Update Mend: high confidence minor and patch dependency updates

[mend-for-github-com]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
charset-normalizer (changelog)	~=3.0.1 -> ~=3.4.2
msrest	~=0.6.0 -> ~=0.7.1
pytest (changelog)	~=7.3.1 -> ~=7.4.4
requests (source, changelog)	~=2.31.0 -> ~=2.32.3
setuptools (changelog)	~=69.0.3 -> ~=69.5.1
six	~=1.16.0 -> ~=1.17.0
sqlparse (changelog)	~=0.4.4 -> ~=0.5.3
urllib3 (changelog)	~=2.1.0 -> ~=2.4.0

---

Release Notes

jawah/charset_normalizer (charset-normalizer)

v3.4.2

Compare Source

Fixed

• Addressed the DeprecationWarning in our CLI regarding argparse.FileType by backporting the target class into the package. (#​591)
• Improved the overall reliability of the detector with CJK Ideographs. (#​605) (#​587)

Changed

• Optional mypyc compilation upgraded to version 1.15 for Python >= 3.8

v3.4.1

Compare Source

Changed

• Project metadata are now stored using pyproject.toml instead of setup.cfg using setuptools as the build backend.
• Enforce annotation delayed loading for a simpler and consistent types in the project.
• Optional mypyc compilation upgraded to version 1.14 for Python >= 3.8

Added

• pre-commit configuration.
• noxfile.

Removed

• build-requirements.txt as per using pyproject.toml native build configuration.
• bin/integration.py and bin/serve.py in favor of downstream integration test (see noxfile).
• setup.cfg in favor of pyproject.toml metadata configuration.
• Unused utils.range_scan function.

Fixed

• Converting content to Unicode bytes may insert utf_8 instead of preferred utf-8. (#​572)
• Deprecation warning "'count' is passed as positional argument" when converting to Unicode bytes on Python 3.13+

v3.4.0

Compare Source

Added

• Argument --no-preemptive in the CLI to prevent the detector to search for hints.
• Support for Python 3.13 (#​512)

Fixed

• Relax the TypeError exception thrown when trying to compare a CharsetMatch with anything else than a CharsetMatch.
• Improved the general reliability of the detector based on user feedbacks. (#​520) (#​509) (#​498) (#​407) (#​537)
• Declared charset in content (preemptive detection) not changed when converting to utf-8 bytes. (#​381)

v3.3.2

Compare Source

Fixed

• Unintentional memory usage regression when using large payload that match several encoding (#​376)
• Regression on some detection case showcased in the documentation (#​371)

Added

• Noise (md) probe that identify malformed arabic representation due to the presence of letters in isolated form (credit to my wife)

v3.3.1

Compare Source

Changed

• Optional mypyc compilation upgraded to version 1.6.1 for Python >= 3.8
• Improved the general detection reliability based on reports from the community

v3.3.0

Compare Source

Added

• Allow to execute the CLI (e.g. normalizer) through python -m charset_normalizer.cli or python -m charset_normalizer
• Support for 9 forgotten encoding that are supported by Python but unlisted in encoding.aliases as they have no alias (#​323)

Removed

• (internal) Redundant utils.is_ascii function and unused function is_private_use_only
• (internal) charset_normalizer.assets is moved inside charset_normalizer.constant

Changed

• (internal) Unicode code blocks in constants are updated using the latest v15.0.0 definition to improve detection
• Optional mypyc compilation upgraded to version 1.5.1 for Python >= 3.8

Fixed

• Unable to properly sort CharsetMatch when both chaos/noise and coherence were close due to an unreachable condition in __lt__ (#​350)

v3.2.0

Compare Source

Changed

• Typehint for function from_path no longer enforce PathLike as its first argument
• Minor improvement over the global detection reliability

Added

• Introduce function is_binary that relies on main capabilities, and optimized to detect binaries
• Propagate enable_fallback argument throughout from_bytes, from_path, and from_fp that allow a deeper control over the detection (default True)
• Explicit support for Python 3.12

Fixed

• Edge case detection failure where a file would contain 'very-long' camel cased word (Issue #​289)

v3.1.0

Compare Source

Added

• Argument should_rename_legacy for legacy function detect and disregard any new arguments without errors (PR #​262)

Removed

• Support for Python 3.6 (PR #​260)

Changed

• Optional speedup provided by mypy/c 1.0.1

pytest-dev/pytest (pytest)

v7.4.4: pytest 7.4.4 (2023-12-31)

Compare Source

Bug Fixes

• #​11140: Fix non-string constants at the top of file being detected as docstrings on Python>=3.8.
• #​11572: Handle an edge case where sys.stderr{.interpreted-text role="data"} and sys.__stderr__{.interpreted-text role="data"} might already be closed when faulthandler{.interpreted-text role="ref"} is tearing down.
• #​11710: Fixed tracebacks from collection errors not getting pruned.
• #​7966: Removed unhelpful error message from assertion rewrite mechanism when exceptions are raised in __iter__ methods. Now they are treated un-iterable instead.

Improved Documentation

• #​11091: Updated documentation to refer to hyphenated options: replaced --junitxml with --junit-xml and --collectonly with --collect-only.

v7.4.3: pytest 7.4.3 (2023-10-24)

Compare Source

Bug Fixes

• #​10447: Markers are now considered in the reverse mro order to ensure base class markers are considered first -- this resolves a regression.

• #​11239: Fixed := in asserts impacting unrelated test cases.

• #​11439: Handled an edge case where :data:sys.stderr might already be closed when :ref:faulthandler is tearing down.

v7.4.2: pytest 7.4.2 (2023-09-07)

Compare Source

Bug Fixes

• #​11237: Fix doctest collection of functools.cached_property objects.

• #​11306: Fixed bug using --importmode=importlib which would cause package __init__.py files to be imported more than once in some cases.

• #​11367: Fixed bug where user_properties where not being saved in the JUnit XML file if a fixture failed during teardown.

• #​11394: Fixed crash when parsing long command line arguments that might be interpreted as files.

Improved Documentation

• #​11391: Improved disclaimer on pytest plugin reference page to better indicate this is an automated, non-curated listing.

v7.4.1: pytest 7.4.1 (2023-09-02)

Compare Source

Bug Fixes

• #​10337: Fixed bug where fake intermediate modules generated by --import-mode=importlib would not include the
  child modules as attributes of the parent modules.

• #​10702: Fixed error assertion handling in pytest.approx when None is an expected or received value when comparing dictionaries.

• #​10811: Fixed issue when using --import-mode=importlib together with --doctest-modules that caused modules
  to be imported more than once, causing problems with modules that have import side effects.

v7.4.0

Compare Source

pytest 7.4.0 (2023-06-23)

Features

• #​10901: Added ExceptionInfo.from_exception() <pytest.ExceptionInfo.from_exception>{.interpreted-text role="func"}, a simpler way to create an ~pytest.ExceptionInfo{.interpreted-text role="class"} from an exception.
  This can replace ExceptionInfo.from_exc_info() <pytest.ExceptionInfo.from_exc_info()>{.interpreted-text role="func"} for most uses.

Improvements

• #​10872: Update test log report annotation to named tuple and fixed inconsistency in docs for pytest_report_teststatus{.interpreted-text role="hook"} hook.

• #​10907: When an exception traceback to be displayed is completely filtered out (by mechanisms such as __tracebackhide__, internal frames, and similar), now only the exception string and the following message are shown:

  "All traceback entries are hidden. Pass [--full-trace]{.title-ref} to see hidden and internal frames.".

  Previously, the last frame of the traceback was shown, even though it was hidden.

• #​10940: Improved verbose output (-vv) of skip and xfail reasons by performing text wrapping while leaving a clear margin for progress output.

  Added TerminalReporter.wrap_write() as a helper for that.

• #​10991: Added handling of %f directive to print microseconds in log format options, such as log-date-format.

• #​11005: Added the underlying exception to the cache provider's path creation and write warning messages.

• #​11013: Added warning when testpaths{.interpreted-text role="confval"} is set, but paths are not found by glob. In this case, pytest will fall back to searching from the current directory.

• #​11043: When [--confcutdir]{.title-ref} is not specified, and there is no config file present, the conftest cutoff directory ([--confcutdir]{.title-ref}) is now set to the rootdir <rootdir>{.interpreted-text role="ref"}.
  Previously in such cases, [conftest.py]{.title-ref} files would be probed all the way to the root directory of the filesystem.
  If you are badly affected by this change, consider adding an empty config file to your desired cutoff directory, or explicitly set [--confcutdir]{.title-ref}.

• #​11081: The norecursedirs{.interpreted-text role="confval"} check is now performed in a pytest_ignore_collect{.interpreted-text role="hook"} implementation, so plugins can affect it.

  If after updating to this version you see that your [norecursedirs]{.title-ref} setting is not being respected,
  it means that a conftest or a plugin you use has a bad [pytest_ignore_collect]{.title-ref} implementation.
  Most likely, your hook returns [False]{.title-ref} for paths it does not want to ignore,
  which ends the processing and doesn't allow other plugins, including pytest itself, to ignore the path.
  The fix is to return [None]{.title-ref} instead of [False]{.title-ref} for paths your hook doesn't want to ignore.

• #​8711: caplog.set_level() <pytest.LogCaptureFixture.set_level>{.interpreted-text role="func"} and caplog.at_level() <pytest.LogCaptureFixture.at_level>{.interpreted-text role="func"}
  will temporarily enable the requested level if level was disabled globally via
  logging.disable(LEVEL).

Bug Fixes

• #​10831: Terminal Reporting: Fixed bug when running in --tb=line mode where pytest.fail(pytrace=False) tests report None.
• #​11068: Fixed the --last-failed whole-file skipping functionality ("skipped N files") for non-python test files <non-python tests>{.interpreted-text role="ref"}.
• #​11104: Fixed a regression in pytest 7.3.2 which caused to testpaths{.interpreted-text role="confval"} to be considered for loading initial conftests,
  even when it was not utilized (e.g. when explicit paths were given on the command line).
  Now the testpaths are only considered when they are in use.
• #​1904: Fixed traceback entries hidden with __tracebackhide__ = True still being shown for chained exceptions (parts after "... the above exception ..." message).
• #​7781: Fix writing non-encodable text to log file when using --debug.

Improved Documentation

• #​9146: Improved documentation for caplog.set_level() <pytest.LogCaptureFixture.set_level>{.interpreted-text role="func"}.

Trivial/Internal Changes

• #​11031: Enhanced the CLI flag for -c to now include --config-file to make it clear that this flag applies to the usage of a custom config file.

psf/requests (requests)

v2.32.3

Compare Source

Bugfixes

• Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
  HTTPAdapter. (#​6716)
• Fixed issue where Requests started failing to run on Python versions compiled
  without the ssl module. (#​6724)

v2.32.2

Compare Source

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted
  by the CVE changes in 2.32.0, we've renamed _get_connection to
  a new public API, get_connection_with_tls_context. Existing custom
  HTTPAdapters will need to migrate their code to use this new API.
  get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease
  migration, but we strongly urge users to evaluate if their custom adapter
  is subject to the same issue described in CVE-2024-35195. (#​6710)

v2.32.1

Compare Source

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

v2.32.0

Compare Source

Security

• Fixed an issue where setting verify=False on the first request from a
  Session will cause subsequent requests to the same origin to also ignore
  cert verification, regardless of the value of verify.
  (GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve
  request time variance between first and subsequent requests. It should
  also minimize certificate load time on Windows systems when using a Python
  version built with OpenSSL 3.x. (#​6667)
• Requests now supports optional use of character detection
  (chardet or charset_normalizer) when repackaged or vendored.
  This enables pip and other projects to minimize their vendoring
  surface area. The Response.text() and apparent_encoding APIs
  will default to utf-8 if neither library is present. (#​6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly
  calculated in the request content-length. (#​6589)
• Fixed deserialization bug in JSONDecodeError. (#​6629)
• Fixed bug where an extra leading / (path separator) could lead
  urllib3 to unnecessarily reparse the request URI. (#​6644)

Deprecations

• Requests has officially added support for CPython 3.12 (#​6503)
• Requests has officially added support for PyPy 3.9 and 3.10 (#​6641)
• Requests has officially dropped support for CPython 3.7 (#​6642)
• Requests has officially dropped support for PyPy 3.7 and 3.8 (#​6641)

Documentation

• Various typo fixes and doc improvements.

Packaging

• Requests has started adopting some modern packaging practices.
  The source files for the projects (formerly requests) is now located
  in src/requests in the Requests sdist. (#​6506)
• Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system
  using hatchling. This should not impact the average user, but extremely old
  versions of packaging utilities may have issues with the new packaging format.

pypa/setuptools (setuptools)

v69.5.1

Compare Source

v69.5.0

Compare Source

v69.4.2

Compare Source

v69.4.1

Compare Source

v69.4.0

Compare Source

v69.3.1

Compare Source

v69.3.0

Compare Source

v69.2.0

Compare Source

v69.1.1

Compare Source

v69.1.0

Compare Source

benjaminp/six (six)

v1.17.0

Compare Source

• Pull request #​388: Remove URLopener and FancyURLopener classes from
  urllib.request when running on Python 3.14 or greater.

• Pull request #​365, issue #​283: six.moves.UserDict now points to
  UserDict.IterableUserDict instead of UserDict.UserDict on Python 2.

andialbrecht/sqlparse (sqlparse)

v0.5.3

Compare Source

Bug Fixes

• This version introduces a more generalized handling of potential denial of
  service attack (DOS) due to recursion errors for deeply nested statements.
  Brought up and fixed by @​living180. Thanks a lot!

v0.5.2

Compare Source

Bug Fixes

• EXTENSION is now recognized as a keyword (issue785).
• SQL hints are not removed when removing comments (issue262, by skryzh).

v0.5.1

Compare Source

Enhancements

• New "compact" option for formatter. If set, the formatter tries to produce
  a more compact output by avoiding some line breaks (issue783).

Bug Fixes

• The strip comments filter was a bit greedy and removed too much
  whitespace (issue772).
  Note: In some cases you might want to add strip_whitespace=True where you
  previously used just strip_comments=True. strip_comments did some of the
  work that strip_whitespace should do.
• Fix error when splitting statements that contain multiple CASE clauses
  within a BEGIN block (issue784).
• Fix whitespace removal with nested expressions (issue782).
• Fix parsing and formatting of ORDER clauses containing NULLS FIRST or
  NULLS LAST (issue532).

v0.5.0

Compare Source

Notable Changes

• Drop support for Python 3.5, 3.6, and 3.7.
• Python 3.12 is now supported (pr725, by hugovk).
• IMPORTANT: Fixes a potential denial of service attack (DOS) due to recursion
  error for deeply nested statements. Instead of recursion error a generic
  SQLParseError is raised. See the security advisory for details:
  GHSA-2m57-hf25-phgg
  The vulnerability was discovered by @​uriyay-jfrog. Thanks for reporting!

Enhancements

• Splitting statements now allows to remove the semicolon at the end.
  Some database backends love statements without semicolon (issue742).
• Support TypedLiterals in get_parameters (pr749, by Khrol).
• Improve splitting of Transact SQL when using GO keyword (issue762).
• Support for some JSON operators (issue682).
• Improve formatting of statements containing JSON operators (issue542).
• Support for BigQuery and Snowflake keywords (pr699, by griffatrasgo).
• Support parsing of OVER clause (issue701, pr768 by r33s3n6).

Bug Fixes

• Ignore dunder attributes when creating Tokens (issue672).
• Allow operators to precede dollar-quoted strings (issue763).
• Fix parsing of nested order clauses (issue745, pr746 by john-bodley).
• Thread-safe initialization of Lexer class (issue730).
• Classify TRUNCATE as DDL and GRANT/REVOKE as DCL keywords (based on pr719
  by josuc1, thanks for bringing this up!).
• Fix parsing of PRIMARY KEY (issue740).

Other

• Optimize performance of matching function (pr799, by admachainz).

urllib3/urllib3 (urllib3)

v2.4.0

Compare Source

==================

Features

• Applied PEP 639 by specifying the license fields in pyproject.toml. (#&#8203;3522 <https://github.com/urllib3/urllib3/issues/3522>__)
• Updated exceptions to save and restore more properties during the pickle/serialization process. (#&#8203;3567 <https://github.com/urllib3/urllib3/issues/3567>__)
• Added verify_flags option to create_urllib3_context with a default of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python 3.13+. (#&#8203;3571 <https://github.com/urllib3/urllib3/issues/3571>__)

Bugfixes

• Fixed a bug with partial reads of streaming data in Emscripten. (#&#8203;3555 <https://github.com/urllib3/urllib3/issues/3555>__)

Misc

• Switched to uv for installing development dependecies. (#&#8203;3550 <https://github.com/urllib3/urllib3/issues/3550>__)
• Removed the multiple.intoto.jsonl asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (#&#8203;3566 <https://github.com/urllib3/urllib3/issues/3566>__)

v2.3.0

Compare Source

==================

Features

• Added HTTPResponse.shutdown() to stop any ongoing or future reads for a specific response. It calls shutdown(SHUT_RD) on the underlying socket. This feature was sponsored by LaunchDarkly <https://opencollective.com/urllib3/contributions/815307>. (#&#8203;2868 <https://github.com/urllib3/urllib3/issues/2868>)
• Added support for JavaScript Promise Integration on Emscripten. This enables more efficient WebAssembly
  requests and streaming, and makes it possible to use in Node.js if you launch it as node --experimental-wasm-stack-switching. (#&#8203;3400 <https://github.com/urllib3/urllib3/issues/3400>__)
• Added the proxy_is_tunneling property to HTTPConnection and HTTPSConnection. (#&#8203;3285 <https://github.com/urllib3/urllib3/issues/3285>__)
• Added pickling support to NewConnectionError and NameResolutionError. (#&#8203;3480 <https://github.com/urllib3/urllib3/issues/3480>__)

Bugfixes

• Fixed an issue in debug logs where the HTTP version was rendering as "HTTP/11" instead of "HTTP/1.1". (#&#8203;3489 <https://github.com/urllib3/urllib3/issues/3489>__)

Deprecations and Removals

• Removed support for Python 3.8. (#&#8203;3492 <https://github.com/urllib3/urllib3/issues/3492>__)

v2.2.3

Compare Source

==================

Features

• Added support for Python 3.13. (#&#8203;3473 <https://github.com/urllib3/urllib3/issues/3473>__)

Bugfixes

• Fixed the default encoding of chunked request bodies to be UTF-8 instead of ISO-8859-1.
  All other methods of supplying a request body already use UTF-8 starting in urllib3 v2.0. (#&#8203;3053 <https://github.com/urllib3/urllib3/issues/3053>__)
• Fixed ResourceWarning on CONNECT with Python < 3.11.4 by backporting https://github.com/python/cpython/issues/103472. (#&#8203;3252 <https://github.com/urllib3/urllib3/issues/3252>__)
• Adjust tolerance for floating-point comparison on Windows to avoid flakiness in CI (#&#8203;3413 <https://github.com/urllib3/urllib3/issues/3413>__)
• Fixed a crash where certain standard library hash functions were absent in restricted environments. (#&#8203;3432 <https://github.com/urllib3/urllib3/issues/3432>__)
• Fixed mypy error when adding to HTTPConnection.default_socket_options. (#&#8203;3448 <https://github.com/urllib3/urllib3/issues/3448>__)

HTTP/2 (experimental)

HTTP/2 support is still in early development.

• Excluded Transfer-Encoding: chunked from HTTP/2 request body (#&#8203;3425 <https://github.com/urllib3/urllib3/issues/3425>__)

• Added version checking for h2 (https://pypi.org/project/h2/) usage.

  Now only accepting supported h2 major version 4.x.x. (#&#8203;3290 <https://github.com/urllib3/urllib3/issues/3290>__)

• Added a probing mechanism for determining whether a given target origin
  supports HTTP/2 via ALPN. (#&#8203;3301 <https://github.com/urllib3/urllib3/issues/3301>__)

• Add support for sending a request body with HTTP/2 (#&#8203;3302 <https://github.com/urllib3/urllib3/issues/3302>__)

Deprecations and Removals

• Note for downstream distributors: the _version.py file has been removed and is now created at build time by hatch-vcs. (#&#8203;3412 <https://github.com/urllib3/urllib3/issues/3412>__)
• Drop support for end-of-life PyPy3.8 and PyPy3.9. (#&#8203;3475 <https://github.com/urllib3/urllib3/issues/3475>__)

v2.2.2

Compare Source

==================

• Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.
• Allowed passing negative integers as amt to read methods of http.client.HTTPResponse as an alternative to None. (#&#8203;3122 <https://github.com/urllib3/urllib3/issues/3122>__)
• Fixed return types representing copying actions to use typing.Self. (#&#8203;3363 <https://github.com/urllib3/urllib3/issues/3363>__)

v2.2.1

Compare Source

==================

• Fixed issue where InsecureRequestWarning was emitted for HTTPS connections when using Emscripten. (#&#8203;3331 <https://github.com/urllib3/urllib3/issues/3331>__)
• Fixed HTTPConnectionPool.urlopen to stop automatically casting non-proxy headers to HTTPHeaderDict. This change was premature as it did not apply to proxy headers and HTTPHeaderDict does not handle byte header values correctly yet. (#&#8203;3343 <https://github.com/urllib3/urllib3/issues/3343>__)
• Changed InvalidChunkLength to ProtocolError when response terminates before the chunk length is sent. (#&#8203;2860 <https://github.com/urllib3/urllib3/issues/2860>__)
• Changed ProtocolError to be more verbose on incomplete reads with excess content. (#&#8203;3261 <https://github.com/urllib3/urllib3/issues/3261>__)

v2.2.0

Compare Source

==================

• Added support for Emscripten and Pyodide <https://urllib3.readthedocs.io/en/latest/reference/contrib/emscripten.html>, including streaming support in cross-origin isolated browser environments where threading is enabled. (#&#8203;2951 <https://github.com/urllib3/urllib3/issues/2951>)
• Added support for HTTPResponse.read1() method. (#&#8203;3186 <https://github.com/urllib3/urllib3/issues/3186>__)
• Added rudimentary support for HTTP/2. (#&#8203;3284 <https://github.com/urllib3/urllib3/issues/3284>__)
• Fixed issue where requests against urls with trailing dots were failing due to SSL errors
  when using proxy. (#&#8203;2244 <https://github.com/urllib3/urllib3/issues/2244>__)
• Fixed HTTPConnection.proxy_is_verified and HTTPSConnection.proxy_is_verified
  to be always set to a boolean after connecting to a proxy. It could be
  None in some cases previously. (#&#8203;3130 <https://github.com/urllib3/urllib3/issues/3130>__)
• Fixed an issue where headers passed in a request with json= would be mutated (#&#8203;3203 <https://github.com/urllib3/urllib3/issues/3203>__)
• Fixed HTTPSConnection.is_verified to be set to False when connecting
  from a HTTPS proxy to an HTTP target. It was set to True previously. (#&#8203;3267 <https://github.com/urllib3/urllib3/issues/3267>__)
• Fixed handling of new error message from OpenSSL 3.2.0 when configuring an HTTP proxy as HTTPS (#&#8203;3268 <https://github.com/urllib3/urllib3/issues/3268>__)
• Fixed TLS 1.3 post-handshake auth when the server certificate validation is disabled (#&#8203;3325 <https://github.com/urllib3/urllib3/issues/3325>__)
• Note for downstream distributors: To run integration tests, you now need to run the tests a second
  time with the --integration pytest flag. (#&#8203;3181 <https://github.com/urllib3/urllib3/issues/3181>__)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box