build(deps): bump the uv group across 1 directory with 12 updates

[dependabot]

Bumps the uv group with 11 updates in the / directory:

Package	From	To
pytest	8.3.5	9.0.3
tornado	6.5.4	6.5.5
requests	2.32.3	2.33.0
notebook	7.3.3	7.5.6
black	25.1.0	26.3.1
cryptography	44.0.2	46.0.7
jupyter-server	2.15.0	2.18.0
nbconvert	7.16.6	7.17.1
orjson	3.10.16	3.11.6
pillow	12.1.1	12.2.0
python-dotenv	1.1.0	1.2.2

Updates pytest from 8.3.5 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

• #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

  -- by aleguy02

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

• #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

  You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

  Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

• #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

• #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

... (truncated)

Commits

• a7d58d7 Prepare release version 9.0.3
• 089d981 Merge pull request #14366 from bluetech/revert-14193-backport
• 8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
• 99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
• ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
• 74eac69 doc: Update training info (#14298) (#14301)
• f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
• 7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
• 37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
• c34bfa3 Add explanation for string context diffs (#14257) (#14266)
• Additional commits viewable in compare view

Updates tornado from 6.5.4 to 6.5.5

Changelog

Sourced from tornado's changelog.

Release notes

.. toctree:: :maxdepth: 2

releases/v6.5.5 releases/v6.5.4 releases/v6.5.3 releases/v6.5.2 releases/v6.5.1 releases/v6.5.0 releases/v6.4.2 releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1 releases/v3.2.0 releases/v3.1.1

... (truncated)

Commits

• 7d64650 Merge pull request #3586 from bdarnell/update-cibw
• d05d59b build: Bump cibuildwheel to 3.4.0
• c2f4673 Merge pull request #3585 from bdarnell/release-655
• e5f1aa4 Release notes and version bump for v6.5.5
• 78a046f httputil: Add CRLF to _FORBIDDEN_HEADER_CHARS_RE
• 24a2d96 web: Validate characters in all cookie attributes.
• 119a195 httputil: Add limits on multipart form data parsing
• See full diff in compare view

Updates requests from 2.32.3 to 2.33.0

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

New Contributors

• @​M0d3v1 made their first contribution in psf/requests#6865
• @​aminvakil made their first contribution in psf/requests#7220
• @​E8Price made their first contribution in psf/requests#6960
• @​mitre88 made their first contribution in psf/requests#7244
• @​magsen made their first contribution in psf/requests#6553
• @​Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

v2.32.5

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

v2.32.4

2.32.4 (2025-06-10)

... (truncated)

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

... (truncated)

Commits

• bc04dfd v2.33.0
• 66d21cb Merge commit from fork
• 8b9bc8f Move badges to top of README (#7293)
• e331a28 Remove unused extraction call (#7292)
• 753fd08 docs: fix FAQ grammar in httplib2 example
• 774a0b8 docs(socks): same block as other sections
• 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
• ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
• 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
• d568f47 docs: clarify Quickstart POST example (#6960)
• Additional commits viewable in compare view

Updates notebook from 7.3.3 to 7.5.6

Release notes

Sourced from notebook's releases.

v7.5.6

7.5.6

(Full Changelog)

Security patches

• CVE-2026-42557 GHSA-mqcg-5x36-vfcg
• CVE-2026-40171 GHSA-rch3-82jr-f9w9

Maintenance and upkeep improvements

• Update to JupyterLab v4.5.7 #7902 (@​jtpio)

Documentation improvements

• docs: Fix broken links in troubleshooting and migration docs #7824 (@​RamiNoodle733)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​jtpio (activity) | @​RamiNoodle733 (activity)

v7.5.5

7.5.5

(Full Changelog)

Maintenance and upkeep improvements

• Update to JupyterLab v4.5.6 #7861 (@​jtpio)
• [7.5.x] Drop Python 3.9 on CI #7860 (@​jtpio)
• Fix check links #7857 (@​jtpio)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​jtpio (activity)

... (truncated)

Changelog

Sourced from notebook's changelog.

7.5.6

(Full Changelog)

Maintenance and upkeep improvements

• Update to JupyterLab v4.5.7 #7902 (@​jtpio)

Documentation improvements

• docs: Fix broken links in troubleshooting and migration docs #7824 (@​RamiNoodle733)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​jtpio (activity) | @​RamiNoodle733 (activity)

7.5.5

(Full Changelog)

Maintenance and upkeep improvements

• Update to JupyterLab v4.5.6 #7861 (@​jtpio)
• [7.5.x] Drop Python 3.9 on CI #7860 (@​jtpio)
• Fix check links #7857 (@​jtpio)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​jtpio (activity)

7.5.4

(Full Changelog)

Maintenance and upkeep improvements

• Update to JupyterLab v4.5.5 #7842 (@​jtpio)
• Fix PyO3 CI failure with Python 3.15 #7836 (@​jtpio)

... (truncated)

Commits

• 1ab2d2b Publish 7.5.6
• 50e5222 Merge commit from fork
• 2e642f0 Update to JupyterLab v4.5.7 (#7902)
• 4b93f98 Backport PR #7824: docs: Fix broken links in troubleshooting and migration do...
• 9a2c88f Publish 7.5.5
• 4f8438b Update to JupyterLab v4.5.6 (#7861)
• f78fcfa Backport PR #7857: Fix check links (#7858)
• 9e4cf2a [7.5.x] Drop Python 3.9 on CI (#7860)
• ecc3aaf Publish 7.5.4
• e5d8418 Update to JupyterLab v4.5.5 (#7842)
• Additional commits viewable in compare view

Updates black from 25.1.0 to 26.3.1

Release notes

Sourced from black's releases.

26.3.1

Stable style

• Prevent Jupyter notebook magic masking collisions from corrupting cells by using exact-length placeholders for short magics and aborting if a placeholder can no longer be unmasked safely (#5038)

Configuration

• Always hash cache filename components derived from --python-cell-magics so custom magic names cannot affect cache paths (#5038)

Blackd

• Disable browser-originated requests by default, add configurable origin allowlisting and request body limits, and bound executor submissions to improve backpressure (#5039)

26.3.0

Stable style

• Don't double-decode input, causing non-UTF-8 files to be corrupted (#4964)
• Fix crash on standalone comment in lambda default arguments (#4993)
• Preserve parentheses when # type: ignore comments would be merged with other comments on the same line, preventing AST equivalence failures (#4888)

Preview style

• Fix bug where if guards in case blocks were incorrectly split when the pattern had a trailing comma (#4884)
• Fix string_processing crashing on unassigned long string literals with trailing commas (one-item tuples) (#4929)
• Simplify implementation of the power operator "hugging" logic (#4918)

Packaging

• Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in frozen environments (#4930)

Performance

• Introduce winloop for windows as an alternative to uvloop (#4996)
• Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop() (#4996)
• Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop installation and creation of either a uvloop/winloop evenloop or default eventloop (#4996)

Output

... (truncated)

Changelog

Sourced from black's changelog.

Version 26.3.1

Stable style

• Prevent Jupyter notebook magic masking collisions from corrupting cells by using exact-length placeholders for short magics and aborting if a placeholder can no longer be unmasked safely (#5038)

Configuration

• Always hash cache filename components derived from --python-cell-magics so custom magic names cannot affect cache paths (#5038)

Blackd

• Disable browser-originated requests by default, add configurable origin allowlisting and request body limits, and bound executor submissions to improve backpressure (#5039)

Version 26.3.0

Stable style

• Don't double-decode input, causing non-UTF-8 files to be corrupted (#4964)
• Fix crash on standalone comment in lambda default arguments (#4993)
• Preserve parentheses when # type: ignore comments would be merged with other comments on the same line, preventing AST equivalence failures (#4888)

Preview style

• Fix bug where if guards in case blocks were incorrectly split when the pattern had a trailing comma (#4884)
• Fix string_processing crashing on unassigned long string literals with trailing commas (one-item tuples) (#4929)
• Simplify implementation of the power operator "hugging" logic (#4918)

Packaging

• Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in frozen environments (#4930)

Performance

• Introduce winloop for windows as an alternative to uvloop (#4996)
• Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop() (#4996)
• Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop installation and creation of either a uvloop/winloop eventloop or default eventloop (#4996)

... (truncated)

Commits

• c6755bb Prepare release 26.3.1 (#5046)
• 69973fd Harden blackd browser-facing request handling (#5039)
• 4937fe6 Fix some shenanigans with the cache file and IPython (#5038)
• 2e641d1 docs: remove outdated Black Playground references (#5044)
• c014b22 Remove unused internal code (#5041)
• 0dae20b Add new changelog (#5036)
• c5c1cbd Minor release patches (#5035)
• 7e5a828 docs: clarify relationship between Black style and PEP 8 (#5025)
• 69705de docs: add clearer pyproject configuration guidance (#5026)
• 35ea679 Prepare release 26.3.0 (#5032)
• Additional commits viewable in compare view

Updates cryptography from 44.0.2 to 46.0.7

Changelog

Sourced from cryptography's changelog.

46.0.7 - 2026-04-07

* **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be
  passed to APIs that accept Python buffers, which could lead to buffer
  overflow. **CVE-2026-39892**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.
.. _v46-0-6:
46.0.6 - 2026-03-25

• SECURITY ISSUE: Fixed a bug where name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug, including those used by the Web PKI. Credit to Oleh Konko (1seal) for reporting the issue. CVE-2026-34073

.. _v46-0-5:

46.0.5 - 2026-02-10

* An attacker could create a malicious public key that reveals portions of your
  private key when using certain uncommon elliptic curves (binary curves).
  This version now includes additional security checks to prevent this attack.
  This issue only affects binary elliptic curves, which are rarely used in
  real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
  Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
  **CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
  removed in the next release.
.. v46-0-4:
46.0.4 - 2026-01-27

• Dropped support for win_arm64 wheels_.
• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

.. _v46-0-3:

46.0.3 - 2025-10-15

* Fixed compilation when using LibreSSL 4.2.0.
.. _v46-0-2:

</tr></table>

... (truncated)

Commits

• 622d672 46.0.7 release (#14602)
• 91d7288 Cherry-pick #14542 (#14543)
• 06e120e bump version for 46.0.5 release (#14289)
• 0eebb9d EC check key on cofactor > 1 (#14287)
• bedf6e1 fix openssl version on 46 branch (#14220)
• e6f44fc bump for 46.0.4 and drop win arm64 due to CI issues (#14217)
• c0af4dd release 46.0.3 (#13681)
• 99efe5a bump version for 46.0.2 (#13531)
• e735cfc release 46.0.1 (#13450)
• 4e457ff Explicitly specify python in mac uv build invocation (#13447)
• Additional commits viewable in compare view

Updates jupyter-server from 2.15.0 to 2.18.0

Release notes

Sourced from jupyter-server's releases.

v2.18.0

2.18.0

(Full Changelog)

Security patches

• CVE-2026-40110 GHSA-24qx-w28j-9m6p
• CVE-2025-61669 GHSA-qh7q-6qm3-653w
• CVE-2026-40934 GHSA-5mrq-x3x5-8v8f
• CVE-2026-35397 GHSA-5789-5fc7-67v3

API and Breaking Changes

• Add query param to sanitize HTML in GET /nbconvert/html #1618 (@​Yann-P, @​Carreau)

Enhancements made

• Update handlers.py to fix ioloop blockers(sync file operations) #1617 (@​zolyfarkas-fb, @​Carreau)
• Add resolvePath API for resolving kernel-relative paths #1331 (@​krassowski, @​Carreau, @​blink1073)

Bugs fixed

• Move check origin into a util function and add it to websocket #1630 (@​Carreau, @​Yann-P)
• Fix flaky test_restart_kernel by unsticking nudge() after port-changing restart #1628 (@​Carreau, @​claude, @​krassowski)
• Try to fix flaky test "test_restart_kernel" #1625 (@​Carreau)
• Fix potential unraisable pytest error #1624 (@​Carreau)
• fix: use %s placeholders in HTTPError to prevent Tornado from doubling % in gateway URLs #1620 (@​terminalchai, @​krassowski, @​ptch314)
• Fix three file descriptor leaks in kernel connection lifecycle (#1506) #1619 (@​tonyx93, @​Carreau)
• Use web.HTTPError for kernel restart failures #1616 (@​YDawn, @​Carreau)
• Handle EADDRINUSE and EACCES in _bind_http_server_tcp #1613 (@​YDawn, @​Zsailer, @​minrk)
• Use st_birthtime for file created timestamp on macOS/BSD #1594 (@​ktaletsk, @​krassowski, @​minrk)
• Fix double write when refusing hidden files in contents handler #1585 (@​Krish-876, @​minrk)
• Close all sockets in _find_http_port explicitly #1584 (@​MaryushSoroka, @​minrk)
• Fix writing on remote file systems with attribute cache #1574 (@​krassowski, @​Zsailer)
• Add IdentityProvider.cookie_secret_hook #1569 (@​emin63, @​minrk)
• fix context pollution #1561 (@​dualc, @​Zsailer)
• Fix gateway cookie handling #1558 (@​kevin-bates, @​RRosio, @​lresende, @​minrk)
• fix connection exception cause high cpu load #1484 (@​dualc, @​lresende, @​minrk)

Maintenance and upkeep improvements

• Start to test on Python 3.13 and 3.14 #1623 (@​Carreau)
• Bump actions/create-github-app-token from 2 to 3 in the actions group across 1 directory #1621 (@​Carreau)
• Bump brace-expansion from 1.1.12 to 1.1.13 #1615 (@​minrk)
• Fix package spec for jupytext #1614 (@​krassowski, @​Zsailer)
• chore: update pre-commit hooks #1607 (@​minrk)
• try to fix ci on windows #1600 (@​minrk, @​krassowski)
• run prerelease tests on 3.14 #1599 (@​minrk)
• Pin sphinx to an older version (<9) to fix docs #1597 (@​krassowski, @​minrk)

... (truncated)

Changelog

Sourced from jupyter-server's changelog.

2.18.0

(Full Changelog)

API and Breaking Changes

• Add query param to sanitize HTML in GET /nbconvert/html #1618 (@​Yann-P, @​Carreau)

Enhancements made

• Update handlers.py to fix ioloop blockers(sync file operations) #1617 (@​zolyfarkas-fb, @​Carreau)
• Avoid redundant call to _get_os_path in _dir_model #1547 (@​joeyutong, @​vidartf)
• Allow specifying extra params to scrub from logs #1538 (@​jtpio, @​Zsailer, @​vidartf)
• Add a logger to the ExtensionPoint API #1523 (@​Zsailer, @​vidartf)
• Allow user to update identity values #1518 (@​brichet, @​minrk)
• If ServerApp.ip is ipv6 use [::1] as local_url #1495 (@​manics, @​afshin)
• Better error message when starting kernel for session. #1478 (@​Carreau, @​davidbrochart, @​krassowski, @​minrk)
• Add a traitlet to disable recording HTTP request metrics #1472 (@​yuvipanda, @​Zsailer)
• prometheus: Expose 3 activity metrics #1471 (@​yuvipanda, @​Zsailer)
• Add prometheus info metrics listing server extensions + versions #1470 (@​yuvipanda, @​Zsailer)
• Add prometheus metric with version information #1467 (@​yuvipanda, @​Zsailer)
• Don't hide .so,.dylib files by default #1457 (@​nokados, @​krassowski, @​minrk, @​vidartf)
• Better hash format error message #1442 (@​fcollonval, @​Zsailer)
• Removing excessive logging from reading local files #1420 (@​lresende, @​kevin-bates)
• Add async start hook to ExtensionApp API #1417 (@​Zsailer, @​Darshan808, @​bollwyvl, @​fcollonval, @​krassowski)
• Do not include token in dashboard link, when available #1406 (@​minrk, @​blink1073)
• Add an option to have authentication enabled for all endpoints by default #1392 (@​krassowski, @​Wh1isper, @​blink1073, @​bollwyvl, @​minrk, @​yuvipanda)
• websockets: add configurations for ping interval and timeout #1391 (@​oliver-sanders, @​blink1073)
• log extension import time at debug level unless it's actually slow #1375 (@​minrk, @​Zsailer, @​yuvipanda)
• Add support for async Authorizers (part 2) #1374 (@​Zsailer, @​blink1073)
• Support async Authorizers #1373 (@​Zsailer, @​blink1073)
• Support get file(notebook) md5 #1363 (@​Wh1isper, @​blink1073, @​bollwyvl, @​krassowski)
• Update kernel env to reflect changes in session #1354 (@​blink1073, @​Carreau, @​krassowski)
• Add resolvePath API for resolving kernel-relative paths #1331 (@​krassowski, @​Carreau, @​blink1073)

Bugs fixed

• Move check origin into a util function and add it to websocket #1630 (@​Carreau, @​Yann-P)
• Fix flaky test_restart_kernel by unsticking nudge() after port-changing restart #1628 (@​Carreau, @​claude, @​krassowski)
• Try to fix flaky test "test_restart_kernel" #1625 (@​Carreau)
• Fix potential unraisable pytest error #1624 (@​Carreau)
• fix: use %s placeholders in HTTPError to prevent Tornado from doubling % in gateway URLs #1620 (@​terminalchai, @​krassowski, @​ptch314)
• Fix three file descriptor leaks in kernel connection lifecycle (#1506) #1619 (@​tonyx93, @​Carreau)
• Use web.HTTPError for kernel restart failures #1616 (@​YDawn, @​Carreau)
• Handle EADDRINUSE and EACCES in _bind_http_server_tcp #1613 (@​YDawn, @​Zsailer, @​minrk)
• Use st_birthtime for file created timestamp on macOS/BSD #1594 (@​ktaletsk, @​krassowski, @​minrk)
• Fix double write when refusing hidden files in contents handler #1585 (@​Krish-876, @​minrk)
• Close all sockets in _find_http_port explicitly #1584 (@​MaryushSoroka, @​minrk)
• Fix writing on remote file systems with attribute cache #1574 (@​krassowski, @​Zsailer)
• Add IdentityProvider.cookie_secret_hook #1569 (@​emin63, @​minrk)

... (truncated)

Commits

• 0ceed45 Publish 2.18.0
• 49b3439 Move check origin into a util function and add it to websocket (#1630)
• e2e08c8 Add test case for bad next URL format
• 624d6c0 Delete outdated patch code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.59%. Comparing base (4cf52df) to head (902439c).

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #625      +/-   ##
==========================================
- Coverage   89.31%   88.59%   -0.73%     
==========================================
  Files          49       49              
  Lines        4988     4988              
==========================================
- Hits         4455     4419      -36     
- Misses        533      569      +36     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.