Sourced from numpy's releases.

v1.22.0

NumPy 1.22.0 Release Notes

NumPy 1.22.0 is a big release featuring the work of 153 contributors spread over 609 pull requests. There have been many improvements, highlights are:

• Annotations of the main namespace are essentially complete. Upstream is a moving target, so there will likely be further improvements, but the major work is done. This is probably the most user visible enhancement in this release.
• A preliminary version of the proposed Array-API is provided. This is a step in creating a standard collection of functions that can be used across application such as CuPy and JAX.
• NumPy now has a DLPack backend. DLPack provides a common interchange format for array (tensor) data.
• New methods for quantile, percentile, and related functions. The new methods provide a complete set of the methods commonly found in the literature.
• A new configurable allocator for use by downstream projects.

These are in addition to the ongoing work to provide SIMD support for commonly used functions, improvements to F2PY, and better documentation.

The Python versions supported in this release are 3.8-3.10, Python 3.7 has been dropped. Note that 32 bit wheels are only provided for Python 3.8 and 3.9 on Windows, all other wheels are 64 bits on account of Ubuntu, Fedora, and other Linux distributions dropping 32 bit support. All 64 bit wheels are also linked with 64 bit integer OpenBLAS, which should fix the occasional problems encountered by folks using truly huge arrays.

Expired deprecations

Deprecated numeric style dtype strings have been removed

Using the strings "Bytes0", "Datetime64", "Str0", "Uint32", and "Uint64" as a dtype will now raise a TypeError.

(gh-19539)

Expired deprecations for loads, ndfromtxt, and mafromtxt in npyio

numpy.loads was deprecated in v1.15, with the recommendation that users use pickle.loads instead. ndfromtxt and mafromtxt were both deprecated in v1.17 - users should use numpy.genfromtxt instead with the appropriate value for the usemask parameter.

(gh-19615)

... (truncated)

• 4adc87d Merge pull request #20685 from charris/prepare-for-1.22.0-release
• fd66547 REL: Prepare for the NumPy 1.22.0 release.
• 125304b wip
• c283859 Merge pull request #20682 from charris/backport-20416
• 5399c03 Merge pull request #20681 from charris/backport-20954
• f9c45f8 Merge pull request #20680 from charris/backport-20663
• 794b36f Update armccompiler.py
• d93b14e Update test_public_api.py
• 7662c07 Update init.py
• 311ab52 Update armccompiler.py
• Additional commits viewable in compare view

Sourced from scikit-learn's releases.

Scikit-learn 1.5.0

We're happy to announce the 1.5.0 release.

You can read the release highlights under https://scikit-learn.org/stable/auto_examples/release_highlights/plot_release_highlights_1_5_0.html and the long version of the change log under https://scikit-learn.org/stable/whats_new/v1.5.html

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

The conda-forge builds can be installed using:

conda install -c conda-forge scikit-learn

Scikit-learn 1.4.2

We're happy to announce the 1.4.2 release.

This release only includes support for numpy 2.

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

Scikit-learn 1.4.1.post1

We're happy to announce the 1.4.1.post1 release.

You can see the changelog here: https://scikit-learn.org/stable/whats_new/v1.4.html#version-1-4-1-post1

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

The conda-forge builds can be installed using:

conda install -c conda-forge scikit-learn

... (truncated)

• b51d0c9 trigger whell builder [cd build]
• 919ae9b MAINT Reoder what's new for 1.5 (#29039)
• 0ac28ad DOC Release highlights 1.5 (#29007)
• 729b54d test py3.12 against numpy 2 [cd build]
• 1e50434 set version
• ffbe4ab DOC remove obsolete SVM example (#27108)
• 4647729 DOC Fix time complexity of MLP (#28592)
• 9bd7047 FIX convergence criterion of MeanShift (#28951)
• b79420f FIX add long long for int32/int64 windows compat in NumPy 2.0 (#29029)
• 37f544d DOC replace pandas with Polars in examples/gaussian_process/plot_gpr_co2.py (...
• Additional commits viewable in compare view

Sourced from scrapy's releases.

2.13.4

Fix for the CVE-2025-6176 security issue: improved protection against decompression bombs in HttpCompressionMiddleware for responses compressed using the br and deflate methods. Requires brotli >= 1.2.0.

Full changelog

2.13.3

• Changed the values for DOWNLOAD_DELAY (from 0 to 1) and CONCURRENT_REQUESTS_PER_DOMAIN (from 8 to 1) in the default project template.
• Fixed several bugs in the engine initialization and exception handling logic.
• Allowed running tests with Twisted 25.5.0+ again and fixed test failures with lxml 6.0.0.

See the full changelog

2.13.2

• Fixed a bug introduced in Scrapy 2.13.0 that caused results of request errbacks to be ignored when the errback was called because of a downloader error.
• Docs and error messages improvements related to the Scrapy 2.13.0 default reactor change.

See the full changelog

2.13.1

• Give callback requests precedence over start requests when priority values are the same.

See the full changelog

2.13.0

• The asyncio reactor is now enabled by default
• Replaced start_requests() (sync) with start() (async) and changed how it is iterated.
• Added the allow_offsite request meta key
• Spider middlewares that don't support asynchronous spider output are deprecated
• Added a base class for universal spider middlewares

See the full changelog

2.12.0

• Dropped support for Python 3.8, added support for Python 3.13
• start_requests can now yield items
• Added scrapy.http.JsonResponse
• Added the CLOSESPIDER_PAGECOUNT_NO_ITEM setting

See the full changelog.

2.11.2

Mostly bug fixes, including security bug fixes.

See the full changelog.

2.11.1

• Security bug fixes.
• Support for Twisted >= 23.8.0.
• Documentation improvements.

... (truncated)

Sourced from scrapy's changelog.

Scrapy 2.13.4 (2025-11-17)

Security bug fixes

-   Improved protection against decompression bombs in
    :class:`~scrapy.downloadermiddlewares.httpcompression.HttpCompressionMiddleware`
    for responses compressed using the ``br`` and ``deflate`` methods: if a
    single compressed chunk would be larger than the response size limit (see
    :setting:`DOWNLOAD_MAXSIZE`) when decompressed, decompression is no longer
    carried out. This is especially important for the ``br`` (Brotli) method
    that can provide a very high compression ratio. Please, see the
    `CVE-2025-6176`_ and `GHSA-2qfp-q593-8484`_ security advisories for more
    information.
    (:issue:`7134`)
.. _CVE-2025-6176: https://nvd.nist.gov/vuln/detail/CVE-2025-6176
.. _GHSA-2qfp-q593-8484: https://github.com/advisories/GHSA-2qfp-q593-8484

Modified requirements

• The minimum supported version of the optional brotli package is now 1.2.0. (:issue:7134)

• The brotlicffi and brotlipy packages can no longer be used to decompress Brotli-compressed responses. Please install the brotli package instead. (:issue:7134)

Other changes

-   Restricted the maximum supported Twisted version to ``25.5.0``, as Scrapy
    currently uses some private APIs changed in later Twisted versions.
    (:issue:`7142`)


Stopped setting the COVERAGE_CORE environment variable in tests, it

didn't have an effect but caused the coverage module to produce a

warning or an error.

(:issue:7137)


Removed the documentation build dependency on the deprecated

sphinx-hoverxref module.

(:issue:6786, :issue:6922)


.. _release-2.13.3:
</tr></table>

... (truncated)

• 2f62ab5 Bump version: 2.13.3 → 2.13.4
• 31a9c03 Release notes for 2.13.4. (#7144)
• c44b8df Cherry-pick: Mitigate brotli and deflate decompression bombs DoS (#7134)
• d091256 Remove the deprecated sphinx-hoverxref (#6922)
• c83ca70 Don't force the unavailable sysmon coverage core. (#7137)
• 85e4e6c Pin Twisted to <= 25.5.0 due to internal API changes.
• 155a504 Bump version: 2.13.2 → 2.13.3
• cf465bf Release notes for 2.13.3. (#6934)
• c9cdf0a Narrow down TestEngine::test_short_timeout() expectations. (#6911)
• 03fe7a6 Add a deprecation notice for the offsite spider middleware.
• Additional commits viewable in compare view

Sourced from tqdm's releases.

tqdm v4.66.3 stable

• cli: eval safety (fixes CVE-2024-34062, GHSA-g7vv-2v7x-gj9p)

tqdm v4.66.2 stable

• pandas: add DataFrame.progress_map (#1549)
• notebook: fix HTML padding (#1506)
• keras: fix resuming training when verbose>=2 (#1508)
• fix format_num negative fractions missing leading zero (#1548)
• fix Python 3.12 DeprecationWarning on import (#1519)
• linting: use f-strings (#1549)
• update tests (#1549)
  • fix pandas warnings
  • fix asv (airspeed-velocity/asv#1323)
  • fix macos notebook docstring indentation
• CI: bump actions (#1549)

tqdm v4.66.1 stable

• fix utils.envwrap types (#1493 <- #1491, #1320 <- #966, #1319)
  • e.g. cloudwatch & kubernetes workaround: export TQDM_POSITION=-1
• drop mentions of unsupported Python versions

tqdm v4.66.0 stable

• environment variables to override defaults (TQDM_*) (#1491 <- #1061, #950 <- #614, #1318, #619, #612, #370)
  • e.g. in CI jobs, export TQDM_MININTERVAL=5 to avoid log spam
  • add tests & docs for tqdm.utils.envwrap
• fix & update CLI completion
• fix & update API docs
• minor code tidy: replace os.path => pathlib.Path
• fix docs image hosting
• release with CI bot account again (cli/cli#6680)

tqdm v4.65.2 stable

• exclude examples from distributed wheel (#1492)

tqdm v4.65.1 stable

• migrate setup.{cfg,py} => pyproject.toml (#1490)
  • fix asv benchmarks
  • update docs
• fix snap build (#1490)
• fix & update tests (#1490)
  • fix flaky notebook tests
  • bump pre-commit
  • bump workflow actions

tqdm v4.65.0 stable

• add Python 3.11 and drop Python 3.6 support (#1439, #1419, #502 <- #720, #620)
• misc code & docs tidy
• fix & update CI workflows & tests

tqdm v4.64.1 stable

... (truncated)

• 4e613f8 Merge pull request from GHSA-g7vv-2v7x-gj9p
• b53348c cli: eval safety
• cc372d0 bump version, merge pull request #1549 from tqdm/devel
• e9f0c05 use PyPI trusted publishing
• 7323d5b slight makefile clean
• 5306125 tests: bump pre-commit
• 4a6fd4f fix datetime.utcfromtimestamp py3.12 warning (#1519)
• 6f13759 tests: fix macos notebook indentation
• 3abcd2a tests: fix asv
• a4d15c8 tests: fix pandas warnings
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.