• d43c7c7 release 7.16.3
• 5fa1e40 Merge pull request from GHSA-pq7m-3gw7-gq5x
• 8df8971 back to dev
• 9f477b7 release 7.16.2
• 138f266 bring back release helper from master branch
• 5aa3634 Merge pull request #13341 from meeseeksmachine/auto-backport-of-pr-13335-on-7...
• bcae8e0 Backport PR #13335: What's new 7.16.2
• 8fcdcd3 Pin Jedi to <0.17.2.
• 2486838 release 7.16.1
• 20bdc6f fix conda build
• Additional commits viewable in compare view

Sourced from pillow's releases.

8.3.2

https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html

Security

• CVE-2021-23437 Raise ValueError if color specifier is too long [hugovk, radarhere]

• Fix 6-byte OOB read in FliDecode [wiredfool]

Python 3.10 wheels

• Add support for Python 3.10 #5569, #5570 [hugovk, radarhere]

Fixed regressions

• Ensure TIFF RowsPerStrip is multiple of 8 for JPEG compression #5588 [kmilos, radarhere]

• Updates for ImagePalette channel order #5599 [radarhere]

• Hide FriBiDi shim symbols to avoid conflict with real FriBiDi library #5651 [nulano]

8.3.1

https://pillow.readthedocs.io/en/stable/releasenotes/8.3.1.html

Changes

• Catch OSError when checking if fp is sys.stdout #5585 [@​radarhere]
• Handle removing orientation from alternate types of EXIF data #5584 [@​radarhere]
• Make Image.array take optional dtype argument #5572 [@​t-vi]

8.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html

Changes

• Use snprintf instead of sprintf #5567 [@​radarhere]
• Limit TIFF strip size when saving with LibTIFF #5514 [@​kmilos]
• Allow ICNS save on all operating systems #4526 [@​newpanjing]
• De-zigzag JPEG's DQT when loading; deprecate convert_dict_qtables #4989 [@​gofr]
• Do not use background or transparency index for new color #5564 [@​radarhere]
• Simplified code #5315 [@​radarhere]
• Replaced xml.etree.ElementTree #5565 [@​radarhere]

... (truncated)

Sourced from pillow's changelog.

8.3.2 (2021-09-02)

• CVE-2021-23437 Raise ValueError if color specifier is too long [hugovk, radarhere]

• Fix 6-byte OOB read in FliDecode [wiredfool]

• Add support for Python 3.10 #5569, #5570 [hugovk, radarhere]

• Ensure TIFF RowsPerStrip is multiple of 8 for JPEG compression #5588 [kmilos, radarhere]

• Updates for ImagePalette channel order #5599 [radarhere]

• Hide FriBiDi shim symbols to avoid conflict with real FriBiDi library #5651 [nulano]

8.3.1 (2021-07-06)

• Catch OSError when checking if fp is sys.stdout #5585 [radarhere]

• Handle removing orientation from alternate types of EXIF data #5584 [radarhere]

• Make Image.array take optional dtype argument #5572 [t-vi, radarhere]

8.3.0 (2021-07-01)

• Use snprintf instead of sprintf. CVE-2021-34552 #5567 [radarhere]

• Limit TIFF strip size when saving with LibTIFF #5514 [kmilos]

• Allow ICNS save on all operating systems #4526 [baletu, radarhere, newpanjing, hugovk]

• De-zigzag JPEG's DQT when loading; deprecate convert_dict_qtables #4989 [gofr, radarhere]

• Replaced xml.etree.ElementTree #5565 [radarhere]

... (truncated)

• 8013f13 8.3.2 version bump
• 23c7ca8 Update CHANGES.rst
• 8450366 Update release notes
• a0afe89 Update test case
• 9e08eb8 Raise ValueError if color specifier is too long
• bd5cf7d FLI tests for Oss-fuzz crash.
• 94a0cf1 Fix 6-byte OOB read in FliDecode
• cece64f Add 8.3.2 (2021-09-02) [CI skip]
• e422386 Add release notes for Pillow 8.3.2
• 08dcbb8 Pillow 8.3.2 supports Python 3.10 [ci skip]
• Additional commits viewable in compare view

Sourced from urllib3's releases.

1.26.5

:warning: IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Fixed deprecation warnings emitted in Python 3.10.
• Updated vendored six library to 1.16.0.
• Improved performance of URL parser when splitting the authority component.

If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors

1.26.4

:warning: IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Changed behavior of the default SSLContext when connecting to HTTPS proxy during HTTPS requests. The default SSLContext now sets check_hostname=True.

If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors

1.26.3

:warning: IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Fixed bytes and string comparison issue with headers (Pull #2141)

• Changed ProxySchemeUnknown error message to be more actionable if the user supplies a proxy URL without a scheme (Pull #2107)

If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors

1.26.2

:warning: IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Fixed an issue where wrap_socket and CERT_REQUIRED wouldn't be imported properly on Python 2.7.8 and earlier (Pull #2052)

1.26.1

:warning: IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Fixed an issue where two User-Agent headers would be sent if a User-Agent header key is passed as bytes (Pull #2047)

1.26.0

:warning: IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Added support for HTTPS proxies contacting HTTPS servers (Pull #1923, Pull #1806)

• Deprecated negotiating TLSv1 and TLSv1.1 by default. Users that still wish to use TLS earlier than 1.2 without a deprecation warning should opt-in explicitly by setting ssl_version=ssl.PROTOCOL_TLSv1_1 (Pull #2002) Starting in urllib3 v2.0: Connections that receive a DeprecationWarning will fail

• Deprecated Retry options Retry.DEFAULT_METHOD_WHITELIST, Retry.DEFAULT_REDIRECT_HEADERS_BLACKLIST and Retry(method_whitelist=...) in favor of Retry.DEFAULT_ALLOWED_METHODS, Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT, and Retry(allowed_methods=...) (Pull #2000) Starting in urllib3 v2.0: Deprecated options will be removed

... (truncated)

Sourced from urllib3's changelog.

1.26.5 (2021-05-26)

• Fixed deprecation warnings emitted in Python 3.10.
• Updated vendored six library to 1.16.0.
• Improved performance of URL parser when splitting the authority component.

1.26.4 (2021-03-15)

• Changed behavior of the default SSLContext when connecting to HTTPS proxy during HTTPS requests. The default SSLContext now sets check_hostname=True.

1.26.3 (2021-01-26)

• Fixed bytes and string comparison issue with headers (Pull #2141)

• Changed ProxySchemeUnknown error message to be more actionable if the user supplies a proxy URL without a scheme. (Pull #2107)

1.26.2 (2020-11-12)

• Fixed an issue where wrap_socket and CERT_REQUIRED wouldn't be imported properly on Python 2.7.8 and earlier (Pull #2052)

1.26.1 (2020-11-11)

• Fixed an issue where two User-Agent headers would be sent if a User-Agent header key is passed as bytes (Pull #2047)

1.26.0 (2020-11-10)

• NOTE: urllib3 v2.0 will drop support for Python 2. Read more in the v2.0 Roadmap <https://urllib3.readthedocs.io/en/latest/v2-roadmap.html>_.

• Added support for HTTPS proxies contacting HTTPS servers (Pull #1923, Pull #1806)

• Deprecated negotiating TLSv1 and TLSv1.1 by default. Users that still wish to use TLS earlier than 1.2 without a deprecation warning

... (truncated)

• d161647 Release 1.26.5
• 2d4a3fe Improve performance of sub-authority splitting in URL
• 2698537 Update vendored six to 1.16.0
• 07bed79 Fix deprecation warnings for Python 3.10 ssl module
• d725a9b Add Python 3.10 to GitHub Actions
• 339ad34 Use pytest==6.2.4 on Python 3.10+
• f271c9c Apply latest Black formatting
• 1884878 [1.26] Properly proxy EOF on the SSLTransport test suite
• a891304 Release 1.26.4
• 8d65ea1 Merge pull request from GHSA-5phf-pp7p-vc2r
• Additional commits viewable in compare view

Sourced from pygments's releases.

2.7.4

• Updated lexers:

  • Apache configurations: Improve handling of malformed tags (#1656)

  • CSS: Add support for variables (#1633, #1666)

  • Crystal (#1650, #1670)

  • Coq (#1648)

  • Fortran: Add missing keywords (#1635, #1665)

  • Ini (#1624)

  • JavaScript and variants (#1647 -- missing regex flags, #1651)

  • Markdown (#1623, #1617)

  • Shell

    • Lex trailing whitespace as part of the prompt (#1645)
    • Add missing in keyword (#1652)

  • SQL - Fix keywords (#1668)

  • Typescript: Fix incorrect punctuation handling (#1510, #1511)

• Fix infinite loop in SML lexer (#1625)

• Fix backtracking string regexes in JavaScript/TypeScript, Modula2 and many other lexers (#1637)

• Limit recursion with nesting Ruby heredocs (#1638)

• Fix a few inefficient regexes for guessing lexers

• Fix the raw token lexer handling of Unicode (#1616)

• Revert a private API change in the HTML formatter (#1655) -- please note that private APIs remain subject to change!

• Fix several exponential/cubic-complexity regexes found by Ben Caller/Doyensec (#1675)

• Fix incorrect MATLAB example (#1582)

Thanks to Google's OSS-Fuzz project for finding many of these bugs.

2.7.3

• Updated lexers:

  • Ada (#1581)
  • HTML (#1615, #1614)
  • Java (#1594, #1586)
  • JavaScript (#1605, #1589, #1588)
  • JSON (#1569 -- this is a complete rewrite)
  • Lean (#1601)
  • LLVM (#1612)
  • Mason (#1592)
  • MySQL (#1555, #1551)
  • Rust (#1608)
  • Turtle (#1590, #1553)

• Deprecated JsonBareObjectLexer, which is now identical to JsonLexer (#1600)

• The ImgFormatter now calculates the exact character width, which fixes some issues with overlapping text (#1213, #1611)

... (truncated)

Sourced from pygments's changelog.

Version 2.7.4

(released January 12, 2021)

• Updated lexers:

  • Apache configurations: Improve handling of malformed tags (#1656)

  • CSS: Add support for variables (#1633, #1666)

  • Crystal (#1650, #1670)

  • Coq (#1648)

  • Fortran: Add missing keywords (#1635, #1665)

  • Ini (#1624)

  • JavaScript and variants (#1647 -- missing regex flags, #1651)

  • Markdown (#1623, #1617)

  • Shell

    • Lex trailing whitespace as part of the prompt (#1645)
    • Add missing in keyword (#1652)

  • SQL - Fix keywords (#1668)

  • Typescript: Fix incorrect punctuation handling (#1510, #1511)

• Fix infinite loop in SML lexer (#1625)

• Fix backtracking string regexes in JavaScript/TypeScript, Modula2 and many other lexers (#1637)

• Limit recursion with nesting Ruby heredocs (#1638)

• Fix a few inefficient regexes for guessing lexers

• Fix the raw token lexer handling of Unicode (#1616)

• Revert a private API change in the HTML formatter (#1655) -- please note that private APIs remain subject to change!

• Fix several exponential/cubic-complexity regexes found by Ben Caller/Doyensec (#1675)

• Fix incorrect MATLAB example (#1582)

Thanks to Google's OSS-Fuzz project for finding many of these bugs.

Version 2.7.3

(released December 6, 2020)

• Updated lexers:

  • Ada (#1581)
  • HTML (#1615, #1614)
  • Java (#1594, #1586)
  • JavaScript (#1605, #1589, #1588)
  • JSON (#1569 -- this is a complete rewrite)
  • Lean (#1601)
  • LLVM (#1612)
  • Mason (#1592)

... (truncated)

• 4d555d0 Bump version to 2.7.4.
• fc3b05d Update CHANGES.
• ad21935 Revert "Added dracula theme style (#1636)"
• e411506 Prepare for 2.7.4 release.
• 275e34d doc: remove Perl 6 ref
• 2e7e8c4 Fix several exponential/cubic complexity regexes found by Ben Caller/Doyensec
• eb39c43 xquery: fix pop from empty stack
• 2738778 fix coding style in test_analyzer_lexer
• 02e0f09 Added 'ERROR STOP' to fortran.py keywords. (#1665)
• c83fe48 support added for css variables (#1633)
• Additional commits viewable in compare view

Sourced from pyyaml's changelog.

5.4 (2021-01-19)

• yaml/pyyaml#407 -- Build modernization, remove distutils, fix metadata, build wheels, CI to GHA
• yaml/pyyaml#472 -- Fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader
• yaml/pyyaml#441 -- Fix memory leak in implicit resolver setup
• yaml/pyyaml#392 -- Fix py2 copy support for timezone objects
• yaml/pyyaml#378 -- Fix compatibility with Jython

5.3.1 (2020-03-18)

• yaml/pyyaml#386 -- Prevents arbitrary code execution during python/object/new constructor

5.3 (2020-01-06)

• yaml/pyyaml#290 -- Use is instead of equality for comparing with None
• yaml/pyyaml#270 -- Fix typos and stylistic nit
• yaml/pyyaml#309 -- Fix up small typo
• yaml/pyyaml#161 -- Fix handling of slots
• yaml/pyyaml#358 -- Allow calling add_multi_constructor with None
• yaml/pyyaml#285 -- Add use of safe_load() function in README
• yaml/pyyaml#351 -- Fix reader for Unicode code points over 0xFFFF
• yaml/pyyaml#360 -- Enable certain unicode tests when maxunicode not > 0xffff
• yaml/pyyaml#359 -- Use full_load in yaml-highlight example
• yaml/pyyaml#244 -- Document that PyYAML is implemented with Cython
• yaml/pyyaml#329 -- Fix for Python 3.10
• yaml/pyyaml#310 -- Increase size of index, line, and column fields
• yaml/pyyaml#260 -- Remove some unused imports
• yaml/pyyaml#163 -- Create timezone-aware datetimes when parsed as such
• yaml/pyyaml#363 -- Add tests for timezone

5.2 (2019-12-02)

• Repair incompatibilities introduced with 5.1. The default Loader was changed, but several methods like add_constructor still used the old default yaml/pyyaml#279 -- A more flexible fix for custom tag constructors yaml/pyyaml#287 -- Change default loader for yaml.add_constructor yaml/pyyaml#305 -- Change default loader for add_implicit_resolver, add_path_resolver
• Make FullLoader safer by removing python/object/apply from the default FullLoader yaml/pyyaml#347 -- Move constructor for object/apply to UnsafeConstructor
• Fix bug introduced in 5.1 where quoting went wrong on systems with sys.maxunicode <= 0xffff yaml/pyyaml#276 -- Fix logic for quoting special characters
• Other PRs: yaml/pyyaml#280 -- Update CHANGES for 5.1

5.1.2 (2019-07-30)

• Re-release of 5.1 with regenerated Cython sources to build properly for Python 3.8b2+

... (truncated)

• 58d0cb7 5.4 release
• a60f7a1 Fix compatibility with Jython
• ee98abd Run CI on PR base branch changes
• ddf2033 constructor.timezone: _copy & deepcopy
• fc914d5 Avoid repeatedly appending to yaml_implicit_resolvers
• a001f27 Fix for CVE-2020-14343
• fe15062 Add 3.9 to appveyor file for completeness sake
• 1e1c7fb Add a newline character to end of pyproject.toml
• 0b6b7d6 Start sentences and phrases for capital letters
• c976915 Shell code improvements
• Additional commits viewable in compare view

Sourced from bleach's changelog.

Version 3.3.0 (February 1st, 2021)

Backwards incompatible changes

• clean escapes HTML comments even when strip_comments=False

Security fixes

• Fix bug 1621692 / GHSA-m6xf-fq7q-8743. See the advisory for details.

Features

None

Bug fixes

None

Version 3.2.3 (January 26th, 2021)

Security fixes

None

Features

None

Bug fixes

• fix clean and linkify raising ValueErrors for certain inputs. Thank you @Google-Autofuzz.

Version 3.2.2 (January 20th, 2021)

Security fixes

None

Features

• Migrate CI to Github Actions. Thank you @hugovk.

Bug fixes

• fix linkify raising an IndexError on certain inputs. Thank you @Google-Autofuzz.

Version 3.2.1 (September 18th, 2020)

... (truncated)

• 79b7a3c Merge pull request from GHSA-vv2x-vrpj-qqpq
• 842fcb4 Update for v3.3.0 release
• 1334134 sanitizer: escape HTML comments
• c045a8b Merge pull request #581 from mozilla/nit-fixes
• 491abb0 fix typo s/vnedoring/vendoring/
• 10b1c5d vendor: add html5lib-1.1.dist-info/REQUESTED
• cd838c3 Merge pull request #579 from mozilla/validate-convert-entity-code-points
• 612b808 Update for v3.2.3 release
• 6879f6a html5lib_shim: validate unicode points for convert_entity
• 90cb80b Update for v3.2.2 release
• Additional commits viewable in compare view