chore(deps): update python-nonmajor

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
PyMySQL (changelog)	==1.1.2 → ==1.1.3
certifi	==2026.2.25 → ==2026.4.22
filelock	==3.28.0 → ==3.29.0
google-auth	==2.49.2 → ==2.52.0
idna (changelog)	==3.11 → ==3.13
packaging	==26.1 → ==26.2
urllib3 (changelog)	==2.6.3 → ==2.7.0
virtualenv	==21.2.4 → ==21.3.1

---

Release Notes

PyMySQL/PyMySQL (PyMySQL)

v1.1.3

Compare Source

Release date: 2026-05-01

Security

• Fix Cursor.callproc() didn't escape procedure name. (#​1206)
  There was a possibility of SQL injection when calling a procedure with a string received from an untrusted source as the procedure name.

  NOTICE: This change may cause backward compatibility issues. If you specified a procedure name like "dbname.funcname", the previous version called CALL dbname.funcname, but from this version, it will call CALL `dbname.funcname` so you cannot specify procedure name with database name anymore.

certifi/python-certifi (certifi)

v2026.4.22

Compare Source

tox-dev/py-filelock (filelock)

v3.29.0

Compare Source

What's Changed

• 🐛 fix(async): use single-thread executor for lock consistency by @​gaborbernat in tox-dev/filelock#533
• ✨ feat(soft): enable stale lock detection on Windows by @​gaborbernat in tox-dev/filelock#534

Full Changelog: tox-dev/filelock@3.28.0...3.29.0

kjd/idna (idna)

v3.13

Compare Source

v3.12

Compare Source

pypa/packaging (packaging)

v26.2

Compare Source

What's Changed

Fixes:

• Fix incorrect sysconfig var name for pyemscripten by @​ryanking13 in #​1160
• Make Version, Specifier, SpecifierSet, Tag, Marker, and Requirement pickle-safe
  and backward-compatible with pickles created in 25.0-26.1 (including references to the removed
  packaging._structures module) by @​eachimei and @​henryiii in #​1163, #​1168, #​1170, and #​1171
• fix: re-export ExceptionGroup for now by @​henryiii in #​1164

Documentation:

• docs: add errors section and fix missing details by @​henryiii in #​1159
• docs(dev): document property-based test suite by @​r266-tech in #​1167
• Fix typo in DirectUrl documentation by @​sbidoul in #​1169
• docs(specifiers): add is_unsatisfiable() usage example by @​r266-tech in #​1166

Internal:

• Enable the auditor persona on zizmor by @​henryiii in #​1158
• Test new pickle guarantees by @​henryiii in #​1174
• Use native uv integration in rtd by @​henryiii in #​1175

New Contributors

• @​ryanking13 made their first contribution in #​1160
• @​eachimei made their first contribution in #​1163

Full Changelog: pypa/packaging@26.1...26.2

urllib3/urllib3 (urllib3)

v2.7.0

Compare Source

=======================

Security

Addressed high-severity security issues.
Impact was limited to specific use cases detailed in the accompanying
advisories; overall user exposure was estimated to be marginal.

• Decompression-bomb safeguards of the streaming API were bypassed:

  1. When HTTPResponse.drain_conn() was called after the response had been
     read and decompressed partially.
  2. During the second HTTPResponse.read(amt=N) or
     HTTPResponse.stream(amt=N) call when the response was decompressed
     using the official Brotli <https://pypi.org/project/brotli/>__ library.

  See GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__
  for details.

• HTTP pools created using ProxyManager.connection_from_url did not strip
  sensitive headers specified in Retry.remove_headers_on_redirect when
  redirecting to a different host.
  (GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>__)

Deprecations and Removals

• Used FutureWarning instead of DeprecationWarning for better
  visibility of existing deprecation notices. Rescheduled the removal of
  deprecated features to version 3.0.
  (#&#8203;3764 <https://github.com/urllib3/urllib3/issues/3764>__)
• Removed support for end-of-life Python 3.9.
  (#&#8203;3720 <https://github.com/urllib3/urllib3/issues/3720>__)
• Removed support for end-of-life PyPy3.10.
  (#&#8203;4979 <https://github.com/urllib3/urllib3/issues/4979>__)
• Bumped the minimum supported pyOpenSSL version to 19.0.0.
  (#&#8203;3777 <https://github.com/urllib3/urllib3/issues/3777>__)

Bugfixes

• Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed
  data buffered from previous partial reads.
  (#&#8203;3636 <https://github.com/urllib3/urllib3/issues/3636>__)
• Fixed a bug where HTTPResponse.read() could cache only part of the
  response after a partial read when cache_content=True.
  (#&#8203;4967 <https://github.com/urllib3/urllib3/issues/4967>__)
• Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle
  amt=0.
  (#&#8203;3793 <https://github.com/urllib3/urllib3/issues/3793>__)
• Updated _TYPE_BODY type alias to include missing Iterable[str],
  matching the documented and runtime behavior of chunked request bodies.
  (#&#8203;3798 <https://github.com/urllib3/urllib3/issues/3798>__)
• Fixed LocationParseError when paths resembling schemeless URIs were
  passed to HTTPConnectionPool.urlopen().
  (#&#8203;3352 <https://github.com/urllib3/urllib3/issues/3352>__)
• Fixed BaseHTTPResponse.readinto() type annotation to accept
  memoryview in addition to bytearray, matching the
  io.RawIOBase.readinto contract and enabling use with
  io.BufferedReader without type errors.
  (#&#8203;3764 <https://github.com/urllib3/urllib3/issues/3764>__)

pypa/virtualenv (virtualenv)

v21.3.1

Compare Source

What's Changed

• 👷 ci: retry transient apt failures on Linux by @​gaborbernat in #​3139
• 🐛 fix(seed): bump embedded pip to 26.1.1 by @​gaborbernat in #​3138

Full Changelog: pypa/virtualenv@21.3.0...21.3.1

v21.3.0

Compare Source

What's Changed

• 🐛 fix(type): stop ty flagging default_source on Action by @​gaborbernat in #​3124
• feat: Reintroduce xonsh shell support by @​anki-code in #​3125
• 🐛 fix(test): prevent PowerShell activation test from crashing xdist workers on Windows by @​gaborbernat in #​3128
• docs: Add usage instruction for Xonsh activation by @​anki-code in #​3130
• Upgrade embedded pip/setuptools/wheel by @​github-actions[bot] in #​3132

New Contributors

• @​anki-code made their first contribution in #​3125

Full Changelog: pypa/virtualenv@21.2.4...21.3.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun