Bump the pip group across 9 directories with 15 updates

[dependabot]

Bumps the pip group with 1 update in the /benchmarking directory: sentencepiece.
Bumps the pip group with 10 updates in the /data_extraction directory:

Package	From	To
sentencepiece	0.1.99	0.2.1
pillow	9.5.0	12.1.1
filelock	3.12.4	3.20.3
orjson	3.10.6	3.11.5
pypdf	3.16.2	6.7.5
unstructured	0.12.0	0.18.18
flask	3.0.0	3.1.3
werkzeug	3.0.1	3.1.6
pip	23.0.1	26.0
protobuf	4.25.2	5.29.6

Bumps the pip group with 2 updates in the /document_comparison directory: pillow and nltk.
Bumps the pip group with 2 updates in the /enterprise_knowledge_retriever directory: pillow and nltk.
Bumps the pip group with 1 update in the /eval_jumpstart directory: pypdf.
Bumps the pip group with 1 update in the /financial_assistant directory: pypdf.
Bumps the pip group with 1 update in the /multimodal_knowledge_retriever directory: nltk.
Bumps the pip group with 1 update in the /utils/parsing directory: unstructured.
Bumps the pip group with 9 updates in the /utils/parsing/unstructured-api/requirements directory:

Package	From	To
pillow	10.3.0	12.1.1
filelock	3.15.1	3.20.3
orjson	3.10.5	3.11.5
pypdf	4.2.0	6.7.5
nltk	3.8.1	3.9.3
cryptography	42.0.8	46.0.5
python-multipart	0.0.9	0.0.22
nbconvert	7.16.4	7.17.0
wheel	0.43.0	0.46.2

Updates sentencepiece from 0.2.0 to 0.2.1

Release notes

Sourced from sentencepiece's releases.

v0.2.1

Major changes

• [Python] Supported wheels and builds for Python 3.13 and 3.14(rc1) #1134, #1127, #1121, #1111, #1110, #1104, #1103, #1099, #1091
• [Python] Added an experimental support for free-threading. #1134, #1127, #1110 https://github.com/google/sentencepiece/tree/master/python#free-threading-support
• [Python] Updated the supported Python version to 3.9 or later.

New features

• [ALL]: Added new build mode to prevent the precompiled normalization rules being embedded in *.so and *.a. (-DSPM_DISABLE_EMBEDDED_DATA=ON). This reduces the runtime size by approximately 1-2 MB. This mode is enabled to build python wheels. The rules are loaded as the data package.

Bug fixes & minor changes

• [ALL]: Security fix to address a heap overflow issue that could occur when using a model containing an invalid precompiled normalization model.
• [Python]: Deprecates the wheel package for Linux i686.
• [Python]: Supported wheel for Windows Arm64. #1114
• [Python]: Fixed the crash issue on batch decoding #1051
• [ALL]: Updated the Unicode normalization rule with the latest ICU/Unicode rules.
• [ALL]: Unused code and build mode cleanup.

v0.2.1pre2

Major changes

• [Python] Supported wheels and builds for Python 3.13 and 3.14(rc0)
• [Python] Added an experimental support for free-threading. https://github.com/google/sentencepiece/tree/master/python#free-threading-support
• [Python] Updated the supported Python version to 3.9 or later.

New features

• [ALL]: Added new build mode to prevent the precompiled normalization rules being embedded in *.so and *.a. (-DSPM_DISABLE_EMBEDDED_DATA=ON). This reduces the runtime size by approximately 1-2 MB. This mode is enabled to build python wheels. The rules are loaded as the data package.

Bug fixes & minor changes

• [ALL]: Security fix to address a heap overflow issue that could occur when using a model containing an invalid precompiled normalization model.
• [Python]: Deprecates the wheel package for Linux i686.
• [Python]: Supported wheel for Windows Arm64.
• [Python]: Fixed the crash issue on batch decoding #1051
• [ALL]: Updated the Unicode normalization rule with the latest ICU/Unicode rules.
• [ALL]: Unused code and build mode cleanup.

Commits

• 31646a4 Merge pull request #1136 from crusaderky/pytest-run-parallel
• bcd44b9 free-threading tests
• 135747f install twine before checking wheel
• 69fe0b2 install setuptools before making sdist
• ee1422b install setuptools before making sdist
• 5ac2fd2 use windows-11-arm runner to test ARM64 wheel on native env.
• 36b9745 use windows-11-arm runner to test ARM64 wheel on native env.
• 4f043ae use auto-mode to make wheel with the native binary.
• 623196e uses arm docker image to build and test wheel
• 559fd65 re-enable QEMU to enable arm execution
• Additional commits viewable in compare view

Updates sentencepiece from 0.1.99 to 0.2.1

Release notes

Sourced from sentencepiece's releases.

v0.2.1

Major changes

• [Python] Supported wheels and builds for Python 3.13 and 3.14(rc1) #1134, #1127, #1121, #1111, #1110, #1104, #1103, #1099, #1091
• [Python] Added an experimental support for free-threading. #1134, #1127, #1110 https://github.com/google/sentencepiece/tree/master/python#free-threading-support
• [Python] Updated the supported Python version to 3.9 or later.

New features

• [ALL]: Added new build mode to prevent the precompiled normalization rules being embedded in *.so and *.a. (-DSPM_DISABLE_EMBEDDED_DATA=ON). This reduces the runtime size by approximately 1-2 MB. This mode is enabled to build python wheels. The rules are loaded as the data package.

Bug fixes & minor changes

• [ALL]: Security fix to address a heap overflow issue that could occur when using a model containing an invalid precompiled normalization model.
• [Python]: Deprecates the wheel package for Linux i686.
• [Python]: Supported wheel for Windows Arm64. #1114
• [Python]: Fixed the crash issue on batch decoding #1051
• [ALL]: Updated the Unicode normalization rule with the latest ICU/Unicode rules.
• [ALL]: Unused code and build mode cleanup.

v0.2.1pre2

Major changes

• [Python] Supported wheels and builds for Python 3.13 and 3.14(rc0)
• [Python] Added an experimental support for free-threading. https://github.com/google/sentencepiece/tree/master/python#free-threading-support
• [Python] Updated the supported Python version to 3.9 or later.

New features

• [ALL]: Added new build mode to prevent the precompiled normalization rules being embedded in *.so and *.a. (-DSPM_DISABLE_EMBEDDED_DATA=ON). This reduces the runtime size by approximately 1-2 MB. This mode is enabled to build python wheels. The rules are loaded as the data package.

Bug fixes & minor changes

• [ALL]: Security fix to address a heap overflow issue that could occur when using a model containing an invalid precompiled normalization model.
• [Python]: Deprecates the wheel package for Linux i686.
• [Python]: Supported wheel for Windows Arm64.
• [Python]: Fixed the crash issue on batch decoding #1051
• [ALL]: Updated the Unicode normalization rule with the latest ICU/Unicode rules.
• [ALL]: Unused code and build mode cleanup.

Commits

• 31646a4 Merge pull request #1136 from crusaderky/pytest-run-parallel
• bcd44b9 free-threading tests
• 135747f install twine before checking wheel
• 69fe0b2 install setuptools before making sdist
• ee1422b install setuptools before making sdist
• 5ac2fd2 use windows-11-arm runner to test ARM64 wheel on native env.
• 36b9745 use windows-11-arm runner to test ARM64 wheel on native env.
• 4f043ae use auto-mode to make wheel with the native binary.
• 623196e uses arm docker image to build and test wheel
• 559fd65 re-enable QEMU to enable arm execution
• Additional commits viewable in compare view

Updates pillow from 9.5.0 to 12.1.1

Release notes

Sourced from pillow's releases.

12.1.1

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html

Dependencies

• Patch libavif for svt-av1 4.0 compatibility #9413 [@​hugovk]

Other changes

• Fix OOB Write with invalid tile extents #9427 [@​radarhere]

12.1.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.0.html

Deprecations

• Deprecate getdata(), in favour of new get_flattened_data() #9292 [@​radarhere]

Documentation

• Specify APNG duration type when opening #9368 [@​radarhere]
• Added release notes for #9350 #9366 [@​radarhere]
• Update ImageMorph documentation #9349 [@​radarhere]
• Docs: update major bump cadence #9334 [@​hugovk]
• Add release notes for #9070 #9320 [@​radarhere]
• Updated Ubuntu version #9306 [@​radarhere]
• Update macOS tested Pillow versions #9265 [@​radarhere]

Dependencies

• Update harfbuzz to 12.3.0 #9355 [@​radarhere]
• Update xz to 5.8.2 #9343 [@​radarhere]
• Updated libjpeg-turbo to 3.1.3 #9333 [@​radarhere]
• Updated zlib-ng to 2.3.2 #9324 [@​radarhere]
• Updated libpng to 1.6.53 #9325 [@​radarhere]
• Update actions/checkout action to v6 #9323 [@renovate[bot]]
• Update dependency mypy to v1.19.0 #9322 [@renovate[bot]]
• Updated libpng to 1.6.51 #9305 [@​radarhere]
• Updated brotli to 1.2.0 #9284 [@​radarhere]
• Update libimagequant to 4.4.1 #9301 [@​radarhere]
• Update zlib-ng to 2.3.1, except on manylinux2014 aarch64 #9312 [@​radarhere]
• Updated harfbuzz to 12.2.0 #9289 [@​radarhere]
• Update github-actions #9277 [@renovate[bot]]

Testing

• Replace pre-commit with prek #9360 [@​hugovk]
• Test PyQt6 on Python 3.14 on Windows #9353 [@​radarhere]
• Test 32-bit Windows on Windows Server 2022 #9345 [@​radarhere]
• Correct variable type #9335 [@​radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

Changelog (Pillow)

11.1.0 and newer

See GitHub Releases:

• https://github.com/python-pillow/Pillow/releases

11.0.0 (2024-10-15)

• Update licence to MIT-CMU #8460 [hugovk]

• Conditionally define ImageCms type hint to avoid requiring core #8197 [radarhere]

• Support writing LONG8 offsets in AppendingTiffWriter #8417 [radarhere]

• Use ImageFile.MAXBLOCK when saving TIFF images #8461 [radarhere]

• Do not close provided file handles with libtiff when saving #8458 [radarhere]

• Support ImageFilter.BuiltinFilter for I;16* images #8438 [radarhere]

• Use ImagingCore.ptr instead of ImagingCore.id #8341 [homm, radarhere, hugovk]

• Updated EPS mode when opening images without transparency #8281 [Yay295, radarhere]

• Use transparency when combining P frames from APNGs #8443 [radarhere]

• Support all resampling filters when resizing I;16* images #8422 [radarhere]

• Free memory on early return #8413 [radarhere]

• Cast int before potentially exceeding INT_MAX #8402 [radarhere]

... (truncated)

Commits

• 5158d98 12.1.1 version bump
• 9000313 Fix OOB Write with invalid tile extents (#9427)
• cd01118 Patch libavif for svt-av1 4.0 compatibility
• 46f45f6 12.1.0 version bump
• c9ac097 Simplify band splitting (#9291)
• 3baedf2 Deprecate getdata(), in favour of new get_flattened_data() (#9292)
• b51a036 Specify APNG duration type when opening (#9368)
• 8d08e31 Add release notes for #9348 (#9369)
• 432707e Added release notes for #9348
• 2d58910 Specify APNG duration type when opening
• Additional commits viewable in compare view

Updates filelock from 3.12.4 to 3.20.3

Release notes

Sourced from filelock's releases.

3.20.3

What's Changed

• Fix TOCTOU symlink vulnerability in SoftFileLock by @​gaborbernat in tox-dev/filelock#465

Full Changelog: tox-dev/filelock@3.20.2...3.20.3

3.20.2

What's Changed

• Support Unix systems without O_NOFOLLOW by @​mwilliamson in tox-dev/filelock#463
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/filelock#464

New Contributors

• @​mwilliamson made their first contribution in tox-dev/filelock#463

Full Changelog: tox-dev/filelock@3.20.1...3.20.2

3.20.1

What's Changed

• CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation by @​gaborbernat in tox-dev/filelock#461

Full Changelog: tox-dev/filelock@3.20.0...3.20.1

3.20.0

What's Changed

• Add tox.toml to sdist by @​mtelka in tox-dev/filelock#436
• Update docs with example by @​znichollscr in tox-dev/filelock#438
• Add 3.14 support and drop 3.9 by @​gaborbernat in tox-dev/filelock#448

New Contributors

• @​mtelka made their first contribution in tox-dev/filelock#436
• @​znichollscr made their first contribution in tox-dev/filelock#438

Full Changelog: tox-dev/filelock@3.19.1...3.20.0

3.19.1

What's Changed

• add 3.14t (free threading) to matrix by @​paultiq in tox-dev/filelock#433
• Increase test coverage by @​paultiq in tox-dev/filelock#434

... (truncated)

Changelog

Sourced from filelock's changelog.

########### Changelog ###########

---

3.25.0 (2026-03-01)

---

• ✨ feat(async): add AsyncReadWriteLock :pr:506
• Standardize .github files to .yaml suffix
• build(deps): bump actions/download-artifact from 7 to 8 :pr:503 - by :user:dependabot[bot]
• build(deps): bump actions/upload-artifact from 6 to 7 :pr:502 - by :user:dependabot[bot]
• Move SECURITY.md to .github/SECURITY.md
• Add security policy
• Add permissions to check workflow :pr:500
• [pre-commit.ci] pre-commit autoupdate :pr:499 - by :user:pre-commit-ci[bot]

---

3.24.3 (2026-02-19)

---

• 🐛 fix(unix): handle ENOENT race on FUSE/NFS during acquire :pr:495
• 🐛 fix(ci): add trailing blank line after changelog entries :pr:492

---

3.24.2 (2026-02-16)

---

• 🐛 fix(rw): close sqlite3 cursors and skip SoftFileLock Windows race :pr:491
• 🐛 fix(test): resolve flaky write non-starvation test :pr:490
• 📝 docs: restructure using Diataxis framework :pr:489

---

3.24.1 (2026-02-15)

---

• 🐛 fix(soft): resolve Windows deadlock and test race condition :pr:488

---

3.24.0 (2026-02-14)

---

• ✨ feat(lock): add lifetime parameter for lock expiration (#68) :pr:486
• ✨ feat(lock): add cancel_check to acquire (#309) :pr:487
• 🐛 fix(api): detect same-thread self-deadlock :pr:481
• ✨ feat(mode): respect POSIX default ACLs (#378) :pr:483
• 🐛 fix(win): eliminate lock file race in threaded usage :pr:484
• ✨ feat(lock): add poll_interval to constructor :pr:482
• 🐛 fix(unix): auto-fallback to SoftFileLock on ENOSYS :pr:480

... (truncated)

Commits

• 41b42dd Fix TOCTOU symlink vulnerability in SoftFileLock (#465)
• f2e7d40 [pre-commit.ci] pre-commit autoupdate (#464)
• 5088854 Support Unix systems without O_NOFOLLOW (#463)
• 377f622 [pre-commit.ci] pre-commit autoupdate (#460)
• 4724d7f Fix TOCTOU symlink vulnerability in lock file creation (#461)
• cb69414 Bump actions/upload-artifact from 5 to 6 (#459)
• 0769294 Bump actions/download-artifact from 6 to 7 (#458)
• 414193a [pre-commit.ci] pre-commit autoupdate (#457)
• 1456797 [pre-commit.ci] pre-commit autoupdate (#456)
• 8d6bf90 Bump actions/checkout from 5 to 6 (#455)
• Additional commits viewable in compare view

Updates orjson from 3.10.6 to 3.11.5

Release notes

Sourced from orjson's releases.

3.11.5

Changed

• Show simple error message instead of traceback when attempting to build on unsupported Python versions.

3.11.4

Changed

• ABI compatibility with CPython 3.15 alpha 1.
• Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7, manylinux ppc64le, manylinux s390x.
• Build now requires a C compiler.

3.11.3

Fixed

• Fix PyPI project metadata when using maturin 1.9.2 or later.

3.11.2

Fixed

• Fix build using Rust 1.89 on amd64.

Changed

• Build now depends on Rust 1.85 or later instead of 1.82.

3.11.1

Changed

• Publish PyPI wheels for CPython 3.14.

Fixed

• Fix str on big-endian architectures.

3.11.0

Changed

• Use a deserialization buffer allocated per request instead of a shared buffer allocated on import.
• ABI compatibility with CPython 3.14 beta 4.

3.10.18

Fixed

• Fix incorrect escaping of the vertical tabulation character. This was introduced in 3.10.17.

3.10.17

... (truncated)

Changelog

Sourced from orjson's changelog.

3.11.5 - 2025-12-06

Changed

• Show simple error message instead of traceback when attempting to build on unsupported Python versions.

3.11.4 - 2025-10-24

Changed

• ABI compatibility with CPython 3.15 alpha 1.
• Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7, manylinux ppc64le, manylinux s390x.
• Build now requires a C compiler.

3.11.3 - 2025-08-26

Fixed

• Fix PyPI project metadata when using maturin 1.9.2 or later.

3.11.2 - 2025-08-12

Fixed

• Fix build using Rust 1.89 on amd64.

Changed

• Build now depends on Rust 1.85 or later instead of 1.82.

3.11.1 - 2025-07-25

Changed

• Publish PyPI wheels for CPython 3.14.

Fixed

• Fix str on big-endian architectures. This was introduced in 3.11.0.

3.11.0 - 2025-07-15

Changed

... (truncated)

Commits

• fb3eb1f 3.11.5
• 52688e0 Record contributors in headers
• dc083e8 Further compatibility and build misc
• 18f0186 Compatibility and build misc
• a4fdeb3 3.11.4
• 2e80d68 unlikely to cold_path, remove intrinsics
• 27edea9 FFI through crate::ffi, partial non-CPython compatibility
• 416a8c9 Unconditionally build yyjson
• c8c1a17 edition 2024
• af4179a build maintenance, panic_immediate_abort break, test 3.15
• Additional commits viewable in compare view

Updates pypdf from 3.16.2 to 6.7.5

Release notes

Sourced from pypdf's releases.

Version 6.7.5, 2026-03-02

What's new

Security (SEC)

• Improve the performance of the ASCIIHexDecode filter (#3666) by @​stefan6419846

Full Changelog

Version 6.7.4, 2026-02-27

What's new

Security (SEC)

• Allow limiting output length for RunLengthDecode filter (#3664) by @​stefan6419846

Robustness (ROB)

• Deal with invalid annotations in extract_links (#3659) by @​stefan6419846

Full Changelog

Version 6.7.3, 2026-02-24

What's new

Security (SEC)

• Use zlib decompression limit when retrieving XFA data (#3658) by @​stefan6419846

Full Changelog

Version 6.7.2, 2026-02-22

What's new

Security (SEC)

• Prevent infinite loop from circular xref /Prev references (#3655) by @​rampageservices

Bug Fixes (BUG)

• Fix wrong LUT size error (#3651) by @​stefan6419846
• Fix handling of page boxes defined on /Pages (#3650) by @​stefan6419846

Full Changelog

Version 6.7.1, 2026-02-17

What's new

Security (SEC)

• Detect cyclic references when accessing TreeObject.children (#3645) by @​stefan6419846
• Limit size of /ToUnicode entries (#3646) by @​stefan6419846
• Limit FlateDecode recovery attempts (#3644) by @​stefan6419846

Bug Fixes (BUG)

• Avoid own object replacement logic in PageObject.replace_contents (#3638) by @​stefan6419846
• Fix UnboundLocalError when update_page_form_field_values with /Sig (#3634) by @​John-Sharp

... (truncated)

Changelog

Sourced from pypdf's changelog.

Version 6.7.5, 2026-03-02

Security (SEC)

• Improve the performance of the ASCIIHexDecode filter (#3666)

Full Changelog

Version 6.7.4, 2026-02-27

Security (SEC)

• Allow limiting output length for RunLengthDecode filter (#3664)

Robustness (ROB)

• Deal with invalid annotations in extract_links (#3659)

Full Changelog

Version 6.7.3, 2026-02-24

Security (SEC)

• Use zlib decompression limit when retrieving XFA data (#3658)

Full Changelog

Version 6.7.2, 2026-02-22

Security (SEC)

• Prevent infinite loop from circular xref /Prev references (#3655)

Bug Fixes (BUG)

• Fix wrong LUT size error (#3651)
• Fix handling of page boxes defined on /Pages (#3650)

Full Changelog

Version 6.7.1, 2026-02-17

Security (SEC)

• Detect cyclic references when accessing TreeObject.children (#3645)
• Limit size of /ToUnicode entries (#3646)
• Limit FlateDecode recovery attempts (#3644)

Bug Fixes (BUG)

• Avoid own object replacement logic in PageObject.replace_contents (#3638)
• Fix UnboundLocalError when update_page_form_field_values with /Sig (#3634)

Robustness (ROB)

• Avoid divison by zero when decoding FlateDecode PNG prediction (#3641)

Full Changelog

... (truncated)

Commits

• 7c2bcdd REL: 6.7.5
• 648c627 SEC: Improve the performance of the ASCIIHexDecode filter (#3666)
• 1aef6fb DEV: Update cache key handling in CI (#3665)
• 1650bc3 REL: 6.7.4
• f309c60 SEC: Allow limiting output length for RunLengthDecode filter (#3664)
• 993f052 DEV: Bump actions/upload-artifact from 6 to 7 (#3662)
• a3c996b DEV: Bump actions/download-artifact from 7 to 8 (#3663)
• 37de320 ROB: Deal with invalid annotations in extract_links (#3659)
• 05e6d3c REL: 6.7.3
• 7a4c824 SEC: Use zlib decompression limit when retrieving XFA data (#3658)
• Additional commits viewable in compare view

Updates unstructured from 0.12.0 to 0.18.18

Release notes

Sourced from unstructured's releases.

0.18.18

Fixes

• Prevent path traversal in email MSG attachment filenames Fixed a security vulnerability (GHSA-gm8q-m8mv-jj5m) where malicious attachment filenames containing path traversal sequences could write files outside the intended directory. The fix normalizes both Unix and Windows path separators before sanitizing filenames, preventing cross-platform path traversal attacks in partition_msg functions

0.18.17

Enhancement

Features

Fixes

• Removed Clarifai dependency as it is no longer used
• Bumped dependencies via pip-compile to address the following CVEs:
  • pypdf: GHSA-vr63-x8vc-m265
  • pip: GHSA-4xh5-x5gv-qwph
  • uv: GHSA-8qf3-x8v5-2pj8 GHSA-pqhf-p39g-3x64

0.18.16

Enhancement

• Speed up function _assign_hash_ids by 34% (codeflash)

Features

Fixes

• Bumped dependencies via pip-compile to address the following CVEs:
  • authlib: GHSA-pq5p-34cr-23v9
  • python-3.12/python03.12-base: CVE-2025-8291, GHSA-49g5-f6qw-8mm7
  • libcrypto3/libssl3: CVE-2025-9230, CVE-2025-9231, CVE-2025-9232, GHSA-76r2-c3cg-f5r9, GHSA-9mrx-mqmg-gwj9

0.18.15

What's Changed

• Setup Codeflash Github Actions to optimize all future code by @​misrasaurabh1 in Unstructured-IO/unstructured#4082
• fix: update deps to resolve cve by @​qued in Unstructured-IO/unstructured#4093
• ⚡️ Speed up function group_broken_paragraphs by 30% by @​aseembits93 in Unstructured-IO/unstructured#4088
• ⚡️ Speed up method ElementHtml._get_children_html by 234% by @​aseembits93 in Unstructured-IO/unstructured#4087
• Luke/sept16 CVE by @​luke-kucing in Unstructured-IO/unstructured#4094

New Contributors

• @​aseembits93 made their first contribution in Unstructured-IO/unstructured#4088

Full Changelog: Unstructured-IO/unstructured@0.18.14...0.18.15

0.18.14

Enhancements

• Speed up function sentence_count by 59% (codeflash)

• Speed up function check_for_nltk_package by 111% (codeflash)

... (truncated)

Changelog

Sourced from unstructured's changelog.

0.18.18

Fixes

• Prevent path traversal in email MSG attachment filenames Fixed a security vulnerability (GHSA-gm8q-m8mv-jj5m) where malicious attachment filenames containing path traversal sequences could write files outside the intended directory. The fix normalizes both Unix and Windows path separators before sanitizing filenames, preventing cross-platform path traversal attacks in partition_msg functions

0.18.17

Enhancement

Features

Fixes

• Removed Clardy dependency as it is no longer used
• Bumped dependencies via pip-compile to address the following CVEs:
  • pypdf: GHSA-vr63-x8vc-m265
  • pip: GHSA-4xh5-x5gv-qwph
  • uv: GHSA-8qf3-x8v5-2pj8 GHSA-pqhf-p39g-3x64

0.18.16

Enhancement

• Speed up function _assign_hash_ids by 34% (codeflash)

Features

Fixes

• Bumped dependencies via pip-compile to address the following CVEs:
  • authlib: GHSA-pq5p-34cr-23v9
  • python-3.12/python03.12-base: CVE-2025-8291, GHSA-49g5-f6qw-8mm7
  • libcrypto3/libssl3: CVE-2025-9230, CVE-2025-9231, CVE-2025-9232, GHSA-76r2-c3cg-f5r9, GHSA-9mrx-mqmg-gwj9

0.18.15

Enhancements

• Speed up function ElementHtml._get_children_html by 234% (codeflash)
• Speed up function group_broken_paragraphs by 30% (codeflash)

Features

Fixes

• Bumped dependencies via pip-compile to address the crit CVE in:
  • deepdiff: 8.6.0 -> 8.6.1: GHSA-mw26-5g2v-hqw3

0.18.14

Enhancements

• Speed up function sentence_count by 59% (codeflash)
• Speed up function check_for_nltk_package by 111% (codeflash)
• Speed up function under_non_alpha_ratio by 76% (codeflash)

... (truncated)

Commits

• b01d35b fix: sanitize MSG attachment filenames to prevent path traversal (GHS… (#4117)
• 1c519ef Security Fixes - CVE Remediation (#4115)
• c79cf3a updated dependancies to resolve open CVEs and cut a new version (#4108)
• 8fd07fd feat: Add simple script to sync fork with local branch (#4102)
• ef68384 enhancement: Speed up function _assign_hash_ids by 34% (#4101)
• 2d44d73 Luke/sept16 CVE (#4094)
• ab55d86 ⚡️ Speed up method ElementHtml._get_children_html by 234% (#4087)
• 6aee131 ⚡️ Speed up function group_broken_paragraphs by 30% (#4088)
• 1030a69 fix: update deps to resolve cve (#4093)
• e3854d2 Setup Codeflash Github Actions to optimize all future code (#4082)
• Additional commits viewable in compare view

Updates flask from 3.0.0 to 3.1.3

Release notes

Sourced from flask's releases.

3.1.3

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

• The session is marked as accessed for operations that only access the keys but not the values, such as in and len. GHSA-68rp-wp8r-4726

3.1.2

This is the Flask 3.1.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.2/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-2 Milestone: https://github.com/pallets/flask/milestone/38?closed=1

• stream_with_context does not fail inside async views. #5774
• When using follow_redirects in the test client, the final state of session is correct. #5786
• Relax type hint for passing bytes IO to send_file. #5776

3.1.1

This is the Flask 3.1.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.1/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-1 Milestone https://github.com/pallets/flask/milestone/36?closed=1

• Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. GHSA-4grg-w6v8-c28g
• Fix type hint for cli_runner.invoke. #5645
• flask --help loads the app and plugins first to make sure all commands are shown. #5673
• Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. #5659

3.1.0

This is the Flask 3.1.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI: https://pypi.org/project/Flask/3.1.0/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-0 Milestone: https://github.com/pallets/flask/milestone/33?closed=1

• Drop support for Python 3.8. #5623
• Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. #5624, #5633
• Provide a configuration option to control automatic option responses. #5496
• Flask.open_resource/open_instance_resource and Blueprint.open_resource take an encoding parameter to use when opening in text mode. It defaults to utf-8. #5504
• Request.max_content_length can be customized per-request instead of only through the MAX_CONTENT_LENGTH config. Added MAX_FORM_MEMORY_SIZE and MAX_FORM_PARTS config. Added documentation about resource limits to the security page. #5625
• Add support for the Partitioned cookie attribute (CHIPS), with the SESSION_COOKIE_PARTITIONED config. #5472
• -e path takes precedence over default .env and .flaskenv files. load_dotenv loads default files in addition to a path unless load_defaults=False is passed. #5628
• Support key rotation with the SECRET_KEY_FALLBACKS config, a list of old secret keys that can still be used for unsigning. Extensions will need to add support. #5621
• Fix how setting host_matching=True or subdomain_matching=False interacts with SERVER_NAME. Setting SERVER_NAME no longer restricts requests to only that domain. #5553
• Request.trusted_hosts is checked during routing, and can be set through the TRUSTED_HOSTS config. #5636

3.0.3

... (truncated)

Changelog

Sourced from flask's changelog.

Version 3.1.3

Released 2026-02-18

• The session is marked as accessed for operations that only access the keys but not the values, such as in and len. :ghsa:68rp-wp8r-4726

Version 3.1.2

Released 2025-08-19

• stream_with_context does not fail inside async views. :issue:5774
• When using follow_redirects in the test client, the final state of session is correct. :issue:5786
• Relax type hint for passing bytes IO to send_file. :issue:5776

Version 3.1.1

Released 2025-05-13

• Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28g
• Fix type hint for cli_runner.invoke. :issue:5645Description has been truncated