3
werkzeug	3.0.1	3.1.6
pyasn1	0.6.0	0.6.3
mlflow	3.1.0	3.8.0rc0
tornado	6.5.2	6.5.5

Bumps the pip group with 6 updates in the /model-vcs/mlflow/sklearn_mlflow directory:

Package	From	To
pillow	10.3.0	12.1.1
sqlparse	0.5.0	0.5.4
protobuf	4.25.8	5.29.6
flask	3.0.0	3.1.3
pyasn1	0.6.1	0.6.3
mlflow	3.2.0	3.8.0rc0

Bumps the pip group with 2 updates in the /ray/zerocopy_loading directory: protobuf and ray.

Updates pillow from 10.3.0 to 12.1.1

Release notes

Sourced from pillow's releases.

12.1.1

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html

Dependencies

• Patch libavif for svt-av1 4.0 compatibility #9413 [@​hugovk]

Other changes

• Fix OOB Write with invalid tile extents #9427 [@​radarhere]

12.1.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.0.html

Deprecations

• Deprecate getdata(), in favour of new get_flattened_data() #9292 [@​radarhere]

Documentation

• Specify APNG duration type when opening #9368 [@​radarhere]
• Added release notes for #9350 #9366 [@​radarhere]
• Update ImageMorph documentation #9349 [@​radarhere]
• Docs: update major bump cadence #9334 [@​hugovk]
• Add release notes for #9070 #9320 [@​radarhere]
• Updated Ubuntu version #9306 [@​radarhere]
• Update macOS tested Pillow versions #9265 [@​radarhere]

Dependencies

• Update harfbuzz to 12.3.0 #9355 [@​radarhere]
• Update xz to 5.8.2 #9343 [@​radarhere]
• Updated libjpeg-turbo to 3.1.3 #9333 [@​radarhere]
• Updated zlib-ng to 2.3.2 #9324 [@​radarhere]
• Updated libpng to 1.6.53 #9325 [@​radarhere]
• Update actions/checkout action to v6 #9323 [@renovate[bot]]
• Update dependency mypy to v1.19.0 #9322 [@renovate[bot]]
• Updated libpng to 1.6.51 #9305 [@​radarhere]
• Updated brotli to 1.2.0 #9284 [@​radarhere]
• Update libimagequant to 4.4.1 #9301 [@​radarhere]
• Update zlib-ng to 2.3.1, except on manylinux2014 aarch64 #9312 [@​radarhere]
• Updated harfbuzz to 12.2.0 #9289 [@​radarhere]
• Update github-actions #9277 [@renovate[bot]]

Testing

• Replace pre-commit with prek #9360 [@​hugovk]
• Test PyQt6 on Python 3.14 on Windows #9353 [@​radarhere]
• Test 32-bit Windows on Windows Server 2022 #9345 [@​radarhere]
• Correct variable type #9335 [@​radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

Changelog (Pillow)

11.1.0 and newer

See GitHub Releases:

• https://github.com/python-pillow/Pillow/releases

11.0.0 (2024-10-15)

• Update licence to MIT-CMU #8460 [hugovk]

• Conditionally define ImageCms type hint to avoid requiring core #8197 [radarhere]

• Support writing LONG8 offsets in AppendingTiffWriter #8417 [radarhere]

• Use ImageFile.MAXBLOCK when saving TIFF images #8461 [radarhere]

• Do not close provided file handles with libtiff when saving #8458 [radarhere]

• Support ImageFilter.BuiltinFilter for I;16* images #8438 [radarhere]

• Use ImagingCore.ptr instead of ImagingCore.id #8341 [homm, radarhere, hugovk]

• Updated EPS mode when opening images without transparency #8281 [Yay295, radarhere]

• Use transparency when combining P frames from APNGs #8443 [radarhere]

• Support all resampling filters when resizing I;16* images #8422 [radarhere]

• Free memory on early return #8413 [radarhere]

• Cast int before potentially exceeding INT_MAX #8402 [radarhere]

... (truncated)

Commits

• 5158d98 12.1.1 version bump
• 9000313 Fix OOB Write with invalid tile extents (#9427)
• cd01118 Patch libavif for svt-av1 4.0 compatibility
• 46f45f6 12.1.0 version bump
• c9ac097 Simplify band splitting (#9291)
• 3baedf2 Deprecate getdata(), in favour of new get_flattened_data() (#9292)
• b51a036 Specify APNG duration type when opening (#9368)
• 8d08e31 Add release notes for #9348 (#9369)
• 432707e Added release notes for #9348
• 2d58910 Specify APNG duration type when opening
• Additional commits viewable in compare view

Updates pillow from 10.3.0 to 12.1.1

Release notes

Sourced from pillow's releases.

12.1.1

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html

Dependencies

• Patch libavif for svt-av1 4.0 compatibility #9413 [@​hugovk]

Other changes

• Fix OOB Write with invalid tile extents #9427 [@​radarhere]

12.1.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.0.html

Deprecations

• Deprecate getdata(), in favour of new get_flattened_data() #9292 [@​radarhere]

Documentation

• Specify APNG duration type when opening #9368 [@​radarhere]
• Added release notes for #9350 #9366 [@​radarhere]
• Update ImageMorph documentation #9349 [@​radarhere]
• Docs: update major bump cadence #9334 [@​hugovk]
• Add release notes for #9070 #9320 [@​radarhere]
• Updated Ubuntu version #9306 [@​radarhere]
• Update macOS tested Pillow versions #9265 [@​radarhere]

Dependencies

• Update harfbuzz to 12.3.0 #9355 [@​radarhere]
• Update xz to 5.8.2 #9343 [@​radarhere]
• Updated libjpeg-turbo to 3.1.3 #9333 [@​radarhere]
• Updated zlib-ng to 2.3.2 #9324 [@​radarhere]
• Updated libpng to 1.6.53 #9325 [@​radarhere]
• Update actions/checkout action to v6 #9323 [@renovate[bot]]
• Update dependency mypy to v1.19.0 #9322 [@renovate[bot]]
• Updated libpng to 1.6.51 #9305 [@​radarhere]
• Updated brotli to 1.2.0 #9284 [@​radarhere]
• Update libimagequant to 4.4.1 #9301 [@​radarhere]
• Update zlib-ng to 2.3.1, except on manylinux2014 aarch64 #9312 [@​radarhere]
• Updated harfbuzz to 12.2.0 #9289 [@​radarhere]
• Update github-actions #9277 [@renovate[bot]]

Testing

• Replace pre-commit with prek #9360 [@​hugovk]
• Test PyQt6 on Python 3.14 on Windows #9353 [@​radarhere]
• Test 32-bit Windows on Windows Server 2022 #9345 [@​radarhere]
• Correct variable type #9335 [@​radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

Changelog (Pillow)

11.1.0 and newer

See GitHub Releases:

• https://github.com/python-pillow/Pillow/releases

11.0.0 (2024-10-15)

• Update licence to MIT-CMU #8460 [hugovk]

• Conditionally define ImageCms type hint to avoid requiring core #8197 [radarhere]

• Support writing LONG8 offsets in AppendingTiffWriter #8417 [radarhere]

• Use ImageFile.MAXBLOCK when saving TIFF images #8461 [radarhere]

• Do not close provided file handles with libtiff when saving #8458 [radarhere]

• Support ImageFilter.BuiltinFilter for I;16* images #8438 [radarhere]

• Use ImagingCore.ptr instead of ImagingCore.id #8341 [homm, radarhere, hugovk]

• Updated EPS mode when opening images without transparency #8281 [Yay295, radarhere]

• Use transparency when combining P frames from APNGs #8443 [radarhere]

• Support all resampling filters when resizing I;16* images #8422 [radarhere]

• Free memory on early return #8413 [radarhere]

• Cast int before potentially exceeding INT_MAX #8402 [radarhere]

... (truncated)

Commits

• 5158d98 12.1.1 version bump
• 9000313 Fix OOB Write with invalid tile extents (#9427)
• cd01118 Patch libavif for svt-av1 4.0 compatibility
• 46f45f6 12.1.0 version bump
• c9ac097 Simplify band splitting (#9291)
• 3baedf2 Deprecate getdata(), in favour of new get_flattened_data() (#9292)
• b51a036 Specify APNG duration type when opening (#9368)
• 8d08e31 Add release notes for #9348 (#9369)
• 432707e Added release notes for #9348
• 2d58910 Specify APNG duration type when opening
• Additional commits viewable in compare view

Updates unstructured from 0.14.3 to 0.18.18

Release notes

Sourced from unstructured's releases.

0.18.18

Fixes

• Prevent path traversal in email MSG attachment filenames Fixed a security vulnerability (GHSA-gm8q-m8mv-jj5m) where malicious attachment filenames containing path traversal sequences could write files outside the intended directory. The fix normalizes both Unix and Windows path separators before sanitizing filenames, preventing cross-platform path traversal attacks in partition_msg functions

0.18.17

Enhancement

Features

Fixes

• Removed Clarifai dependency as it is no longer used
• Bumped dependencies via pip-compile to address the following CVEs:
  • pypdf: GHSA-vr63-x8vc-m265
  • pip: GHSA-4xh5-x5gv-qwph
  • uv: GHSA-8qf3-x8v5-2pj8 GHSA-pqhf-p39g-3x64

0.18.16

Enhancement

• Speed up function _assign_hash_ids by 34% (codeflash)

Features

Fixes

• Bumped dependencies via pip-compile to address the following CVEs:
  • authlib: GHSA-pq5p-34cr-23v9
  • python-3.12/python03.12-base: CVE-2025-8291, GHSA-49g5-f6qw-8mm7
  • libcrypto3/libssl3: CVE-2025-9230, CVE-2025-9231, CVE-2025-9232, GHSA-76r2-c3cg-f5r9, GHSA-9mrx-mqmg-gwj9

0.18.15

What's Changed

• Setup Codeflash Github Actions to optimize all future code by @​misrasaurabh1 in Unstructured-IO/unstructured#4082
• fix: update deps to resolve cve by @​qued in Unstructured-IO/unstructured#4093
• ⚡️ Speed up function group_broken_paragraphs by 30% by @​aseembits93 in Unstructured-IO/unstructured#4088
• ⚡️ Speed up method ElementHtml._get_children_html by 234% by @​aseembits93 in Unstructured-IO/unstructured#4087
• Luke/sept16 CVE by @​luke-kucing in Unstructured-IO/unstructured#4094

New Contributors

• @​aseembits93 made their first contribution in Unstructured-IO/unstructured#4088

Full Changelog: Unstructured-IO/unstructured@0.18.14...0.18.15

0.18.14

Enhancements

• Speed up function sentence_count by 59% (codeflash)

• Speed up function check_for_nltk_package by 111% (codeflash)

... (truncated)

Changelog

Sourced from unstructured's changelog.

0.18.18

Fixes

• Prevent path traversal in email MSG attachment filenames Fixed a security vulnerability (GHSA-gm8q-m8mv-jj5m) where malicious attachment filenames containing path traversal sequences could write files outside the intended directory. The fix normalizes both Unix and Windows path separators before sanitizing filenames, preventing cross-platform path traversal attacks in partition_msg functions

0.18.17

Enhancement

Features

Fixes

• Removed Clardy dependency as it is no longer used
• Bumped dependencies via pip-compile to address the following CVEs:
  • pypdf: GHSA-vr63-x8vc-m265
  • pip: GHSA-4xh5-x5gv-qwph
  • uv: GHSA-8qf3-x8v5-2pj8 GHSA-pqhf-p39g-3x64

0.18.16

Enhancement

• Speed up function _assign_hash_ids by 34% (codeflash)

Features

Fixes

• Bumped dependencies via pip-compile to address the following CVEs:
  • authlib: GHSA-pq5p-34cr-23v9
  • python-3.12/python03.12-base: CVE-2025-8291, GHSA-49g5-f6qw-8mm7
  • libcrypto3/libssl3: CVE-2025-9230, CVE-2025-9231, CVE-2025-9232, GHSA-76r2-c3cg-f5r9, GHSA-9mrx-mqmg-gwj9

0.18.15

Enhancements

• Speed up function ElementHtml._get_children_html by 234% (codeflash)
• Speed up function group_broken_paragraphs by 30% (codeflash)

Features

Fixes

• Bumped dependencies via pip-compile to address the crit CVE in:
  • deepdiff: 8.6.0 -> 8.6.1: GHSA-mw26-5g2v-hqw3

0.18.14

Enhancements

• Speed up function sentence_count by 59% (codeflash)
• Speed up function check_for_nltk_package by 111% (codeflash)
• Speed up function under_non_alpha_ratio by 76% (codeflash)

... (truncated)

Commits

• b01d35b fix: sanitize MSG attachment filenames to prevent path traversal (GHS… (#4117)
• 1c519ef Security Fixes - CVE Remediation (#4115)
• c79cf3a updated dependancies to resolve open CVEs and cut a new version (#4108)
• 8fd07fd feat: Add simple script to sync fork with local branch (#4102)
• ef68384 enhancement: Speed up function _assign_hash_ids by 34% (#4101)
• 2d44d73 Luke/sept16 CVE (#4094)
• ab55d86 ⚡️ Speed up method ElementHtml._get_children_html by 234% (#4087)
• 6aee131 ⚡️ Speed up function group_broken_paragraphs by 30% (#4088)
• 1030a69 fix: update deps to resolve cve (#4093)
• e3854d2 Setup Codeflash Github Actions to optimize all future code (#4082)
• Additional commits viewable in compare view

Updates cryptography from 44.0.1 to 46.0.5

Changelog

Sourced from cryptography's changelog.

46.0.5 - 2026-02-10

* An attacker could create a malicious public key that reveals portions of your
  private key when using certain uncommon elliptic curves (binary curves).
  This version now includes additional security checks to prevent this attack.
  This issue only affects binary elliptic curves, which are rarely used in
  real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
  Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
  **CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
  removed in the next release.
.. v46-0-4:
46.0.4 - 2026-01-27

• Dropped support for win_arm64 wheels_.
• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

.. _v46-0-3:

46.0.3 - 2025-10-15

* Fixed compilation when using LibreSSL 4.2.0.
.. _v46-0-2:
46.0.2 - 2025-09-30

• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.4.

.. _v46-0-1:

46.0.1 - 2025-09-16

* Fixed an issue where users installing via ``pip`` on Python 3.14 development
  versions would not properly install a dependency.
* Fixed an issue building the free-threaded macOS 3.14 wheels.
.. _v46-0-0:
46.0.0 - 2025-09-16

• BACKWARDS INCOMPATIBLE: Support for Python 3.7 has been removed.

... (truncated)

Commits

• 06e120e bump version for 46.0.5 release (#14289)
• 0eebb9d EC check key on cofactor > 1 (#14287)
• bedf6e1 fix openssl version on 46 branch (#14220)
• e6f44fc bump for 46.0.4 and drop win arm64 due to CI issues (#14217)
• c0af4dd release 46.0.3 (#13681)
• 99efe5a bump version for 46.0.2 (#13531)
• e735cfc release 46.0.1 (#13450)
• 4e457ff Explicitly specify python in mac uv build invocation (#13447)
• 2726efd Depend on CFFI 2.0.0 or newer on Python > 3.8 (#13448)
• 6223062 release 46.0.0 (#13446)
• Additional commits viewable in compare view

Updates unstructured from 0.14.3 to 0.18.18

Release notes

Sourced from unstructured's releases.

0.18.18

Fixes

• Prevent path traversal in email MSG attachment filenames Fixed a security vulnerability (GHSA-gm8q-m8mv-jj5m) where malicious attachment filenames containing path traversal sequences could write files outside the intended directory. The fix normalizes both Unix and Windows path separators before sanitizing filenames, preventing cross-platform path traversal attacks in partition_msg functions

0.18.17

Enhancement

Features

Fixes

• Removed Clarifai dependency as it is no longer used
• Bumped dependencies via pip-compile to address the following CVEs:
  • pypdf: GHSA-vr63-x8vc-m265
  • pip: GHSA-4xh5-x5gv-qwph
  • uv: GHSA-8qf3-x8v5-2pj8 GHSA-pqhf-p39g-3x64

0.18.16

Enhancement

• Speed up function _assign_hash_ids by 34% (codeflash)

Features

Fixes

• Bumped dependencies via pip-compile to address the following CVEs:
  • authlib: GHSA-pq5p-34cr-23v9
  • python-3.12/python03.12-base: CVE-2025-8291, GHSA-49g5-f6qw-8mm7
  • libcrypto3/libssl3: CVE-2025-9230, CVE-2025-9231, CVE-2025-9232, GHSA-76r2-c3cg-f5r9, GHSA-9mrx-mqmg-gwj9

0.18.15

What's Changed

• Setup Codeflash Github Actions to optimize all future code by @​misrasaurabh1 in Unstructured-IO/unstructured#4082
• fix: update deps to resolve cve by @​qued in Unstructured-IO/unstructured#4093
• ⚡️ Speed up function group_broken_paragraphs by 30% by @​aseembits93 in Unstructured-IO/unstructured#4088
• ⚡️ Speed up method ElementHtml._get_children_html by 234% by @​aseembits93 in Unstructured-IO/unstructured#4087
• Luke/sept16 CVE by @​luke-kucing in Unstructured-IO/unstructured#4094

New Contributors

• @​aseembits93 made their first contribution in Unstructured-IO/unstructured#4088

Full Changelog: Unstructured-IO/unstructured@0.18.14...0.18.15

0.18.14

Enhancements

• Speed up function sentence_count by 59% (codeflash)

• Speed up function check_for_nltk_package by 111% (codeflash)

... (truncated)

Changelog

Sourced from unstructured's changelog.

0.18.18

Fixes

• Prevent path traversal in email MSG attachment filenames Fixed a security vulnerability (GHSA-gm8q-m8mv-jj5m) where malicious attachment filenames containing path traversal sequences could write files outside the intended directory. The fix normalizes both Unix and Windows path separators before sanitizing filenames, preventing cross-platform path traversal attacks in partition_msg functions

0.18.17

Enhancement

Features

Fixes

• Removed Clardy dependency as it is no longer used
• Bumped dependencies via pip-compile to address the following CVEs:
  • pypdf: GHSA-vr63-x8vc-m265
  • pip: GHSA-4xh5-x5gv-qwph
  • uv: GHSA-8qf3-x8v5-2pj8 GHSA-pqhf-p39g-3x64

0.18.16

Enhancement

• Speed up function _assign_hash_ids by 34% (codeflash)

Features

Fixes

• Bumped dependencies via pip-compile to address the following CVEs:
  • authlib: GHSA-pq5p-34cr-23v9
  • python-3.12/python03.12-base: CVE-2025-8291, GHSA-49g5-f6qw-8mm7
  • libcrypto3/libssl3: CVE-2025-9230, CVE-2025-9231, CVE-2025-9232, GHSA-76r2-c3cg-f5r9, GHSA-9mrx-mqmg-gwj9

0.18.15

Enhancements

• Speed up function ElementHtml._get_children_html by 234% (codeflash)
• Speed up function group_broken_paragraphs by 30% (codeflash)

Features

Fixes

• Bumped dependencies via pip-compile to address the crit CVE in:
  • deepdiff: 8.6.0 -> 8.6.1: GHSA-mw26-5g2v-hqw3

0.18.14

Enhancements

• Speed up function sentence_count by 59% (codeflash)
• Speed up function check_for_nltk_package by 111% (codeflash)
• Speed up function under_non_alpha_ratio by 76% (codeflash)

... (truncated)

Commits

• b01d35b fix: sanitize MSG attachment filenames to prevent path traversal (GHS… (#4117)
• 1c519ef Security Fixes - CVE Remediation (#4115)
• c79cf3a updated dependancies to resolve open CVEs and cut a new version (#4108)
• 8fd07fd feat: Add simple script to sync fork with local branch (#4102)
• ef68384 enhancement: Speed up function _assign_hash_ids by 34% (#4101)
• 2d44d73 Luke/sept16 CVE (#4094)
• ab55d86 ⚡️ Speed up method ElementHtml._get_children_html by 234% (#4087)
• 6aee131 ⚡️ Speed up function group_broken_paragraphs by 30% (#4088)
• 1030a69 fix: update deps to resolve cve (#4093)
• e3854d2 Setup Codeflash Github Actions to optimize all future code (#4082)
• Additional commits viewable in compare view

Updates protobuf from 4.25.8 to 5.29.6

Release notes

Sourced from protobuf's releases.

Protocol Buffers v34.0-rc1

Announcements

• This version includes breaking changes to: C++, Objective-C, PHP, Python.
• [Bazel] Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (protocolbuffers/protobuf@0a5c2f6)
• [C++] Make generator headers private (protocolbuffers/protobuf@3a2af35)
• [C++] Add a debug check that the target of CopyFrom is not a descendant of the source. (protocolbuffers/protobuf@7a75898)
• [C++] Add [[nodiscard]] to many APIs. (protocolbuffers/protobuf@a70115f)
• [C++] Make the arena-enabled constructors of RepeatedField, RepeatedPtrField, and Map private. (protocolbuffers/protobuf@ef890c3)
• [C++] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (protocolbuffers/protobuf@b76faa9)
• [C++] Removes proto2::util::MessageDifferencer::AddIgnoreCriteria that takes a raw pointer as an argument in favor of the overload that takes a unique_ptr. Remove macro PROTOBUF_FUTURE_REMOVE_ADD_IGNORE_CRITERIA (protocolbuffers/protobuf@b115358)
• [C++] Remove deprecated FieldDescriptor::has_optional_keyword() in OSS. Use is_repeated() or has_presence() instead (protocolbuffers/protobuf@68346ec)
• [C++] Remove AddUnusedImportTrackFile() and ClearUnusedImportTrackFiles(). Remove PROTOBUF_FUTURE_RENAME_ADD_UNUSED_IMPORT (protocolbuffers/protobuf@837a2cd)
• [C++] Remove deprecated FieldDescriptor::is_optional() in OSS. Use (!is_required() && !is_repeated()) instead (protocolbuffers/protobuf@9dbc5d4)
• [C++] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (protocolbuffers/protobuf@c301c2c)
• [C++] All entity names have length limit (2afb0dc)
• [ObjC] Remove generate_minimal_imports generation option warning (protocolbuffers/protobuf@45b1297)
• [ObjC] Fix nullability annotations on some GPB*Dictionary types. (protocolbuffers/protobuf@ea67d6d)
• [ObjC] Remove -[GPBFieldDescriptor optional] (protocolbuffers/protobuf@3414dc1)
• [Other] Remove deprecated flag for enabling MSVC support (protocolbuffers/protobuf@97c979b)
• [PHP] Remove deprecated PHP APIs (protocolbuffers/protobuf@9c45014)
• [PHP] Remove deprecated PHP APIs FieldDescriptor getLabel, use IsRepeated or isRequired instead. (protocolbuffers/protobuf@4208121, protocolbuffers/protobuf@cd76e67, protocolbuffers/protobuf@4208121)
• [PHP] Add PHP typehints for setters and remove redundant GPBUtil checks (protocolbuffers/protobuf#25296) (protocolbuffers/protobuf@aee03b7)
• [PHP] support default values for editions/proto2 (protocolbuffers/protobuf#25161) (protocolbuffers/protobuf@b01099d)
• [Python] Raise errors in OSS when assign bool to int/enum field in Python Proto. (protocolbuffers/protobuf@5b116fe)
• [Python] Remove float_format/double_format from python proto text_format (protocolbuffers/protobuf@e4854a1)
• [Python] Raise TypeError when convert non-timedelta to Duration, or convert non-datetime to Timestamp in python proto. (Original code may raise ArributeError) (protocolbuffers/protobuf@00aaca1)
• [Python] Remove float_precision from python proto json_format (protocolbuffers/protobuf@f027f1f)
• [Python] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (protocolbuffers/protobuf@b76faa9)
• [Python] Remove deprecated FieldDescriptor.label (protocolbuffers/protobuf@0a8ff55)
• [Python] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (protocolbuffers/protobuf@c301c2c)
• Protobuf News may include additional announcements or pre-announcements for upcoming changes.
• Migration Guide may include additional guidance for breaking changes.

Bazel

• Fix: cc_toolchain should prefer protoc when prebuilt flag is flipped. (#25168) (protocolbuffers/protobuf@8c857c3)
• Breaking change: Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (protocolbuffers/protobuf@0a5c2f6)
• Feat(bazel): wire up prebuilt protoc toolchain (#24115) (protocolbuffers/protobuf@cc23698)
• Migrate proto_descriptor_set (#23369) (protocolbuffers/protobuf@8d4dfdd)

Compiler

• Ruby codegen: support generation of rbs files (#15633) (protocolbuffers/protobuf@6ebdf85)
• Avoid collision name problems between a message named Xyz and a direct sibling enum named XyzView (protocolbuffers/protobuf@eba53e8)
• Generalizing and implementing ValidateFeatureSupport for both Options and Features during proto parsing (protocolbuffers/protobuf@ed3c571)
• Fix a bug with custom features outside of the pb package. (protocolbuffers/protobuf@872d3ce)
• Fix import option handling when include_imports isn't set. (protocolbuffers/protobuf@9ef9e80)
• Fix a bug in STRICT check of namespaced enums to properly check for 'reserved 1 to max' (protocolbuffers/protobuf@1229d4a)
• Prevent accidental stripping of debug_redact options via import option. (protocolbuffers/protobuf@f58b098)

C++

• Add EnumerateEnumValues function. (protocolbuffers/protobuf@397d5d9)

... (truncated)

Commits

• See full diff in compare view

Updates nltk from 3.8.2 to 3.9.3

Changelog

Sourced from nltk's changelog.

Version 3.9.3 2026-02-21

• Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
• Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
• Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
• Validate external StanfordSegmenter JARs using SHA256 (#3477)
• Add optional sandbox enforcement for filestring() (#3485)
• Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

• Update download checksums to use SHA256 in built index
• Fix percentage escape in new-style string formatting
• replace shortened URLs using goo.gl
• Make Wordnet interoperable with various taggers and tagged corpora
• Fix saving PerceptronTagger
• Document how to reproduce old Wordnet studies
• properly initialize Portuguese corpus reader
• support for mixed rules conversion into Chomsky Normal Form
• only import tkinter if a GUI is needed
• issue #2112 with Corenlp
• new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL
• Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

• Fixed bug that prevented wordnet from loading

Version 3.9 2024-08-18

• Fix security vulnerability CVE-2024-39705 (breaking change)
• Replace pickled models (punkt, chunker, taggers) by new pickle-free "_tab" packages
• No longer sort Wordnet synsets and relations (sort in calling function when required)
• Only strip the last suffix in Wordnet Morphy, thus restricting synsets() results
• Add Python 3.12 support
• Many other minor fixes

Thanks to the following contributors to 3.8.2: Tom Aarsen, Cat Lee Ball, Veralara Bernhard, Carlos Brandt, Konstantin Chernyshev, Michael Higgins, Eric Kafe, Vivek Kalyan, David Lukes, Rob Malouf, purificant, Alex Rudnick, Liling Tan, Akihiro Yamazaki.

Version 3.8.1 2023-01-02

• Resolve RCE vulnerability in localhost WordNet Browser (#3100)

... (truncated)

Commits

• 4154eb8 Merge pull request #35...

  Description has been truncated