Skip to content

Update all non-major dependencies#1110

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

Update all non-major dependencies#1110
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Dec 5, 2025

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
coverage >=7.12,<7.13>=7.15,<7.16 age confidence
flask-wtf (changelog) ~=1.2.0~=1.3.0 age confidence
jsonschema (changelog) ~=4.25.0~=4.26.0 age confidence
lxml (source, changelog) >=6.0.0,<6.1.0>=6.1.1,<6.2.0 age confidence
numpy (changelog) ~= 2.3.0~=2.5.1 age confidence
pyjwt ~=2.10.0~=2.13.0 age confidence
python-json-logger ~=4.0.0~=4.1.0 age confidence
requests (changelog) ~=2.32.1~=2.34.2 age confidence
semgrep (changelog) >=1.144,<1.145>=1.169,<1.170 age confidence
tomlkit ~=0.13.0~=0.15.0 age confidence
types-defusedxml (changelog) ==0.7.0.20250822==0.7.0.20260504 age confidence
types-wtforms (changelog) ==3.2.1.20250809==3.2.1.20260518 age confidence

Release Notes

coveragepy/coveragepy (coverage)

v7.15.1

Compare Source

  • Fix: in the HTML report with show_contexts enabled, a context label
    containing </script> (for example a parametrized pytest node id) could
    close the inline <script> element in a file page early, injecting markup.
    Context labels are now fully escaped. Thanks, Rajath Mohare <pull 2224_>_.

  • A number of performance improvements thanks to Paul Kehrer, in pull requests
    2213 <pull 2213_>, 2214 <pull 2214_>, 2215 <pull 2215_>, 2216 <pull 2216_>, 2218 <pull 2218_>, 2220 <pull 2220_>, and 2221 <pull 2221_>_.

.. _pull 2213: #​2213
.. _pull 2214: #​2214
.. _pull 2215: #​2215
.. _pull 2216: #​2216
.. _pull 2218: #​2218
.. _pull 2220: #​2220
.. _pull 2221: #​2221
.. _pull 2224: #​2224

.. _changes_7-15-0:

v7.15.0

Compare Source

  • Since 7.14.0, reporting commands implicitly combine parallel data files. Now
    those commands have a new option --keep-combined to retain the data files
    after combining them instead of the default, which is to delete them.
    Finishes issue 2198_.

  • Fix: the LCOV report would incorrectly count excluded functions as uncovered,
    as described in issue 2205. This is now fixed thanks to Martin Kuntz Jacobsen <pull 2206_>.

  • When running your program, coverage now correctly sets
    yourmodule.__spec__.loader as strongly recommended <--loader--_>,
    avoiding the deprecation warning described in issue 2208
    . Thanks, A5rocks <pull 2209_>_.

  • Fix: with Python 3.10, running with the -I (isolated mode) option didn't
    correctly omit the current directory from the module search path, as
    described in issue 2103. That is now fixed thanks to Ilia Sorokin <pull 2211_>.

.. --loader--: https://docs.python.org/3/reference/datamodel.html#module.__loader_
.. _issue 2103: #​2103
.. _issue 2198: #​2198
.. _issue 2205: #​2205
.. _pull 2206: #​2206
.. _issue 2208: #​2208
.. _pull 2209: #​2209
.. _pull 2211: #​2211

.. _changes_7-14-3:

v7.14.3

Compare Source

  • Fix: the default ... exclusion rule now also matches function bodies
    whose closing return-type bracket is on its own line (for example, after a
    long -> dict[ ... ] annotation that a formatter has split over multiple
    lines). Closes issue 2185, thanks Mengjia Shang <pull 2196_>.

  • Fix: On 3.13t, we incorrectly issued Couldn't import C tracer errors.
    We can't import the C tracer because in 7.14.2 we stopped shipping compiled
    wheels for 3.13t. Thanks, Hugo van Kemenade <pull 2203_>_.

.. _issue 2185: #​2185
.. _pull 2196: #​2196
.. _pull 2203: #​2203

.. _changes_7-14-2:

v7.14.2

Compare Source

  • Fix: some messages were being written to stdout, making coverage json -o - useless for capturing JSON output. Now messages are written to stderr,
    fixing issue 2197_.

  • Fix: CoverageData kept one SQLite connection per thread that recorded
    coverage, but never closed them when those threads terminated. On long runs
    with many short-lived threads this leaked one file descriptor per dead
    thread, eventually failing with OSError: [Errno 24] Too many open files.
    Connections belonging to terminated threads are now closed and dropped.
    Fixes issue 2192_.

  • Fix: when using sys.monitoring, we were assuming we could use the
    COVERAGE_ID tool id. But other tools might also assume they could use
    that id. Pre-allocated ids don't really make sense, so now we search for a
    usable one instead. Fixes issue 2187. Thanks, Matthew Lloyd <pull 2198_>.

  • Following the advice of cibuildwheel <no-13t_>_, we no longer distribute
    wheels for Python 3.13 free-threaded.

.. _issue 2187: #​2187
.. _issue 2192: #​2192
.. _issue 2197: #​2197
.. _pull 2198: #​2198
.. _no-13t: https://py-free-threading.github.io/ci/#building-free-threaded-wheels-with-cibuildwheel

.. _changes_7-14-1:

v7.14.1

Compare Source

  • Fix: the HTML report used typographic niceties to make file paths more
    readable by adding a small amount of space around slashes. Those spaces
    interfered with searching the page for file paths of interest. Now the report
    uses CSS to accomplish the same visual tweak so that searches with slashes
    work correctly. Closes issue 2170_.

  • Add a 3.16 PyPI classifier <hugo-316_>_ since we test on the 3.16 main
    branch.

.. _issue 2170: #​2170
.. _hugo-316: https://mastodon.social/@​hugovk/116588523571204490

.. _changes_7-14-0:

v7.14.0

Compare Source

  • Feature: now when running one of the reporting commands, if there are
    parallel data files that need combining, they will be implicitly combined
    before creating the report. There is no option to avoid the combination; let
    us know if you have a use case that requires it. Thanks, Tim Hatch <pull 2162_>. Closes issue 1781.

  • Fix: the output from combine was too verbose, listing each file
    considered. Now it shows a single line with the counts of files combined,
    files skipped, and files with errors. The -q flag suppresses this line.
    The old detailed lines are available with the new --debug=combine option.

  • Fix: running a Python file through a symlink now sets the sys.path correctly,
    matching regular Python behavior. Fixes issue 2157_.

  • Fix: Collector.flush_data could fail with "RuntimeError: Set changed
    size during iteration" when a tracer in another thread added a line to the
    per-file set that add_lines (or add_arcs) was iterating. The values
    passed to CoverageData are now snapshotted via dict.copy() and
    set.copy(), which are atomic under the GIL. Thanks, Alex Vandiver <pull 2165_>_.

  • Fix: the soft keyword lazy is now bolded in HTML reports.

  • We are no longer testing eventlet support. Eventlet started issuing stern
    deprecation warnings that break our tests. Our support code is still there.

.. _issue 1781: #​1781
.. _issue 2157: #​2157
.. _pull 2162: #​2162
.. _pull 2165: #​2165

.. _changes_7-13-5:

v7.13.5

Compare Source

  • Fix: issue 2138_ describes a memory leak that happened when repeatedly
    using the Coverage API with in-memory data. This is now fixed.

  • Fix: the markdown-formatted coverage report didn't fully escape special
    characters in file paths (issue 2141). This would be very unlikely to
    cause a problem, but now it's done properly, thanks to Ellie Ayla <pull 2142_>
    .

  • Fix: the C extension wouldn't build on VS2019, but now it does (issue 2145_).

.. _issue 2138: #​2138
.. _issue 2141: #​2141
.. _pull 2142: #​2142
.. _issue 2145: #​2145

.. _changes_7-13-4:

v7.13.4

Compare Source

  • Fix: the third-party code fix in 7.13.3 required examining the parent
    directories where coverage was run. In the unusual situation that one of the
    parent directories is unreadable, a PermissionError would occur, as
    described in issue 2129_. This is now fixed.

  • Fix: in test suites that change sys.path, coverage.py could fail with
    "RuntimeError: Set changed size during iteration" as described and fixed in
    pull 2130_. Thanks, Noah Fatsi.

  • We now publish ppc64le wheels, thanks to Pankhudi Jain <pull 2121_>_.

.. _pull 2121: #​2121
.. _issue 2129: #​2129
.. _pull 2130: #​2130

.. _changes_7-13-3:

v7.13.3

Compare Source

  • Fix: in some situations, third-party code was measured when it shouldn't have
    been, slowing down test execution. This happened with layered virtual
    environments such as uv sometimes makes. The problem is fixed, closing issue 2082_. Now any directory on sys.path that is inside a virtualenv is
    considered third-party code.

.. _issue 2082: #​2082

.. _changes_7-13-2:

v7.13.2

Compare Source

  • Fix: when Python is installed via symlinks, for example with Homebrew, the
    standard library files could be incorrectly included in coverage reports.
    This is now fixed, closing issue 2115_.

  • Fix: if a data file is created with no read permissions, the combine step
    would fail completely. Now a warning is issued and the file is skipped.
    Closes issue 2117_.

.. _issue 2115: #​2115
.. _issue 2117: #​2117

.. _changes_7-13-1:

v7.13.1

Compare Source

  • Added: the JSON report now includes a "start_line" key for function and
    class regions, indicating the first line of the region in the source. Closes
    issue 2110_.

  • Added: The debug data command now takes file names as arguments on the
    command line, so you can inspect specific data files without needing to set
    the COVERAGE_FILE environment variable.

  • Fix: the JSON report used to report module docstrings as executed lines,
    which no other report did, as described in issue 2105_. This is now fixed,
    thanks to Jianrong Zhao.

  • Fix: coverage.py uses a more disciplined approach to detecting where
    third-party code is installed, and avoids measuring it. This shouldn't change
    any behavior. If you find that it does, please get in touch.

  • Performance: data files that will be combined now record their hash as part
    of the file name. This lets us skip duplicate data more quickly, speeding the
    combining step.

  • Docs: added a section explaining more about what is considered a missing
    branch and how it is reported: :ref:branch_explain, as requested in issue 1597. Thanks to Ayisha Mohammed <pull 2092_>.

  • Tests: the test suite misunderstood what core was being tested if
    COVERAGE_CORE wasn't set on 3.14+. This is now fixed, closing issue 2109_.

.. _issue 1597: #​1597
.. _pull 2092: #​2092
.. _issue 2105: #​2105
.. _issue 2109: #​2109
.. _issue 2110: #​2110

.. _changes_7-13-0:

v7.13.0

Compare Source

  • Feature: coverage.py now supports :file:.coveragerc.toml configuration
    files. These files use TOML syntax and take priority over
    :file:pyproject.toml but lower priority than :file:.coveragerc files.
    Closes issue 1643_ thanks to Olena Yefymenko <pull 1952_>_.

  • Fix: we now include a permanent .pth file which is installed with the code,
    fixing issue 2084. In 7.12.1b1 this was done incorrectly: it didn't work
    when using the source wheel (py3-none-any). This is now fixed. Thanks,
    Henry Schreiner <pull 2100_>
    .

  • Deprecated: when coverage.py is installed, it creates three command entry
    points: coverage, coverage3, and coverage-3.10 (if installed for
    Python 3.10). The second and third of these are not needed and will
    eventually be removed. They still work for now, but print a message about
    their deprecation.

.. _issue 1643: #​1643
.. _pull 1952: #​1952
.. _pull 2100: #​2100

.. _changes_7-12-1b1:

python-jsonschema/jsonschema (jsonschema)

v4.26.0

Compare Source

=======

  • Decrease import time by delaying importing of urllib.request (#​1416).
lxml/lxml (lxml)

v6.1.1

Compare Source

==================

Bugs fixed

v6.1.0

Compare Source

==================

This release fixes a possible external entity injection (XXE) vulnerability in
iterparse() and the ETCompatXMLParser.

Features added

  • GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes
    in lxml.html.defs. This allows lxml_html_clean to pass them through.
    Patch by oomsveta.

  • The default chunk size for reading from file-likes in iterparse() is now configurable
    with a new chunk_size argument.

Bugs fixed

  • LP#2146291: The resolve_entities option was still set to True for
    iterparse and ETCompatXMLParser, allowing for external entity injection (XXE)
    when using these parsers without setting this option explicitly.
    The default was now changed to 'internal' only (as for the normal XML and HTML parsers
    since lxml 5.0).
    Issue found by Sihao Qiu as CVE-2026-41066.
numpy/numpy (numpy)

v2.5.1

Compare Source

v2.5.0: (June 21, 2026)

Compare Source

NumPy 2.5.0 Release Notes

Numpy 2.5.0 is a transitional release. It drops support for Python 3.11,
marking the end of distutils, and expires a large number of deprecations made
in the 2.0.x release. It also improves free threading and brings sorting into
compliance with the array-api standard with the addition of descending sorts.
There is also a fair amount of preparation for Python 3.15, which will be
supported starting with the first rc.

This release supports Python versions 3.12-3.14.

Highlights

  • Distutils has been removed,
  • Many expired deprecations, see below,
  • Many new deprecations, see below,
  • Many static typing improvements.
  • Improved support for free threading,
  • Support for descending sorts,

See New Features below for other additions.

Deprecations

  • numpy.char.chararray is deprecated. Use an ndarray with a string or bytes dtype instead.

    (gh-30605)

  • numpy.take now correctly checks if the result can be cast to the provided
    out=out under the same-kind rule. A DeprecationWarning is given now
    when this check fails. Previously, take incorrectly checked if out
    could be cast to the result (the wrong direction). This deprecation also
    affects compress and possibly other functions. (Future versions of NumPy
    may tighten the casting check further.)

    (gh-30615)

  • The numpy.char.[as]array functions are deprecated. Use an
    numpy.[as]array with a string or bytes dtype instead.

    (gh-30802)

  • Setting the dtype attribute is deprecated because mutating an array is unsafe
    if an array is shared, especially by multiple threads. As an alternative,
    you can create a view with a new dtype via array.view(dtype=new_dtype).

    (gh-29244)

  • Setting the shape attribute is deprecated because mutating an array is
    unsafe if an array is shared, especially by multiple threads. As an
    alternative, you can create a new view via np.reshape or
    np.ndarray.reshape. For example: x = np.arange(15); x = np.reshape(x, (3, 5)).
    To ensure no copy is made from the data, one can use np.reshape(..., copy=False).

    While setting the shape on an array is discouraged, for cases where it is
    difficult to work around, e.g., in __array_finalize__, it is possible
    with the private method np.ndarray._set_shape.

    (gh-29536)

  • Using the generic unit in numpy.timedelta64 is deprecated since this
    can lead to unexpected behavior such as non-transitive comparison, see
    gh-28287 for details. As
    an alternative, specify an explicit unit such as 's' (seconds) or 'D'
    (days) when constructing numpy.timedelta64. Due to this change, operations
    that implicitly rely on the generic unit are also deprecated. For
    example:

    arr = np.array([1, 2, 3], dtype="m8[s]")
    

1 is implicitly converted to generic timedelta64

  arr + 1

(gh-29619)

  • Resizing a Numpy array in place is deprecated since mutating an array is
    unsafe if an array is shared, especially by multiple threads. As an
    alternative, you can create a resized array via np.resize.

    (gh-30181)

  • numpy.fix is deprecated, use numpy.trunc instead. It is faster and
    follows the Array API standard. Both functions provide identical
    functionality: rounding array elements towards zero.

    (gh-30644)

  • numpy.ma.round_ is deprecated. numpy.ma.round can be used as a
    replacement.

    (gh-30738)

  • numpy.typename is deprecated because the names returned by it were
    outdated and inconsistent. numpy.dtype.name can be used as a
    replacement.

    (gh-30774)

  • Inputs other than integers are deprecated for numpy.triu_indices and
    numpy.tril_indices. Non-integer values for the M, k and N
    parameters of numpy.tri are deprecated. Non-integer values for the k
    parameter of both numpy.tril_indices_from and numpy.triu_indices_from
    are deprecated.

    (gh-30869)

  • Deprecations in custom dtype property and __array_finalize__.

    Previously arr.view(dtype=new_dtype) called arr.dtype = new_dtype
    also for subclasses, i.e., the attribute setting. That path is now
    deprecated and refined, meaning that even subclasses that do not see this
    DeprecationWarning may wish to update their code.

    A subclass that does any dtype specific logic (i.e. verifying the dtype
    in __array_finalize__ or has a dtype property) should now:

    • Set _set_dtype = None in which case arr.view(dtype=new_dtype)
      will call __array_finalize__ with the new dtype, ensuring that
      any validation __array_finalize__ will run is done.
    • Or, for a quick fix, define _set_dtype as a function (calling
      ndarray._set_dtype() to avoid DeprecationWarnings.
      (Future versions might migrate towards the _set_dtype = None path.)

    Ideally, follow NumPy's deprecation to prevent dtype mutation by users.
    The use of ndarray._set_dtype() may be necessary for some subclass
    finalization patterns, but should otherwise be avoided.

    (gh-31293)

Expired deprecations

  • numpy.distutils has been removed

    (gh-30340)

  • Passing None as dtype to np.finfo will now raise a TypeError
    (deprecated since 1.25)

    (gh-30460)

  • numpy.cross no longer supports 2-dimensional vectors.
    (Deprecated since 2.0)

    (gh-30461)

  • numpy._core.numerictypes.maximum_sctype has been removed.
    (deprecated since 2.0)

    (gh-30462)

  • numpy.row_stack has been removed in favor of numpy.vstack.
    (deprecated since 2.0)

    (gh-30463)

  • get_array_wrap has been removed.
    (deprecated since 2.0)

    (gh-30463)

  • recfromtxt and recfromcsv have been removed from numpy.lib._npyio
    in favor of numpy.genfromtxt.
    (deprecated since 2.0)

    (gh-30467)

  • The numpy.chararray re-export of numpy.char.chararray has been removed.
    (deprecated since 2.0)

    (gh-30604)

  • bincount now raises a TypeError for non-integer inputs.
    (deprecated since 2.1)

    (gh-30610)

  • The numpy.lib.math alias for the standard library math module has
    been removed.
    (deprecated since 1.25)

    (gh-30612)

  • Data type alias 'a' was removed in favor of 'S'.
    (deprecated since 2.0)

    (gh-30613)

  • _add_newdoc_ufunc(ufunc, newdoc) has been removed in favor of
    ufunc.__doc__ = newdoc.
    (deprecated since 2.2)

    (gh-30614)

Compatibility notes

linalg.eig and linalg.eigvals now always return complex arrays

Previously, the return values depended on whether the eigenvalues happen to lie
on the real line (which, for a general, non-symmetric matrix, is not
guaranteed).

This change makes consistent what was a value-dependent result. To retain the
previous behavior, do:

w = eigvals(a)
if np.any(w.imag == 0):  # this is what NumPy used to do
    w = w.real

If your matrix is symmetrix/hermitian, use eigh and eigvalsh instead of
eig and eigvals. These are guaranteed to return real values. A common
case is covariance matrices, which are symmetric and positive definite by
construction.

(gh-30411)

MSVC support

NumPy now requires minimum MSVC 19.35 toolchain version on Windows platforms.
This corresponds to Visual Studio 2022 version 17.5 Preview 2 or newer.

(gh-30489)

Cython support

NumPy's Cython headers (accessed via cimport numpy) now require Cython 3.0
or newer to build. If you try to compile a project that depends on NumPy's
Cython headers using Cython 0.29 or older, you will see a message like this:

Error compiling Cython file:
------------------------------------------------------------
...

versions.


#

See init.cython-30.pxd for the real Cython header


#

DEF err = int('Build aborted: the NumPy Cython headers require Cython 3.0.0 or newer.')
  ------------------------------------------------------------

  /path/to/site-packages/numpy/__init__.pxd:11:13: Error in compile-time expression:
  ValueError: invalid literal for int() with base 10: 
  'Build aborted: the NumPy Cython headers require Cython 3.0.0 or newer.'

Note that the invalid integer is not a bug in NumPy - we are intentionally
generating this error to avoid triggering a more obscure error later in the
build when an older Cython version tries to use a Cython feature that was not
available in the old Cython version.

(gh-30770)

numpy.where no longer truncates Python integers

Previously, if the x or y argument of numpy.where was a Python
integer that was out of range of the output type, it would be silently
truncated. Now, an OverflowError will be raised instead.

This change also applies to the underlying C API function PyArray_Where.

(gh-30803)

Default memory allocator change

NumPy now uses PyMem_RawMalloc and PyMem_RawFree as the default memory
allocator, instead of system's malloc and free directly.

(gh-30846)

from_dlpack raises BufferError instead of RuntimeError

np.from_dlpack now raises BufferError instead of RuntimeError when
the incoming DLPack tensor has an unsupported device, dtype, or exceeds the
maximum number of dimensions. This aligns with the DLPack and Array API
specifications, which recommend BufferError for data that cannot be
imported.

(gh-30937)

Corrections to the BTPE binomial sampler

Two independent errors in the Stirling series of the acceptance/rejection step
of the BTPE algorithm used by numpy.random.Generator.binomial have been
corrected:

  • The third and fourth error terms were added rather than subtracted. This sign
    error was inherited from section 5.3 of the original 1988 paper by
    Kachitvichyanukul & Schmeiser, which incorrectly adds all four terms.
  • The leading coefficient had a digit-swap typo (13680 instead of
    13860) that was introduced in the initial implementation.

As a result, Generator.binomial and Generator.multinomial, which uses
binomial internally, may now return different samples for the same seed.

The legacy numpy.random.RandomState.binomial and
numpy.random.RandomState.multinomial are not affected: they preserve the
original (incorrect) behavior, so existing streams remain reproducible.

(gh-31238)

datetime64/timedelta64 arithmetic raises on overflow

Addition, subtraction, and integer multiplication of datetime64 and
timedelta64 values now raise OverflowError when the result would
overflow int64 or land on the NaT sentinel value. Previously these
operations silently wrapped, often producing a value that was indistinguishable
from NaT. This matches the overflow checking already performed by
unit-conversion casts.

(gh-31378)

C API changes

  • It is now possible to register "real" and "imag" ArrayMethods via
    PyUFunc_AddLoopsFromSpecs. These will be used for imag and real
    and should normally set *view_offset in their resolve_descriptors
    function to allow the array attributes to return views.

    (gh-30984)

  • New PyDataType_TYPE, PyDataType_KIND, PyDataType_BYTEORDER and
    PyDataType_TYPEOBJ accessor macros to the C API. Together with the other
    accessor macros added for the NumPy 2.0 transition, these allow accessing the
    fields of PyArray_Descr structs without any direct field accesses.

    (gh-30994)

  • NumPy now supports the stable ABI for free-threaded Python as described in
    803{.interpreted-text role="pep"}.

    (gh-31091)

  • PyArray_DescrFromScalar now returns the full dtype descriptor for scalars
    of user-defined parametric data types, including any dtype parameters.
    Parameters were previously silently discarded, which could cause incorrect
    results in operations like astype on scalar objects. Internally, the
    function now delegates to discover_descr_from_pyobject, which handles
    parametric dtypes correctly.

    (gh-31067)

New Features

  • It is now possible to register user-dtypes for dlpack export and import
    via numpy.dtypes.register_dlpack_dtype. This functionality is meant to
    be used with care by user-dtype authors.

    (gh-31256)

Pixi package definitions

Pixi package definitions have been added for different kinds
of from-source builds of NumPy. These can be used in
downstream Pixi workspaces via the pixi-build feature.

Definitions for both default and AddressSanitizer-instrumented
(asan) builds are available in the source code under the
pixi-packages/ directory.

linux-64 and osx-arm64 platforms are supported.

(gh-30381)

numpy.ndarray now supports structural pattern matching

numpy.ndarray and its subclasses now have the Py_TPFLAGS_SEQUENCE flag
set, enabling structural pattern matching (PEP 634) with match/case
statements. This also enables Cython to optimize integer indexing operations.
See `arrays.ndarray.pattern-matching{.interpreted-text role="ref"}` for details.

(gh-30653)

Added N-D evaluation functions to the polynomial package

New functions polyvalnd, chebvalnd, legvalnd, hermvalnd,
hermevalnd, and lagvalnd have been added to evaluate polynomials
in arbitrary dimensions, analogous to the existing 2D and 3D evaluators.

(gh-30857)

New "descending" keyword argument for numpy.sort and numpy.argsort

Users can now pass the descending=True keyword argument to numpy.sort
and numpy.argsort to sort and argsort arrays in descending order. NaN
values, if present, are sorted to the end of the array in both ascending and
descending sorts. This feature is available for all built-in dtypes except
void, object, and generic. Note that SIMD optimizations for sorting
are currently not available for descending sorts, so performance may be slower.

(gh-31345)

Improvements

For f2py, the behaviour of intent(inplace) has improved. Previously,
if an input array did not have the right dtype or order, the input array was
modified in-place, changing its dtype and replacing its data by a corrected
copy. Now, instead, the corrected copy is kept a separate array, which, after
being passed and presumably modified by the fortran routine, is copied back to
the input routine. The above means one no longer has the risk that
pre-existing views or slices of the input array start pointing to unallocated
memory (at the price of increased overhead for the write-back copy at the end
of the call).

A potential problem would be that one might get very different results if one,
e.g., previously passed in an integer array where a double array was expected:
the writeback to integer would likely give wrong results. To avoid such
situations, intent(inplace) will now only allow arrays that have equivalent
type to that used in the fortran routine, i.e., dtype.kind is the same. For
instance, a routine expecting double would be able to receive float, but would
raise on integer input.

(gh-29929)

f2py modules now show allocatable arrays in dir()

Allocatable module variables wrapped by f2py now appear in dir()
output, matching their accessibility by name.

(gh-30965)

StringDType comparisons now correctly handle embedded NULL bytes.

(gh-31662)

Performance improvements and changes

Improved performance of numpy.searchsorted

The C++ binary search implementation used by numpy.searchsorted now has a
much better performance when searching for multiple keys. The new
implementation batches binary search steps across all keys to leverage cache
locality and out-of-order execution. Benchmarks show the new implementation can
be up to 20 times faster for hundreds of thousands keys while single-key
performance remains comparable to previous versions.

(gh-30517)

Improved scaling of ufuncs on free-threading

NumPy's ufuncs now scale significantly better on free-threading builds
of CPython due to the following optimizations:

  • Lock-free dispatch table: The ufuncs dispatch table is now implemented as
    a lock-free concurrent hash map, allowing multiple threads to call ufuncs
    without contention.
  • Immortal shared objects: Certain shared objects, such as global memory
    handlers, have been made immortal. This effectively reduces reference
    counting contention across threads.
  • Optimized memory allocation: NumPy now utilizes PyMem_RawMalloc and
    PyMem_RawFree for memory allocation. On Python 3.15 and newer, this
    leverages mimalloc and significantly reduces memory allocation overhead
    in multi-threaded workloads.

(gh-30846)

Faster reductions on small/medium contiguous arrays

numpy.sum, numpy.prod, numpy.any, numpy.all, and other
reductions with an identity value now use a fast path when the input is a
contiguous, aligned, non-object array and the reduction covers all axes
(axis=None) with no special arguments. Typical speedup is ~1.3x on small
arrays; numpy.any / numpy.all on contiguous boolean arrays can see
speedup up to 1.9x.

(gh-31274)

Typing improvements and changes

numpy.linalg typing improvements and preliminary shape-typing support

Input and output dtypes for numpy.linalg functions are now more precise.
Several of these functions also gain preliminary shape-typing support while
remaining backward compatible. For example, the return type of
numpy.linalg.matmul now depends on the shape-type of its inputs, or fall
back to the backward-compatible return type if the shape-types are unknown at
type-checking time. Because of limitations in Python's type system and current
type-checkers, shape-typing cannot cover every situation and is often only
implemented for the most common lower-rank cases.

(gh-30480)

numpy.ma typing annotations

The numpy.ma module is now fully covered by typing annotations. This
includes annotations for masked arrays, masks, and various functions and
methods. With this, NumPy has achieved 100% typing coverage across all its
submodules.

(gh-30566)

Shape-typing support for many functions and methods

Many functions and methods now have shape-aware return type annotations.
Type-checkers can now infer the number of dimensions of the returned array
through common operations. For example, np.linspace(0, 1) is now typed as a
1-d float64 array, and np.sum(x, keepdims=True) has the same number of
dimensions as x.

This covers numpy.linalg functions, array creation functions (like
asarray, from{buffer,string,file,iter,regex}), range functions
(linspace, logspace, geomspace), aggregation functions and methods
(sum, mean, std, var, min, max, all, any,
etc.), sorting (sort, argsort, argpartition), cumulative operations
(cumsum, cumprod, etc.), set operations (unique_values,
intersect1d, union1d, etc.), and various other functions including
nonzero, transpose, diagonal, atleast_{1,2,3}d, clip,
round, inner, bincount, and fft.fftfreq. Several of these also
gained more precise return dtype annotations as part of this work.

Shape-typing is still a work-in-progress, so coverage is not yet complete.
Because of limitations in Python's type system and current type-checkers,
shape-typing is often only implemented for the most common lower-rank cases.

(gh-31172)

numpy.fft typing improvements and preliminary shape-typing support

The numpy.fft functions now support non-float64/complex128 dtypes
and gain preliminary shape-typing support. For example, the return type of
numpy.fft.fft now depends on the shape-type of its inputs, falling back to
the backward-compatible return type when the shape-types are unknown at
type-checking time.

(gh-31226)

Changes

Structured array copies now use memcpy for contiguous dtypes

Copying structured arrays with identical dtypes now uses memcpy instead of
field-by-field transfer when the dtype has a contiguous layout (no gaps between
fields). A new NPY_NOT_TRIVIALLY_COPYABLE dtype flag is set on structured
dtypes that have gaps in their memory layout, such as those created with
explicit offsets or via multi-field indexing. Only these dtypes continue to
use the slower field-by-field copy.

This means that padding bytes in contiguous structured dtypes (e.g. those
created without explicit offsets) may now be copied as part of the
memcpy, whereas previously they were left untouched. Code that relies on
padding bytes being preserved during structured array copies may be affected.

(gh-29270)

numpy.ctypeslib.as_ctypes now does not support scalar types

The function numpy.ctypeslib.as_ctypes has been updated to only accept
numpy.ndarray. Passing a scalar type (e.g., numpy.int32(5)) will now
raise a TypeError. This change was made to avoid the issue
gh-30354 and to enforce the
readonly nature of scalar types in NumPy. The previous behavior relied on
undocumented implicit temporary arrays and was not well-defined. Users who
need to convert scalar types to ctypes should first convert them to an array
(e.g., numpy.asarray) before passing them to numpy.ctypeslib.as_ctypes.

(gh-30538)

__array_interface__ changes on scalars

Scalars now export the __array_interface__ directly rather than including
an array copy as a __ref entry. This means that scalars are now exported as
read-only while they previously exported as writeable. The path via __ref
was undocumented and not consistently used even within NumPy itself.

(gh-30538)

meshgrid now always returns a tuple

np.meshgrid previously used to return a list when sparse was true and
copy was false. Now, it always returns a tuple regardless of the
arguments.

(gh-30707)

numpy.triu_indices now accepts unsigned integers

numpy.triu_indices previously used to error in some cases when unsigned integers
were given as arguments. Now, it accepts them in all cases.

(gh-30869)

object dtype in .real and .imag and related functions

The array attributes .real and .imag now behave differently for object
arrays and return getattr(element, "real", element) or getattr(element, "imag", 0)
elementwise. Additionally, the return for both is now read-only to avoid possible
in-place changes having no effect.

This change also affects np.isreal() which uses arr.imag.

Previously, .imag always returned 0 while .real returned the
original array unmodified. The new behavior now returnes the correct values
for complex Python objects but may also lead to surprises for example if
element.real() is a method and not a property.

(gh-30984)

NumPy's internal memory allocations now use PyMem_RawMalloc

NumPy's internal memory allocations now use PyMem_RawMalloc instead of
malloc and can be tracked by tracemalloc.

(gh-31503)

v2.4.6

Compare Source

v2.4.5: (May 15, 2026)

Compare Source

NumPy 2.4.5 Release Notes

NumPy 2.4.5 is a patch release that fixes bugs discovered after the 2.4.4
release, has some typing improvements, and maintains infrastructure.

This release supports Python versions 3.11-3.14

Contributors

A total of 17 people contributed to this release. People with a "+" by their
names contributed a patch for the first time.

  • Aleksei Nikiforov
  • Anarion Zuo +
  • Ankit Ahlawat
  • Breno Favaretto +
  • Charles Harris
  • Igor Krivenko +
  • Ijtihed Kilani +
  • Joren Hammudoglu
  • Maarten Baert +
  • Matti Picus
  • Nathan Goldbaum
  • Praneeth Kodumagulla +
  • Ralf Gommers
  • RoomWithOutRoof +
  • Sebastian Berg
  • Warren Weckesser
  • div +
Pull requests merged

A total of 28 pull requests were merged for this release.

  • #​31093: MAINT: Prepare 2.4.x for further development
  • #​31182: TYP: fix np.shape assignability issue for python lists (#​31171)
  • #​31197: ENH: Return rank 0 for empty matrices in matrix_rank (#​30422)
  • #​31198: CI/BUG: add native jobs for s390x, fix bug in pack_inner...
  • #​31199: BUG: f2py map complex_long_double to NPY_CLONGDOUBLE
  • #​31205: MAINT: f2py: Stop setting re._MAXCACHE to 50.
  • #​31206: BUG: fix heap buffer overflow in timedelta to string casts
  • #​31207: MAINT: Rename ppc64le and s390x workflow (#​31121)
  • #​31208: BUG: Fix matvec/vecmat in-place aliasing (out=input produces...
  • #​31209: TYP: tile: accept numpy scalars and arrays as second argument...
  • #​31211: DEP: Undo deprecation for np.dtype() signature used by old pickles...
  • #​31212: REV: Manual revert of float16 svml use (#​31178)
  • #​31222: TYP: ix_ fix for boolean and non-1d input (#​31218)
  • #​31329: BUG: incorrect temp elision for new-style (NEP 43) user-defined...
  • #​31330: TYP: fix sliding_window_view axis parameter typing
  • #​31335: BUG: Prevent deadlock due to downstream importing NumPy in dlopen...
  • #​31336: BUG: Fix segfault in nditer.multi_index when __getitem__ raises...
  • #​31338: TYP: Fix ruff lint error
  • #​31357: BUG: fix memory leak in np.zeros when fill-zero loop raises (#​31320)
  • #​31358: BUG: np.einsum() fails with a 0-dimensional out argument and...
  • #​31379: BUG: Fix signed overflow issue in npy_gcd for INT_MIN on s390x...
  • #​31383: CI: remove Cirrus CI FreeBSD job (#​31380)
  • #​31390: BUILD: newer MKL uses so.3
  • #​31391: BLD/MAINT: improve support for Intel LLVM compilers
  • #​31401: BUG: Avoid UB in safe[add,sub,mul] helpers (#​31396)
  • #​31402: BUG: exclude __pycache__ directories from wheels (#​31397)
  • #​31404: TYP: _NestedSequence type parameter default to work around...
  • #​31426: TYP: Fix DTypeLike runtime type-checker support (#​31425)

v2.4.4: 2.4.4 (Mar 29, 2026)

Compare Source

NumPy 2.4.4 Release Notes

The NumPy 2.4.4 is a patch release that fixes bugs discovered after the 2.4.3
release. It should finally close issue #​30816, the OpenBLAS threading problem
on ARM.

This release supports Python versions 3.11-3.14

Contributors

A total of 8 people contributed to this release. People with a "+" by their
names contributed a patch for the first time.

  • Charles Harris
  • Daniel Haag +
  • Denis Prokopenko +
  • Harshith J +
  • Koki Watanabe
  • Marten van Kerkwijk
  • Matti Picus
  • Nathan Goldbaum

Pull requests merged

A total of 7 pull requests were merged for this release.

v2.4.3

Compare Source

v2.4.2

Compare Source

v2.4.1: 2.4.1 (Jan 10, 2026)

Compare Source

NumPy 2.4.1 Release Notes

The NumPy 2.4.1 is a patch release that fixes bugs discoved after the
2.4.0 release. In particular, the typo SeedlessSequence is preserved to
enable wheels using the rand

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 69ba220 to d038471 Compare December 8, 2025 14:04
@renovate renovate Bot changed the title Update dependency semgrep to >=1.145,<1.146 Update all non-major dependencies Dec 8, 2025
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from ced2fc2 to 5247aed Compare December 20, 2025 18:09
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 3f35a32 to dc98e5f Compare January 13, 2026 04:39
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 98a2fa1 to 5ad5d2c Compare January 22, 2026 00:40
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 556cee3 to a4b20f7 Compare February 4, 2026 21:44
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from a4b20f7 to aaa8d88 Compare February 18, 2026 01:42
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 98b1d4b to 09df190 Compare March 4, 2026 21:53
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 182e262 to e56752d Compare March 12, 2026 04:58
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from ea8501e to 5afdc9f Compare March 18, 2026 01:08
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 51d85ec to 5bbfa81 Compare March 25, 2026 16:54
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 47e3824 to 686278a Compare May 10, 2026 21:07
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 686278a to 9a9d057 Compare May 11, 2026 22:33
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 7 times, most recently from 65d29b9 to 746af22 Compare May 19, 2026 02:00
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from cfda36a to 149b112 Compare May 27, 2026 16:46
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from ad0150a to e6a3c06 Compare June 10, 2026 19:12
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from e6a3c06 to 9f6fd85 Compare June 11, 2026 15:58
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 5c41c61 to 66d05f8 Compare June 19, 2026 17:48
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 8e4edea to e99e4c9 Compare June 29, 2026 04:50
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from e99e4c9 to fb4f785 Compare July 10, 2026 20:11
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from fb4f785 to f18f0a6 Compare July 12, 2026 10:00
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

💡 Need a hand with PR review? Try Gitar by Sonar!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants