Bump the pip group across 1 directory with 15 updates

[dependabot]

Bumps the pip group with 15 updates in the / directory:

Package	From	To
babel	2.6.0	2.9.1
certifi	2018.10.15	2023.7.22
flask	1.0.2	2.2.5
gunicorn	19.9.0	22.0.0
idna	2.7	3.7
jinja2	2.10	3.1.4
joblib	0.12.5	1.2.0
lxml	4.2.5	4.9.1
numpy	1.15.2	1.22.0
py	1.7.0	1.11.0
requests	2.20.0	2.32.2
scikit-learn	0.20.0	1.5.0
tqdm	4.27.0	4.66.3
urllib3	1.24	1.26.19
werkzeug	0.14.1	3.0.3

Updates babel from 2.6.0 to 2.9.1

Release notes

Sourced from babel's releases.

Version 2.9.1

Bugfixes

• The internal locale-data loading functions now validate the name of the locale file to be loaded and only allow files within Babel's data directory. Thank you to Chris Lyne of Tenable, Inc. for discovering the issue!

Version 2.9.0

Upcoming version support changes

• This version, Babel 2.9, is the last version of Babel to support Python 2.7, Python 3.4, and Python 3.5.

Improvements

• CLDR: Use CLDR 37 – Aarni Koskela (#734)
• Dates: Handle ZoneInfo objects in get_timezone_location, get_timezone_name - Alessio Bogon (#741)
• Numbers: Add group_separator feature in number formatting - Abdullah Javed Nesar (#726)

Bugfixes

• Dates: Correct default Format().timedelta format to 'long' to mute deprecation warnings – Aarni Koskela
• Import: Simplify iteration code in "import_cldr.py" – Felix Schwarz
• Import: Stop using deprecated ElementTree methods "getchildren()" and "getiterator()" – Felix Schwarz
• Messages: Fix unicode printing error on Python 2 without TTY. – Niklas Hambüchen
• Messages: Introduce invariant that _invalid_pofile() takes unicode line. – Niklas Hambüchen
• Tests: fix tests when using Python 3.9 – Felix Schwarz
• Tests: Remove deprecated 'sudo: false' from Travis configuration – Jon Dufresne
• Tests: Support Py.test 6.x – Aarni Koskela
• Utilities: LazyProxy: Handle AttributeError in specified func – Nikiforov Konstantin (#724)
• Utilities: Replace usage of parser.suite with ast.parse – Miro Hrončok

Documentation

• Update parse_number comments – Brad Martin (#708)
• Add iter to Catalog documentation – @​CyanNani123

Version 2.8.1

This patch version only differs from 2.8.0 in that it backports in #752.

Version 2.8.0

Improvements

• CLDR: Upgrade to CLDR 36.0 - Aarni Koskela (#679)
• Messages: Don't even open files with the "ignore" extraction method - @​sebleblanc (#678)

Bugfixes

• Numbers: Fix formatting very small decimals when quantization is disabled - Lev Lybin, @​miluChen (#662)
• Messages: Attempt to sort all messages – Mario Frasca (#651, #606)

Docs

... (truncated)

Changelog

Sourced from babel's changelog.

Version 2.9.1

Bugfixes

* The internal locale-data loading functions now validate the name of the locale file to be loaded and only
  allow files within Babel's data directory.  Thank you to Chris Lyne of Tenable, Inc. for discovering the issue!
Version 2.9.0
Upcoming version support changes

• This version, Babel 2.9, is the last version of Babel to support Python 2.7, Python 3.4, and Python 3.5.

Improvements

* CLDR: Use CLDR 37 – Aarni Koskela (:gh:`734`)
* Dates: Handle ZoneInfo objects in get_timezone_location, get_timezone_name - Alessio Bogon (:gh:`741`)
* Numbers: Add group_separator feature in number formatting - Abdullah Javed Nesar (:gh:`726`)
Bugfixes

* Dates: Correct default Format().timedelta format to 'long' to mute deprecation warnings – Aarni Koskela
* Import: Simplify iteration code in "import_cldr.py" – Felix Schwarz
* Import: Stop using deprecated ElementTree methods "getchildren()" and "getiterator()" – Felix Schwarz
* Messages: Fix unicode printing error on Python 2 without TTY. – Niklas Hambüchen
* Messages: Introduce invariant that _invalid_pofile() takes unicode line. – Niklas Hambüchen
* Tests: fix tests when using Python 3.9 – Felix Schwarz
* Tests: Remove deprecated 'sudo: false' from Travis configuration – Jon Dufresne
* Tests: Support Py.test 6.x – Aarni Koskela
* Utilities: LazyProxy: Handle AttributeError in specified func – Nikiforov Konstantin (:gh:`724`)
* Utilities: Replace usage of parser.suite with ast.parse – Miro Hrončok
Documentation

</code></pre>

<ul>

<li>Update parse_number comments – Brad Martin (:gh:<code>708</code>)</li>

<li>Add <strong>iter</strong> to Catalog documentation – <a href="https://github.com/CyanNani123&quot;&gt;&lt;code&gt;@​CyanNani123&lt;/code&gt;&lt;/a&gt;&lt;/li>

</ul>

<h2>Version 2.8.1</h2>

<p>This is solely a patch release to make running tests on Py.test 6+ possible.</p>

<p>Bugfixes</p>

<!-- raw HTML omitted -->

</blockquote>

<p>... (truncated)</p>

</details>

<details>

<summary>Commits</summary>
<ul>

<li><a href="https://github.com/python-babel/babel/commit/a99fa2474c808b51ebdabea18db871e389751559&quot;&gt;&lt;code&gt;a99fa24&lt;/code&gt;&lt;/a> Use 2.9.0's setup.py for 2.9.1</li>

<li><a href="https://github.com/python-babel/babel/commit/60b33e083801109277cb068105251e76d0b7c14e&quot;&gt;&lt;code&gt;60b33e0&lt;/code&gt;&lt;/a> Become 2.9.1</li>

<li><a href="https://github.com/python-babel/babel/commit/412015ef642bfcc0d8ba8f4d05cdbb6aac98d9b3&quot;&gt;&lt;code&gt;412015e&lt;/code&gt;&lt;/a> Merge pull request <a href="https://redirect.github.com/python-babel/babel/issues/782&quot;&gt;#782&lt;/a> from python-babel/locale-basename</li>

<li><a href="https://github.com/python-babel/babel/commit/5caf717ceca4bd235552362b4fbff88983c75d8c&quot;&gt;&lt;code&gt;5caf717&lt;/code&gt;&lt;/a> Disallow special filenames on Windows</li>

<li><a href="https://github.com/python-babel/babel/commit/3a700b5b8b53606fd98ef8294a56f9510f7290f8&quot;&gt;&lt;code&gt;3a700b5&lt;/code&gt;&lt;/a> Run locale identifiers through <code>os.path.basename()</code></li>

<li><a href="https://github.com/python-babel/babel/commit/5afe2b2f11dcdd6090c00231d342c2e9cd1bdaab&quot;&gt;&lt;code&gt;5afe2b2&lt;/code&gt;&lt;/a> Merge pull request <a href="https://redirect.github.com/python-babel/babel/issues/754&quot;&gt;#754&lt;/a> from python-babel/github-ci</li>

<li><a href="https://github.com/python-babel/babel/commit/58de8342f865df88697a4a166191e880e3c84d82&quot;&gt;&lt;code&gt;58de834&lt;/code&gt;&lt;/a> Replace Travis + Appveyor with GitHub Actions (WIP)</li>

<li><a href="https://github.com/python-babel/babel/commit/d1bbc08e845d03d8e1f0dfa0e04983d755f39cb5&quot;&gt;&lt;code&gt;d1bbc08&lt;/code&gt;&lt;/a> import_cldr: use logging; add -q option</li>

<li><a href="https://github.com/python-babel/babel/commit/156b7fb9f377ccf58c71cf01dc69fb10c7b69314&quot;&gt;&lt;code&gt;156b7fb&lt;/code&gt;&lt;/a> Quiesce CLDR download progress bar if requested (or not a TTY)</li>

<li><a href="https://github.com/python-babel/babel/commit/613dc1700f91c3d40b081948c0dd6023d8ece057&quot;&gt;&lt;code&gt;613dc17&lt;/code&gt;&lt;/a> Make the import warnings about unsupported number systems less verbose</li>

<li>Additional commits viewable in <a href="https://github.com/python-babel/babel/compare/v2.6.0...v2.9.1&quot;&gt;compare view</a></li>

</ul>

</details>
<br />


Updates certifi from 2018.10.15 to 2023.7.22

Commits

8fb96ed 2023.07.22
afe7722 Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)
2038739 Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)
44df761 Hash pin Actions and enable dependabot (#228)
8b3d7ba 2023.05.07
53da240 ci: Add Python 3.12-dev to the testing (#224)
c2fc3b1 Create a Security Policy (#222)
c211ef4 Set up permissions to github workflows (#218)
2087de5 Don't let deprecation warning fail CI (#219)
e0b9fc5 remove paragraphs about 1024-bit roots from README
Additional commits viewable in compare view




Updates flask from 1.0.2 to 2.2.5

Release notes
Sourced from flask's releases.

2.2.5
This is a security fix release for the 2.2.x release branch. Note that 2.3.x is the currently supported release branch; please upgrade to the latest version if possible.

Security advisory: https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq, CVE-2023-30861
Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-5
Milestone: https://github.com/pallets/flask/milestone/30?closed=1

2.2.4
This is a fix release for the 2.2.x release branch.

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-4
Milestone: https://github.com/pallets/flask/milestone/27?closed=1

2.2.3
This is a fix release for the 2.2.x release branch.

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-3
Milestone: https://github.com/pallets/flask/milestone/26?closed=1

2.2.2
This is a fix release for the 2.2.0 feature release.

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-2
Milestone: https://github.com/pallets/flask/milestone/25?closed=1

2.2.1
This is a fix release for the 2.2.0 feature release.

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-1
Milestone: https://github.com/pallets/flask/milestone/23?closed=1

2.2.0
This is a feature release, which includes new features and removes previously deprecated code. The 2.2.x branch is now the supported bug fix branch, the 2.1.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades.

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-0
Milestone: https://github.com/pallets/flask/milestone/19?closed=1

2.1.3

Changes: https://flask.palletsprojects.com/en/2.1.x/changes/#version-2-1-3
Milestone: https://github.com/pallets/flask/milestone/22?closed=1

2.1.2
This is a fix release for the 2.1.0 feature release.

Changes: https://flask.palletsprojects.com/en/2.1.x/changes/#version-2-1-2
Milestone: https://github.com/pallets/flask/milestone/21?closed=1

2.1.1
This is a fix release for the 2.1.0 feature release.


... (truncated)


Changelog
Sourced from flask's changelog.

Version 2.2.5
Released 2023-05-02

Update for compatibility with Werkzeug 2.3.3.
Set Vary: Cookie header when the session is accessed, modified, or refreshed.

Version 2.2.4
Released 2023-04-25

Update for compatibility with Werkzeug 2.3.

Version 2.2.3
Released 2023-02-15

Autoescape is enabled by default for .svg template files. :issue:4831
Fix the type of template_folder to accept pathlib.Path. :issue:4892
Add --debug option to the flask run command. :issue:4777

Version 2.2.2
Released 2022-08-08

Update Werkzeug dependency to >= 2.2.2. This includes fixes related
to the new faster router, header parsing, and the development
server. :pr:4754
Fix the default value for app.env to be "production". This
attribute remains deprecated. :issue:4740

Version 2.2.1
Released 2022-08-03

Setting or accessing json_encoder or json_decoder raises a
deprecation warning. :issue:4732

Version 2.2.0


... (truncated)


Commits

47af817 release version 2.2.5
afd63b1 Merge pull request #5109 from pallets/backport-vary-cookie
8646edc set Vary: Cookie header consistently for session
a6367da Merge pull request #5108 from pallets/werkzeug-compat
3fbfbad werkzeug 2.3.3 compatibility
726d3f4 start version 2.2.5
ddc7acc Merge pull request #5081 from pallets/release-2.2.4
74e0329 release version 2.2.4
2d46068 update dev env
64bc458 update dev dependencies
Additional commits viewable in compare view




Updates gunicorn from 19.9.0 to 22.0.0

Release notes
Sourced from gunicorn's releases.

Gunicorn 22.0 has been released
Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.
Changes:
22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

fix CVE-2024-1135



Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released
Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.
Changes:
21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle .
</tr></table> 


... (truncated)


Commits

f63d59e bump to 22.0
4ac81e0 Merge pull request #3175 from e-kwsm/typo
401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
0243ec3 fix(deps): exclude eventlet 0.36.0
628a0bc chore: fix typos
88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
deae2fc CI: back off the agressive timeout
f470382 docs: promise 3.12 compat
5e30bfa add changelog to project.urls (updated for PEP621)
481c3f9 remove setup.cfg - overridden by pyproject.toml
Additional commits viewable in compare view




Updates idna from 2.7 to 3.7

Release notes
Sourced from idna's releases.

v3.7
What's Changed

Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.
Full Changelog: https://github.com/kjd/idna/compare/v3.6...v3.7



Changelog
Sourced from idna's changelog.

3.7 (2024-04-11)
++++++++++++++++

Fix issue where specially crafted inputs to encode() could
take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.
3.6 (2023-11-25)
++++++++++++++++

Fix regression to include tests in source distribution.

3.5 (2023-11-24)
++++++++++++++++

Update to Unicode 15.1.0
String codec name is now "idna2008" as overriding the system codec
"idna" was not working.
Fix typing error for codec encoding
"setup.cfg" has been added for this release due to some downstream
lack of adherence to PEP 517. Should be removed in a future release
so please prepare accordingly.
Removed reliance on a symlink for the "idna-data" tool to comport
with PEP 517 and the Python Packaging User Guide for sdist archives.
Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions
to this release.
3.4 (2022-09-14)
++++++++++++++++

Update to Unicode 15.0.0
Migrate to pyproject.toml for build information (PEP 621)
Correct another instance where generic exception was raised instead of
IDNAError for malformed input
Source distribution uses zeroized file ownership for improved
reproducibility

Thanks to Seth Michael Larson for contributions to this release.
3.3 (2021-10-13)
++++++++++++++++

Update to Unicode 14.0.0
Update to in-line type annotations
Throw IDNAError exception correctly for some malformed input
Advertise support for Python 3.10
Improve testing regime on Github



... (truncated)


Commits

1d365e1 Release v3.7
c1b3154 Merge pull request #172 from kjd/optimize-contextj
0394ec7 Merge branch 'master' into optimize-contextj
cd58a23 Merge pull request #152 from elliotwutingfeng/dev
5beb28b More efficient resolution of joiner contexts
1b12148 Update ossf/scorecard-action to v2.3.1
d516b87 Update Github actions/checkout to v4
c095c75 Merge branch 'master' into dev
60a0a4c Fix typo in GitHub Actions workflow key
5918a0e Merge branch 'master' into dev
Additional commits viewable in compare view




Updates jinja2 from 2.10 to 3.1.4

Release notes
Sourced from jinja2's releases.

3.1.4
This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.
PyPI: https://pypi.org/project/Jinja2/3.1.4/
Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

3.1.3
This is a fix release for the 3.1.x feature branch.

Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.
Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-3
Milestone: https://github.com/pallets/jinja/milestone/15?closed=1

3.1.2
This is a fix release for the 3.1.0 feature release.

Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-2
Milestone: https://github.com/pallets/jinja/milestone/13?closed=1

3.1.1

Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-1
Milestone: https://github.com/pallets/jinja/milestone/12?closed=1

3.1.0
This is a feature release, which includes new features and removes previously deprecated features. The 3.1.x branch is now the supported bugfix branch, the 3.0.x branch has become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. We also encourage upgrading to MarkupSafe 2.1.1, the latest version at this time.

Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-0
Milestone: https://github.com/pallets/jinja/milestone/8?closed=1
MarkupSafe changes: https://markupsafe.palletsprojects.com/en/2.1.x/changes/#version-2-1-1

3.0.3

Changes: https://jinja.palletsprojects.com/en/3.0.x/changes/#version-3-0-3

3.0.2

Changes: https://jinja.palletsprojects.com/en/3.0.x/changes/#version-3-0-2

3.0.1

Changes: https://jinja.palletsprojects.com/en/3.0.x/changes/#version-3-0-1

3.0.0
New major versions of all the core Pallets libraries, including Jinja 3.0, have been released! :tada:

Read the announcement on our blog: https://palletsprojects.com/blog/flask-2-0-released/
Read the full list of changes: https://jinja.palletsprojects.com/changes/#version-3-0-0
Retweet the announcement on Twitter: https://twitter.com/PalletsTeam/status/1392266507296514048
Follow our blog, Twitter, or GitHub to see future announcements.

This represents a significant amount of work, and there are quite a few changes. Be sure to carefully read the changelog, and use tools such as pip-compile and Dependabot to pin your dependencies and control your updates.


... (truncated)


Changelog
Sourced from jinja2's changelog.

Version 3.1.4
Released 2024-05-05

The xmlattr filter does not allow keys with / solidus, >
greater-than sign, or = equals sign, in addition to disallowing spaces.
Regardless of any validation done by Jinja, user input should never be used
as keys to this filter, or must be separately validated first.
:ghsa:h75v-3vvj-5mfj

Version 3.1.3
Released 2024-01-10

Fix compiler error when checking if required blocks in parent templates are
empty. :pr:1858
xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
Make error messages stemming from invalid nesting of {% trans %} blocks
more helpful. :pr:1918

Version 3.1.2
Released 2022-04-28

Add parameters to Environment.overlay to match __init__.
:issue:1645
Handle race condition in FileSystemBytecodeCache. :issue:1654

Version 3.1.1
Released 2022-03-25

The template filename on Windows uses the primary path separator.
:issue:1637

Version 3.1.0
Released 2022-03-24

Drop support for Python 3.6. :pr:1534
Remove previously deprecated code. :pr:1544



... (truncated)


Commits

dd4a8b5 release version 3.1.4
0668239 Merge pull request from GHSA-h75v-3vvj-5mfj
d655030 disallow invalid characters in keys to xmlattr filter
a7863ba add ghsa links
b5c98e7 start version 3.1.4
da3a9f0 update project files (#1968)
0ee5eb4 satisfy formatter, linter, and strict mypy
20477c6 update project files (#5457)
e491223 update pyyaml dev dependency
36f9885 fix pr link
Additional commits viewable in compare view




Updates joblib from 0.12.5 to 1.2.0

Changelog
Sourced from joblib's changelog.

Release 1.2.0


Fix a security issue where eval(pre_dispatch) could potentially run
arbitrary code. Now only basic numerics are supported.
joblib/joblib#1327


Make sure that joblib works even when multiprocessing is not available,
for instance with Pyodide
joblib/joblib#1256


Avoid unnecessary warnings when workers and main process delete
the temporary memmap folder contents concurrently.
joblib/joblib#1263


Fix memory alignment bug for pickles containing numpy arrays.
This is especially important when loading the pickle with
mmap_mode != None as the resulting numpy.memmap object
would not be able to correct the misalignment without performing
a memory copy.
This bug would cause invalid computation and segmentation faults
with native code that would directly access the underlying data
buffer of a numpy array, for instance C/C++/Cython code compiled
with older GCC versions or some old OpenBLAS written in platform
specific assembly.
joblib/joblib#1254


Vendor cloudpickle 2.2.0 which adds support for PyPy 3.8+.


Vendor loky 3.3.0 which fixes several bugs including:


robustly forcibly terminating worker processes in case of a crash
(joblib/joblib#1269);


avoiding leaking worker processes in case of nested loky parallel
calls;


reliability spawn the correct number of reusable workers.




Release 1.1.1

Fix a security issue where eval(pre_dispatch) could potentially run
arbitrary code. Now only basic numerics are supported.
joblib/joblib#1327

Release 1.1.0

Fix byte order inconsistency issue during deserialization using joblib.load



... (truncated)


Commits

5991350 Release 1.2.0
3fa2188 MAINT cleanup numpy warnings related to np.matrix in tests (#1340)
cea26ff CI test the future loky-3.3.0 branch (#1338)
8aca6f4 MAINT: remove pytest.warns(None) warnings in pytest 7 (#1264)
067ed4f XFAIL test_child_raises_parent_exits_cleanly with multiprocessing (#1339)
ac4ebd5 MAINT add back pytest warnings plugin (#1337)
a23427d Test child raises parent exits cleanly more reliable on macos (#1335)
ac09691 [MAINT] various test updates (#1334)
4a314b1 Vendor loky 3.2.0 (#1333)
bdf47e9 Make test_parallel_with_interactively_defined_functions_default_backend timeo...
Additional commits viewable in compare view




Updates lxml from 4.2.5 to 4.9.1

Changelog
Sourced from lxml's changelog.

4.9.1 (2022-07-01)
Bugs fixed

A crash was resolved when using iterwalk() (or canonicalize())
after parsing certain incorrect input.  Note that iterwalk() can crash
on valid input parsed with the same parser after failing to parse the
incorrect input.

4.9.0 (2022-06-01)
Bugs fixed

GH#341: The mixin inheritance order in lxml.html was corrected.
Patch by xmo-odoo.

Other changes


Built with Cython 0.29.30 to adapt to changes in Python 3.11 and 3.12.


Wheels include zlib 1.2.12, libxml2 2.9.14 and libxslt 1.1.35
(libxml2 2.9.12+ and libxslt 1.1.34 on Windows).


GH#343: Windows-AArch64 build support in Visual Studio.
Patch by Steve Dower.


4.8.0 (2022-02-17)
Features added


GH#337: Path-like objects are now supported throughout the API instead of just strings.
Patch by Henning Janssen.


The ElementMaker now supports QName values as tags, which always override
the default namespace of the factory.


Bugs fixed

GH#338: In lxml.objectify, the XSI float annotation "nan" and "inf" were spelled in
lower case, whereas XML Schema datatypes define them as "NaN" and "INF" respectively.



... (truncated)


Commits

d01872c Prevent parse failure in new test from leaking into later test runs.
d65e632 Prepare release of lxml 4.9.1.
86368e9 Fix a crash when incorrect parser input occurs together with usages of iterwa...
50c2764 Delete unused Travis CI config and reference in docs (GH-345)
8f0bf2d Try to speed up the musllinux AArch64 build by splitting the different CPytho...
b9f7074 Remove debug print from test.
b224e0f Try to install 'xz' in wheel builds, if available, since it's now needed to e...
897ebfa Update macOS deployment target version from 10.14 to 10.15 since 10.14 starts...
853c9e9 Prepare release of 4.9.0.
d3f77e6 Add a test for https://bugs.launchpad.net/lxml/+bug/1965070 leaving out the a...
Additional commits viewable in compare view




Updates numpy from 1.15.2 to 1.22.0

Release notes
Sourced from numpy's releases.

v1.22.0
NumPy 1.22.0 Release Notes
NumPy 1.22.0 is a big release featuring the work of 153 contributors
spread over 609 pull requests. There have been many improvements,
highlights are:

Annotations of the main namespace are essentially complete. Upstream
is a moving target, so there will likely be further improvements,
but the major work is done. This is probably the most user visible
enhancement in this release.
A preliminary version of the proposed Array-API is provided. This is
a step in creating a standard collection of functions that can be
used across application such as CuPy and JAX.
NumPy now has a DLPack backend. DLPack provides a common interchange
format for array (tensor) data.
New methods for quantile, percentile, and related functions. The
new methods provide a complete set of the methods commonly found in
the literature.
A new configurable allocator for use by downstream projects.

These are in addition to the ongoing work to provide SIMD support for
commonly used functions, improvements to F2PY, and better documentation.
The Python versions supported in this release are 3.8-3.10, Python 3.7
has been dropped. Note that 32 bit wheels are only provided for Python
3.8 and 3.9 on Windows, all other wheels are 64 bits on account of
Ubuntu, Fedora, and other Linux distributions dropping 32 bit support.
All 64 bit wheels are also linked with 64 bit integer OpenBLAS, which should fix
the occasional problems encountered by folks using truly huge arrays.
Expired deprecations
Deprecated numeric style dtype strings have been removed
Using the strings "Bytes0", "Datetime64", "Str0", "Uint32",
and "Uint64" as a dtype will now raise a TypeError.
(gh-19539)
Expired deprecations for loads, ndfromtxt, and mafromtxt in npyio
numpy.loads was deprecated in v1.15, with the recommendation that
users use pickle.loads instead. ndfromtxt and mafromtxt were both
deprecated in v1.17 - users should use numpy.genfromtxt instead with
the appropriate value for the usemask parameter.
(gh-19615)


... (truncated)


Commits

4adc87d Merge pull request #20685 from charris/prepare-for-1.22.0-release
fd66547 REL: Prepare for the NumPy 1.22.0 release.
125304b wip
c283859 Merge pull request #20682 from charris/backport-20416
5399c03 Merge pull request #20681 from charris/backport-20954
f9c45f8 Merge pull request #20680 from charris/backport-20663
794b36f Update armccompiler.py
d93b14e Update test_public_api.py
7662c07 Update init.py
311ab52 Update armccompiler.py
Additional commits viewable in compare view




Updates py from 1.7.0 to 1.11.0

Changelog
Sourced from py's changelog.

1.11.0 (2021-11-04)

Support Python 3.11
Support NO_COLOR environment variable
Update vendored apipkg: 1.5 => 2.0

1.10.0 (2020-12-12)

Fix a regular expression DoS vulnerability in the py.path.svnwc SVN blame functionality (CVE-2020-29651)
Update vendored apipkg: 1.4 => 1.5
Update vendored iniconfig: 1.0.0 => 1.1.1

1.9.0 (2020-06-24)


Add type annotation stubs for the following modules:

py.error
py.iniconfig
py.path (not including SVN paths)
py.io
py.xml

There are no plans to type other modules at this time.
The type annotations are provided in external .pyi files, not inline in the
code, and may therefore contain small errors or omissions. If you use py
in conjunction with a type checker, and encounter any type errors you believe
should be accepted, please report it in an issue.


1.8.2 (2020-06-15)

On Windows, py.path.locals which differ only in case now have the same
Python hash value. Previously, such paths were considered equal but had
different hashes, which is not allowed and breaks the assumptions made by
dicts, sets and other users of hashes.

1.8.1 (2019-12-27)


Handle FileNotFoundError when trying to import pathlib in path.common
on Python 3.4 (#207).


py.path.local.samefile now works correctly in Python 3 on Windows when dealing with symlinks.


1.8.0 (2019-02-21)


... (truncated)


Commits

447bac5 Update CHANGELOG.rst
6d003d9 Update CHANGELOG.rst
9cf613f Declare support for Python 3.8-3.10
d831150 Update python_requires: Python 3.4 was already dropped
e68532e Update CHANGELOG for 1.11.0
2f03e5a Merge pull request #258 from blueyed/NO_COLOR
e116b2b Merge pull request #275 from pytest-dev/upgrade-vendor-libs
f3a1a59 remove build pin again
f6cbf28 try to use pipx tox
3fe9ad7 try to use preinstalled tox
Additional commits viewable in compare view




Updates requests from 2.20.0 to 2.32.2

Release notes
Sourced from requests's releases.

v2.32.2
2.32.2 (2024-05-21)
Deprecations


To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed _get_connection to
a new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of Requests>=2.32.0.
A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)


v2.32.1
2.32.1 (2024-05-20)
Bugfixes

Add missing test certs to the sdist distributed on PyPI.

v2.32.0
2.32.0 (2024-05-20)
🐍 PYCON US 2024 EDITION 🐍
Security

Fixed an issue where setting verify=False on the first request from a
Session will cause subsequent requests to the same origin to also ignore
cert verification, regardless of the value of verify.
(https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

Improvements

verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)
Requests now supports optional use of character detection
(chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)

Bugfixes

Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (#6589)
Fixed deserialization bug in JSONDecodeError. (#6629)
Fixed bug where an extra leading / (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)



... (truncated)


Changelog
Sourced from requests's changelog.

2.32.2 (2024-05-21)
Deprecations


To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed _get_connection to
a new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of Requests>=2.32.0.
A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)


2.32.1 (2024-05-20)
Bugfixes

Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)
Security

Fixed an issue where setting verify=False on the first request from a
Session will cause subsequent requests to the same origin to also ignore
cert verification, regardless of the value of verify.
(https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

Improvements

verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)
Requests now supports optional use of character detection
(chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)

Bugfixes

Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (#6589)
Fixed deserialization bug in JSONDecodeError. (#6629)
Fixed bug where an extra leading / (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations


... (truncated)


Commits

88dce9d v2.32.2
c98e4d1 Merge pull request #6710 from nateprewitt/api_rename
92075b3 Add deprecation warning
aa1461b Move _get_connection to get_connection_with_tls_context
970e8ce v2.32.1
d6ebc4a v2.32.0
9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
555b870 Allow character detection dependencies to be optional in post-packaging steps
d6dded3 Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test
Additional commits viewable in compare view




Updates scikit-learn from 0.20.0 to 1.5.0

Release notes
Sourced from scikit-learn's releases.

Scikit-learn 1.5.0
We're happy to announce the 1.5.0 release.
You can read the release highlights under https://scikit-learn.org/stable/auto_examples/release_highlights/plot_release_highlights_1_5_0.html and the long version of the change log under https://scikit-le...
Description has been truncated