chore(deps): bump the uv group across 40 directories with 4 updates

[dependabot]

Bumps the uv group with 1 update in the /python/agents/adk-ae-oauth directory: authlib.
Bumps the uv group with 1 update in the /python/agents/ai-security-agent directory: authlib.
Bumps the uv group with 1 update in the /python/agents/airflow_version_upgrade_agent directory: authlib.
Bumps the uv group with 1 update in the /python/agents/ambient-expense-agent directory: authlib.
Bumps the uv group with 1 update in the /python/agents/antom-payment directory: authlib.
Bumps the uv group with 1 update in the /python/agents/auto-insurance-agent directory: authlib.
Bumps the uv group with 1 update in the /python/agents/bidi-demo directory: authlib.
Bumps the uv group with 1 update in the /python/agents/brand-aligned-presentations directory: authlib.
Bumps the uv group with 2 updates in the /python/agents/brand-aligner directory: authlib and nltk.
Bumps the uv group with 1 update in the /python/agents/brand-search-optimization directory: authlib.
Bumps the uv group with 1 update in the /python/agents/camel directory: authlib.
Bumps the uv group with 1 update in the /python/agents/claim-adjudication-agent directory: authlib.
Bumps the uv group with 1 update in the /python/agents/currency-agent directory: authlib.
Bumps the uv group with 1 update in the /python/agents/cyber-guardian-agent directory: authlib.
Bumps the uv group with 1 update in the /python/agents/data-engineering directory: authlib.
Bumps the uv group with 1 update in the /python/agents/earth-engine-geospatial directory: authlib.
Bumps the uv group with 1 update in the /python/agents/economic-research-agent directory: authlib.
Bumps the uv group with 1 update in the /python/agents/fomc-research directory: authlib.
Bumps the uv group with 1 update in the /python/agents/fun-facts directory: authlib.
Bumps the uv group with 1 update in the /python/agents/global-kyc-agent directory: authlib.
Bumps the uv group with 1 update in the /python/agents/google-trends-agent directory: authlib.
Bumps the uv group with 2 updates in the /python/agents/hierarchical-workflow-automation directory: authlib and langchain-text-splitters.
Bumps the uv group with 1 update in the /python/agents/high-volume-document-analyzer directory: pypdf.
Bumps the uv group with 1 update in the /python/agents/incident-management directory: authlib.
Bumps the uv group with 1 update in the /python/agents/invoice-processing directory: authlib.
Bumps the uv group with 2 updates in the /python/agents/llm-auditor directory: authlib and nltk.
Bumps the uv group with 2 updates in the /python/agents/machine-learning-engineering directory: authlib and nltk.
Bumps the uv group with 1 update in the /python/agents/memory-bank directory: authlib.
Bumps the uv group with 1 update in the /python/agents/nexshift-agent directory: authlib.
Bumps the uv group with 1 update in the /python/agents/nurse-handover directory: authlib.
Bumps the uv group with 2 updates in the /python/agents/on-brand-genmedia directory: authlib and nltk.
Bumps the uv group with 1 update in the /python/agents/order-processing directory: authlib.
Bumps the uv group with 1 update in the /python/agents/plumber-data-engineering-assistant directory: authlib.
Bumps the uv group with 1 update in the /python/agents/policy-as-code directory: authlib.
Bumps the uv group with 1 update in the /python/agents/retail-ai-location-strategy directory: authlib.
Bumps the uv group with 1 update in the /python/agents/safety-plugins directory: authlib.
Bumps the uv group with 1 update in the /python/agents/small-business-loan-agent directory: authlib.
Bumps the uv group with 1 update in the /python/agents/story_teller directory: authlib.
Bumps the uv group with 1 update in the /python/agents/supply-chain directory: authlib.
Bumps the uv group with 1 update in the /python/agents/tau2-benchmark-agent directory: authlib.

Updates authlib from 1.6.10 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.10 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.6 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates nltk from 3.9.3 to 3.9.4

Changelog

Sourced from nltk's changelog.

Version 3.9.4 2026-03-24

• Support Python 3.14
• Fix bug in Levenshtein distance when substitution_cost > 2
• Fix bug in Treebank detokeniser re quote ordering
• Fix bug in Jaro similarity for empty strings
• Several security enhancements
• Fix GHSA-rf74-v2fm-23pw: unbounded recursion in JSONTaggedDecoder
• Implement TextTiling vocabulary introduction method (Hearst 1997)
• Fix ALINE feature matrix errors and add comprehensive tests
• Support multiple VerbNet versions, fix longid/shortid regex for VerbNet ids
• Let downloader fallback to md5 when sha256 is unavailable
• Several other minor bugfixes and code cleanups

Thanks to the following contributors to 3.9.4: Min-Yen Kan, Eric Kafe, Emily Voss, bowiechen, Hrudhai01, jancallewaert, Mr-Neutr0n, pollak.peter89, ylwango613,

Version 3.9.3 2026-02-21

• Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
• Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
• Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
• Validate external StanfordSegmenter JARs using SHA256 (#3477)
• Add optional sandbox enforcement for filestring() (#3485)
• Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

• Update download checksums to use SHA256 in built index
• Fix percentage escape in new-style string formatting
• replace shortened URLs using goo.gl
• Make Wordnet interoperable with various taggers and tagged corpora
• Fix saving PerceptronTagger
• Document how to reproduce old Wordnet studies
• properly initialize Portuguese corpus reader
• support for mixed rules conversion into Chomsky Normal Form
• only import tkinter if a GUI is needed
• issue #2112 with Corenlp
• new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL
• Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

... (truncated)

Commits

• ad9c96b Update copyright year
• 7edcddf Updates for 3.9.4 release
• 67a2736 Merge pull request #3180 from yzhaoinuw/bug-on-edit_distance_align
• 2b17ac5 Fix edit_distance_align backtrace for high substitution costs
• 4b72976 Merge pull request #3018 from JuanIMartinezB/bug/shortid-longid
• 8a5619f Merge pull request #3222 from Syzygy2048/feature/texttiling-vocabulary-introd...
• c6574d7 Merge pull request #3289 from ihitamandal/codeflash/optimize-windowdiff-2024-...
• 98ff5d9 Merge pull request #3435 from Hrudhai01/fix-3260-detokenize-quotes
• aec4fce Merge pull request #3522 from ekaf/pathsec
• eec4ee3 Merge pull request #3526 from nltk/update-contributing
• Additional commits viewable in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.3 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates langchain-text-splitters from 0.3.11 to 1.1.2

Release notes

Sourced from langchain-text-splitters's releases.

langchain-text-splitters==1.1.2

Changes since langchain-text-splitters==1.1.1

release(text-splitters): 1.1.2 (#36822) fix(text-splitters): deprecate and use SSRF-safe transport in split_text_from_url (#36821) chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/text-splitters (#36797) chore(deps): bump pytest to 9.0.3 (#36801) chore: bump pytest from 9.0.2 to 9.0.3 in /libs/text-splitters (#36714) chore: add comment explaining pygments>=2.20.0 (#36570) release(core): 1.2.26 (#36511) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385) fix(text-splitters): prevent silent data loss for empty dict values in RecursiveJsonSplitter (#35079) feat(text-splitters): support spacy tests with Python 3.14 (#36198) fix(infra): correct lint_diff relative paths in package makefiles (#36333) chore: bump requests from 2.32.5 to 2.33.0 in /libs/text-splitters (#36238) chore: bump nltk from 3.9.3 to 3.9.4 in /libs/text-splitters (#36237) chore(partners): bump langchain-core min to 1.2.21 (#36183) chore(text-splitters): bump nltk in lock file (#36112) ci: suppress pytest streaming output in CI (#36092) chore(text-splitters): speed up ci (#36050) ci: avoid unnecessary dep installs in lint targets (#36046) chore: bump orjson from 3.11.5 to 3.11.6 in /libs/text-splitters (#35856) chore: bump locks, lint (#35985) perf(.github): set a timeout on get min versions HTTP calls (#35851) chore: bump tornado from 6.5.2 to 6.5.5 in /libs/text-splitters (#35774) chore: bump the minor-and-patch group across 3 directories with 3 updates (#35589) chore: bump the other-deps group across 3 directories with 2 updates (#35512) chore: bump nltk from 3.9.2 to 3.9.3 in /libs/text-splitters (#35449) chore: bump the other-deps group across 3 directories with 2 updates (#35407)

langchain-text-splitters==1.1.1

Changes since langchain-text-splitters==1.1.0

release(text-splitters): 1.1.1 (#35318) fix(text-splitters): prevent JSFrameworkTextSplitter from mutating self._separators on each split_text() call (#35316) chore: bump transformers from 5.1.0 to 5.2.0 in /libs/text-splitters in the other-deps group across 1 directory (#35279) chore: bump the other-deps group across 3 directories with 2 updates (#35255) style: bump ruff version to 0.15 (#35042) fix: Server-Side Request Forgery (SSRF) in HTMLHeaderTextSplitter.split_text_from_url (#35196) feat(text-splitters): add model_kwargs to SentenceTransformersTokenTextSplitter (#35113) chore(deps): bump langsmith from 0.4.31 to 0.6.3 in /libs/text-splitters (#35162) chore(deps): bump the other-deps group across 3 directories with 12 updates (#35127) chore(deps): bump the other-deps group across 3 directories with 8 updates (#35120) chore: add make type target (#35015) revert: "chore: add typing target in Makefile" (#35013) chore: add typing target in Makefile (#35012) fix(text-splitters): reverse preserved elements iterator in HTMLSemanticPreservingSplitter (#34080) chore: enrich pyproject.toml files (#34980) chore(deps): bump the uv group across 20 directories with 3 updates (#34941) chore: upgrade urllib3 to 2.6.3 (#34940)

... (truncated)

Commits

• 58c4e5b release(text-splitters): 1.1.2 (#36822)
• c289bf1 fix(text-splitters): deprecate and use SSRF-safe transport in split_text_from...
• b7447c6 fix(infra): skip serdes tests in min-version release step (#36818)
• 41c0cc5 release(openai): 1.1.14 (#36820)
• 0516156 fix(openai): use SSRF-safe transport for image token counting (#36819)
• 338aa81 fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#3...
• 51e9548 chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/text-splitters (#36797)
• e85c418 chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/model-profiles (#36798)
• 789126e chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/standard-tests (#36799)
• 937b3eb chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/langchain_v1 (#36800)
• Additional commits viewable in compare view

Updates pypdf from 6.9.2 to 6.10.2

Release notes

Sourced from pypdf's releases.

Version 6.10.2, 2026-04-15

What's new

Security (SEC)

• Do not rely on possibly invalid /Size for incremental cloning (#3735) by @​stefan6419846
• Introduce limits for FlateDecode parameters and image decoding (#3734) by @​stefan6419846

Full Changelog

Version 6.10.1, 2026-04-14

What's new

Security (SEC)

• Limit the allowed size of xref and object streams (#3733) by @​stefan6419846

Robustness (ROB)

• Consider strict mode setting for decryption errors (#3731) by @​stefan6419846

Documentation (DOC)

• Use new parameter names for compress_identical_objects by @​stefan6419846

Full Changelog

Version 6.10.0, 2026-04-10

What's new

Security (SEC)

• Disallow custom XML entity declarations for XMP metadata (#3724) by @​stefan6419846

New Features (ENH)

• Skip MD5 key derivation for AES-256 encrypted PDFs (#3694) by @​Ygnas

Bug Fixes (BUG)

• Use remove_orphans in compress_identical_objects (#3310) by @​j-t-1
• Fix PdfReadError when xref table contains comments before trailer (#3710) by @​rassie
• Correctly verify AES padding during decryption (#3699) by @​stefan6419846
• Fix stale object cache from non-authoritative object streams (#3698) by @​astahlman
• Fix extract_links pairing when annotations include non-links (#3687) by @​ReinerBRO

Documentation (DOC)

• Add AI policy (#3717) by @​stefan6419846

Full Changelog

Changelog

Sourced from pypdf's changelog.

Version 6.10.2, 2026-04-15

Security (SEC)

• Do not rely on possibly invalid /Size for incremental cloning (#3735)
• Introduce limits for FlateDecode parameters and image decoding (#3734)

Full Changelog

Version 6.10.1, 2026-04-14

Security (SEC)

• Limit the allowed size of xref and object streams (#3733)

Robustness (ROB)

• Consider strict mode setting for decryption errors (#3731)

Documentation (DOC)

• Use new parameter names for compress_identical_objects

Full Changelog

Version 6.10.0, 2026-04-10

Security (SEC)

• Disallow custom XML entity declarations for XMP metadata (#3724)

New Features (ENH)

• Skip MD5 key derivation for AES-256 encrypted PDFs (#3694)

Bug Fixes (BUG)

• Use remove_orphans in compress_identical_objects (#3310)
• Fix PdfReadError when xref table contains comments before trailer (#3710)
• Correctly verify AES padding during decryption (#3699)
• Fix stale object cache from non-authoritative object streams (#3698)
• Fix extract_links pairing when annotations include non-links (#3687)

Documentation (DOC)

• Add AI policy (#3717)

Full Changelog

Commits

• c476b4f REL: 6.10.2
• c50a010 SEC: Do not rely on possibly invalid /Size for incremental cloning (#3735)
• ac734da SEC: Introduce limits for FlateDecode parameters and image decoding (#3734)
• b49e7eb REL: 6.10.1
• 62338e9 SEC: Limit the allowed size of xref and object streams (#3733)
• 5dcc0ae DEV: Update pytest-benchmark to 5.2.3
• b42e4aa DEV: Update pinned pillow and pytest where possible (#3732)
• 717446b ROB: Consider strict mode setting for decryption errors (#3731)
• 9e461d3 DEV: Bump softprops/action-gh-release from 2 to 3 (#3730)
• 500d09d TST: Update test_embedded_file__basic to use tmp_path fixture (#3726)
• Additional commits viewable in compare view

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• See full diff in compare view

Updates authlib from 1.6.10 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.
Description has been truncated

[dependabot]

Superseded by #1699.