Bump the pip group across 7 directories with 8 updates

[dependabot]

Bumps the pip group with 1 update in the /CrewAI-LangGraph directory: langgraph.
Bumps the pip group with 3 updates in the /game-builder-crew directory: google-cloud-aiplatform, orjson and pyasn1.
Bumps the pip group with 6 updates in the /landing_page_generator directory:

Package	From	To
google-cloud-aiplatform	1.71.1	1.133.0
orjson	3.10.10	3.11.6
pyasn1	0.6.1	0.6.3
pypdf	5.1.0	6.9.2
deepdiff	8.0.1	8.6.2
nltk	3.9.1	3.9.4

Bumps the pip group with 4 updates in the /markdown_validator directory: google-cloud-aiplatform, orjson, pyasn1 and pypdf.
Bumps the pip group with 4 updates in the /match_profile_to_positions directory: google-cloud-aiplatform, orjson, pyasn1 and ujson.
Bumps the pip group with 4 updates in the /recruitment directory: google-cloud-aiplatform, orjson, pyasn1 and ujson.
Bumps the pip group with 1 update in the /trip_planner directory: nltk.

Updates langgraph from 0.0.15 to 1.0.10rc1

Release notes

Sourced from langgraph's releases.

langgraph==1.0.10rc1

Changes since 1.0.9

• release: Candidate (#6947)
• Merge commit from fork
• chore: add tests to confirm expected subgraph persistence behavior (#6943)
• fix(langgraph): correct ParentCommand bubbling when checkpoint_ns includes numeric task segments (#6864)
• chore: add make type target for type checking (#6748)

langgraph==1.0.9

Changes since 1.0.8

• release: langgraph + prebuilt (#6875)
• fix: sequential interrupt handling w/ functional API (#6863)
• chore: state_updated_at sort by (#6857)
• chore: bump orjson (#6852)
• chore: conformance testing (#6842)
• chore(deps): bump the all-dependencies group in /libs/langgraph with 6 updates (#6815)
• chore(deps): bump protobuf from 6.33.4 to 6.33.5 in /libs/langgraph (#6833)
• chore(deps): bump cryptography from 46.0.3 to 46.0.5 in /libs/langgraph (#6837)
• chore(deps): bump nbconvert from 7.16.6 to 7.17.0 in /libs/langgraph (#6832)
• chore: server runtime type (#6774)
• refactor: replace bare except with BaseException in AsyncQueue (#6765)

langgraph==1.0.8

Changes since 1.0.7

• release(langgraph): 1.0.8 (#6757)
• chore: shallow copy futures (#6755)
• fix: pydantic messages double streaming (#6753)
• chore(deps-dev): bump ruff from 0.14.7 to 0.14.11 in /libs/sdk-py (#6673)
• chore: Omit lock when using connection pool (#6734)
• docs: enhance Runtime and ToolRuntime class descriptions for clarity (#6689)
• docs: add clarity to use of thread_id (#6515)
• docs: add docstrings to add_node overloads (#6514)
• docs: update notebook links and add archival notices for examples (#6720)
• release(cli): 0.4.12 (#6716)

langgraph-prebuilt==1.0.8

Changes since prebuilt==1.0.7

• release: langgraph + prebuilt (#6875)
• fix: inject ToolRuntime for dynamically registered tools (#6874)
• chore: bump orjson (#6852)
• chore(deps): bump langchain-core from 1.2.12 to 1.2.13 in /libs/prebuilt in the all-dependencies group (#6849)
• chore: conformance testing (#6842)
• chore(deps): bump the all-dependencies group in /libs/prebuilt with 3 updates (#6810)
• chore: server runtime type (#6774)
• docs(prebuilt): update warning for create_react_agent (#6760)
• release(langgraph): 1.0.8 (#6757)

... (truncated)

Commits

• See full diff in compare view

Updates google-cloud-aiplatform from 1.68.0 to 1.133.0

Release notes

Sourced from google-cloud-aiplatform's releases.

v1.133.0

1.133.0 (2026-01-08)

Features

• Deprecate tuning public preview SDK in favor of tuning SDK (35d362c)
• GenAI SDK client - Enabling Few-shot Prompt Optimization by passing either "OPTIMIZATION_TARGET_FEW_SHOT_RUBRICS" or "OPTIMIZATION_TARGET_FEW_SHOT_TARGET_RESPONSE" to the optimize_prompt method (715cc5b)
• GenAI SDK client(memory): Add enable_third_person_memories (65717fa)
• Support Developer Connect in AE (04f1771)

Bug Fixes

• Add None check for agent_info in evals.py (c8c0f0f)
• GenAI client(evals) - Fix TypeError in _build_generate_content_config (be2eaaa)
• Make project_number to project_id mapping fail-open. (f1c8458)
• Replace asyncio.run with create_task in ADK async thread mains. (83f4076)
• Replace asyncio.run with create_task in ADK async thread mains. (8c876ef)
• Require uri or staging bucket configuration for saving model to Vertex Experiment. (5448f06)
• Return embedding metadata if available (d9c6eb1)
• Update examples_dataframe type to PandasDataFrame in Prompt Optimizer. (a2564cc)

v1.132.0

1.132.0 (2025-12-17)

Features

• Add Lustre support to the Vertex Training Custom Job API (71747e8)

Documentation

• A comment for field restart_job_on_worker_restart in message .google.cloud.aiplatform.v1beta1.Scheduling is changed (71747e8)
• A comment for field timeout in message .google.cloud.aiplatform.v1beta1.Scheduling is changed (71747e8)

v1.131.0

1.131.0 (2025-12-16)

Features

• Allow list of events to be passed to AdkApp.async_stream_query (dd8840a)
• GenAI Client(evals) - Support CustomCodeExecution metric in Vertex Gen AI Eval Service (4114728)
• Updates the ADK template to direct structured JSON logs to standard output. (a65ec29)

Bug Fixes

... (truncated)

Changelog

Sourced from google-cloud-aiplatform's changelog.

1.133.0 (2026-01-08)

Features

• Deprecate tuning public preview SDK in favor of tuning SDK (35d362c)
• GenAI SDK client - Enabling Few-shot Prompt Optimization by passing either "OPTIMIZATION_TARGET_FEW_SHOT_RUBRICS" or "OPTIMIZATION_TARGET_FEW_SHOT_TARGET_RESPONSE" to the optimize_prompt method (715cc5b)
• GenAI SDK client(memory): Add enable_third_person_memories (65717fa)
• Support Developer Connect in AE (04f1771)

Bug Fixes

• Add None check for agent_info in evals.py (c8c0f0f)
• GenAI client(evals) - Fix TypeError in _build_generate_content_config (be2eaaa)
• Make project_number to project_id mapping fail-open. (f1c8458)
• Replace asyncio.run with create_task in ADK async thread mains. (83f4076)
• Replace asyncio.run with create_task in ADK async thread mains. (8c876ef)
• Require uri or staging bucket configuration for saving model to Vertex Experiment. (5448f06)
• Return embedding metadata if available (d9c6eb1)
• Update examples_dataframe type to PandasDataFrame in Prompt Optimizer. (a2564cc)

1.132.0 (2025-12-17)

Features

• Add Lustre support to the Vertex Training Custom Job API (71747e8)
• Add Lustre support to the Vertex Training Custom Job API (71747e8)

Documentation

• A comment for field restart_job_on_worker_restart in message .google.cloud.aiplatform.v1beta1.Scheduling is changed (71747e8)
• A comment for field timeout in message .google.cloud.aiplatform.v1beta1.Scheduling is changed (71747e8)

1.131.0 (2025-12-16)

Features

• Allow list of events to be passed to AdkApp.async_stream_query (dd8840a)
• GenAI Client(evals) - Support CustomCodeExecution metric in Vertex Gen AI Eval Service (4114728)
• Updates the ADK template to direct structured JSON logs to standard output. (a65ec29)

Bug Fixes

• Fix RagManagedVertexVectorSearch when using backend_config (df0976e)
• GenAI Client(evals) - patch for vulnerability in visualization (8a00d43)

... (truncated)

Commits

• 78f2bdd chore(main): release 1.133.0 (#6211)
• c8c0f0f fix: Add None check for agent_info in evals.py
• 9952b97 chore: rollback
• 83f4076 fix: Replace asyncio.run with create_task in ADK async thread mains.
• 937d5af Copybara import of the project:
• aaaf902 chore: bump google-auth lower bound to 2.47.0 in GenAI and Vertex SDKs
• 8c876ef fix: Replace asyncio.run with create_task in ADK async thread mains.
• 5448f06 fix: Require uri or staging bucket configuration for saving model to Vertex E...
• 65717fa feat: GenAI SDK client(memory): Add enable_third_person_memories
• be2eaaa fix: GenAI client(evals) - Fix TypeError in _build_generate_content_config
• Additional commits viewable in compare view

Updates orjson from 3.10.7 to 3.11.6

Release notes

Sourced from orjson's releases.

3.11.6

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

3.11.5

Changed

• Show simple error message instead of traceback when attempting to build on unsupported Python versions.

3.11.4

Changed

• ABI compatibility with CPython 3.15 alpha 1.
• Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7, manylinux ppc64le, manylinux s390x.
• Build now requires a C compiler.

3.11.3

Fixed

• Fix PyPI project metadata when using maturin 1.9.2 or later.

3.11.2

Fixed

• Fix build using Rust 1.89 on amd64.

Changed

• Build now depends on Rust 1.85 or later instead of 1.82.

3.11.1

Changed

• Publish PyPI wheels for CPython 3.14.

Fixed

• Fix str on big-endian architectures.

3.11.0

... (truncated)

Changelog

Sourced from orjson's changelog.

3.11.6 - 2026-01-29

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

3.11.5 - 2025-12-06

Changed

• Show simple error message instead of traceback when attempting to build on unsupported Python versions.

3.11.4 - 2025-10-24

Changed

• ABI compatibility with CPython 3.15 alpha 1.
• Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7, manylinux ppc64le, manylinux s390x.
• Build now requires a C compiler.

3.11.3 - 2025-08-26

Fixed

• Fix PyPI project metadata when using maturin 1.9.2 or later.

3.11.2 - 2025-08-12

Fixed

• Fix build using Rust 1.89 on amd64.

Changed

• Build now depends on Rust 1.85 or later instead of 1.82.

... (truncated)

Commits

• ec02024 3.11.6
• d581687 build, clippy misc
• 4105b29 writer::num
• 62bb185 Fix sporadic crash on serializing object close
• d860078 PyRef idiom refactors
• 343ae2f Deserializer, Utf8Buffer
• 7835f58 PyBytesRef and other input refactor
• 71e0516 PyStrRef
• 1096df4 MSRV 1.89
• b718e75 Drop support for python3.9
• Additional commits viewable in compare view

Updates pyasn1 from 0.6.1 to 0.6.3

Release notes

Sourced from pyasn1's releases.

Release 0.6.3

It's a minor release.

• Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (CVE-2026-30922).
• Fixed OverflowError from oversized BER length field.
• Fixed DeprecationWarning stacklevel for deprecated attributes.
• Fixed asDateTime incorrect fractional seconds parsing.

All changes are noted in the CHANGELOG.

Release 0.6.2

It's a minor release.

• Fixed continuation octet limits in OID/RELATIVE-OID decoder (CVE-2026-23490).
• Added support for Python 3.14.
• Added SECURITY.md policy.
• Migrated to pyproject.toml packaging.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.3, released 16-03-2026

• CVE-2026-30922 (GHSA-jr27-m4p2-rc6r): Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (thanks for reporting, romanticpragmatism)
• Fixed OverflowError from oversized BER length field [issue #54](pyasn1/pyasn1#54) [pr #100](pyasn1/pyasn1#100)
• Fixed DeprecationWarning stacklevel for deprecated attributes [issue #86](pyasn1/pyasn1#86) [pr #101](pyasn1/pyasn1#101)
• Fixed asDateTime incorrect fractional seconds parsing [issue #81](pyasn1/pyasn1#81) [pr #102](pyasn1/pyasn1#102)

Revision 0.6.2, released 16-01-2026

• CVE-2026-23490 (GHSA-63vm-454h-vhhq): Fixed continuation octet limits in OID/RELATIVE-OID decoder (thanks to tsigouris007)
• Added support for Python 3.14 [pr #97](pyasn1/pyasn1#97)
• Added SECURITY.md policy
• Fixed unit tests failing due to missing code [issue #91](pyasn1/pyasn1#91) [pr #92](pyasn1/pyasn1#92)
• Migrated to pyproject.toml packaging [pr #90](pyasn1/pyasn1#90)

Commits

• af65c3b Prepare release 0.6.3
• 5a49bd1 Merge commit from fork
• 5494ba4 Fix asDateTime incorrect fractional seconds parsing (#102)
• 71f486e Fix DeprecationWarning stacklevel for deprecated attributes (#101)
• d7cb42d Fix OverflowError from oversized BER length field (#100)
• e7356f8 Prepare release 0.6.2
• 3908f14 Merge commit from fork
• 0a7e067 Add support for Python 3.14 (#97)
• 33656e9 Create Security Policy
• fa62307 fix for issue #91: unit tests failing due to missing code (#92)
• Additional commits viewable in compare view

Updates google-cloud-aiplatform from 1.71.1 to 1.133.0

Release notes

Sourced from google-cloud-aiplatform's releases.

v1.133.0

1.133.0 (2026-01-08)

Features

• Deprecate tuning public preview SDK in favor of tuning SDK (35d362c)
• GenAI SDK client - Enabling Few-shot Prompt Optimization by passing either "OPTIMIZATION_TARGET_FEW_SHOT_RUBRICS" or "OPTIMIZATION_TARGET_FEW_SHOT_TARGET_RESPONSE" to the optimize_prompt method (715cc5b)
• GenAI SDK client(memory): Add enable_third_person_memories (65717fa)
• Support Developer Connect in AE (04f1771)

Bug Fixes

• Add None check for agent_info in evals.py (c8c0f0f)
• GenAI client(evals) - Fix TypeError in _build_generate_content_config (be2eaaa)
• Make project_number to project_id mapping fail-open. (f1c8458)
• Replace asyncio.run with create_task in ADK async thread mains. (83f4076)
• Replace asyncio.run with create_task in ADK async thread mains. (8c876ef)
• Require uri or staging bucket configuration for saving model to Vertex Experiment. (5448f06)
• Return embedding metadata if available (d9c6eb1)
• Update examples_dataframe type to PandasDataFrame in Prompt Optimizer. (a2564cc)

v1.132.0

1.132.0 (2025-12-17)

Features

• Add Lustre support to the Vertex Training Custom Job API (71747e8)

Documentation

• A comment for field restart_job_on_worker_restart in message .google.cloud.aiplatform.v1beta1.Scheduling is changed (71747e8)
• A comment for field timeout in message .google.cloud.aiplatform.v1beta1.Scheduling is changed (71747e8)

v1.131.0

1.131.0 (2025-12-16)

Features

• Allow list of events to be passed to AdkApp.async_stream_query (dd8840a)
• GenAI Client(evals) - Support CustomCodeExecution metric in Vertex Gen AI Eval Service (4114728)
• Updates the ADK template to direct structured JSON logs to standard output. (a65ec29)

Bug Fixes

... (truncated)

Changelog

Sourced from google-cloud-aiplatform's changelog.

1.133.0 (2026-01-08)

Features

• Deprecate tuning public preview SDK in favor of tuning SDK (35d362c)
• GenAI SDK client - Enabling Few-shot Prompt Optimization by passing either "OPTIMIZATION_TARGET_FEW_SHOT_RUBRICS" or "OPTIMIZATION_TARGET_FEW_SHOT_TARGET_RESPONSE" to the optimize_prompt method (715cc5b)
• GenAI SDK client(memory): Add enable_third_person_memories (65717fa)
• Support Developer Connect in AE (04f1771)

Bug Fixes

• Add None check for agent_info in evals.py (c8c0f0f)
• GenAI client(evals) - Fix TypeError in _build_generate_content_config (be2eaaa)
• Make project_number to project_id mapping fail-open. (f1c8458)
• Replace asyncio.run with create_task in ADK async thread mains. (83f4076)
• Replace asyncio.run with create_task in ADK async thread mains. (8c876ef)
• Require uri or staging bucket configuration for saving model to Vertex Experiment. (5448f06)
• Return embedding metadata if available (d9c6eb1)
• Update examples_dataframe type to PandasDataFrame in Prompt Optimizer. (a2564cc)

1.132.0 (2025-12-17)

Features

• Add Lustre support to the Vertex Training Custom Job API (71747e8)
• Add Lustre support to the Vertex Training Custom Job API (71747e8)

Documentation

• A comment for field restart_job_on_worker_restart in message .google.cloud.aiplatform.v1beta1.Scheduling is changed (71747e8)
• A comment for field timeout in message .google.cloud.aiplatform.v1beta1.Scheduling is changed (71747e8)

1.131.0 (2025-12-16)

Features

• Allow list of events to be passed to AdkApp.async_stream_query (dd8840a)
• GenAI Client(evals) - Support CustomCodeExecution metric in Vertex Gen AI Eval Service (4114728)
• Updates the ADK template to direct structured JSON logs to standard output. (a65ec29)

Bug Fixes

• Fix RagManagedVertexVectorSearch when using backend_config (df0976e)
• GenAI Client(evals) - patch for vulnerability in visualization (8a00d43)

... (truncated)

Commits

• 78f2bdd chore(main): release 1.133.0 (#6211)
• c8c0f0f fix: Add None check for agent_info in evals.py
• 9952b97 chore: rollback
• 83f4076 fix: Replace asyncio.run with create_task in ADK async thread mains.
• 937d5af Copybara import of the project:
• aaaf902 chore: bump google-auth lower bound to 2.47.0 in GenAI and Vertex SDKs
• 8c876ef fix: Replace asyncio.run with create_task in ADK async thread mains.
• 5448f06 fix: Require uri or staging bucket configuration for saving model to Vertex E...
• 65717fa feat: GenAI SDK client(memory): Add enable_third_person_memories
• be2eaaa fix: GenAI client(evals) - Fix TypeError in _build_generate_content_config
• Additional commits viewable in compare view

Updates orjson from 3.10.10 to 3.11.6

Release notes

Sourced from orjson's releases.

3.11.6

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

3.11.5

Changed

• Show simple error message instead of traceback when attempting to build on unsupported Python versions.

3.11.4

Changed

• ABI compatibility with CPython 3.15 alpha 1.
• Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7, manylinux ppc64le, manylinux s390x.
• Build now requires a C compiler.

3.11.3

Fixed

• Fix PyPI project metadata when using maturin 1.9.2 or later.

3.11.2

Fixed

• Fix build using Rust 1.89 on amd64.

Changed

• Build now depends on Rust 1.85 or later instead of 1.82.

3.11.1

Changed

• Publish PyPI wheels for CPython 3.14.

Fixed

• Fix str on big-endian architectures.

3.11.0

... (truncated)

Changelog

Sourced from orjson's changelog.

3.11.6 - 2026-01-29

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

3.11.5 - 2025-12-06

Changed

• Show simple error message instead of traceback when attempting to build on unsupported Python versions.

3.11.4 - 2025-10-24

Changed

• ABI compatibility with CPython 3.15 alpha 1.
• Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7, manylinux ppc64le, manylinux s390x.
• Build now requires a C compiler.

3.11.3 - 2025-08-26

Fixed

• Fix PyPI project metadata when using maturin 1.9.2 or later.

3.11.2 - 2025-08-12

Fixed

• Fix build using Rust 1.89 on amd64.

Changed

• Build now depends on Rust 1.85 or later instead of 1.82.

... (truncated)

Commits

• ec02024 3.11.6
• d581687 build, clippy misc
• 4105b29 writer::num
• 62bb185 Fix sporadic crash on serializing object close
• d860078 PyRef idiom refactors
• 343ae2f Deserializer, Utf8Buffer
• 7835f58 PyBytesRef and other input refactor
• 71e0516 PyStrRef
• 1096df4 MSRV 1.89
• b718e75 Drop support for python3.9
• Additional commits viewable in compare view

Updates pyasn1 from 0.6.1 to 0.6.3

Release notes

Sourced from pyasn1's releases.

Release 0.6.3

It's a minor release.

• Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (CVE-2026-30922).
• Fixed OverflowError from oversized BER length field.
• Fixed DeprecationWarning stacklevel for deprecated attributes.
• Fixed asDateTime incorrect fractional seconds parsing.

All changes are noted in the CHANGELOG.

Release 0.6.2

It's a minor release.

• Fixed continuation octet limits in OID/RELATIVE-OID decoder (CVE-2026-23490).
• Added support for Python 3.14.
• Added SECURITY.md policy.
• Migrated to pyproject.toml packaging.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.3, released 16-03-2026

• CVE-2026-30922 (GHSA-jr27-m4p2-rc6r): Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (thanks for reporting, romanticpragmatism)
• Fixed OverflowError from oversized BER length field [issue #54](pyasn1/pyasn1#54) [pr #100](pyasn1/pyasn1#100)
• Fixed DeprecationWarning stacklevel for deprecated attributes [issue #86](pyasn1/pyasn1#86) [pr #101](pyasn1/pyasn1#101)
• Fixed asDateTime incorrect fractional seconds parsing [issue #81](pyasn1/pyasn1#81) [pr #102](pyasn1/pyasn1#102)

Revision 0.6.2, released 16-01-2026

• CVE-2026-23490 (GHSA-63vm-454h-vhhq): Fixed continuation octet limits in OID/RELATIVE-OID decoder (thanks to tsigouris007)
• Added support for Python 3.14 [pr #97](pyasn1/pyasn1#97)
• Added SECURITY.md policy
• Fixed unit tests failing due to missing code [issue #91](pyasn1/pyasn1#91) [pr #92](pyasn1/pyasn1#92)
• Migrated to pyproject.toml packaging [pr #90](pyasn1/pyasn1#90)

Commits

• af65c3b Prepare release 0.6.3
• 5a49bd1 Merge commit from fork
• 5494ba4 Fix asDateTime incorrect fractional seconds parsing (#102)
• 71f486e Fix DeprecationWarning stacklevel for deprecated attributes (#101)
• d7cb42d Fix OverflowError from oversized BER length field (#100)
• e7356f8 Prepare release 0.6.2
• 3908f14 Merge commit from fork
• 0a7e067 Add support for Python 3.14 (#97)
• 33656e9 Create Security Policy
• fa62307 fix for issue #91: unit tests failing due to missing code (#92)
• Additional commits viewable in compare view

Updates pypdf from 5.1.0 to 6.9.2

Release notes

Sourced from pypdf's releases.

Version 6.9.2, 2026-03-23

What's new

Security (SEC)

• Avoid infinite loop in read_from_stream for broken files (#3693) by @​stefan6419846

Robustness (ROB)

• Resolve UnboundLocalError for xobjs in _get_image (#3684) by @​Yuki9814

Full Changelog

Version 6.9.1, 2026-03-17

What's new

Security (SEC)

• Improve performance and limit length of array-based content streams (#3686) by @​stefan6419846

Full Changelog

Version 6.9.0, 2026-03-15

What's new

New Features (ENH)

• Expose /Perms verification result on Encryption object (#3672) by @​costajohnt

Performance Improvements (PI)

• Fix O(n²) performance in NameObject read/write (#3679) by @​dmitry-kostin
• Batch-parse all objects in ObjStm on first access (#3677) by @​dmitry-kostin

Bug Fixes (BUG)

• Avoid sharing array-based content streams between pages (#3681) by @​stefan6419846
• Avoid accessing invalid page when inserting blank page under some conditions (#3529) by @​j-t-1

Full Changelog

Version 6.8.0, 2026-03-09

What's new

Security (SEC)

• Limit allowed /Length value of stream (#3675) by @​stefan6419846

New Features (ENH)

• Add /IRT (in-reply-to) support for markup annotations (#3631) by @​costajohnt

Documentation (DOC)

• Avoid using PageObject.replace_contents on PdfReader (#3669) by @​stefan6419846
• Document how to disable jbig2dec calls by @​stefan6419846

Full Changelog

... (truncated)

Changelog

Sourced from pypdf's changelog.

Version 6.9.2, 2026-03-23

Security (SEC)

• Avoid infinite loop in read_from_stream for broken files (#3693)

Robustness (ROB)

• Resolve UnboundLocalError for xobjs in _get_image (#3684)

Full Changelog

Version 6.9.1, 2026-03-17

Security (SEC)

• Improve performance and limit length of array-based content streams (#3686)

Full Changelog

Version 6.9.0, 2026-03-15

New Features (ENH)

• Expose /Perms verification result on Encryption object (#3672)

Performance Improvements (PI)

• Fix O(n²) performance in NameObject read/write (#3679)
• Batch-parse all objects in ObjStm on first access (#3677)

Bug Fixes (BUG)

• Avoid sharing array-based content streams between pages (#3681)
• Avoid accessing invalid page when inserting blank page under some conditions (#3529)

Full Changelog

Version 6.8.0, 2026-03-09

Security (SEC)

• Limit allowed /Length value of stream (#3675)

New Features (ENH)

• Add /IRT (in-reply-to) support for markup annotations (#3631)

Documentation (DOC)

• Avoid using PageObject.replace_contents on PdfReader (#3669)
• Document how to disable jbig2dec calls

Full Changelog

Version 6.7.5, 2026-03-02

Security (SEC)

• Improve the performance of the ASCIIHexDecode filter (#3666)

... (truncated)

Commits

• da867f4 REL: 6.9.2
• 02b1345 SEC: Avoid infinite loop in read_from_stream for broken files (#3693)
• 3bef339 MAINT: Prefer bytearray over bytes in image_inline (#3692)
• 04b0a38 ROB: Resolve UnboundLocalError for xobjs in _get_image (#3684)
• 0e5157c REL: 6.9.1
• 0b5d05d SEC: Improve performance and limit length of array-based content streams (#3686)
• 87aa1d4 DEV: Remove unused reverse encoding dicts (#3685)
• 84f5266 MAINT: Use placeholder-based approach for logger_error (#3673)
• 8f1f4aa REL: 6.9.0
• 5a9a0da BUG: Avoid sharing array-based content streams between pages (#3681)
• Additional commits viewable in compare view

Updates deepdiff from 8.0.1 to 8.6.2

Release notes

Sourced from deepdiff's releases.

8.6.2 - Fix (CVE-2025-58367)

8.6.1

DeepDiff 8-6-1

• Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).

8.5.0

• Updating deprecated pydantic calls
• Switching to pyproject.toml
• Fix for moving nested tables when using iterable_compare_func. by
• Fix recursion depth limit when hashing numpy.datetime64
• Moving from legacy setuptools use to pyproject.toml

8.4.1

• pytz is not required.

8.4.0

• Adding BaseOperatorPlus base class for custom operators
• default_timezone can be passed now to set your default timezone to something other than UTC.
• New summarization algorithm that produces valid json
• Better type hint support

8.1.1

Adding Python 3.13 to setup.py

8.1.0

• Removing deprecated lines from setup.py
• Added prefix option to pretty()
• Fixes hashing of numpy boolean values.
• Fixes slots comparison when the attribute doesn't exist.
• Relaxing orderly-set reqs
• Added Python 3.13 support
• Only lower if clean_key is instance of str #504
• Fixes issue where the key deep_distance is not returned when both compared items are equal #510
• Fixes exclude_paths fails to work in certain cases
• exclude_paths fails to work #509
• Fixes to_json() method chokes on standard json.dumps() kwargs such as sort_keys
• to_dict() method chokes on standard json.dumps() kwargs #490
• Fixes accessing the affected_root_keys property on the diff object returned by DeepDiff fails when one of the dicts is empty
• Fixes accessing the affected_root_keys property on the diff object returned by DeepDiff fails when one of the dicts is empty #508

Commits

• 0d07ec2 Merge commit from fork
• 791f5aa updating CVE number
• a6aafea updating docs
• a0950ab Bump version: 8.6.1 → 8.6.2
• 887128a Fix (CVE-2025-58367)
• 60ac5b9 Merge commit from fork

[secure-code-warrior-for-github]

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Stack overflow (Detected by phrase)

Matched on "stack overflow"

What is this? (2min video)

Also referred to as Stack buffer overflows. This vulnerability occurs when data received by a program is written to a memory location on the stack and the allocated space is not large enough to take the whole input. If proper boundary checks are not implemented, or unsafe functions like sprintf, fgets etc. are used which don't require a destination size limit the stack memory after the target buffer may be written to, allowing an attacker to alter the normal behaviour of the program. Most modern compilers now have a secure switch which may reorder stack variables and generate extra code to protect against this type of vulnerability.

Try a challenge in Secure Code Warrior

[dependabot]

Superseded by #5.