Bump the pip group across 2 directories with 16 updates

[dependabot]

Bumps the pip group with 12 updates in the /notebook directory:

Package	From	To
django	3.0.7	4.2.30
jinja2	2.11.1	3.1.6
jupyterlab	2.0.1	4.5.7
mistune	0.8.4	3.2.1
nbconvert	5.6.1	7.17.1
nltk	3.5	3.9.4
pytest	5.4.2	9.0.3
scikit-learn	0.23.1	1.5.0
sqlparse	0.3.1	0.5.4
tornado	6.0.4	6.5.6
tqdm	4.46.0	4.66.3
zipp	3.1.0	3.19.1

Bumps the pip group with 16 updates in the / directory:

Package	From	To
django	3.0.7	4.2.30
jinja2	2.11.1	3.1.6
jupyterlab	2.0.1	4.5.7
mistune	0.8.4	3.2.1
nbconvert	5.6.1	7.17.1
nltk	3.5	3.9.4
pytest	5.4.2	9.0.3
scikit-learn	0.23.1	1.5.0
sqlparse	0.3.1	0.5.4
tornado	6.0.4	6.5.6
tqdm	4.46.0	4.66.3
zipp	3.1.0	3.19.1
flask	1.1.2	3.1.3
flask-cors	3.0.8	6.0.0
gunicorn	20.0.4	22.0.0
werkzeug	1.0.1	3.1.6

Updates django from 3.0.7 to 4.2.30

Commits

• 3396992 [4.2.x] Bumped version for 4.2.30 release.
• ed4dfda [4.2.x] Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body ...
• f13c20f [4.2.x] Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser.
• abfe1a1 [4.2.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.li...
• 051f390 [4.2.x] Fixed CVE-2026-4277 -- Checked add permissions in GenericInlineModelA...
• 4412731 [4.2.x] Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest.
• 8d2a05c [4.2.x] Added stub release notes and release date for 4.2.30.
• b1d9ea4 [4.2.x] Combined scripts confirm_release.sh and test_new_version.sh into veri...
• 385678e [4.2.x] Added CVE-2026-25673 and CVE-2026-25674 to security archive.
• 69de846 [4.2.x] Post-release version bump.
• Additional commits viewable in compare view

Updates jinja2 from 2.11.1 to 3.1.6

Release notes

Sourced from jinja2's releases.

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/ Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7

3.1.5

This is the Jinja 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.5/ Changes: https://jinja.palletsprojects.com/changes/#version-3-1-5 Milestone: https://github.com/pallets/jinja/milestone/16?closed=1

• The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. GHSA-q2x7-8rv6-6q7h
• Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. #1792, GHSA-gmj6-6f8f-6699
• Sandbox does not allow clear and pop on known mutable sequence types. #2032
• Calling sync render for an async template uses asyncio.run. #1952
• Avoid unclosed auto_aiter warnings. #1960
• Return an aclose-able AsyncGenerator from Template.generate_async. #1960
• Avoid leaving root_render_func() unclosed in Template.generate_async. #1960
• Avoid leaving async generators unclosed in blocks, includes and extends. #1960
• The runtime uses the correct concat function for the current environment when calling block references. #1701
• Make |unique async-aware, allowing it to be used after another async-aware filter. #1781
• |int filter handles OverflowError from scientific notation. #1921
• Make compiling deterministic for tuple unpacking in a {% set ... %} call. #2021
• Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. #2025
• Fix copy/pickle support for the internal missing object. #2027
• Environment.overlay(enable_async) is applied correctly. #2061
• The error message from FileSystemLoader includes the paths that were searched. #1661
• PackageLoader shows a clearer error message when the package does not contain the templates directory. #1705
• Improve annotations for methods returning copies. #1880
• urlize does not add mailto: to values like @a@b. #1870
• Tests decorated with @pass_context can be used with the |select filter. #1624
• Using set for multiple assignment (a, b = 1, 2) does not fail when the target is a namespace attribute. #1413
• Using set in all branches of {% if %}{% elif %}{% else %} blocks does not cause the variable to be considered initially undefined. #1253

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

• The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

3.1.3

This is a fix release for the 3.1.x feature branch.

• Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.

... (truncated)

Changelog

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Version 3.1.5

Released 2024-12-21

• The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. :ghsa:q2x7-8rv6-6q7h
• Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. :issue:1792, :ghsa:gmj6-6f8f-6699
• Sandbox does not allow clear and pop on known mutable sequence types. :issue:2032
• Calling sync render for an async template uses asyncio.run. :pr:1952
• Avoid unclosed auto_aiter warnings. :pr:1960
• Return an aclose-able AsyncGenerator from Template.generate_async. :pr:1960
• Avoid leaving root_render_func() unclosed in Template.generate_async. :pr:1960
• Avoid leaving async generators unclosed in blocks, includes and extends. :pr:1960
• The runtime uses the correct concat function for the current environment when calling block references. :issue:1701
• Make |unique async-aware, allowing it to be used after another async-aware filter. :issue:1781
• |int filter handles OverflowError from scientific notation. :issue:1921
• Make compiling deterministic for tuple unpacking in a {% set ... %} call. :issue:2021
• Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. :issue:2025
• Fix copy/pickle support for the internal missing object. :issue:2027
• Environment.overlay(enable_async) is applied correctly. :pr:2061
• The error message from FileSystemLoader includes the paths that were searched. :issue:1661
• PackageLoader shows a clearer error message when the package does not contain the templates directory. :issue:1705
• Improve annotations for methods returning copies. :pr:1880
• urlize does not add mailto: to values like @a@b. :pr:1870

... (truncated)

Commits

• 1520688 release version 3.1.6
• 90457bb Merge commit from fork
• 065334d attr filter uses env.getattr
• 033c200 start version 3.1.6
• bc68d4e use global contributing guide (#2070)
• 247de5e use global contributing guide
• ab8218c use project advisory link instead of global
• b4ffc8f release version 3.1.5 (#2066)
• 877f6e5 release version 3.1.5
• 8d58859 remove test pypi
• Additional commits viewable in compare view

Updates jupyterlab from 2.0.1 to 4.5.7

Release notes

Sourced from jupyterlab's releases.

v4.5.7

4.5.7

(Full Changelog)

Security patches

• CVE-2026-42557 GHSA-mqcg-5x36-vfcg
• CVE-2026-42266 GHSA-37w4-hwhx-4rc4
• CVE-2026-40171 GHSA-rch3-82jr-f9w9

Bugs fixed

• Video and Audio Content Providers: Fix JupyterLite support #18652 (@​martinRenou)
• Fix notebook hang when dropping cells #18808 (@​MUFFANUJ)
• Fix Contextual Help keyboard shortcut reliability and menu Help functionality #18747 (@​itsmejay80)
• Fix focusing input element when opening a dialog from Command Palette #18735 (@​Carreau)
• Fix native context menu blocked even when context menu is suppressed #18753 (@​utsav-develops)
• Fix flaky toolbar item placement in popup #18618 (@​filipeoliveira05)
• Update terminal default font family to honor macOS system-wide ui-monospace #18647 (@​flaviomartins)

Maintenance and upkeep improvements

• Fix linting issue #18819 (@​krassowski)
• Fix syntax for Python 3.9 on 4.5.x branch #18817 (@​krassowski)
• Remove unused CodeMirror v5 CSS rule #18785 (@​Carreau)
• Remove unused CSS rule forgotten after CodeMirror migration #18763 (@​Carreau)
• Remove unused progress bar CSS rule in execution indicator #18759 (@​Carreau)
• Remove dead .jp-VariableRenderer-TrustButton CSS rule #18762 (@​Carreau)
• Remove used .jp-Cell-Placeholder CSS rules #18761 (@​Carreau)

Documentation improvements

• Fix name of option for extension manager implementation in docs #18788 (@​krassowski)
• Remove 4.5.0 announcement from docs #18740 (@​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​Carreau (activity) | @​filipeoliveira05 (activity) | @​flaviomartins (activity) | @​itsmejay80 (activity) | @​jtpio (activity) | @​krassowski (activity) | @​martinRenou (activity) | @​MUFFANUJ (activity) | @​utsav-develops (activity)

v4.5.6

4.5.6

... (truncated)

Commits

• f514041 [ci skip] Publish 4.5.7
• 66fe9ad Backport PR #18652 on branch 4.5.x (Video and Audio Content Providers: Fix Ju...
• f4455fa Fix syntax for Python 3.9 on 4.5.x branch (#18817)
• d2322b5 Backport PR #18819 on branch 4.5.x (Fix linting issue) (#18820)
• 5d9cb8c Merge commit from fork
• 1de120b Merge commit from fork
• 6926100 Backport PR #18808 on branch 4.5.x (Fix notebook hang when dropping cells) (#...
• 67e6e88 Backport PR #18647 on branch 4.5.x (Update default font family to honor macOS...
• bf21eb9 Backport PR #18747 on branch 4.5.x (Fix Contextual Help keyboard shortcut rel...
• 73cafa5 Backport PR #18788 on branch 4.5.x (Fix name of option for extension manager ...
• Additional commits viewable in compare view

Updates mistune from 0.8.4 to 3.2.1

Release notes

Sourced from mistune's releases.

v3.2.1

   🐞 Bug Fixes

• Resolve Windows compatibility issues in file inclusion and tests  -  by @​Yuki9814 (25471)
• Escape html text  -  by @​lepture (a3cb6)
• Update link reference  -  by @​lepture (85eb5)
• Handle escaped dollar signs in inline math  -  by @​saschabuehrle in lepture/mistune#370 (7bd57)
• Escape id of toc  -  by @​lepture (04880)
• Escape id of headings  -  by @​lepture (28556)
• Remove double-encoding of image alt text  -  by @​lawrence3699 (0d6f3)
• Escape xml for math plugin  -  by @​lepture (5fa09)
• Use strict regex for image's height and width  -  by @​lepture (8d0cb)

    View changes on GitHub

v3.2.0

   🚀 Features

• Support footnotes that start on the next line.  -  by @​kylechui (2677e)
• Properly handle code blocks inside footnotes.  -  by @​kylechui (0516c)
• Support python 3.14  -  by @​lepture (7e0eb)

   🐞 Bug Fixes

• Render ref links and footnotes in footnotes.  -  by @​lepture (bd90e)
• Render ref links in TOC.  -  by @​lemon24 (a0a01)
• Update typing for mypy upgrades  -  by @​lepture (8d49c)
• Render correct html for footnotes  -  by @​lepture (9b622)

    View changes on GitHub

v3.1.4

   🐞 Bug Fixes

• Add fenced directive break rule in list parser, #412  -  by @​lepture in lepture/mistune#412 (ea3ec)
• Prevent remove unicode whitespace when parsing atx heading  -  by @​lepture (9e720)

    View changes on GitHub

v3.1.3

   🚀 Features

• Announce supports for python 3.12 and 3.13  -  by @​lepture (ff831)

    View changes on GitHub

v3.1.2

   🐞 Bug Fixes

• plugin: Fix footnote plugins when rendering ast  -  by @​lepture (a7289)

... (truncated)

Changelog

Sourced from mistune's changelog.

Version 3.2.1

Released on May 3, 2026

• Escape link in render_toc_ul.
• Escape text in math plugin.
• Fix regex for math plugin.
• Escape heading's ID attribute.
• Fix LINK_TITLE_RE to prevent DoS.
• Escape class attribute for admonition directive.
• Remove double-encoding of image alt text.
• Escape class attribute for image directive.
• Fix width/height attribute for image directive.

Version 3.2.0

Released on Dec 23, 2025

• Announce supports for python 3.14
• Fix footnotes plugins for code blocks, ref links, blockquote and etc.
• Fix ref links in TOC.

Version 3.1.4

Released on Aug 29, 2025

• Add fenced directive break rule in list parser.
• Prevent removing unicode whitespace when parsing atx heading.

Version 3.1.3

Released on Mar 19, 2025

• Announce supports for python 3.12 and 3.13

Version 3.1.2

Released on Feb 19, 2025

• Fix footnotes plugin for AST renderer

Version 3.1.1

Released on Jan 28, 2025

... (truncated)

Commits

• 067f908 chore: release 3.2.1
• bf55030 Merge pull request #438 from saschabuehrle/fix/issue-370
• 8d0cb75 fix: use strict regex for image's height and width
• 5fa092e fix: escape xml for math plugin
• 71ec947 Merge pull request #440 from lawrence3699/fix/image-alt-double-encoding
• 0d6f3d8 fix: remove double-encoding of image alt text
• 2855622 fix: escape id of headings
• 04880a0 fix: escape id of toc
• 7bd5709 fix: handle escaped dollar signs in inline math (fixes #370)
• 85eb54f fix: update link reference
• Additional commits viewable in compare view

Updates nbconvert from 5.6.1 to 7.17.1

Release notes

Sourced from nbconvert's releases.

v7.17.1

7.17.1

This is a security release, fixing two CVEs:

• CVE-2026-39377
• CVE-2026-39378

(full advisories will be published seven days after release, on 2026-04-14).

(Full Changelog)

Enhancements made

• Allow configureable WebPDF JavaScript processing timeout #2250 (@​timkpaine, @​Carreau)

Bugs fixed

• Fix PermissionError when checking template paths on shared filesystems #2252 (@​ctcjab, @​krassowski)
• Tweak webpdf template logic to fix duplicate extension problem #2249 (@​timkpaine, @​Carreau)

Maintenance and upkeep improvements

• specify python version for pre #2276 (@​minrk, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​akhmerov (activity) | @​bollwyvl (activity) | @​Carreau (activity) | @​ctcjab (activity) | @​davidbrochart (activity) | @​Ken-B (activity) | @​krassowski (activity) | @​mgeier (activity) | @​minrk (activity) | @​mpacer (activity) | @​MSeal (activity) | @​SylvainCorlay (activity) | @​takluyver (activity) | @​timkpaine (activity)

v7.17.0

7.17.0

(Full Changelog)

Enhancements made

• Add support for arbitrary browser arguments #2227 (@​shreve, @​Carreau, @​krassowski)

Bugs fixed

• Fix QtPNGExporter returning empty bytes on macOS #2264 (@​h3pdesign, @​Carreau, @​QuLogic)

... (truncated)

Changelog

Sourced from nbconvert's changelog.

7.17.1

This is a security release, fixing two CVEs:

• CVE-2026-39377
• CVE-2026-39378

(full advisories will be published seven days after release, on 2026-04-14).

(Full Changelog)

Enhancements made

• Allow configureable WebPDF JavaScript processing timeout #2250 (@​timkpaine, @​Carreau)

Bugs fixed

• Fix PermissionError when checking template paths on shared filesystems #2252 (@​ctcjab, @​krassowski)
• Tweak webpdf template logic to fix duplicate extension problem #2249 (@​timkpaine, @​Carreau)

Maintenance and upkeep improvements

• specify python version for pre #2276 (@​minrk, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​akhmerov (activity) | @​bollwyvl (activity) | @​Carreau (activity) | @​ctcjab (activity) | @​davidbrochart (activity) | @​Ken-B (activity) | @​krassowski (activity) | @​mgeier (activity) | @​minrk (activity) | @​mpacer (activity) | @​MSeal (activity) | @​SylvainCorlay (activity) | @​takluyver (activity) | @​timkpaine (activity)

7.17.0

(Full Changelog)

Enhancements made

• Add support for arbitrary browser arguments #2227 (@​shreve, @​Carreau, @​krassowski)

Bugs fixed

• Fix QtPNGExporter returning empty bytes on macOS #2264 (@​h3pdesign, @​Carreau, @​QuLogic)
• Fix CVE-2025-53000: Secure Inkscape Windows path (registry first + block CWD) #2261 (@​h3pdesign, @​krassowski, @​mberlanda, @​minrk, @​salmankadaya, @​th3gowtham)
• Fix get_export_names and get_exporter default args #2228 (@​shreve, @​krassowski)
• PyPA-Compliant Summary #2226 (@​hackowitz-af, @​Carreau)

... (truncated)

Commits

• 78ed308 Publish 7.17.1
• f090a64 ruff format
• b3b6ec0 chore: update pre-commit hooks (#2277)
• be4841f ignore silly security lint in tests
• 26d57b2 fix type annotation on Lexer
• 0e6b8cc Merge commit from fork
• ba5e5cd Merge commit from fork
• 1db0c88 Specify python version for pre (#2276)
• 7473fc3 chore: update pre-commit hooks (#2242)
• 4322f7f Bump the actions group across 1 directory with 2 updates (#2273)
• Additional commits viewable in compare view

Updates nltk from 3.5 to 3.9.4

Changelog

Sourced from nltk's changelog.

Version 3.10.0 2026-06-11

• Enforce the stricter nltk.pathsec security policy by default
• Document the new security model and migration guidance
• Harden resource loading against path traversal and SSRF/DNS-rebinding
• Harden downloader path handling and block XML entity expansion
• Close remaining corpus-reader security edge cases
• Replace unsafe exec() usage in the utility CLI
• Warn on unpickling user-provided pickles
• Add HuggingFace datasets integration (nltk.huggingface)
• Align TnT with Brants (2000) specifications
• Fix PorterStemmer irregular-form lowercasing in NLTK mode
• Fix TransitionParser sparse index dtype for scikit-learn 1.9
• Fix TextCat tie handling
• Fix WordNet object comparisons for incompatible types
• Cache WordNet max depth lazily for lch_similarity()
• Fix CCG variable direction, substitution, and type-raising bugs
• Fix Jaro similarity for single-character and empty-string cases
• Improve CI and release-maintenance workflows

Thanks to the following contributors to 3.10.0: 13rac1, alvations, bowiechen, devesh-2002, ekaf, elias-ba, haosenwang1018, HyperPS, ihitamandal, jancallewaert, jhnwnstd, JuanIMartinezB, Lemm1, LinZiyuu, Mr-Neutr0n, PastelStorm, scruge1, Syzygy2048, ylwango613, yzhaoinuw

Version 3.9.4 2026-03-24

• Support Python 3.14
• Fix bug in Levenshtein distance when substitution_cost > 2
• Fix bug in Treebank detokeniser re quote ordering
• Fix bug in Jaro similarity for empty strings
• Several security enhancements
• Fix GHSA-rf74-v2fm-23pw: unbounded recursion in JSONTaggedDecoder
• Implement TextTiling vocabulary introduction method (Hearst 1997)
• Fix ALINE feature matrix errors and add comprehensive tests
• Support multiple VerbNet versions, fix longid/shortid regex for VerbNet ids
• Let downloader fallback to md5 when sha256 is unavailable
• Several other minor bugfixes and code cleanups

Thanks to the following contributors to 3.9.4: Min-Yen Kan, Eric Kafe, Emily Voss, bowiechen, Hrudhai01, jancallewaert, Mr-Neutr0n, pollak.peter89, ylwango613,

Version 3.9.3 2026-02-21

• Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
• Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
• Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
• Validate external StanfordSegmenter JARs using SHA256 (#3477)

... (truncated)

Commits

• ad9c96b Update copyright year
• 7edcddf Updates for 3.9.4 release
• 67a2736 Merge pull request #3180 from yzhaoinuw/bug-on-edit_distance_align
• 2b17ac5 Fix edit_distance_align backtrace for high substitution costs
• 4b72976 Merge pull request #3018 from JuanIMartinezB/bug/shortid-longid
• 8a5619f Merge pull request #3222 from Syzygy2048/feature/texttiling-vocabulary-introd...
• c6574d7 Merge pull request #3289 from ihitamandal/codeflash/optimize-windowdiff-2024-...
• 98ff5d9 Merge pull request #3435 from Hrudhai01/fix-3260-detokenize-quotes
• aec4fce Merge pull request #3522 from ekaf/pathsec
• eec4ee3 Merge pull request #3526 from nltk/update-contributing
• Additional commits viewable in compare view

Updates pytest from 5.4.2 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

• #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

  -- by aleguy02

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

• #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

  You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

  Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

• #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

• #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

... (truncated)

Commits

• a7d58d7 Prepare release version 9.0.3
• 089d981 Merge pull request #14366 from bluetech/revert-14193-backport
• 8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
• 99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
• ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
• 74eac69 doc: Update training info (#14298) (#14301)
• f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
• 7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
• 37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
• c34bfa3 Add explanation for string context diffs (#14257) (#14266)
• Additional commits viewable in compare view

Updates scikit-learn from 0.23.1 to 1.5.0

Release notes

Sourced from scikit-learn's releases.

Scikit-learn 1.5.0

We're happy to announce the 1.5.0 release.

You can read the release highlights under