Bump the pip group across 1 directory with 20 updates

[dependabot]

Bumps the pip group with 20 updates in the /requirements directory:

Package	From	To
certifi	2023.7.22	2024.7.4
cryptography	41.0.4	43.0.1
dash	2.13.0	2.15.0
dnspython	2.4.2	2.6.1
idna	3.4	3.7
jinja2	3.1.2	3.1.4
jupyter-server	2.7.3	2.11.2
jupyterlab	3.6.6	3.6.8
pillow	10.0.1	10.3.0
pymatgen	2023.6.23	2024.2.20
pymongo	4.5.0	4.6.3
requests	2.31.0	2.32.2
scikit-learn	1.3.1	1.5.0
tornado	6.3.3	6.4.1
tqdm	4.66.1	4.66.3
urllib3	1.26.20	2.2.3
werkzeug	2.2.3	3.0.3
zipp	3.17.0	3.19.1
aiohttp	3.8.6	3.10.2
black	23.9.1	24.3.0

Updates certifi from 2023.7.22 to 2024.7.4

Commits

• bd81538 2024.07.04 (#295)
• 06a2cbf Bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (#294)
• 13bba02 Bump actions/checkout from 4.1.6 to 4.1.7 (#293)
• e8abcd0 Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 (#292)
• 124f4ad 2024.06.02 (#291)
• c2196ce --- (#290)
• fefdeec Bump actions/checkout from 4.1.4 to 4.1.5 (#289)
• 3c5fb15 Bump actions/download-artifact from 4.1.6 to 4.1.7 (#286)
• 4a9569a Bump actions/checkout from 4.1.2 to 4.1.4 (#287)
• 1fc8086 Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (#288)
• Additional commits viewable in compare view

Updates cryptography from 41.0.4 to 43.0.1

Changelog

Sourced from cryptography's changelog.

43.0.1 - 2024-09-03

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.3.2.
.. _v43-0-0:
43.0.0 - 2024-07-20

• BACKWARDS INCOMPATIBLE: Support for OpenSSL less than 1.1.1e has been removed. Users on older version of OpenSSL will need to upgrade.
• BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.8.
• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.3.1.
• Updated the minimum supported Rust version (MSRV) to 1.65.0, from 1.63.0.
• :func:~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still considered insecure, users should generally use a key size of 2048-bits.
• :func:~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates now emits ASN.1 that more closely follows the recommendations in :rfc:2315.
• Added new :doc:/hazmat/decrepit/index module which contains outdated and insecure cryptographic primitives. :class:~cryptography.hazmat.primitives.ciphers.algorithms.CAST5, :class:~cryptography.hazmat.primitives.ciphers.algorithms.SEED, :class:~cryptography.hazmat.primitives.ciphers.algorithms.IDEA, and :class:~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish, which were deprecated in 37.0.0, have been added to this module. They will be removed from the cipher module in 45.0.0.
• Moved :class:~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES and :class:~cryptography.hazmat.primitives.ciphers.algorithms.ARC4 into :doc:/hazmat/decrepit/index and deprecated them in the cipher module. They will be removed from the cipher module in 48.0.0.
• Added support for deterministic :class:~cryptography.hazmat.primitives.asymmetric.ec.ECDSA (:rfc:6979)
• Added support for client certificate verification to the :mod:X.509 path validation <cryptography.x509.verification> APIs in the form of :class:~cryptography.x509.verification.ClientVerifier, :class:~cryptography.x509.verification.VerifiedClient, and PolicyBuilder :meth:~cryptography.x509.verification.PolicyBuilder.build_client_verifier.
• Added Certificate :attr:~cryptography.x509.Certificate.public_key_algorithm_oid and Certificate Signing Request :attr:~cryptography.x509.CertificateSigningRequest.public_key_algorithm_oid to determine the :class:~cryptography.hazmat._oid.PublicKeyAlgorithmOID Object Identifier of the public key found inside the certificate.
• Added :attr:~cryptography.x509.InvalidityDate.invalidity_date_utc, a timezone-aware alternative to the naïve datetime attribute :attr:~cryptography.x509.InvalidityDate.invalidity_date.
• Added support for parsing empty DN string in

... (truncated)

Commits

• a773387 bump for 43.0.1 (#11533)
• 0393fef Backport setuptools version ban (#11526)
• 6687bab Bump openssl from 0.10.65 to 0.10.66 in /src/rust (#11320) (#11324)
• ebf14f2 bump for 43.0.0 and update changelog (#11311)
• 42788a0 Fix exchange with keys that had Q automatically computed (#11309)
• 2dbdfb8 don't assign unused name (#11310)
• ccc66e6 Bump openssl from 0.10.64 to 0.10.65 in /src/rust (#11308)
• 4310c87 Bump sphinxcontrib-qthelp from 1.0.7 to 1.0.8 (#11307)
• f66a9c4 Bump sphinxcontrib-htmlhelp from 2.0.5 to 2.0.6 (#11306)
• a8fcf18 Bump openssl-sys from 0.9.102 to 0.9.103 in /src/rust (#11305)
• Additional commits viewable in compare view

Updates dash from 2.13.0 to 2.15.0

Release notes

Sourced from dash's releases.

Dash v2.15.0

Added

• #2695 Adds triggered_id to dash_clientside.callback_context. Fixes #2692
• #2723 Improve dcc Slider/RangeSlider tooltips. Fixes #1846
  • Add tooltip.template a string for the format template, {value} will be formatted with the actual value.
  • Add tooltip.style a style object to give to the div of the tooltip.
  • Add tooltip.transform a reference to a function in the window.dccFunctions namespace.
• #2732 Add special key _dash_error to setProps, allowing component developers to send error without throwing in render. Usage props.setProps({_dash_error: new Error("custom error")})

Fixed

• #2732 Sanitize html props that are vulnerable to xss vulnerability if user data is inserted. Fix Validate url to prevent XSS attacks #2729

Changed

• #2652 dcc.Clipboard supports htm_content and triggers a copy to clipboard when n_clicks are changed
• #2721 Remove ansi2html, fixes #2613

Dash v2.14.2

Fixed

• #2700 Fix _allow_dynamic_callbacks for newly-added components.

Dash v2.14.1

Fixed

• #2672 Fix get_caller_name in case the source is not available.

Changed

• #2674 Raise flask & werkzeug limits to <3.1

Dash v2.14.0

Fixed

• #2634 Fix deprecation warning on pkg_resources, fix #2631

Changed

• #2635 Get proper app module name, remove need to give __name__ to Dash constructor.

Added

• #2647 routing_callback_inputs allowing to pass more Input and/or State arguments to the pages routing callback
• #2649 Add _allow_dynamic_callbacks, register new callbacks inside other callbacks. WARNING: dynamic callback creation can be dangerous, use at you own risk. It is not intended for use in a production app, multi-user or multiprocess use as it only works for a single user.

Changelog

Sourced from dash's changelog.

[2.15.0] - 2024-01-31

Added

• #2695 Adds triggered_id to dash_clientside.callback_context. Fixes #2692
• #2723 Improve dcc Slider/RangeSlider tooltips. Fixes #1846
  • Add tooltip.template a string for the format template, {value} will be formatted with the actual value.
  • Add tooltip.style a style object to give to the div of the tooltip.
  • Add tooltip.transform a reference to a function in the window.dccFunctions namespace.
• #2732 Add special key _dash_error to setProps, allowing component developers to send error without throwing in render. Usage props.setProps({_dash_error: new Error("custom error")})

Fixed

• #2732 Sanitize html props that are vulnerable to xss vulnerability if user data is inserted. Fix Validate url to prevent XSS attacks #2729

Changed

• #2652 dcc.Clipboard supports htm_content and triggers a copy to clipboard when n_clicks are changed
• #2721 Remove ansi2html, fixes #2613

[2.14.2] - 2023-11-27

Fixed

• #2700 Fix _allow_dynamic_callbacks for newly-added components.

[2.14.1] - 2023-10-26

Fixed

• #2672 Fix get_caller_name in case the source is not available.

Changed

• #2674 Raise flask & werkzeug limits to <3.1

[2.14.0] - 2023-10-11

Fixed

• #2634 Fix deprecation warning on pkg_resources, fix #2631

Changed

• #2635 Get proper app module name, remove need to give __name__ to Dash constructor.

Added

• #2647 routing_callback_inputs allowing to pass more Input and/or State arguments to the pages routing callback
• #2649 Add _allow_dynamic_callbacks, register new callbacks inside other callbacks. WARNING: dynamic callback creation can be dangerous, use at you own risk. It is not intended for use in a production app, multi-user or multiprocess use as it only works for a single user.

Commits

• 115aa4e Merge pull request #2739 from plotly/master-2.15.0
• 9243f93 build
• 83c5422 Version 2.15.0 build artifacts
• 78d07c4 Merge branch 'dev' into master-2.15.0
• 6a8da52 Merge pull request #2737 from plotly/version-2.15.0
• 7cb6f07 build
• da4261e Fix changelog.
• 27751a8 Version 2.15.0
• 49ac14f Merge pull request #2723 from plotly/slider-tips
• 06fb03a docstring typos
• Additional commits viewable in compare view

Updates dnspython from 2.4.2 to 2.6.1

Release notes

Sourced from dnspython's releases.

dnspython 2.6.1

See What's New for details.

This is a bug fix release for 2.6.0 where the "TuDoor" fix erroneously suppressed legitimate Truncated exceptions. This caused the stub resolver to timeout instead of failing over to TCP when a legitimate truncated response was received over UDP.

This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

dnspython 2.6.0

See What's New for details.

This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

dnspython 2.5.0

See the What's New page for a summary of this release.

Thanks to all the contributors, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

Changelog

Sourced from dnspython's changelog.

2.6.1

• The Tudoor fix ate legitimate Truncated exceptions, preventing the resolver from failing over to TCP and causing the query to timeout #1053.

2.6.0

• As mentioned in the "TuDoor" paper and the associated CVE-2023-29483, the dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query.

  This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

• Added support for the NSID EDNS option.

• Dnspython now looks for version metadata for optional packages and will not use them if they are too old. This prevents possible exceptions when a feature like DoH is not desired in dnspython, but an old httpx is installed along with dnspython for some other purpose.

• The DoHNameserver class now allows GET to be used instead of the default POST, and also passes source and source_port correctly to the underlying query methods.

2.5.0

• Dnspython now uses hatchling for builds.

• Asynchronous destinationless sockets now work on Windows.

• Cython is no longer supported due to various typing issues.

• Dnspython now explicitly canonicalizes IPv4 and IPv6 addresses. Previously it was possible for non-canonical IPv6 forms to be stored in a AAAA address, which would work correctly but possibly cause problmes if the address were used as a key in a dictionary.

• The number of messages in a section can be retrieved with section_count().

• Truncation preferences for messages can be specified.

• The length of a message can be automatically prepended when rendering.

... (truncated)

Commits

• 0a742b9 update CI
• 0ea5ad0 The Tudoor fix should not eat valid Truncated exceptions #1053 (#1054)
• f12d398 2.6.1 version prep
• cecb853 Further improve CVE fix coverage to 100% for sync and async.
• 7952e31 test IgnoreErrors
• e093299 For the Tudoor fix, we also need the UDP nameserver to ignore_unexpected.
• 3af9f78 2.6.0 versioning
• ca63d95 Require cryptography >=41 instead of 42.
• 902cbf3 Create CODE_OF_CONDUCT.md
• ed9795f github contributing and pull request template
• Additional commits viewable in compare view

Updates idna from 3.4 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

3.6 (2023-11-25) ++++++++++++++++

• Fix regression to include tests in source distribution.

3.5 (2023-11-24) ++++++++++++++++

• Update to Unicode 15.1.0
• String codec name is now "idna2008" as overriding the system codec "idna" was not working.
• Fix typing error for codec encoding
• "setup.cfg" has been added for this release due to some downstream lack of adherence to PEP 517. Should be removed in a future release so please prepare accordingly.
• Removed reliance on a symlink for the "idna-data" tool to comport with PEP 517 and the Python Packaging User Guide for sdist archives.
• Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions to this release.

Commits

• 1d365e1 Release v3.7
• c1b3154 Merge pull request #172 from kjd/optimize-contextj
• 0394ec7 Merge branch 'master' into optimize-contextj
• cd58a23 Merge pull request #152 from elliotwutingfeng/dev
• 5beb28b More efficient resolution of joiner contexts
• 1b12148 Update ossf/scorecard-action to v2.3.1
• d516b87 Update Github actions/checkout to v4
• c095c75 Merge branch 'master' into dev
• 60a0a4c Fix typo in GitHub Actions workflow key
• 5918a0e Merge branch 'master' into dev
• Additional commits viewable in compare view

Updates jinja2 from 3.1.2 to 3.1.4

Release notes

Sourced from jinja2's releases.

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

• The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

3.1.3

This is a fix release for the 3.1.x feature branch.

• Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.
• Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-3
• Milestone: https://github.com/pallets/jinja/milestone/15?closed=1

Changelog

Sourced from jinja2's changelog.

Version 3.1.4

Released 2024-05-05

• The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. :ghsa:h75v-3vvj-5mfj

Version 3.1.3

Released 2024-01-10

• Fix compiler error when checking if required blocks in parent templates are empty. :pr:1858
• xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
• Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. :pr:1918

Commits

• dd4a8b5 release version 3.1.4
• 0668239 Merge pull request from GHSA-h75v-3vvj-5mfj
• d655030 disallow invalid characters in keys to xmlattr filter
• a7863ba add ghsa links
• b5c98e7 start version 3.1.4
• da3a9f0 update project files (#1968)
• 0ee5eb4 satisfy formatter, linter, and strict mypy
• 20477c6 update project files (#5457)
• e491223 update pyyaml dev dependency
• 36f9885 fix pr link
• Additional commits viewable in compare view

Updates jupyter-server from 2.7.3 to 2.11.2

Release notes

Sourced from jupyter-server's releases.

v2.11.2

2.11.2

(Full Changelog)

Contributors to this release

(GitHub contributors page for this release)

v2.11.1

2.11.1

(Full Changelog)

Bugs fixed

• avoid unhandled error on some invalid paths #1369 (@​minrk)
• Change md5 to hash and hash_algorithm, fix incompatibility #1367 (@​Wh1isper)

Contributors to this release

(GitHub contributors page for this release)

@​blink1073 | @​fcollonval | @​minrk | @​Wh1isper

v2.11.0

2.11.0

(Full Changelog)

Enhancements made

• Support get file(notebook) md5 #1363 (@​Wh1isper)

Maintenance and upkeep improvements

• Update ruff and typings #1365 (@​blink1073)

Documentation improvements

• Update api docs with md5 param #1364 (@​Wh1isper)
• typo: ServerApp #1361 (@​IITII)

Contributors to this release

... (truncated)

Changelog

Sourced from jupyter-server's changelog.

2.11.2

(Full Changelog)

Contributors to this release

(GitHub contributors page for this release)

2.11.1

(Full Changelog)

Bugs fixed

• avoid unhandled error on some invalid paths #1369 (@​minrk)
• Change md5 to hash and hash_algorithm, fix incompatibility #1367 (@​Wh1isper)

Contributors to this release

(GitHub contributors page for this release)

@​blink1073 | @​fcollonval | @​minrk | @​Wh1isper

2.11.0

(Full Changelog)

Enhancements made

• Support get file(notebook) md5 #1363 (@​Wh1isper)

Maintenance and upkeep improvements

• Update ruff and typings #1365 (@​blink1073)

Documentation improvements

• Update api docs with md5 param #1364 (@​Wh1isper)
• typo: ServerApp #1361 (@​IITII)

Contributors to this release

(GitHub contributors page for this release)

@​blink1073 | @​IITII | @​welcome | @​Wh1isper

2.10.1

(Full Changelog)

... (truncated)

Commits

• 9bd9657 Publish 2.11.2
• 0056c3a Merge pull request from GHSA-h56g-gq9v-vc8r
• 88eca99 Bump to 2.12.0.dev0
• 3755794 Publish 2.11.1
• 40a95e5 avoid unhandled error on some invalid paths (#1369)
• ecd5b1f Change md5 to hash and hash_algorithm, fix incompatibility (#1367)
• 8e5d766 Bump to 2.12.0.dev0
• cc74bb6 Publish 2.11.0
• e7c0f33 Update api docs with md5 param (#1364)
• 0983b71 Update ruff and typings (#1365)
• Additional commits viewable in compare view

Updates jupyterlab from 3.6.6 to 3.6.8

Release notes

Sourced from jupyterlab's releases.

v3.6.8

3.6.8

(Full Changelog)

Bugs fixed

• Fix workspaces loading #15842 (@​krassowski)

Maintenance and upkeep improvements

• Run Python tests on MacOS with Python 12, replace canvas with jest-canvas-mock #16314 (@​krassowski)
• Ignore empty stdout data when logging in verdaccio #16459 (@​fcollonval)
• Install Firefox from brew on Mac on CI #16245 (@​krassowski)

Documentation improvements

• Run Python tests on MacOS with Python 12, replace canvas with jest-canvas-mock #16314 (@​krassowski)
• Remove SO links, add more recent issue to FAQ #15811 (@​krassowski)

Other merged PRs

• Removed broken gif links in README.md files #16151 (@​Tanmay-Deshmukh)

Contributors to this release

(GitHub contributors page for this release)

@​afshin | @​ajbozarth | @​AllanChain | @​andrii-i | @​bollwyvl | @​brichet | @​davidbrochart | @​diyoyo | @​echarles | @​ellisonbg | @​ericsnekbytes | @​fcollonval | @​FoSuCloud | @​g547315 | @​gabalafou | @​github-actions | @​guyq1997 | @​HaudinFlorence | @​j264415 | @​JasonWeill | @​joaopalmeiro | @​jtpio | @​jupyterlab-dev-mode | @​jupyterlab-probot | @​kiliansinger | @​kolibril13 | @​krassowski | @​linlol | @​lumberbot-app | @​mahendrapaipuri | @​meeseeksmachine | @​Mehak261124 | @​None | @​Rob-P-Smith | @​RRosio | @​srdas | @​tonyfast | @​trungleduc | @​welcome | @​williamstein | @​xc2 | @​Zsailer

v3.6.7

3.6.7

(Full Changelog)

Security fixes

• Potential authentication and CSRF tokens leak in JupyterLab (GHSA-44cc-43rp-5947)

Bugs fixed

• [3.6.x] Fix M1 install, declare node-gyp@^9.0.0 #15395 (@​dlqqq)
• Backport PR #14534 and PR #15237 on branch 3.6.x (Hide completer when changing notebook tabs) #15244 (@​meeseeksmachine)

Maintenance and upkeep improvements

• Pin actions/labeler to v4 to fix failing CI action #15496 (@​krassowski)
• Fix URLs in debugger-extension #15462 (@​fcollonval)
• Fix docs deployment failing on 3.6 branch #15424 (@​krassowski)

... (truncated)

Commits

• decbea1 [ci skip] New version
• 06ad9de Merge commit from fork
• 2ce23ac Backport PR #16245: Install Firefox from brew on Mac on CI (#16249)
• 51da49c Backport PR #16151: Removed broken gif links in README.md files (#16504)
• a6ee24f Backport PR #16459: Ignore empty stdout data when logging in verdaccio (#16463)
• 7b80cf9 Backport PR #16314: Run Python tests on MacOS with Python 12, replace `canvas...
• d3897d2 Backport PR #15842: Fix workspaces loading (#15847)
• 17a2c05 Backport PR #15811 on branch 3.6.x (Remove SO links, add more recent issue to...
• ccc9082 Automated Changelog Entry - Remove 1 placeholder entries. (#15668)
• c71ad3c [ci skip] Publish 3.6.7
• Additional commits viewable in compare view

Updates pillow from 10.0.1 to 10.3.0

Release notes

Sourced from pillow's releases.

10.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html

Changes

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [@​hugovk]
• Use functools.lru_cache for hopper() #7912 [@​hugovk]
• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [@​radarhere]
• Improve speed of loading QOI images #7925 [@​radarhere]
• Added RGB to I;16N conversion #7920 [@​radarhere]
• Add --report argument to main.py to omit supported formats #7818 [@​nulano]
• Added RGB to I;16, I;16L and I;16B conversion #7918 [@​radarhere]
• Fix editable installation with custom build backend and configuration options #7658 [@​nulano]
• Fix putdata() for I;16N on big-endian #7209 [@​Yay295]
• Determine MPO size from markers, not EXIF data #7884 [@​radarhere]
• Improved conversion from RGB to RGBa, LA and La #7888 [@​radarhere]
• Support FITS images with GZIP_1 compression #7894 [@​radarhere]
• Use I;16 mode for 9-bit JPEG 2000 images #7900 [@​scaramallion]
• Raise ValueError if kmeans is negative #7891 [@​radarhere]
• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [@​radarhere]
• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [@​radarhere]
• Added reading of JPEG2000 palettes #7870 [@​radarhere]
• Added alpha_quality argument when saving WebP images #7872 [@​radarhere]
• Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions #7881 [@​radarhere]
• Removed Python and NumPy pinning on Cygwin #7880 [@​radarhere]
• Update UnidentifiedImageError and version imports #7644 [@​radarhere]
• Stop reading EPS image at EOF marker #7753 [@​radarhere]
• PSD layer co-ordinates may be negative #7706 [@​radarhere]
• Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer #7791 [@​radarhere]
• When saving GIF frame that restores to background color, do not fill identical pixels #7788 [@​radarhere]
• Fixed reading PNG iCCP compression method #7823 [@​radarhere]
• Allow writing IFDRational to UNDEFINED tag