Bump the pip group across 29 directories with 9 updates

[dependabot]

Bumps the pip group with 1 update in the /comps/animation/src directory: orjson.
Bumps the pip group with 1 update in the /comps/asr/src directory: orjson.
Bumps the pip group with 5 updates in the /comps/dataprep/src directory:

Package	From	To
orjson	3.11.5	3.11.6
pyasn1	0.6.1	0.6.3
pypdf	6.5.0	6.9.1
nltk	3.9.2	3.9.3
ujson	5.11.0	5.12.0

Bumps the pip group with 4 updates in the /comps/finetuning/src directory: orjson, pyasn1, memray and pyopenssl.
Bumps the pip group with 1 update in the /comps/guardrails/src/bias_detection directory: orjson.
Bumps the pip group with 1 update in the /comps/guardrails/src/factuality_alignment directory: orjson.
Bumps the pip group with 1 update in the /comps/guardrails/src/hallucination_detection directory: orjson.
Bumps the pip group with 1 update in the /comps/guardrails/src/pii_detection directory: orjson.
Bumps the pip group with 1 update in the /comps/guardrails/src/prompt_injection directory: orjson.
Bumps the pip group with 1 update in the /comps/guardrails/src/toxicity_detection directory: orjson.
Bumps the pip group with 1 update in the /comps/image2video/src directory: orjson.
Bumps the pip group with 1 update in the /comps/lvms/src directory: orjson.
Bumps the pip group with 1 update in the /comps/prompt_template/src directory: orjson.
Bumps the pip group with 1 update in the /comps/rerankings/src directory: orjson.
Bumps the pip group with 4 updates in the /comps/retrievers/src directory: orjson, pyasn1, nltk and ujson.
Bumps the pip group with 2 updates in the /comps/struct2graph/src directory: orjson and pypdf.
Bumps the pip group with 3 updates in the /comps/text2cypher/src directory: orjson, pypdf and nltk.
Bumps the pip group with 1 update in the /comps/text2image/src directory: orjson.
Bumps the pip group with 3 updates in the /comps/text2kg/src directory: orjson, pypdf and nltk.
Bumps the pip group with 1 update in the /comps/third_parties/bridgetower/src directory: orjson.
Bumps the pip group with 1 update in the /comps/third_parties/clip/src directory: orjson.
Bumps the pip group with 1 update in the /comps/third_parties/funasr/src directory: orjson.
Bumps the pip group with 1 update in the /comps/third_parties/llama-vision/src directory: orjson.
Bumps the pip group with 1 update in the /comps/third_parties/llava/src directory: orjson.
Bumps the pip group with 6 updates in the /comps/third_parties/pathway/src directory:

Package	From	To
orjson	3.11.5	3.11.6
pyasn1	0.6.1	0.6.3
pypdf	6.5.0	6.9.1
nltk	3.9.2	3.9.3
authlib	1.6.6	1.6.9
fastmcp	2.12.4	2.14.2

Bumps the pip group with 1 update in the /comps/third_parties/predictionguard/src directory: orjson.
Bumps the pip group with 1 update in the /comps/third_parties/whisper/src directory: orjson.
Bumps the pip group with 1 update in the /comps/tts/src directory: orjson.
Bumps the pip group with 2 updates in the /comps/web_retrievers/src directory: orjson and pyasn1.

Updates orjson from 3.11.5 to 3.11.6

Release notes

Sourced from orjson's releases.

3.11.6

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

Changelog

Sourced from orjson's changelog.

3.11.6 - 2026-01-29

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

Commits

• ec02024 3.11.6
• d581687 build, clippy misc
• 4105b29 writer::num
• 62bb185 Fix sporadic crash on serializing object close
• d860078 PyRef idiom refactors
• 343ae2f Deserializer, Utf8Buffer
• 7835f58 PyBytesRef and other input refactor
• 71e0516 PyStrRef
• 1096df4 MSRV 1.89
• b718e75 Drop support for python3.9
• Additional commits viewable in compare view

Updates orjson from 3.11.5 to 3.11.6

Release notes

Sourced from orjson's releases.

3.11.6

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

Changelog

Sourced from orjson's changelog.

3.11.6 - 2026-01-29

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

Commits

• ec02024 3.11.6
• d581687 build, clippy misc
• 4105b29 writer::num
• 62bb185 Fix sporadic crash on serializing object close
• d860078 PyRef idiom refactors
• 343ae2f Deserializer, Utf8Buffer
• 7835f58 PyBytesRef and other input refactor
• 71e0516 PyStrRef
• 1096df4 MSRV 1.89
• b718e75 Drop support for python3.9
• Additional commits viewable in compare view

Updates orjson from 3.11.5 to 3.11.6

Release notes

Sourced from orjson's releases.

3.11.6

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

Changelog

Sourced from orjson's changelog.

3.11.6 - 2026-01-29

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

Commits

• ec02024 3.11.6
• d581687 build, clippy misc
• 4105b29 writer::num
• 62bb185 Fix sporadic crash on serializing object close
• d860078 PyRef idiom refactors
• 343ae2f Deserializer, Utf8Buffer
• 7835f58 PyBytesRef and other input refactor
• 71e0516 PyStrRef
• 1096df4 MSRV 1.89
• b718e75 Drop support for python3.9
• Additional commits viewable in compare view

Updates pyasn1 from 0.6.1 to 0.6.3

Release notes

Sourced from pyasn1's releases.

Release 0.6.3

It's a minor release.

• Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (CVE-2026-30922).
• Fixed OverflowError from oversized BER length field.
• Fixed DeprecationWarning stacklevel for deprecated attributes.
• Fixed asDateTime incorrect fractional seconds parsing.

All changes are noted in the CHANGELOG.

Release 0.6.2

It's a minor release.

• Fixed continuation octet limits in OID/RELATIVE-OID decoder (CVE-2026-23490).
• Added support for Python 3.14.
• Added SECURITY.md policy.
• Migrated to pyproject.toml packaging.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.3, released 16-03-2026

• CVE-2026-30922 (GHSA-jr27-m4p2-rc6r): Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (thanks for reporting, romanticpragmatism)
• Fixed OverflowError from oversized BER length field [issue #54](pyasn1/pyasn1#54) [pr #100](pyasn1/pyasn1#100)
• Fixed DeprecationWarning stacklevel for deprecated attributes [issue #86](pyasn1/pyasn1#86) [pr #101](pyasn1/pyasn1#101)
• Fixed asDateTime incorrect fractional seconds parsing [issue #81](pyasn1/pyasn1#81) [pr #102](pyasn1/pyasn1#102)

Revision 0.6.2, released 16-01-2026

• CVE-2026-23490 (GHSA-63vm-454h-vhhq): Fixed continuation octet limits in OID/RELATIVE-OID decoder (thanks to tsigouris007)
• Added support for Python 3.14 [pr #97](pyasn1/pyasn1#97)
• Added SECURITY.md policy
• Fixed unit tests failing due to missing code [issue #91](pyasn1/pyasn1#91) [pr #92](pyasn1/pyasn1#92)
• Migrated to pyproject.toml packaging [pr #90](pyasn1/pyasn1#90)

Commits

• af65c3b Prepare release 0.6.3
• 5a49bd1 Merge commit from fork
• 5494ba4 Fix asDateTime incorrect fractional seconds parsing (#102)
• 71f486e Fix DeprecationWarning stacklevel for deprecated attributes (#101)
• d7cb42d Fix OverflowError from oversized BER length field (#100)
• e7356f8 Prepare release 0.6.2
• 3908f14 Merge commit from fork
• 0a7e067 Add support for Python 3.14 (#97)
• 33656e9 Create Security Policy
• fa62307 fix for issue #91: unit tests failing due to missing code (#92)
• Additional commits viewable in compare view

Updates pypdf from 6.5.0 to 6.9.1

Release notes

Sourced from pypdf's releases.

Version 6.9.1, 2026-03-17

What's new

Security (SEC)

• Improve performance and limit length of array-based content streams (#3686) by @​stefan6419846

Full Changelog

Version 6.9.0, 2026-03-15

What's new

New Features (ENH)

• Expose /Perms verification result on Encryption object (#3672) by @​costajohnt

Performance Improvements (PI)

• Fix O(n²) performance in NameObject read/write (#3679) by @​dmitry-kostin
• Batch-parse all objects in ObjStm on first access (#3677) by @​dmitry-kostin

Bug Fixes (BUG)

• Avoid sharing array-based content streams between pages (#3681) by @​stefan6419846
• Avoid accessing invalid page when inserting blank page under some conditions (#3529) by @​j-t-1

Full Changelog

Version 6.8.0, 2026-03-09

What's new

Security (SEC)

• Limit allowed /Length value of stream (#3675) by @​stefan6419846

New Features (ENH)

• Add /IRT (in-reply-to) support for markup annotations (#3631) by @​costajohnt

Documentation (DOC)

• Avoid using PageObject.replace_contents on PdfReader (#3669) by @​stefan6419846
• Document how to disable jbig2dec calls by @​stefan6419846

Full Changelog

Version 6.7.5, 2026-03-02

What's new

Security (SEC)

• Improve the performance of the ASCIIHexDecode filter (#3666) by @​stefan6419846

Full Changelog

Version 6.7.4, 2026-02-27

What's new

... (truncated)

Changelog

Sourced from pypdf's changelog.

Version 6.9.1, 2026-03-17

Security (SEC)

• Improve performance and limit length of array-based content streams (#3686)

Full Changelog

Version 6.9.0, 2026-03-15

New Features (ENH)

• Expose /Perms verification result on Encryption object (#3672)

Performance Improvements (PI)

• Fix O(n²) performance in NameObject read/write (#3679)
• Batch-parse all objects in ObjStm on first access (#3677)

Bug Fixes (BUG)

• Avoid sharing array-based content streams between pages (#3681)
• Avoid accessing invalid page when inserting blank page under some conditions (#3529)

Full Changelog

Version 6.8.0, 2026-03-09

Security (SEC)

• Limit allowed /Length value of stream (#3675)

New Features (ENH)

• Add /IRT (in-reply-to) support for markup annotations (#3631)

Documentation (DOC)

• Avoid using PageObject.replace_contents on PdfReader (#3669)
• Document how to disable jbig2dec calls

Full Changelog

Version 6.7.5, 2026-03-02

Security (SEC)

• Improve the performance of the ASCIIHexDecode filter (#3666)

Full Changelog

Version 6.7.4, 2026-02-27

Security (SEC)

• Allow limiting output length for RunLengthDecode filter (#3664)

Robustness (ROB)

• Deal with invalid annotations in extract_links (#3659)

... (truncated)

Commits

• 0e5157c REL: 6.9.1
• 0b5d05d SEC: Improve performance and limit length of array-based content streams (#3686)
• 87aa1d4 DEV: Remove unused reverse encoding dicts (#3685)
• 84f5266 MAINT: Use placeholder-based approach for logger_error (#3673)
• 8f1f4aa REL: 6.9.0
• 5a9a0da BUG: Avoid sharing array-based content streams between pages (#3681)
• a3451e8 ENH: Expose /Perms verification result on Encryption object (#3672)
• 3a4e913 PI: Fix O(n²) performance in NameObject read/write (#3679)
• cf2e518 PI: Batch-parse all objects in ObjStm on first access (#3677)
• 2cfcd7e BUG: Avoid accessing invalid page when inserting blank page under some condit...
• Additional commits viewable in compare view

Updates nltk from 3.9.2 to 3.9.3

Changelog

Sourced from nltk's changelog.

Version 3.9.3 2026-02-21

• Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
• Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
• Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
• Validate external StanfordSegmenter JARs using SHA256 (#3477)
• Add optional sandbox enforcement for filestring() (#3485)
• Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

• Update download checksums to use SHA256 in built index
• Fix percentage escape in new-style string formatting
• replace shortened URLs using goo.gl
• Make Wordnet interoperable with various taggers and tagged corpora
• Fix saving PerceptronTagger
• Document how to reproduce old Wordnet studies
• properly initialize Portuguese corpus reader
• support for mixed rules conversion into Chomsky Normal Form
• only import tkinter if a GUI is needed
• issue #2112 with Corenlp
• new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL
• Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

• Fixed bug that prevented wordnet from loading

Version 3.9 2024-08-18

• Fix security vulnerability CVE-2024-39705 (breaking change)
• Replace pickled models (punkt, chunker, taggers) by new pickle-free "_tab" packages
• No longer sort Wordnet synsets and relations (sort in calling function when required)
• Only strip the last suffix in Wordnet Morphy, thus restricting synsets() results
• Add Python 3.12 support
• Many other minor fixes

Thanks to the following contributors to 3.8.2: Tom Aarsen, Cat Lee Ball, Veralara Bernhard, Carlos Brandt, Konstantin Chernyshev, Michael Higgins, Eric Kafe, Vivek Kalyan, David Lukes, Rob Malouf, purificant, Alex Rudnick, Liling Tan, Akihiro Yamazaki.

Version 3.8.1 2023-01-02

• Resolve RCE vulnerability in localhost WordNet Browser (#3100)

... (truncated)

Commits

• 4154eb8 Merge pull request #3503 from ekaf/hotfix-3501
• 7a710cb Prepare release 3.9.3
• 1056b32 Merge pull request #3468 from HyperPS/fix/secure-unzip-rce
• 7dc5baa Resolve merge conflict in tag mapping using normalized nltk resource URL
• 7ef38b8 Merge pull request #3467 from HyperPS/develop
• b2e1164 Merge pull request #3485 from HyperPS/fix-filestring-sandbox-update
• ac0ce55 Merge pull request #3480 from HyperPS/fix/filesystem-sandbox-security
• 603e34d Merge pull request #3479 from HyperPS/fix/corpusreader-path-traversal
• b63a501 Merge pull request #3477 from HyperPS/fix/stanford-segmenter-rce-sha256
• df38955 Merge pull request #3494 from ekaf/ewnv
• Additional commits viewable in compare view

Updates ujson from 5.11.0 to 5.12.0

Release notes

Sourced from ujson's releases.

5.12.0

Added

• Update license field (#693) @​wagenrace
• Build wheels for GraalPy (#685) @​timfel

Changed

• Drop support for Python 3.9 (#686) @​hugovk

Fixed

• Fix buffer overflow/infinite loop from indent handling (#709) @​bwoodsend
• Remove upper bound of setuptools for PyPy (#704) @​hugovk

Commits

• 4baeb95 Fix memory leak parsing large integers
• 486bd45 Fix buffer overflow/infinite loop from indent handling
• a465ed7 Add leak detection to tests
• 32ebf66 Remove upper bound of setuptools for PyPy (#704)
• 6bf41bd Remove upper bound of setuptools for PyPy
• 4a4fd73 chore(deps): update github-actions
• d708b05 Add security policy (#699)
• 3d66f4d Add security policy
• 8f23cce [pre-commit.ci] pre-commit autoupdate (#698)
• 2696fc3 [pre-commit.ci] pre-commit autoupdate
• Additional commits viewable in compare view

Updates orjson from 3.10.18 to 3.11.6

Release notes

Sourced from orjson's releases.

3.11.6

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

Changelog

Sourced from orjson's changelog.

3.11.6 - 2026-01-29

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

Commits

• ec02024 3.11.6
• d581687 build, clippy misc
• 4105b29 writer::num
• 62bb185 Fix sporadic crash on serializing object close
• d860078 PyRef idiom refactors
• 343ae2f Deserializer, Utf8Buffer
• 7835f58 PyBytesRef and other input refactor
• 71e0516 PyStrRef
• 1096df4 MSRV 1.89
• b718e75 Drop support for python3.9
• Additional commits viewable in compare view

Updates pyasn1 from 0.6.1 to 0.6.3

Release notes

Sourced from pyasn1's releases.

Release 0.6.3

It's a minor release.

• Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (CVE-2026-30922).
• Fixed OverflowError from oversized BER length field.
• Fixed DeprecationWarning stacklevel for deprecated attributes.
• Fixed asDateTime incorrect fractional seconds parsing.

All changes are noted in the CHANGELOG.

Release 0.6.2

It's a minor release.

• Fixed continuation octet limits in OID/RELATIVE-OID decoder (CVE-2026-23490).
• Added support for Python 3.14.
• Added SECURITY.md policy.
• Migrated to pyproject.toml packaging.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.3, released 16-03-2026

• CVE-2026-30922 (GHSA-jr27-m4p2-rc6r): Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (thanks for reporting, romanticpragmatism)
• Fixed OverflowError from oversized BER length field [issue #54](pyasn1/pyasn1#54) [pr #100](pyasn1/pyasn1#100)
• Fixed DeprecationWarning stacklevel for deprecated attributes [issue #86](pyasn1/pyasn1#86) [pr #101](pyasn1/pyasn1#101)
• Fixed asDateTime incorrect fractional seconds parsing [issue #81](pyasn1/pyasn1#81) [pr #102](pyasn1/pyasn1#102)

Revision 0.6.2, released 16-01-2026

• CVE-2026-23490 (GHSA-63vm-454h-vhhq): Fixed continuation octet limits in OID/RELATIVE-OID decoder (thanks to tsigouris007)
• Added support for Python 3.14 [pr #97](pyasn1/pyasn1#97)
• Added SECURITY.md policy
• Fixed unit tests failing due to missing code [issue #91](pyasn1/pyasn1#91) [pr #92](pyasn1/pyasn1#92)
• Migrated to pyproject.toml packaging [pr #90](pyasn1/pyasn1#90)

Commits

• af65c3b Prepare release 0.6.3
• 5a49bd1 Merge commit from fork
• 5494ba4 Fix asDateTime incorrect fractional seconds parsing (#102)
• 71f486e Fix DeprecationWarning stacklevel for deprecated attributes (#101)
• d7cb42d Fix OverflowError from oversized BER length field (#100)
• e7356f8 Prepare release 0.6.2
• 3908f14 Merge commit from fork
• 0a7e067 Add support for Python 3.14 (#97)
• 33656e9 Create Security Policy
• fa62307 fix for issue #91: unit tests failing due to missing code (#92)
• Additional commits viewable in compare view

Updates memray from 1.17.2 to 1.19.2

Release notes

Sourced from memray's releases.

v1.19.2

What's Changed

• Add support for Python 3.14 tail call interpreter in native stack trace analysis by @​Copilot in bloomberg/memray#836
• Remove outdated note about supported arches for Linux by @​ofek in bloomberg/memray#848
• Fix AssertionError when the the process outlives a memray attach TUI by @​pablogsal in bloomberg/memray#850
• Fix broken --no-web flamegraph assets by @​pablogsal in bloomberg/memray#876
• Upgrade D3 and drop d3-tooltip by @​lkollar in bloomberg/memray#883
• Document process attachment for containerized environments by @​hao-lee in bloomberg/memray#853
• Fix escaping in HTML reports by @​godlygeek in bloomberg/memray#885

New Contributors

• @​ofek made their first contribution in bloomberg/memray#848
• @​hao-lee made their first contribution in bloomberg/memray#853

Full Changelog: bloomberg/memray@v1.19.1...v1.19.2

v1.19.1

What's Changed

• Fix enum value collision between AllocatorType and ObjectTrackingEvent by @​pablogsal in bloomberg/memray#832

Full Changelog: bloomberg/memray@v1.19.0...v1.19.1

v1.19.0

What's Changed

• Do not resolve line numbers at runtime by @​pablogsal in bloomberg/memray#801
• build(deps): bump actions/checkout from 4 to 5 by @​dependabot[bot] in bloomberg/memray#811
• Add --no-web to flamegraph reporters by @​pablogsal in bloomberg/memray#790
• build(deps): bump datatables.net from 1.10.23 to 1.11.3 by @​dependabot[bot] in bloomberg/memray#814
• build(deps): bump bootstrap from 4.6.0 to 5.0.0 by @​dependabot[bot] in bloomberg/memray#813
• build(deps): bump d3-color, d3, d3-flame-graph and d3-scale-chromatic by @​dependabot[bot] in bloomberg/memray#815
• Restructure record type packing by @​godlygeek in bloomberg/memray#812
• Update tests to textual 6.0 by @​pablogsal in bloomberg/memray#821
• build(deps): bump actions/setup-python from 5 to 6 by @​dependabot[bot] in bloomberg/memray#824
• build(deps): bump actions/setup-node from 4 to 5 by @​dependabot[bot] in bloomberg/memray#825
• build(deps): bump pypa/cibuildwheel from 3.1.3 to 3.1.4 by @​dependabot[bot] in bloomberg/memray#816
• Expose the record writer for validating arbitrary files by @​godlygeek in bloomberg/memray#826
• Avoid holding frames captured by another thread by @​godlygeek in bloomberg/memray#823
• Add Python object reference tracking by @​pablogsal in bloomberg/memray#752
• Prepare for 1.19.0 release by @​pablogsal in bloomberg/memray#830

Full Changelog: bloomberg/memray@v1.18.0...v1.19.0

v1.18.0

What's Changed

• Add Usage Over Time button to topBar by @​ruchika2ar in bloomberg/memray#767
• Drop wheels for old platforms by @​godlygeek in bloomberg/memray#742
• Fix a race condition under Textual 3.3.0 by @​godlygeek in bloomberg/memray#777
• Wheelfix by @​abstractedfox in bloomberg/memray#773

... (truncated)

Changelog

Sourced from memray's changelog.

memray 1.19.2 (2026-03-12)

Bug Fixes

- Add support for Python 3.14's tail call interpreter. Memray now correctly identifies Python frame boundaries in native stack traces when Python 3.14 is built with the tail call interpreter enabled (``--with-tail-call-interp``), recognizing LLVM-generated tail call functions alongside traditional ``_PyEval_EvalFrameDefault`` functions. ([#836](https://github.com/bloomberg/memray/issues/836))
- Prevent an ``AssertionError`` when the tracked process exits after the live TUI was closed. ([#849](https://github.com/bloomberg/memray/issues/849))
- Ensure the command line is properly HTML escaped when writing it into flamegraph and table reports. ([#885](https://github.com/bloomberg/memray/issues/885))
- Fix the ``--no-web`` option for ``memray flamegraph``, which was generating broken flame graphs. ([#876](https://github.com/bloomberg/memray/issues/876))
memray 1.19.1 (2025-09-29)

Fix a bug that caused Memray to refuse to produce stack traces for pymalloc allocations when --trace-python-allocators was used. (#832)

memray 1.19.0 (2025-09-26)
Features

- Add a mode that can be used in Python 3.13.3 and newer where Memray will track Python object creation and destruction events, which can be used to find leaked objects (ones that were created during a tracking session and not destroyed before the end of that tracking session). ([#752](https://github.com/bloomberg/memray/issues/752))
- Added ``--no-web`` flag to ``flamegraph`` and ``table`` commands for offline HTML report generation. When this flag is specified, memray bundles all external dependencies (Bootstrap, jQuery, D3, DataTables, Plotly.js) directly into the generated HTML files instead of loading them from CDNs. This enables memray to generate fully functional HTML reports on airgapped systems without internet connectivity. ([#790](https://github.com/bloomberg/memray/issues/790))
- Reduced memory profiling overhead and capture file size by changing how
  Python code locations are recorded. This makes allocation tracking
  faster, produces smaller capture files, and improves the accuracy of
  reports that group allocations by source location. ([#801](https://github.com/bloomberg/memray/issues/801))
Bug Fixes

</code></pre>

<ul>

<li>Fix a crash that could occur if tracking was started in one thread while another thread was inside of a trace function installed with <code>sys.settrace</code>. This crash wasn't possible to hit with <code>memray run</code>, but could happen when using <code>pytest-memray</code> and <code>pytest-cov</code> together. (<a href="https://redirect.github.com/bloomberg/memray/issues/823&quot;&gt;#823&lt;/a&gt;)&lt;/li>

<li>Fix timestamps on the heap usage line chart when Memray is run on a 32-bit platform. (<a href="https://redirect.github.com/bloomberg/memray/issues/826&quot;&gt;#826&lt;/a&gt;)&lt;/li>

</ul>

<h2>memray 1.18.0 (2025-08-07)</h2>

<p>Features</p>

<pre><code>

Add a button to the flame graph and table reports for downloading a CSV of the source data of the graph showing RSS and heap memory usage over time. (#769)
Peak memory usage is now included in the stats reporter. (#771)
Python 3.14 is now supported. (#804)
memray attach now supports attaching to a process using the new built-in sys.remote_exec when running in Python 3.14, rather than needing to use a debugger to inject itself. Since this is faster and safer, it is the new default, but you can still use the old methods by passing --method=gdb or --method=lldb to memray attach. (#805)
Free-threaded builds of Python 3.14 are now supported. (#808)

&lt;/tr&gt;&lt;/table&gt;

</code></pre>

</blockquote>

<p>... (truncated)</p>

</details>

<details>

<summary>Commits</summary>

<ul>

<li><a href="https://github.com/bloomberg/memray/commit/87e7f620583329f548c71f2e455160538b9b9afc&quot;&gt;&lt;code&gt;87e7f62&lt;/code&gt;&lt;/a> Prepare for 1.19.2 release</li>

<li><a href="https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249&quot;&gt;&lt;code&gt;ba6e4e2&lt;/code&gt;&lt;/a> Fix escaping in HTML reports</li>

<li><a href="https://github.com/bloomberg/memray/commit/f4e7128acaf3bb8800e6f9ca87c81e6c2ac44347&quot;&gt;&lt;code&gt;f4e7128&lt;/code&gt;&lt;/a> docs: Document more caveats for attaching</li>

<li><a href="https://github.com/bloomberg/memray/commit/cb93af08a75b9cae30ab1739287ef6a2bf228f51&quot;&gt;&lt;code&gt;cb93af0&lt;/code&gt;&lt;/a> Format flamegraph tooltip asset with prettier</li>

<li><a href="https://github.com/bloomberg/memray/commit/73c372623a5475f1c168f4dcfb3d61b33b9a6a8a&quot;&gt;&lt;code&gt;73c3726&lt;/code&gt;&lt;/a> Fix strict mypy errors in IPython flamegraph magic</li>

<li><a href="https://github.com/bloomberg/memray/commit/c39776cffd53f147dea98f71917e01847369855d&quot;&gt;&lt;code&gt;c39776c&lt;/code&gt;&lt;/a> Relax no-web flamegraph d3 asset assertion</li>

<li><a href="https://github.com/bloomberg/memray/commit/385a06bf89c752309e00b11b0cb0e0dc54e1174b&quot;&gt;&lt;code&gt;385a06b&lt;/code&gt;&lt;/a> Upgrade d3 v4 to v7</li>

<li><a href="https://github.com/bloomberg/memray/commit/76737ea96ed7b96690bb34a5dd0e7573f623c72c&quot;&gt;&lt;code&gt;76737ea&lt;/code&gt;&lt;/a> Regenerate flamegraph template assets</li>

<li><a href="https://github.com/bloomberg/memray/commit/d0d4da5e0758d9ce825cd44941473066481c89c4&quot;&gt;&lt;code&gt;d0d4da5&lt;/code&gt;&lt;/a> Replace d3-tip with floating-ui tooltips</li>

<li><a href="https://github.com/bloomberg/memray/commit/d73cce4b9cba6b3d75b50980f53d227c40c3b90a&quot;&gt;&lt;code&gt;d73cce4&lt;/code&gt;&lt;/a> build(deps): bump serialize-javascript, copy-webpack-plugin and terser-webpac...</li>

<li>Additional commits viewable in <a href="https://github.com/bloomberg/memray/compare/v1.17.2...v1.19.2&quot;&gt;compare view</a></li>

</ul>

</details>
<br />

Updates pyopenssl from 25.1.0 to 26.0.0

Changelog
Sourced from pyopenssl's changelog.

26.0.0 (2026-03-15)
Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Dropped support for Python 3.7.
The minimum cryptography version is now 46.0.0.

Deprecations:
^^^^^^^^^^^^^
Changes:
^^^^^^^^

Added support for using aws-lc instead of OpenSSL.
Properly raise an error if a DTLS cookie callback returned a cookie longer than DTLS1_COOKIE_LENGTH bytes. Previously this would result in a buffer-overflow. Credit to dark_haxor for reporting the issue. CVE-2026-27459
Added OpenSSL.SSL.Connection.get_group_name to determine which group name was negotiated.
Context.set_tlsext_servername_callback now handles exceptions raised in the callback by calling sys.excepthook and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded. Credit to Leury Castillo for reporting this issue. CVE-2026-27448

25.3.0 (2025-09-16)
Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Deprecations:
^^^^^^^^^^^^^
Changes:
^^^^^^^^

Maximum supported cryptography version is now 46.x.

25.2.0 (2025-09-14)
Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The minimum cryptography version is now 45.0.7.

Deprecations:
^^^^^^^^^^^^^
Changes:
^^^^^^^^

pyOpenSSL now sets SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER on connections by default, matching CPython's behavior.



... (truncated)


Commits

358cbf2 Prepare for 26.0.0 release (#1487)
a8d28e7 Bump actions/cache from 4 to 5 (#1486)
6fefff0 Add aws-lc compatibility to tests and CI (#1476)
a739f96 Bump actions/download-artifact from 8.0.0 to 8.0.1 (#1485)
8b4c66b Bump actions/upload-artifact in /.github/actions/upload-coverage (#1484)
02a5c78 Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#1483)
d973387 Bump actions/download-artifact from 7.0.0 to 8.0.0 (#1482)
57f09bb Fix buffer overflow in DTLS cookie generation callback (#1479)
d41a814 Handle exceptions in set_tlsext_servername_callback callbacks (#1478)
7b29beb Fix not using a cryptography wheel on uv (#1475)
Additional commits viewable in compare view




Updates orjson from 3.11.5 to 3.11.6

Release notes
Sourced from orjson's releasesDescription has been truncated

[CICD-at-OPEA]

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days.