Bump the pip group across 8 directories with 10 updates

[dependabot]

Bumps the pip group with 4 updates in the /mpcontribs-api/requirements directory: cryptography, nbconvert, pillow and werkzeug.
Bumps the pip group with 1 update in the /mpcontribs-client/requirements directory: pillow.
Bumps the pip group with 2 updates in the /mpcontribs-kernel-gateway/requirements directory: nbconvert and pillow.
Bumps the pip group with 4 updates in the /mpcontribs-lux directory: pillow, urllib3, filelock and virtualenv.
Bumps the pip group with 4 updates in the /mpcontribs-lux/requirements directory: pillow, urllib3, filelock and virtualenv.
Bumps the pip group with 3 updates in the /mpcontribs-portal directory: nbconvert, pillow and django.
Bumps the pip group with 3 updates in the /mpcontribs-portal/requirements directory: nbconvert, pillow and django.
Bumps the pip group with 4 updates in the /mpcontribs-serverless/dependencies directory: fonttools, pillow, requests and urllib3.

Updates cryptography from 46.0.3 to 46.0.5

Changelog

Sourced from cryptography's changelog.

46.0.5 - 2026-02-10

* An attacker could create a malicious public key that reveals portions of your
  private key when using certain uncommon elliptic curves (binary curves).
  This version now includes additional security checks to prevent this attack.
  This issue only affects binary elliptic curves, which are rarely used in
  real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
  Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
  **CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
  removed in the next release.
.. v46-0-4:
46.0.4 - 2026-01-27

• Dropped support for win_arm64 wheels_.
• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

.. _v46-0-3:

Commits

• 06e120e bump version for 46.0.5 release (#14289)
• 0eebb9d EC check key on cofactor > 1 (#14287)
• bedf6e1 fix openssl version on 46 branch (#14220)
• e6f44fc bump for 46.0.4 and drop win arm64 due to CI issues (#14217)
• See full diff in compare view

Updates nbconvert from 7.16.6 to 7.17.0

Release notes

Sourced from nbconvert's releases.

v7.17.0

7.17.0

(Full Changelog)

Enhancements made

• Add support for arbitrary browser arguments #2227 (@​shreve, @​Carreau, @​krassowski)

Bugs fixed

• Fix QtPNGExporter returning empty bytes on macOS #2264 (@​h3pdesign, @​Carreau, @​QuLogic)
• Fix CVE-2025-53000: Secure Inkscape Windows path (registry first + block CWD) #2261 (@​h3pdesign, @​krassowski, @​mberlanda, @​minrk, @​salmankadaya, @​th3gowtham)
• Fix get_export_names and get_exporter default args #2228 (@​shreve, @​krassowski)
• PyPA-Compliant Summary #2226 (@​hackowitz-af, @​Carreau)

Maintenance and upkeep improvements

• avoid cov environment on free-threaded Pythons #2267 (@​minrk)
• update pre-commit, and fix all issues. #2238 (@​Carreau)
• Drop test on 3.9, test on 3.13, 3.14, 3.14t #2237 (@​Carreau)
• Bump the actions group across 1 directory with 2 updates #2231 (@​Carreau, @​krassowski)
• Replace @flaky.flaky decorate with pytest marker #2229 (@​mgorny, @​Carreau)
• update to mermaid 11.10.0 #2224 (@​bollwyvl, @​krassowski)
• Drop support for Python 3.8, fix the CI tests #2221 (@​shreve, @​minrk)

Documentation improvements

• Use intersphinx_registry #2232 (@​Carreau, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​bollwyvl (activity) | @​Carreau (activity) | @​h3pdesign (activity) | @​hackowitz-af (activity) | @​krassowski (activity) | @​mberlanda (activity) | @​mgorny (activity) | @​minrk (activity) | @​MSeal (activity) | @​QuLogic (activity) | @​salmankadaya (activity) | @​shreve (activity) | @​th3gowtham (activity)

Changelog

Sourced from nbconvert's changelog.

7.17.0

(Full Changelog)

Enhancements made

• Add support for arbitrary browser arguments #2227 (@​shreve, @​Carreau, @​krassowski)

Bugs fixed

• Fix QtPNGExporter returning empty bytes on macOS #2264 (@​h3pdesign, @​Carreau, @​QuLogic)
• Fix CVE-2025-53000: Secure Inkscape Windows path (registry first + block CWD) #2261 (@​h3pdesign, @​krassowski, @​mberlanda, @​minrk, @​salmankadaya, @​th3gowtham)
• Fix get_export_names and get_exporter default args #2228 (@​shreve, @​krassowski)
• PyPA-Compliant Summary #2226 (@​hackowitz-af, @​Carreau)

Maintenance and upkeep improvements

• avoid cov environment on free-threaded Pythons #2267 (@​minrk)
• update pre-commit, and fix all issues. #2238 (@​Carreau)
• Drop test on 3.9, test on 3.13, 3.14, 3.14t #2237 (@​Carreau)
• Bump the actions group across 1 directory with 2 updates #2231 (@​Carreau, @​krassowski)
• Replace @flaky.flaky decorate with pytest marker #2229 (@​mgorny, @​Carreau)
• update to mermaid 11.10.0 #2224 (@​bollwyvl, @​krassowski)
• Drop support for Python 3.8, fix the CI tests #2221 (@​shreve, @​minrk)

Documentation improvements

• Use intersphinx_registry #2232 (@​Carreau, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​bollwyvl (activity) | @​Carreau (activity) | @​h3pdesign (activity) | @​hackowitz-af (activity) | @​krassowski (activity) | @​mberlanda (activity) | @​mgorny (activity) | @​minrk (activity) | @​MSeal (activity) | @​QuLogic (activity) | @​salmankadaya (activity) | @​shreve (activity) | @​th3gowtham (activity)

Commits

• 21b35d8 Publish 7.17.0
• c9ac1d1 Fix CVE-2025-53000: Secure Inkscape Windows path (registry first + block CWD)...
• b13276d avoid cov environment on free-threaded Pythons (#2267)
• 7c7055f [pre-commit.ci] auto fixes from pre-commit.com hooks
• 74f3ddd Fix QtPNGExporter returning empty bytes on macOS
• 216550b fix links
• 39777ac try to comment fialing test
• 7b591ca ruff-check
• 6ec7638 parent
• 59414b3 fix mypy
• Additional commits viewable in compare view

Updates pillow from 12.1.0 to 12.1.1

Release notes

Sourced from pillow's releases.

12.1.1

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html

Dependencies

• Patch libavif for svt-av1 4.0 compatibility #9413 [@​hugovk]

Other changes

• Fix OOB Write with invalid tile extents #9427 [@​radarhere]

Commits

• 5158d98 12.1.1 version bump
• 9000313 Fix OOB Write with invalid tile extents (#9427)
• cd01118 Patch libavif for svt-av1 4.0 compatibility
• See full diff in compare view

Updates werkzeug from 3.1.5 to 3.1.6

Release notes

Sourced from werkzeug's releases.

3.1.6

This is the Werkzeug 3.1.6 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.6/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-6

• safe_join on Windows does not allow special devices names in multi-segment paths. GHSA-29vq-49wr-vm6x

Changelog

Sourced from werkzeug's changelog.

Version 3.1.6

Released 2026-02-19

• safe_join on Windows does not allow special devices names in multi-segment paths. :ghsa:29vq-49wr-vm6x

Commits

• 04da1b5 release version 3.1.6
• f407712 Merge commit from fork
• f54fe98 safe_join prevents Windows special device names in multi-segment paths
• d005985 start version 3.1.6
• 8565c2c document rule priority (#3102)
• 3febc7e document rule priority
• 2525b82 remove state machine docs
• 4abfbd5 rewrite build docstring (#3097)
• 161c18b rewrite build docstring
• 86e11c2 release version 3.1.5 (#3085)
• See full diff in compare view

Updates pillow from 12.1.0 to 12.1.1

Release notes

Sourced from pillow's releases.

12.1.1

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html

Dependencies

• Patch libavif for svt-av1 4.0 compatibility #9413 [@​hugovk]

Other changes

• Fix OOB Write with invalid tile extents #9427 [@​radarhere]

Commits

• 5158d98 12.1.1 version bump
• 9000313 Fix OOB Write with invalid tile extents (#9427)
• cd01118 Patch libavif for svt-av1 4.0 compatibility
• See full diff in compare view

Updates nbconvert from 7.16.6 to 7.17.0

Release notes

Sourced from nbconvert's releases.

v7.17.0

7.17.0

(Full Changelog)

Enhancements made

• Add support for arbitrary browser arguments #2227 (@​shreve, @​Carreau, @​krassowski)

Bugs fixed

• Fix QtPNGExporter returning empty bytes on macOS #2264 (@​h3pdesign, @​Carreau, @​QuLogic)
• Fix CVE-2025-53000: Secure Inkscape Windows path (registry first + block CWD) #2261 (@​h3pdesign, @​krassowski, @​mberlanda, @​minrk, @​salmankadaya, @​th3gowtham)
• Fix get_export_names and get_exporter default args #2228 (@​shreve, @​krassowski)
• PyPA-Compliant Summary #2226 (@​hackowitz-af, @​Carreau)

Maintenance and upkeep improvements

• avoid cov environment on free-threaded Pythons #2267 (@​minrk)
• update pre-commit, and fix all issues. #2238 (@​Carreau)
• Drop test on 3.9, test on 3.13, 3.14, 3.14t #2237 (@​Carreau)
• Bump the actions group across 1 directory with 2 updates #2231 (@​Carreau, @​krassowski)
• Replace @flaky.flaky decorate with pytest marker #2229 (@​mgorny, @​Carreau)
• update to mermaid 11.10.0 #2224 (@​bollwyvl, @​krassowski)
• Drop support for Python 3.8, fix the CI tests #2221 (@​shreve, @​minrk)

Documentation improvements

• Use intersphinx_registry #2232 (@​Carreau, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​bollwyvl (activity) | @​Carreau (activity) | @​h3pdesign (activity) | @​hackowitz-af (activity) | @​krassowski (activity) | @​mberlanda (activity) | @​mgorny (activity) | @​minrk (activity) | @​MSeal (activity) | @​QuLogic (activity) | @​salmankadaya (activity) | @​shreve (activity) | @​th3gowtham (activity)

Changelog

Sourced from nbconvert's changelog.

7.17.0

(Full Changelog)

Enhancements made

• Add support for arbitrary browser arguments #2227 (@​shreve, @​Carreau, @​krassowski)

Bugs fixed

• Fix QtPNGExporter returning empty bytes on macOS #2264 (@​h3pdesign, @​Carreau, @​QuLogic)
• Fix CVE-2025-53000: Secure Inkscape Windows path (registry first + block CWD) #2261 (@​h3pdesign, @​krassowski, @​mberlanda, @​minrk, @​salmankadaya, @​th3gowtham)
• Fix get_export_names and get_exporter default args #2228 (@​shreve, @​krassowski)
• PyPA-Compliant Summary #2226 (@​hackowitz-af, @​Carreau)

Maintenance and upkeep improvements

• avoid cov environment on free-threaded Pythons #2267 (@​minrk)
• update pre-commit, and fix all issues. #2238 (@​Carreau)
• Drop test on 3.9, test on 3.13, 3.14, 3.14t #2237 (@​Carreau)
• Bump the actions group across 1 directory with 2 updates #2231 (@​Carreau, @​krassowski)
• Replace @flaky.flaky decorate with pytest marker #2229 (@​mgorny, @​Carreau)
• update to mermaid 11.10.0 #2224 (@​bollwyvl, @​krassowski)
• Drop support for Python 3.8, fix the CI tests #2221 (@​shreve, @​minrk)

Documentation improvements

• Use intersphinx_registry #2232 (@​Carreau, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​bollwyvl (activity) | @​Carreau (activity) | @​h3pdesign (activity) | @​hackowitz-af (activity) | @​krassowski (activity) | @​mberlanda (activity) | @​mgorny (activity) | @​minrk (activity) | @​MSeal (activity) | @​QuLogic (activity) | @​salmankadaya (activity) | @​shreve (activity) | @​th3gowtham (activity)

Commits

• 21b35d8 Publish 7.17.0
• c9ac1d1 Fix CVE-2025-53000: Secure Inkscape Windows path (registry first + block CWD)...
• b13276d avoid cov environment on free-threaded Pythons (#2267)
• 7c7055f [pre-commit.ci] auto fixes from pre-commit.com hooks
• 74f3ddd Fix QtPNGExporter returning empty bytes on macOS
• 216550b fix links
• 39777ac try to comment fialing test
• 7b591ca ruff-check
• 6ec7638 parent
• 59414b3 fix mypy
• Additional commits viewable in compare view

Updates pillow from 12.1.0 to 12.1.1

Release notes

Sourced from pillow's releases.

12.1.1

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html

Dependencies

• Patch libavif for svt-av1 4.0 compatibility #9413 [@​hugovk]

Other changes

• Fix OOB Write with invalid tile extents #9427 [@​radarhere]

Commits

• 5158d98 12.1.1 version bump
• 9000313 Fix OOB Write with invalid tile extents (#9427)
• cd01118 Patch libavif for svt-av1 4.0 compatibility
• See full diff in compare view

Updates pillow from 12.0.0 to 12.1.1

Release notes

Sourced from pillow's releases.

12.1.1

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html

Dependencies

• Patch libavif for svt-av1 4.0 compatibility #9413 [@​hugovk]

Other changes

• Fix OOB Write with invalid tile extents #9427 [@​radarhere]

Commits

• 5158d98 12.1.1 version bump
• 9000313 Fix OOB Write with invalid tile extents (#9427)
• cd01118 Patch libavif for svt-av1 4.0 compatibility
• See full diff in compare view

Updates urllib3 from 2.6.1 to 2.6.3

Release notes

Sourced from urllib3's releases.

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by @​D47A, 8.9 High, GHSA-38jv-5279-wg99)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. (urllib3/urllib3#3743)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. (urllib3/urllib3#3752)

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)

Changelog

Sourced from urllib3's changelog.

2.6.3 (2026-01-07)

• Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. ([#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743>__)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. ([#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752>__)

2.6.2 (2025-12-11)

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. ([#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734>__)

Commits

• 0248277 Release 2.6.3
• 8864ac4 Merge commit from fork
• 70cecb2 Fix Scorecard issues related to vulnerable dev dependencies (#3755)
• 41f249a Move "v2.0 Migration Guide" to the end of the table of contents (#3747)
• fd4dffd Patch VerifiedHTTPSConnection for Emscripten (#3752)
• 13f0bfd Handle massive values in Retry-After when calculating time to sleep for (#3743)
• 8c480bf Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#3748)
• 4b40616 Bump actions/cache from 4.3.0 to 5.0.1 (#3750)
• 82b8479 Bump actions/download-artifact from 6.0.0 to 7.0.0 (#3749)
• 34284cb Mention experimental features in the security policy (#3746)
• Additional commits viewable in compare view

Updates filelock from 3.20.0 to 3.20.3

Release notes

Sourced from filelock's releases.

3.20.3

What's Changed

• Fix TOCTOU symlink vulnerability in SoftFileLock by @​gaborbernat in tox-dev/filelock#465

Full Changelog: tox-dev/filelock@3.20.2...3.20.3

3.20.2

What's Changed

• Support Unix systems without O_NOFOLLOW by @​mwilliamson in tox-dev/filelock#463
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/filelock#464

New Contributors

• @​mwilliamson made their first contribution in tox-dev/filelock#463

Full Changelog: tox-dev/filelock@3.20.1...3.20.2

3.20.1

What's Changed

• CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation by @​gaborbernat in tox-dev/filelock#461

Full Changelog: tox-dev/filelock@3.20.0...3.20.1

Changelog

Sourced from filelock's changelog.

########### Changelog ###########

---

3.24.3 (2026-02-19)

---

• 🐛 fix(unix): handle ENOENT race on FUSE/NFS during acquire :pr:495
• 🐛 fix(ci): add trailing blank line after changelog entries :pr:492

---

3.24.2 (2026-02-16)

---

• 🐛 fix(rw): close sqlite3 cursors and skip SoftFileLock Windows race :pr:491
• 🐛 fix(test): resolve flaky write non-starvation test :pr:490
• 📝 docs: restructure using Diataxis framework :pr:489

---

3.24.1 (2026-02-15)

---

• 🐛 fix(soft): resolve Windows deadlock and test race condition :pr:488

---

3.24.0 (2026-02-14)

---

• ✨ feat(lock): add lifetime parameter for lock expiration (#68) :pr:486
• ✨ feat(lock): add cancel_check to acquire (#309) :pr:487
• 🐛 fix(api): detect same-thread self-deadlock :pr:481
• ✨ feat(mode): respect POSIX default ACLs (#378) :pr:483
• 🐛 fix(win): eliminate lock file race in threaded usage :pr:484
• ✨ feat(lock): add poll_interval to constructor :pr:482
• 🐛 fix(unix): auto-fallback to SoftFileLock on ENOSYS :pr:480

---

3.23.0 (2026-02-14)

---

• 📝 docs: move from Unlicense to MIT :pr:479
• 📝 docs: add fasteners to similar libraries :pr:478

---

3.22.0 (2026-02-14)

---

• 🐛 fix(soft): skip stale detection on Windows :pr:477
• ✨ feat(soft): detect and break stale locks :pr:476

... (truncated)

Commits

• 41b42dd Fix TOCTOU symlink vulnerability in SoftFileLock (#465)
• f2e7d40 [pre-commit.ci] pre-commit autoupdate (#464)
• 5088854 Support Unix systems without O_NOFOLLOW (#463)
• 377f622 [pre-commit.ci] pre-commit autoupdate (#460)
• 4724d7f Fix TOCTOU symlink vulnerability in lock file creation (#461)
• cb69414 Bump actions/upload-artifact from 5 to 6 (#459)
• 0769294 Bump actions/download-artifact from 6 to 7 (#458)
• 414193a [pre-commit.ci] pre-commit autoupdate (#457)
• 1456797 [pre-commit.ci] pre-commit autoupdate (#456)
• 8d6bf90 Bump actions/checkout from 5 to 6 (#455)
• Additional commits viewable in compare view

Updates virtualenv from 20.35.4 to 20.36.1

Release notes

Sourced from virtualenv's releases.

20.36.0

What's Changed

• release 20.35.3 by @​gaborbernat in pypa/virtualenv#2981
• fix: Prevent NameError when accessing _DISTUTILS_PATCH during file ov… by @​gracetyy in pypa/virtualenv#2982
• Upgrade pip and fix 3.15 picking old wheel by @​gaborbernat in pypa/virtualenv#2989
• release 20.35.4 by @​gaborbernat in pypa/virtualenv#2990
• fix: wrong path on migrated venv by @​sk1234567891 in pypa/virtualenv#2996
• test_too_many_open_files: assert on errno.EMFILE instead of strerror by @​pltrz in pypa/virtualenv#3001
• fix: update filelock dependency version to 3.20.1 to fix CVE CVE-2025-68146 by @​pythonhubdev in pypa/virtualenv#3002
• fix: resolve EncodingWarning in tox upgrade environment by @​gaborbernat in pypa/virtualenv#3007
• Fix Interpreter discovery bug wrt. Microsoft Store shortcut using Latin-1 by @​rahuldevikar in pypa/virtualenv#3006
• Add support for PEP 440 version specifiers in the --python flag. by @​rahuldevikar in pypa/virtualenv#3008

New Contributors

• @​gracetyy made their first contribution in pypa/virtualenv#2982
• @​sk1234567891 made their first contribution in pypa/virtualenv#2996
• @​pltrz made their first contribution in pypa/virtualenv#3001
• @​pythonhubdev made their first contribution in pypa/virtualenv#3002
• @​rahuldevikar made their first contribution in pypa/virtualenv#3006

Full Changelog: pypa/virtualenv@20.35.3...20.36.0

Changelog

Sourced from virtualenv's changelog.

Bugfixes - 20.36.1

• Fix TOCTOU vulnerabilities in app_data and lock directory creation that could be exploited via symlink attack...

  Description has been truncated