Bump the pip group across 5 directories with 5 updates

[dependabot]

Bumps the pip group with 4 updates in the /mpcontribs-api/requirements directory: bleach, cryptography, jupyter-server and tornado.
Bumps the pip group with 3 updates in the /mpcontribs-kernel-gateway/requirements directory: bleach, jupyter-server and tornado.
Bumps the pip group with 1 update in the /mpcontribs-lux directory: pyarrow.
Bumps the pip group with 1 update in the /mpcontribs-lux/requirements directory: pyarrow.
Bumps the pip group with 2 updates in the /mpcontribs-portal/requirements directory: bleach and tornado.

Updates bleach from 6.3.0 to 6.4.0

Changelog

Sourced from bleach's changelog.

Version 6.4.0 (June 5th, 2026)

NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future releases including for security issues. See issue: <https://github.com/mozilla/bleach/issues/698>__

Backwards incompatible changes

• Dropped support for pypy 3.10. (#764)

Security fixes

• Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.

  Fix XSS issue with sanitize_uri_value where disallowed schemes with Unicode invisible characters wouldn't be rejected.

  For example::

  import bleach payload1 = 'Click' result1 = bleach.clean(payload1) print(repr(result1))

  outputs::

  'Click'

  See the advisory for details.

• Fix GHSA-gj48-438w-jh9v.

  Fix issue where URI sanitization wasn't happening in formaction attributes.

  See the advisory for details.

Bug fixes

• Add support for pypy 3.11. (#764)

• Drop version max in tinycss2 pin. (#772)

  This removes one of the things we had to keep checking and updating. Users now own the responsibility for correctness with the version of tinycss2 they're using.

Commits

• f0355a7 fix: fix last release date in CHANGES
• ae4e8a2 chore: bleach 6.4.0 and final release
• 970df58 fix: uri-sanitization in formaction attributes
• 7c4867c fix: xss bypass in allowed protocol test using unicode invisible characters
• 913ab75 fix: reduce redundancy in workflow jobs
• 218c15a fix: rework pip caching
• 4f0b097 fix: fix tox platform restrictions
• e95a79d chore: update pytest
• 91539d4 Bump actions/cache from 5.0.3 to 5.0.4
• cd47b4c fix: handle left-angle-bracket that's not a tag (#733)
• Additional commits viewable in compare view

Updates cryptography from 48.0.0 to 48.0.1

Changelog

Sourced from cryptography's changelog.

48.0.1 - 2026-06-09

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 4.0.1.
.. _v48-0-0:

Commits

• de987ce 48.0.1 version bump and changelog (#14996)
• See full diff in compare view

Updates jupyter-server from 2.18.2 to 2.20.0

Release notes

Sourced from jupyter-server's releases.

v2.20.0

2.20.0

(Full Changelog)

Security fixes

• CVE-2026-44727 GHSA-fcw5-x6j4-ccmp

Enhancements made

• Fix confusing terminal output when using ServerApp.ip=0.0.0.0 #1643 (@​Yann-P, @​minrk)
• Add a toggle to enable curve encryption for all kernels that support it #1638 (@​krassowski, @​Carreau, @​ianthomas23, @​minrk)

Bugs fixed

• Grab the port from bind_sockets in case its different #1651 (@​choldgraf, @​krassowski)

Maintenance and upkeep improvements

• Fix test_authorizer having a spurious comma in params #1664 (@​krassowski)
• Add a reminder to merge GHSA before release #1659 (@​Yann-P, @​Carreau)
• Exclude problematic pywinpty 3.0.4 version #1658 (@​krassowski)
• ci: explicitly pass base-setup inputs to fix strict validation failures #1626 (@​Carreau, @​Copilot)

Documentation improvements

• Align docs for curve encryption with latest JEP version #1660 (@​krassowski, @​Carreau)
• Remove PGP key from docs #1653 (@​Yann-P, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​Carreau (activity) | @​choldgraf (activity) | @​Copilot (activity) | @​ianthomas23 (activity) | @​krassowski (activity) | @​minrk (activity) | @​Yann-P (activity)

v2.19.0

2.19.0

(Full Changelog)

Enhancements made

... (truncated)

Changelog

Sourced from jupyter-server's changelog.

2.20.0

(Full Changelog)

Enhancements made

• Fix confusing terminal output when using ServerApp.ip=0.0.0.0 #1643 (@​Yann-P, @​minrk)
• Add a toggle to enable curve encryption for all kernels that support it #1638 (@​krassowski, @​Carreau, @​ianthomas23, @​minrk)

Bugs fixed

• Grab the port from bind_sockets in case its different #1651 (@​choldgraf, @​krassowski)

Maintenance and upkeep improvements

• Fix test_authorizer having a spurious comma in params #1664 (@​krassowski)
• Add a reminder to merge GHSA before release #1659 (@​Yann-P, @​Carreau)
• Exclude problematic pywinpty 3.0.4 version #1658 (@​krassowski)
• ci: explicitly pass base-setup inputs to fix strict validation failures #1626 (@​Carreau, @​Copilot)

Documentation improvements

• Align docs for curve encryption with latest JEP version #1660 (@​krassowski, @​Carreau)
• Remove PGP key from docs #1653 (@​Yann-P, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​Carreau (activity) | @​choldgraf (activity) | @​Copilot (activity) | @​ianthomas23 (activity) | @​krassowski (activity) | @​minrk (activity) | @​Yann-P (activity)

2.19.0

(Full Changelog)

Enhancements made

• Return unresolved stanza when kernel scope is unavailable for resolvePath (instead of failing with 404) #1641 (@​MUFFANUJ, @​Carreau, @​krassowski)

Bugs fixed

• Recreate notary store on failure to prevent save deadlock and data loss #1640 (@​krassowski, @​Carreau)

Maintenance and upkeep improvements

... (truncated)

Commits

• 05a78ad Publish 2.20.0
• 6cbee8d Merge commit from fork
• 333e700 Fix test_authorizer having a spurious comma in params (#1664)
• cccd543 Fix CI: explicitly pass base-setup inputs to avoid strict validation failures
• cd16d71 Align docs for curve encryption with latest JEP version (#1660)
• e458061 Add a toggle to enable curve encryption for all kernels that support it (#1638)
• 0ceeb4f Add note in RELEASE.md
• b13f8a2 Markdown does not work.
• e885b10 Add GHSA reminder in prep-release
• 0e28c90 Exclude problematic pywinpty 3.0.4 version (#1658)
• Additional commits viewable in compare view

Updates tornado from 6.5.5 to 6.5.7

Changelog

Sourced from tornado's changelog.

Release notes

.. toctree:: :maxdepth: 2

releases/v6.5.7 releases/v6.5.6 releases/v6.5.5 releases/v6.5.4 releases/v6.5.3 releases/v6.5.2 releases/v6.5.1 releases/v6.5.0 releases/v6.4.2 releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1

... (truncated)

Commits

• 48fc2d4 Merge pull request #3633 from bdarnell/curl-reset-65
• 4ae1ddd Release notes and version bump for 6.5.7
• 3154caa curl_httpclient: Reset the curl object before putting it on the freelist
• 7d869c0 Merge pull request #3631 from bdarnell/cve-links
• 288241f docs: Use the correct link syntax
• 8da981c docs: Add CVE links to 6.5.6 release notes
• aba2569 Merge pull request #3626 from bdarnell/fixes-656
• a24b260 httpclient_test: Accept an additional error message variant
• a74240a Release notes and version bump for 6.5.6.
• e8fc7ed simple_httpclient: Strip auth headers on cross-origin redirects
• Additional commits viewable in compare view

Updates bleach from 6.3.0 to 6.4.0

Changelog

Sourced from bleach's changelog.

Version 6.4.0 (June 5th, 2026)

NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future releases including for security issues. See issue: <https://github.com/mozilla/bleach/issues/698>__

Backwards incompatible changes

• Dropped support for pypy 3.10. (#764)

Security fixes

• Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.

  Fix XSS issue with sanitize_uri_value where disallowed schemes with Unicode invisible characters wouldn't be rejected.

  For example::

  import bleach payload1 = 'Click' result1 = bleach.clean(payload1) print(repr(result1))

  outputs::

  'Click'

  See the advisory for details.

• Fix GHSA-gj48-438w-jh9v.

  Fix issue where URI sanitization wasn't happening in formaction attributes.

  See the advisory for details.

Bug fixes

• Add support for pypy 3.11. (#764)

• Drop version max in tinycss2 pin. (#772)

  This removes one of the things we had to keep checking and updating. Users now own the responsibility for correctness with the version of tinycss2 they're using.

Commits

• f0355a7 fix: fix last release date in CHANGES
• ae4e8a2 chore: bleach 6.4.0 and final release
• 970df58 fix: uri-sanitization in formaction attributes
• 7c4867c fix: xss bypass in allowed protocol test using unicode invisible characters
• 913ab75 fix: reduce redundancy in workflow jobs
• 218c15a fix: rework pip caching
• 4f0b097 fix: fix tox platform restrictions
• e95a79d chore: update pytest
• 91539d4 Bump actions/cache from 5.0.3 to 5.0.4
• cd47b4c fix: handle left-angle-bracket that's not a tag (#733)
• Additional commits viewable in compare view

Updates jupyter-server from 2.18.2 to 2.20.0

Release notes

Sourced from jupyter-server's releases.

v2.20.0

2.20.0

(Full Changelog)

Security fixes

• CVE-2026-44727 GHSA-fcw5-x6j4-ccmp

Enhancements made

• Fix confusing terminal output when using ServerApp.ip=0.0.0.0 #1643 (@​Yann-P, @​minrk)
• Add a toggle to enable curve encryption for all kernels that support it #1638 (@​krassowski, @​Carreau, @​ianthomas23, @​minrk)

Bugs fixed

• Grab the port from bind_sockets in case its different #1651 (@​choldgraf, @​krassowski)

Maintenance and upkeep improvements

• Fix test_authorizer having a spurious comma in params #1664 (@​krassowski)
• Add a reminder to merge GHSA before release #1659 (@​Yann-P, @​Carreau)
• Exclude problematic pywinpty 3.0.4 version #1658 (@​krassowski)
• ci: explicitly pass base-setup inputs to fix strict validation failures #1626 (@​Carreau, @​Copilot)

Documentation improvements

• Align docs for curve encryption with latest JEP version #1660 (@​krassowski, @​Carreau)
• Remove PGP key from docs #1653 (@​Yann-P, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​Carreau (activity) | @​choldgraf (activity) | @​Copilot (activity) | @​ianthomas23 (activity) | @​krassowski (activity) | @​minrk (activity) | @​Yann-P (activity)

v2.19.0

2.19.0

(Full Changelog)

Enhancements made

... (truncated)

Changelog

Sourced from jupyter-server's changelog.

2.20.0

(Full Changelog)

Enhancements made

• Fix confusing terminal output when using ServerApp.ip=0.0.0.0 #1643 (@​Yann-P, @​minrk)
• Add a toggle to enable curve encryption for all kernels that support it #1638 (@​krassowski, @​Carreau, @​ianthomas23, @​minrk)

Bugs fixed

• Grab the port from bind_sockets in case its different #1651 (@​choldgraf, @​krassowski)

Maintenance and upkeep improvements

• Fix test_authorizer having a spurious comma in params #1664 (@​krassowski)
• Add a reminder to merge GHSA before release #1659 (@​Yann-P, @​Carreau)
• Exclude problematic pywinpty 3.0.4 version #1658 (@​krassowski)
• ci: explicitly pass base-setup inputs to fix strict validation failures #1626 (@​Carreau, @​Copilot)

Documentation improvements

• Align docs for curve encryption with latest JEP version #1660 (@​krassowski, @​Carreau)
• Remove PGP key from docs #1653 (@​Yann-P, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​Carreau (activity) | @​choldgraf (activity) | @​Copilot (activity) | @​ianthomas23 (activity) | @​krassowski (activity) | @​minrk (activity) | @​Yann-P (activity)

2.19.0

(Full Changelog)

Enhancements made

• Return unresolved stanza when kernel scope is unavailable for resolvePath (instead of failing with 404) #1641 (@​MUFFANUJ, @​Carreau, @​krassowski)

Bugs fixed

• Recreate notary store on failure to prevent save deadlock and data loss #1640 (@​krassowski, @​Carreau)

Maintenance and upkeep improvements

... (truncated)

Commits

• 05a78ad Publish 2.20.0
• 6cbee8d Merge commit from fork
• 333e700 Fix test_authorizer having a spurious comma in params (#1664)
• cccd543 Fix CI: explicitly pass base-setup inputs to avoid strict validation failures
• cd16d71 Align docs for curve encryption with latest JEP version (#1660)
• e458061 Add a toggle to enable curve encryption for all kernels that support it (#1638)
• 0ceeb4f Add note in RELEASE.md
• b13f8a2 Markdown does not work.
• e885b10 Add GHSA reminder in prep-release
• 0e28c90 Exclude problematic pywinpty 3.0.4 version (#1658)
• Additional commits viewable in compare view

Updates tornado from 6.5.5 to 6.5.7

Changelog

Sourced from tornado's changelog.

Release notes

.. toctree:: :maxdepth: 2

releases/v6.5.7 releases/v6.5.6 releases/v6.5.5 releases/v6.5.4 releases/v6.5.3 releases/v6.5.2 releases/v6.5.1 releases/v6.5.0 releases/v6.4.2 releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1

... (truncated)

Commits

• 48fc2d4 Merge pull request #3633 from bdarnell/curl-reset-65
• 4ae1ddd Release notes and version bump for 6.5.7
• 3154caa curl_httpclient: Reset the curl object before putting it on the freelist
• 7d869c0 Merge pull request #3631 from bdarnell/cve-links
• 288241f docs: Use the correct link syntax
• 8da981c docs: Add CVE links to 6.5.6 release notes
• aba2569 Merge pull request #3626 from bdarnell/fixes-656
• a24b260 httpclient_test: Accept an additional error message variant
• a74240a Release notes and version bump for 6.5.6.
• e8fc7ed simple_httpclient: Strip auth headers on cross-origin redirects
• Additional commits viewable in compare view

Updates pyarrow from 22.0.0 to 23.0.1

Release notes

Sourced from pyarrow's releases.

Apache Arrow 23.0.1

Release Notes URL: https://arrow.apache.org/release/23.0.1.html

Apache Arrow 23.0.1 RC0

Release Notes: Release Candidate: 23.0.1 RC0

Apache Arrow 23.0.0

Release Notes URL: https://arrow.apache.org/release/23.0.0.html

Apache Arrow 23.0.0 RC2

Release Notes: Release Candidate: 23.0.0 RC2

Commits

• 82a374e MINOR: [Release] Update versions for 23.0.1
• c1ae37c MINOR: [Release] Update .deb/.rpm changelogs for 23.0.1
• 8f6e557 MINOR: [Release] Update CHANGELOG.md for 23.0.1
• 4e16a1a GH-49159: [C++][Gandiva] Detect overflow in repeat() (#49160)
• 985621d GH-48817 [R][C++] Bump C++20 in R build infrastructure (#48819)
• 1bea06a GH-49024: [CI] Update Debian version in .env (#49032)
• 147bcd6 GH-49156: [Python] Require GIL for string comparison (#49161)
• e4f922b GH-49138: [Packaging][Python] Remove nightly cython install from manylinux wh...
• f9376e4 GH-49003: [C++] Don't consider out_of_range an error in float parsing (#49095)
• ab2c0ad GH-49044: [CI][Python] Fix test_download_tzdata_on_windows by adding required...
• Additional commits viewable in compare view

Updates pyarrow from 22.0.0 to 23.0.1

Release notes

Sourced from pyarrow's releases.

Apache Arrow 23.0.1

Release Notes URL: https://arrow.apache.org/release/23.0.1.html

Apache Arrow 23.0.1 RC0

Release Notes: Release Candidate: 23.0.1 RC0

Apache Arrow 23.0.0

Release Notes URL: https://arrow.apache.org/release/23.0.0.html

Apache Arrow 23.0.0 RC2

Release Notes: Release Candidate: 23.0.0 RC2

Commits

• 82a374e MINOR: [Release] Update versions for 23.0.1
• c1ae37c MINOR: [Release] Update .deb/.rpm changelogs for 23.0.1
• 8f6e557 MINOR: [Release] Update CHANGELOG.md for 23.0.1
• 4e16a1a GH-49159: [C++][Gandiva] Detect overflow in repeat() (#49160)
• 985621d GH-48817 [R][C++] Bump C++20 in R build infrastructure (#48819)
• 1bea06a GH-49024: [CI] Update Debian version in .env (#49032)
• 147bcd6 GH-49156: [Python] Require GIL for string comparison (#49161)
• e4f922b GH-49138: [Packaging][Python] Remove nightly cython install from manylinux wh...
• f9376e4 GH-49003: [C++] Don't consider out_of_range an error in float parsing (#49095)
• ab2c0ad GH-49044: [CI][Python] Fix test_download_tzdata_on_windows by adding required...
• Additional commits viewable in compare view

Updates bleach from 6.3.0 to 6.4.0

Changelog

Sourced from bleach's changelog.

Version 6.4.0 (June 5th, 2026)

NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future releases including for security issues. See issue: <https://github.com/mozilla/bleach/issues/698>__

Backwards incompatible changes

• Dropped support for pypy 3.10. (#764)

Security fixes

• Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.

  Fix XSS issue with sanitize_uri_value where disallowed schemes with Unicode invisible characters wouldn't be rejected.

  For example::

  import bleach payload1 = 'Click' result1 = bleach.clean(payload1) print(repr(result1))

  outputs::

  'Click'

  See the advisory for details.

• Fix GHSA-gj48-438w-jh9v.

  Fix issue where URI sanitization wasn't happening in formaction attributes.

  See the advisory for details.

Bug fixes

• Add support for pypy 3.11. (#764)

• Drop version max in tinycss2 pin. (#772)

  This removes one of the things we had to keep checking and updating. Users now own the responsibility for correctness with the version of tinycss2 they're using.

Commits

• f0355a7 fix: fix last release date in CHANGES
• ae4e8a2 chore: bleach 6.4.0 and final release
• 970df58 fix: uri-sanitization in formaction attributes
• 7c4867c fix: xss bypass in allowed protocol test using unicode invisible characters
• 913ab75 fix: reduce redundancy in workflow jobs
• 218c15a fix: rework pip caching
• 4f0b097 fix: fix tox platform restrictions
• e95a79d chore: update pytest
• 91539d4 Bump actions/cache from 5.0.3 to 5.0.4
• cd47b4c fix: handle left-angle-bracket that's not a tag (#733)
• Additional commits viewable in compare view

Updates tornado from 6.5.5 to 6.5.7

Changelog

Sourced from tornado's changelog.

Release notes

.. toctree:: :maxdepth: 2

releases/v6.5.7 releases/v6.5.6 releases/v6.5.5 releases/v6.5.4 releases/v6.5.3 releases/v6.5.2 releases/v6.5.1 releases/v6.5.0 releases/v6.4.2 releases/v6.4.1 releases/v6.4.0 releases/v6.3.3 releases/v6.3.2 releases/v6.3.1 releases/v6.3.0 releases/v6.2.0 releases/v6.1.0 releases/v6.0.4 releases/v6.0.3 releases/v6.0.2 releases/v6.0.1 releases/v6.0.0 releases/v5.1.1 releases/v5.1.0 releases/v5.0.2 releases/v5.0.1 releases/v5.0.0 releases/v4.5.3 releases/v4.5.2 releases/v4.5.1 releases/v4.5.0 releases/v4.4.3 releases/v4.4.2 releases/v4.4.1 releases/v4.4.0 releases/v4.3.0 releases/v4.2.1 releases/v4.2.0 releases/v4.1.0 releases/v4.0.2 releases/v4.0.1 releases/v4.0.0 releases/v3.2.2 releases/v3.2.1

... (truncated)

Commits

• 48fc2d4 Merge pull request #3633 from bdarnell/curl-reset-65
• 4ae1ddd Release notes and version bump for 6.5.7
• 3154caa curl_httpclient: Reset the curl object before putting it on the freelist
• 7d869c0 Merge pull request #3631 from bdarnell/cve-links
• 288241f docs: Use the correct link syntax
• 8da981c docs: Add CVE links to 6.5.6 release notes
• aba2569 Merge pull request #3626 from bdarnell/fixes-656
• a24b260 httpclient_test: Accept an additional error message variant
• a74240a Release notes and version bump for 6.5.6.
• e8fc7ed simple_httpclient: Strip auth headers on cross-origin redirects
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.