Bump the all-pip-updates group across 3 directories with 14 updates

[dependabot]

Warning

Dependabot will stop supporting python v3.9!

Please upgrade to one of the following versions: v3.9, v3.10, v3.11, v3.12, v3.13, or v3.14.

Updates the requirements on cryptography, packaging, pymssql, pyopenssl, urllib3, virtualenv, filelock, pylint, boto3, pynacl, vcert, xmldiff, pygit2 and python-telegram-bot to permit the latest version.
Updates cryptography to 49.0.0

Changelog

Sourced from cryptography's changelog.

49.0.0 - 2026-06-12

* **BACKWARDS INCOMPATIBLE:** Support for ``x86_64`` macOS has been removed.
  We now only publish ``arm64`` wheels for macOS.
* **BACKWARDS INCOMPATIBLE:** Support for 32-bit Windows has been removed.
  Users should move to a 64-bit Python installation.
* **BACKWARDS INCOMPATIBLE:** Removed the deprecated
  ``PUBLIC_KEY_TYPES``, ``PRIVATE_KEY_TYPES``,
  ``CERTIFICATE_PRIVATE_KEY_TYPES``, ``CERTIFICATE_ISSUER_PUBLIC_KEY_TYPES``,
  and ``CERTIFICATE_PUBLIC_KEY_TYPES`` type aliases. Use
  ``PublicKeyTypes``, ``PrivateKeyTypes``, ``CertificateIssuerPrivateKeyTypes``,
  ``CertificateIssuerPublicKeyTypes``, and ``CertificatePublicKeyTypes``
  instead. These were deprecated in version 40.0.
* **BACKWARDS INCOMPATIBLE:** :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`
  now treats the first 4 bytes of the ``nonce`` as a 32-bit little-endian block
  counter (as defined in :rfc:`7539`) and tracks the number of bytes processed.
  Attempting to encrypt or decrypt more data than the counter allows before it
  would overflow now raises a :class:`ValueError` rather than silently diverging
  from RFC 7539. Setting the counter portion of the ``nonce`` to zero allows
  encrypting up to 256 GiB with a given nonce.
* **BACKWARDS INCOMPATIBLE:** Loading an X.509 certificate whose ECDSA or DSA
  signature ``AlgorithmIdentifier`` contains encoded NULL parameters now raises
  a :class:`ValueError`. Such certificates are invalid, but older versions of
  Java emitted them; previously they loaded with a deprecation warning.
* Fixed cross-compilation of the CFFI bindings when ``PYO3_CROSS_LIB_DIR``
  is set. The build now derives the Python include directory from
  ``PYO3_CROSS_LIB_DIR`` instead of querying the host interpreter, which
  previously caused the build to fail during cross-compilations for embedded
  systems, on hosts which have same-version Python development headers
  installed as the target Python.
* Added support for signing and verifying X.509 certificates, certificate
  signing requests, and certificate revocation lists with
  :doc:`/hazmat/primitives/asymmetric/mldsa` keys, as well as loading
  certificates that contain ML-DSA public keys.
* Added :meth:`~cryptography.hazmat.primitives.hpke.KEM.enc_length` to
  :class:`~cryptography.hazmat.primitives.hpke.KEM` so callers can split the
  encapsulated key from the ciphertext returned by
  :meth:`~cryptography.hazmat.primitives.hpke.Suite.encrypt`.
* :meth:`~cryptography.x509.verification.ExtensionPolicy.require_present`,
  :meth:`~cryptography.x509.verification.ExtensionPolicy.may_be_present`, and
  :meth:`~cryptography.x509.verification.ExtensionPolicy.require_not_present`
  now accept any extension type. Previously only a fixed set of extension
  types was supported, which made it impossible to account for otherwise
  unrecognized critical extensions during path validation.
* Added support for using :class:`~cryptography.x509.Certificate`,
  :class:`~cryptography.x509.CertificateSigningRequest`, and
  :class:`~cryptography.x509.CertificateRevocationList` as field types in
  :doc:`/hazmat/asn1/index` structures.
* Added :func:`~cryptography.hazmat.asn1.value_set`, a class decorator that
</tr></table> 

... (truncated)

Commits

• e300bbe bump version and changelog for 49.0.0 (#15030)
• fa74cd8 Add external mu (message representative) support for ML-DSA (#14979)
• f594db3 chore(deps): bump openssl from 0.10.80 to 0.10.81 (#15029)
• 608e011 chore(deps): bump openssl-sys from 0.9.116 to 0.9.117 (#15028)
• a322bc4 chore(deps): bump cc from 1.2.63 to 1.2.64 (#15027)
• 33181a7 Reject critical nameConstraints extensions containing directoryName constrain...
• 6080dc7 Bump dependencies that dependabot isn't (#15026)
• 121faa3 chore(deps): bump virtualenv from 21.4.2 to 21.4.3 (#15023)
• 829520b Add more robust processing for DH parameters. (#15016)
• 0f05001 Bump downstream dependencies in CI (#15025)
• Additional commits viewable in compare view

Updates packaging from 24.0 to 26.2

Release notes

Sourced from packaging's releases.

26.2

What's Changed

Fixes:

• Fix incorrect sysconfig var name for pyemscripten by @​ryanking13 in pypa/packaging#1160
• Make Version, Specifier, SpecifierSet, Tag, Marker, and Requirement pickle-safe and backward-compatible with pickles created in 25.0-26.1 (including references to the removed packaging._structures module) by @​eachimei and @​henryiii in pypa/packaging#1163, pypa/packaging#1168, pypa/packaging#1170, and pypa/packaging#1171
• fix: re-export ExceptionGroup for now by @​henryiii in pypa/packaging#1164

Documentation:

• docs: add errors section and fix missing details by @​henryiii in pypa/packaging#1159
• docs(dev): document property-based test suite by @​r266-tech in pypa/packaging#1167
• Fix typo in DirectUrl documentation by @​sbidoul in pypa/packaging#1169
• docs(specifiers): add is_unsatisfiable() usage example by @​r266-tech in pypa/packaging#1166

Internal:

• Enable the auditor persona on zizmor by @​henryiii in pypa/packaging#1158
• Test new pickle guarantees by @​henryiii in pypa/packaging#1174
• Use native uv integration in rtd by @​henryiii in pypa/packaging#1175

New Contributors

• @​ryanking13 made their first contribution in pypa/packaging#1160
• @​eachimei made their first contribution in pypa/packaging#1163

Full Changelog: pypa/packaging@26.1...26.2

26.1

Features:

• PEP 783: add handling for Emscripten wheel tags by @​hoodmane in pypa/packaging#804 (old name used in implementation, will be fixed in next release)
• PEP 803: add handling for the abi3.abi3t free-threading tag by @​ngoldbaum in pypa/packaging#1099
• PEP 723: add packaging.dependency_groups module, based on the dependency-groups package by @​sirosen in pypa/packaging#1065
• Add the packaging.direct_url module by @​sbidoul in pypa/packaging#944
• Add the packaging.errors module by @​henryiii in pypa/packaging#1071
• Add SpecifierSet.is_unsatisfiable using ranges (new internals that will be expanded in future versions) by @​notatallshaw in pypa/packaging#1119
• Add create_compatible_tags_selector to select compatible tags by @​sbidoul in pypa/packaging#1110
• Add a key argument to SpecifierSet.filter() by @​frostming in pypa/packaging#1068
• Support & and | for Marker's by @​henryiii in pypa/packaging#1146
• Normalize Version.__replace__ and add Version.from_parts by @​henryiii in pypa/packaging#1078
• Add an option to validate compressed tag set sort order in parse_wheel_filename by @​r266-tech in pypa/packaging#1150

Behavior adaptations:

• Narrow exclusion of pre-releases for <V.postN to match spec by @​notatallshaw in pypa/packaging#1140

... (truncated)

Changelog

Sourced from packaging's changelog.

26.2 - 2026-04-24

Fixes:

Fix incorrect sysconfig var name for pyemscripten in (:pull:1160)
Make Version, Specifier, SpecifierSet, Tag, Marker, and Requirement pickle-safe

and backward-compatible with pickles created in 25.0-26.1 (including references to the removed

packaging._structures module) (:pull:1163, :pull:1168, :pull:1170, :pull:1171)
Re-export ExceptionGroup in metadata for now in (:pull:1164)

Documentation:

Add errors section and fix missing details in (:pull:1159)
Document our property-based test suite in (:pull:1167)
Fix a DirectUrl typo in (:pull:1169)
Add example of is_unsatisfiable in (:pull:1166)

Internal:

Enable the auditor persona on zizmor in (:pull:1158)
Test new pickle guarantees in (:pull:1174)
Use new native ReadTheDocs uv integration in (:pull:1175)

26.1 - 2026-04-14

Features:

• PEP 783: add handling for Emscripten wheel tags in (:pull:804) (old name used in implementation, fixed in next release)
• PEP 803: add handling for the abi3.abi3t free-threading tag in (:pull:1099)
• PEP 735: add packaging.dependency_groups module, based on the dependency-groups package in (:pull:1065)
• Add the packaging.direct_url module in (:pull:944)
• Add the packaging.errors module in (:pull:1071)
• Add SpecifierSet.is_unsatisfiable using ranges (new internals that will be expanded in future versions) in (:pull:1119)
• Add create_compatible_tags_selector to select compatible tags in (:pull:1110)
• Add a key argument to SpecifierSet.filter() in (:pull:1068)
• Support & and | for Marker's in (:pull:1146)
• Normalize Version.__replace__ and add Version.from_parts in (:pull:1078)
• Add an option to validate compressed tag set sort order in parse_wheel_filename in (:pull:1150)

Behavior adaptations:

• Narrow exclusion of pre-releases for <V.postN to match spec in (:pull:1140)
• Narrow exclusion of post-releases for >V to match spec in (:pull:1141)
• Rename format_full_version to _format_full_version to make it visibly private in (:pull:1125)
• Restrict local version to ASCII in (:pull:1102)

Pylock (PEP 751) updates:

... (truncated)

Commits

• 84a87ee Bump for release
• 4a616b6 docs: a few more updates to prepare for 26.2 (#1176)
• 9de6f44 ci: use native uv integration in rtd (#1175)
• bc76e14 chore: update changelog for 26.2 (#1161)
• 3f00091 tests: add a pickle check (#1174)
• 48a8a06 fix: make Requirements/Markers pickle-safe (#1171)
• 823b44e fix: make Tags pickle-safe (#1170)
• 4bed32d fix: make Specifier / SpecifierSet pickle-safe (#1168)
• 963118e fix: re-export ExceptionGroup for now (#1164)
• 66e34a8 docs(specifiers): add is_unsatisfiable() usage example (#1166)
• Additional commits viewable in compare view

Updates pymssql from 2.3.11 to 2.3.13

Release notes

Sourced from pymssql's releases.

pymssql 2.0 greenish

Experimental support for greening for gevent, etc.

Changelog

Sourced from pymssql's changelog.

Version 2.3.13 - 2026-02-13 - Mikhail Terekhov

General

• Fix type stubs with generics, overloads, and corrected types, thanks to jacks0n.

Version 2.3.12 - 2026-02-10 - Mikhail Terekhov

General

• Update manylinux base image to manylinux_2_28 to fix CVE-2023-0464, thanks to grgalex@ba.uoa.gr.

Commits

• a93c1a3 Update ChangeLog.rst.
• 7611ce1 Fix type stubs with generics, overloads, and corrected types
• 0c7d84d Update psutil requirement from <7.2.2 to <7.2.3
• ceef1d4 Update ChangeLog.rst.
• 5b8cdc0 Use manylinux_2_28 to solve CVE-2023-0464.
• 923370e Bump pypa/cibuildwheel from 3.3.0 to 3.3.1
• See full diff in compare view

Updates pyopenssl to 26.3.0

Changelog

Sourced from pyopenssl's changelog.

26.3.0 (2026-06-12)

Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Dropped support for Python 3.8.
• The minimum cryptography version is now 49.0.0.
• Removed deprecated OpenSSL.crypto.X509Req, OpenSSL.crypto.dump_certificate_request, and OpenSSL.crypto.load_certificate_request. cryptography.x509 should be used instead.
• OpenSSL.SSL.Connection.set_session now raises ValueError if the Session was obtained from a Connection that was using a different Context than this one. OpenSSL requires (but does not verify) that sessions only be re-used with a compatible SSL_CTX, so this contract is now enforced.

Deprecations: ^^^^^^^^^^^^^

• Deprecated OpenSSL.crypto.PKey.generate_key and OpenSSL.crypto.PKey.check. The key generation and loading APIs in cryptography should be used instead.
• Deprecated OpenSSL.crypto.dump_privatekey. The serialization APIs on cryptography private key types should be used instead.
• Deprecated all the mutable APIs on OpenSSL.crypto.X509: set_version, set_pubkey, sign, set_serial_number, gmtime_adj_notAfter, gmtime_adj_notBefore, set_notBefore, set_notAfter, set_issuer, and set_subject. cryptography.x509.CertificateBuilder should be used instead.
• Deprecated OpenSSL.SSL.Context.set_passwd_cb. Users should decrypt and load their private keys themselves, with cryptography's key loading APIs, and then call OpenSSL.SSL.Context.use_privatekey.
• Deprecated OpenSSL.crypto.X509Name, as well as the remaining APIs that consume or return it: OpenSSL.crypto.X509.get_issuer, OpenSSL.crypto.X509.get_subject, and OpenSSL.SSL.Context.set_client_ca_list. The APIs in cryptography.x509 should be used instead.

Changes: ^^^^^^^^

• OpenSSL.SSL.Connection.get_client_ca_list now takes an as_cryptography keyword-argument. When True is passed then cryptography.x509.Name are returned, instead of OpenSSL.crypto.X509Name. In the future, passing False (the default) will be deprecated.

26.2.0 (2026-05-04)

Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Removed deprecated OpenSSL.crypto.X509Extension, OpenSSL.crypto.X509Req.add_extension, OpenSSL.crypto.X509Req.get_extensions, OpenSSL.crypto.X509.add_extension, OpenSSL.crypto.X509.get_extensions. cryptography.x509 should be used instead.
• It is now an error to calling any mutating method on OpenSSL.SSL.Context after it has been used to create a Connection. This was previously deprecated and has always been unsafe.

Deprecations: ^^^^^^^^^^^^^

Changes: ^^^^^^^^

• Maximum supported cryptography version is now 48.x.
• Added OpenSSL.SSL.Connection.set_options to set options on a per-connection basis.

26.1.0 (2026-04-24)

Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

... (truncated)

Commits

• a34aa1d Prepare 26.3.0 release (#1515)
• 24db880 Deprecate X509Name and the remaining APIs that consume or return it (#1514)
• 1dc08be Add as_cryptography parameter to Connection.get_client_ca_list (#1508)
• 55653a5 Require cryptography 49, drop Python 3.8 (#1513)
• 9bad760 Remove deprecated CSR functionality (#1507)
• 98ca874 Enforce that Session is only re-used with the Context it came from (#1512)
• cbcb1da Deprecate Context.set_passwd_cb (#1511)
• 3b9d07d Deprecate all the mutable APIs on X509 (#1510)
• e096920 Deprecate PKey.generate_key, PKey.check, and dump_privatekey (#1509)
• 7079d6d Fix zizmor findings in GitHub Actions workflows (#1506)
• Additional commits viewable in compare view

Updates urllib3 to 2.6.3

Release notes

Sourced from urllib3's releases.

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by @​D47A, 8.9 High, GHSA-38jv-5279-wg99)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. (urllib3/urllib3#3743)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. (urllib3/urllib3#3752)

Changelog

Sourced from urllib3's changelog.

2.6.3 (2026-01-07)

• Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. ([#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743>__)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. ([#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752>__)

2.6.2 (2025-12-11)

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. ([#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734>__)

2.6.1 (2025-12-08)

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. ([#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731>__)

2.6.0 (2025-12-05)

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using

... (truncated)

Commits

• 0248277 Release 2.6.3
• 8864ac4 Merge commit from fork
• 70cecb2 Fix Scorecard issues related to vulnerable dev dependencies (#3755)
• 41f249a Move "v2.0 Migration Guide" to the end of the table of contents (#3747)
• fd4dffd Patch VerifiedHTTPSConnection for Emscripten (#3752)
• 13f0bfd Handle massive values in Retry-After when calculating time to sleep for (#3743)
• 8c480bf Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#3748)
• 4b40616 Bump actions/cache from 4.3.0 to 5.0.1 (#3750)
• 82b8479 Bump actions/download-artifact from 6.0.0 to 7.0.0 (#3749)
• 34284cb Mention experimental features in the security policy (#3746)
• Additional commits viewable in compare view

Updates virtualenv to 21.5.0

Release notes

Sourced from virtualenv's releases.

21.5.0

What's Changed

• Set git identity in upgrade changelog rename step by @​gaborbernat in pypa/virtualenv#3169
• Upgrade embedded pip/setuptools/wheel by @​github-actions[bot] in pypa/virtualenv#3168
• ✨ feat: drop Python 3.8 support by @​gaborbernat in pypa/virtualenv#3170

Full Changelog: pypa/virtualenv@21.4.3...21.5.0

Changelog

Sourced from virtualenv's changelog.

Features - 21.5.0

• Drop support for Python 3.8; virtualenv now requires Python 3.9 or later to run and to create environments. Remove the embedded wheel seed package, which virtualenv bundled only for Python 3.8. The --wheel and --no-wheel options stay as no-ops, but now warn that virtualenv will remove them in a release after 2026-12 - by :user:gaborbernat. (:issue:3170)

Bugfixes - 21.5.0

• Upgrade embedded wheels:

  Removed wheel of 0.47.0 (:issue:u)

---

v21.4.3 (2026-06-11)

---

Bugfixes - 21.4.3

• Upgrade embedded wheels:

  • pip to 26.1.2 from 26.1.1 (:issue:u)

• Resolve executable-only symlinks when recording home and base-executable in pyvenv.cfg, mirroring CPython's getpath.realpathpython/cpython#115237 binary locate the base stdlib (for example python-build-standalone); a fully symlinked interpreter tree is kept as-is

  • by :user:gaborbernat. (:issue:3157)

• Stop exporting PS1 from the bash activator so child processes do not inherit shell prompt state. (:issue:3158)

• Handle CYGWIN/MSYS/MINGW path conversions in fish activation script - by user::LuNoX. (:issue:3160)

---

v21.4.2 (2026-05-31)

---

Bugfixes - 21.4.2

• Stop deactivate in the bash/zsh activation script from aborting under set -e when hash -r fails (for example with shell hashing disabled) by appending || true, matching CPython venv (gh-149701) and the existing non-deactivate call - by :user:gaborbernat. (:issue:3152)

---

v21.4.1 (2026-05-28)

---

Bugfixes - 21.4.1

... (truncated)

Commits

• 90735e0 release 21.5.0
• 79ce906 ✨ feat: drop Python 3.8 support (#3170)
• f1f4d68 Upgrade embedded pip/setuptools/wheel (#3168)
• 78df6f0 Set git identity in upgrade changelog rename step (#3169)
• 134b080 release 21.4.3
• 2a36128 🐛 fix(discovery): resolve base interpreter executable-only symlinks (#3166)
• 5389c25 Add wheel-0.47.0 to seed packages as mitigation of CVE-2026-24049 (#3167)
• 0134fee chore(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 (#3165)
• af1ed9f chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#3164)
• 1b00ec8 [pre-commit.ci] pre-commit autoupdate (#3163)
• Additional commits viewable in compare view

Updates cryptography to 49.0.0

Changelog

Sourced from cryptography's changelog.

49.0.0 - 2026-06-12

* **BACKWARDS INCOMPATIBLE:** Support for ``x86_64`` macOS has been removed.
  We now only publish ``arm64`` wheels for macOS.
* **BACKWARDS INCOMPATIBLE:** Support for 32-bit Windows has been removed.
  Users should move to a 64-bit Python installation.
* **BACKWARDS INCOMPATIBLE:** Removed the deprecated
  ``PUBLIC_KEY_TYPES``, ``PRIVATE_KEY_TYPES``,
  ``CERTIFICATE_PRIVATE_KEY_TYPES``, ``CERTIFICATE_ISSUER_PUBLIC_KEY_TYPES``,
  and ``CERTIFICATE_PUBLIC_KEY_TYPES`` type aliases. Use
  ``PublicKeyTypes``, ``PrivateKeyTypes``, ``CertificateIssuerPrivateKeyTypes``,
  ``CertificateIssuerPublicKeyTypes``, and ``CertificatePublicKeyTypes``
  instead. These were deprecated in version 40.0.
* **BACKWARDS INCOMPATIBLE:** :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`
  now treats the first 4 bytes of the ``nonce`` as a 32-bit little-endian block
  counter (as defined in :rfc:`7539`) and tracks the number of bytes processed.
  Attempting to encrypt or decrypt more data than the counter allows before it
  would overflow now raises a :class:`ValueError` rather than silently diverging
  from RFC 7539. Setting the counter portion of the ``nonce`` to zero allows
  encrypting up to 256 GiB with a given nonce.
* **BACKWARDS INCOMPATIBLE:** Loading an X.509 certificate whose ECDSA or DSA
  signature ``AlgorithmIdentifier`` contains encoded NULL parameters now raises
  a :class:`ValueError`. Such certificates are invalid, but older versions of
  Java emitted them; previously they loaded with a deprecation warning.
* Fixed cross-compilation of the CFFI bindings when ``PYO3_CROSS_LIB_DIR``
  is set. The build now derives the Python include directory from
  ``PYO3_CROSS_LIB_DIR`` instead of querying the host interpreter, which
  previously caused the build to fail during cross-compilations for embedded
  systems, on hosts which have same-version Python development headers
  installed as the target Python.
* Added support for signing and verifying X.509 certificates, certificate
  signing requests, and certificate revocation lists with
  :doc:`/hazmat/primitives/asymmetric/mldsa` keys, as well as loading
  certificates that contain ML-DSA public keys.
* Added :meth:`~cryptography.hazmat.primitives.hpke.KEM.enc_length` to
  :class:`~cryptography.hazmat.primitives.hpke.KEM` so callers can split the
  encapsulated key from the ciphertext returned by
  :meth:`~cryptography.hazmat.primitives.hpke.Suite.encrypt`.
* :meth:`~cryptography.x509.verification.ExtensionPolicy.require_present`,
  :meth:`~cryptography.x509.verification.ExtensionPolicy.may_be_present`, and
  :meth:`~cryptography.x509.verification.ExtensionPolicy.require_not_present`
  now accept any extension type. Previously only a fixed set of extension
  types was supported, which made it impossible to account for otherwise
  unrecognized critical extensions during path validation.
* Added support for using :class:`~cryptography.x509.Certificate`,
  :class:`~cryptography.x509.CertificateSigningRequest`, and
  :class:`~cryptography.x509.CertificateRevocationList` as field types in
  :doc:`/hazmat/asn1/index` structures.
* Added :func:`~cryptography.hazmat.asn1.value_set`, a class decorator that
</tr></table> 

... (truncated)

Commits

• e300bbe bump version and changelog for 49.0.0 (#15030)
• fa74cd8 Add external mu (message representative) support for ML-DSA (#14979)
• f594db3 chore(deps): bump openssl from 0.10.80 to 0.10.81 (#15029)
• 608e011 chore(deps): bump openssl-sys from 0.9.116 to 0.9.117 (#15028)
• a322bc4 chore(deps): bump cc from 1.2.63 to 1.2.64 (#15027)
• 33181a7 Reject critical nameConstraints extensions containing directoryName constrain...
• 6080dc7 Bump dependencies that dependabot isn't (#15026)
• 121faa3 chore(deps): bump virtualenv from 21.4.2 to 21.4.3 (#15023)
• 829520b Add more robust processing for DH parameters. (#15016)
• 0f05001 Bump downstream dependencies in CI (#15025)
• Additional commits viewable in compare view

Updates virtualenv to 21.5.0

Release notes

Sourced from virtualenv's releases.

21.5.0

What's Changed

• Set git identity in upgrade changelog rename step by @​gaborbernat in pypa/virtualenv#3169
• Upgrade embedded pip/setuptools/wheel by @​github-actions[bot] in pypa/virtualenv#3168
• ✨ feat: drop Python 3.8 support by @​gaborbernat in pypa/virtualenv#3170

Full Changelog: pypa/virtualenv@21.4.3...21.5.0

Changelog

Sourced from virtualenv's changelog.

Features - 21.5.0

• Drop support for Python 3.8; virtualenv now requires Python 3.9 or later to run and to create environments. Remove the embedded wheel seed package, which virtualenv bundled only for Python 3.8. The --wheel and --no-wheel options stay as no-ops, but now warn that virtualenv will remove them in a release after 2026-12 - by :user:gaborbernat. (:issue:3170)

Bugfixes - 21.5.0

• Upgrade embedded wheels:

  Removed wheel of 0.47.0 (:issue:u)

---

v21.4.3 (2026-06-11)

---

Bugfixes - 21.4.3

• Upgrade embedded wheels:

  • pip to 26.1.2 from 26.1.1 (:issue:u)

• Resolve executable-only symlinks when recording home and base-executable in pyvenv.cfg, mirroring CPython's getpath.realpathpython/cpython#115237 binary locate the base stdlib (for example python-build-standalone); a fully symlinked interpreter tree is kept as-is

  • by :user:gaborbernat. (:issue:3157)

• Stop exporting PS1 from the bash activator so child processes do not inherit shell prompt state. (:issue:3158)

• Handle CYGWIN/MSYS/MINGW path conversions in fish activation script - by user::LuNoX. (:issue:3160)

---

v21.4.2 (2026-05-31)

---

Bugfixes - 21.4.2

• Stop deactivate in the bash/zsh activation script from aborting under set -e when hash -r fails (for example with shell hashing disabled) by appending || true, matching CPython venv (gh-149701) and the existing non-deactivate call - by :user:gaborbernat. (:issue:3152)

---

v21.4.1 (2026-05-28)

---

Bugfixes - 21.4.1

... (truncated)

Commits

• 90735e0 release 21.5.0
• 79ce906 ✨ feat: drop Python 3.8 support (#3170)
• f1f4d68 Upgrade embedded pip/setuptools/wheel (#3168)
• 78df6f0 Set git identity in upgrade changelog rename step (#3169)
• 134b080 release 21.4.3
• 2a36128 🐛 fix(discovery): resolve base interpreter executable-only symlinks (#3166)
• 5389c25 Add wheel-0.47.0 to seed packages as mitigation of CVE-2026-24049 (#3167)
• 0134fee chore(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 (#3165)
• af1ed9f chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#3164)
• 1b00ec8 [pre-commit.ci] pre-commit autoupdate (#3163)
• Additional commits viewable in compare view

Updates filelock to 3.29.4

Release notes

Sourced from filelock's releases.

3.29.4

What's Changed

• verify inode in break_lock_file before unlinking a stale lock by @​dxbjavid in tox-dev/filelock#561
• keep the read/write heartbeat alive on a transient touch error by @​dxbjavid in tox-dev/filelock#562

Full Changelog: tox-dev/filelock@3.29.3...3.29.4

Changelog

Sourced from filelock's changelog.

########### Changelog ###########

---

3.29.4 (2026-06-13)

---

• keep the read/write heartbeat alive on a transient touch error :pr:562 - by :user:dxbjavid
• verify inode in break_lock_file before unlinking a stale lock :pr:561 - by :user:dxbjavid

---

3.29.3 (2026-06-10)

---

• 🐛 fix(ci): restore release environment on tag job :pr:559
• validate pid range in _parse_lock_holder :pr:556 - by :user:dxbjavid
• 🔧 ci(release): publish to PyPI on tag push :pr:557
• build(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 :pr:558 - by :user:dependabot[bot]

---

3.29.2 (2026-06-10)

---

• build(deps): bump actions/checkout from 6.0.2 to 6.0.3 :pr:555 - by :user:dependabot[bot]
• [pre-commit.ci] pre-commit autoupdate :pr:554 - by :user:pre-commit-ci[bot]
• check hostname in is_lock_held_by_us :pr:553 - by :user:dxbjavid
• 🔒 fix(soft): harden stale-lock breaking and self-heal malformed locks :pr:551
• open marker reads non-blocking to refuse attacker-placed fifo :pr:549 - by :user:dxbjavid

---

3.29.1 (2026-06-03)

---

• 🐛 fix(soft): refuse to follow symlinks when reading the lock file :pr:548 - by :user:dxbjavid
• [pre-commit.ci] pre-commit autoupdate :pr:547 - by :user:pre-commit-ci[bot]
• [pre-commit.ci] pre-commit autoupdate :pr:546 - by :user:pre-commit-ci[bot]
• chore: improve filelock maintenance path :pr:545 - by :user:lphuc2250gma
• chore: improve filelock maintenance path :pr:544 - by :user:lphuc2250gma
• chore: improve filelock maintenance path :pr:542 - by :user:lphuc2250gma
• docs: clarify per-thread scope of FileLock configuration :pr:543 - by :user:Gares95
• [pre-commit.ci] pre-commit autoupdate :pr:541 - by :user:pre-commit-ci[bot]
• docs: fix API docs of release() :pr:540 - by :user:MrAnno
• [pre-commit.ci] pre-commit autoupdate :pr:539 - by :user:pre-commit-ci[bot]
• [pre-commit.ci] pre-commit autoupdate :pr:538 - by :user:pre-commit-ci[bot]
• [pre-commit.ci] pre-commit autoupdate :pr:537 - by :user:pre-commit-ci[bot]
• build(deps): bump astral-sh/setup-uv from 8.0.0 to 8.1.0 :pr:536 - by :user:dependabot[bot]
• [pre-commit.ci] pre-commit autoupdate :pr:535 - by :user:pre-commit-ci[bot]

---

... (truncated)

Commits

• f3c11c0 Release 3.29.4
• 5d663ee keep the read/write heartbeat alive on a transient touch error (#562)
• 406d0a2 verify inode in break_lock_file before unlinking a stale lock (#561)
• 85e73d7 🐛 fix(ci): publish from release.yaml on tag push (#560)
• f86dcb1 Release 3.29.3
• 643bdbe 🐛 fix(ci): restore release environment on tag job (#559)
• 7a8f74a validate pid range in _parse_lock_holder (#556)
• d1d49a0 🔧 ci(release): publish to PyPI on tag push (#557)
• b37e162 build(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 (#558)
• d9216de Release 3.29.2
• Additional commits viewable in compare view

Updates pylint to 4.0.5

Commits

• 88e1ab7 Bump pylint to 4.0.5, update changelog (#10860)
• d96d489 [Backport maintenance/4.0.x] Relax isort version constraint to allow isort 8 ...
• 0b08ccb Fix dynamic color mapping for "fail-on" messages when using multiple reporter...
• 154dba4 [Backport maintenance/4.0.x] Fix FP for invalid-name with typing.Final on...
• 7b73bfd Disable unspecified-encoding for py-version above Python 3.15 (#10800)
• 4cc98be [Backport maintenance/4.0.x] Fix setting options for import order checker (#1...
• f0d30a2 Sync astroid version with requirements file again
• 38bdf02 [Backport maintenance/4.0.x] Fix logging-unsupported-format when logging ...
• f08c33a [Backport maintenance/4.0.x] Properly detect self.fail() as a terminating...
• e16f942 Bump pylint to 4.0.4, update changelog
• Additional commits viewable in compare view

Updates boto3 to 1.43.29

Commits

• 3d3204c Merge branch 'release-1.43.29'
• 4cc6c64 Bumping version to 1.43.29
• 73137ea Add changelog entries from botocore
• b42ee1d Bump https://github.com/astral-sh/ruff-pre-commit (#4798)
• 803cba4 Merge branch 'release-1.43.28'
• 1ed6c48 Merge branch 'release-1.43.28' into develop
• 0044dd3 Bumping version to 1.43.28
• 43e2d2a Add changelog entries from botocore
• 5d9ac3e Merge branch 'release-1.43.27'
• 52b9481 Merge branch 'release-1.43.27' into develop
• Additional commits viewable in compare view

Updates pynacl to 1.6.2

Changelog

Sourced from pynacl's changelog.

1.6.2 (2026-01-01)

• Updated libsodium to 1.0.20-stable (2025-12-31 build) to resolve CVE-2025-69277.

1.6.1 (2025-11-10)

• The MAKE environment variable can now be used...

  Description has been truncated